Friday, 17 July

20:00

The 23rd Annual Child's Play Dinner Auction! [Penny Arcade]

This is just a quick note to say that the 23rd annual Child’s Play Charity Dinner and Auction is coming up on November 13th and you can get your tickets now!

 

19:28

Reproducible Builds (diffoscope): diffoscope 325 released [Planet Debian]

The diffoscope maintainers are pleased to announce the release of diffoscope version 325. This version includes the following changes:

[ Chris Lamb ]
* Fix tests to work with zipdetails 4.0008. (Closes: #1141359)
* Downgrade debhelper compatibility level to 13 for now.
* Update copyright years.

You find out more by visiting the project homepage.

19:07

2026-q2 [Planet GNU]

Hello and welcome to another Qoth! Here's what's been happening in Q2 of 2026!

Joshua Branson added a pretty cool svg logo for our ethernet multiplexor. He built that image with Inkscape whilst using a Hurd laptop (Thinkpad 420) running on real iron! The Hurd wiki could certainly use more artwork. Perhaps you have a favorite Hurd translator that you believes needs some artwork!

Sergey Bugaev announced his WIP 9pfs (source code), and it has a wiki page! He writes:

Some years ago, I experimented with implementing a 9P translator for
the Hurd. Hopefully there is no need to tell this list what 9P is :)

Besides just browsing files on the few existing servers out there, a
potential use case is virtio-9p, to enable shared directory trees
between VMs and the host. But that would need someone to implement
virtio support in the Hurd.

I wanted to complete 9pfs before publishing, but that ultimately
didn't happen, so now it's time to turn it over to the community. I
now went and made the repository public on GitHub:
https://github.com/bugaevc/9pfs

What's implemented is basic browsing (readdir, stat), path resolution
(dir_lookup), and reading files (io_read). And below that, the whole
tracking for nodes, peropens, protids, fids, tags, and 9p RPCs.

Improvements are welcome, send patches to this list with [PATCH 9pfs]
in the subject. A good starting point would be to continue porting
things that I had implemented in the old netfs-based version (see
netfs.c) but didn't yet port to the new one.

He then got a little more motivated, and he added some write support!

Etienne Brateau added validation to msync, so that the Hurd better follows POSIX.

Diego Nieto Cid worked on allowing privileged users to set their task priority (nice value). His patches landed in glibc and GNU Mach. He also fixed a tiny bug in our test suite. He fixed an adjtime bug, which is helpful to the OpenNTPD port, and he fixed two more bugs.

Paulo Duarte sent a RFC patch series trying to commit Sergey’s previous AArch64 work. He writes:

This series adds the gnumach kernel-side implementation for the
aarch64 ABI Sergey landed in April 2024, plus the test-suite arms.
Patch 01 brings in the aarch64-only sources from bugaevc/wip-aarch64
verbatim, with Sergey as Author; the rest is mine.

The meaningful divergence from wip-aarch64 is what I left out:
roughly 150 files of cross-arch refactoring across kern/, ipc/, vm/,
device/intr.{c,h}, and the i386 tree. Each got replaced with a
smaller per-arch shim under aarch64/ so kern/bootstrap.c,
device/intr.{c,h}, kern/lock.h, and the i386 trees all stay
bit-identical to current master. The shared-file footprint outside
aarch64/ is four files: a new ELF constant, two missing decls plus
their include, and a linker-symbol filter extension...

Tested: 12/12 pass on x86_64, i686, and aarch64 under qemu. No
bare-metal validation yet. I plan to build bootable images and boot
the kernel on Apple M1 / Raspberry Pi (aarch64) and an x86_64 box
(x86_64 + i686). Help on any of these welcome.

He also fixed a tiny cross compilation issue.

gfleury fixed some tmpfs typos. He also fixed a kernel crash on a null pointer deference.

Almudena Garcia is developing a WIP trivfs implementation in rust. The work is not complete yet, but it is possible to write Hurd translators in Rust!

Mikhail Karpov added some checks for mmap in several places. He also worked on adding storeio to the bootstrap chain. This is actually quite interesting. Currently the Hurd sets device entries in /dev/ statically. For example, I am writing this qoth on a Hurd machine that is using two /dev/ entries for my filesystem: /dev/wd0s1 for swap and /dev/wd0s5 for my root filesystem. However, /dev/wd0s1 through /dev/wd0s16 exist on my computer! Once Mikhail's project is done, then the Hurd will dynamically populate SATA devices at boot time! No more need for static translators! He writes:

I've expanded the functionality of the partfs translator to work
with multiple disks and their partitions. Thus, by running the
command:
settrans -c partfs /hurd/partfs /root/disk1.img /root/disk2.img /root/disk3.img


The translator directory will have the following directory tree:
partfs
├── 0
│ ├── 1
│ ├── 2
│ └── ...
├── 1
│ ├── 1
│ ├── 2
│ └── ...
├── 2
│ ├── 1
│ ├── 2
│ └── ...
Since the disks are directories, the cd and ls commands work in the translator node.

I also tested mounting, reading, and writing using the commands:
`settrans -c ext01 /hurd/ext2fs -w -T typed file:/root/partfs/0/1`
and
`settrans -c ext1_1 /hurd/ext2fs -w -T typed part:1:file:/root/partfs/1`

It actually is even cooler! Samuel (our fearless leader) is seeking feedback for how to name these newer /dev entries. Samuel writes:

One thing that would be really needed for efficiency is to implement
netfs_file_get_storage_info, so that libstore would be able to get the
underlying storage information, and directly get data from there rather
than partfs having to pass data with io_read/write.

I'm then wondering how this would fit in the "grand scheme". Our current
approach, /dev/hd0s* being always there, is indeed not really good
because it doesn't easily tell the user which partitions are actually
there. We used to have to have this because partitions used to be
handled by the kernel, and then we have moved to
storerio+parted-supported partitions, which brings much more
flexibility.

Perhaps we could use

settrans -c /dev/hd0s /hurd/partfs /dev/hd0

and then we'd have /dev/hd0s/1, which is almost like before, but allows
the entries to be dynamic. Actually, we could even have some

settrans -c /dev/hd /hurd/probedisk hd

and then we'd have /dev/hd/0, and we could have /dev/hd/0s being partfs,
so we'd eventually have

/dev/hd/0s/1

But I'm also thinking that perhaps it could be integrated more with
storeio, i.e. /dev/hd0 can as well also act as a directory with partfs
behavior, so you could have

/dev/hd0/1

and with the probedisk translator, you could have

/dev/hd/0/1

What do people think about it?

Mike Kelly has been hard at work porting OpenBSD’s OpenNTPD, which required some glibc work. The Hurd doesn't currently have a NTP daemon, so thanks Mike!

He also debugged a weird memory error with rump, and he provided a "brown-tape" solution for it. Hopefully, he (or you dear reader), can reach out to the NetBSD people to fix this bug. This just goes to show that when two projects use the same code, both projects benefit!

He also got a glibc patch committed. Essentially SIGSTOP/SIGCONT was duplicating portions of files, which is now fixed. However, there are still some other issues with building some haskell packages.

Joan Lledó continued his work on porting dhcpcd. Also Roy Maples, the dhcpcd maintainer did a lot of helpful work to help us out. Thanks Roy!

Bradley Morgan fixed a tiny implementation bug with cat. He also tweaked procfs to show hidden files, and he allowed passing “-s” to init. Previously, passing "-s" to init was silently ignored.

Johannes Schauer Marin Rodrigues has been working on getting s-build to run on amd64 Hurd. It is a rather long email thread, so grab some popcorn and dig in!

Milos Nikic ported Neovim. He also worked on bug fixes to libdiskfs, and he fixed a deadlock bug in the “ext3/ext4” filesystem journal.

In the last qoth we had talked about how the Milos was working on adding an ext3/ext4 binary compatible journal. Samuel has committed it! Samuel wrote:

There is a couple things that I fixed on the fly:

- We want to use pthread_cond_clockwait rather than
  pthread_cond_timedwait, to be able to use CLOCK_MONOTONIC instead of
  CLOCK_REALTIME, to avoid being hit by ntpdate and such.

- In diskfs_S_dir_rename, there was an addition of:

  pthread_mutex_unlock (&fnp->lock);

  which was clearly bogus: we were unlocking it again below.

There are a couple things that we'd want to fix now:

- when calling diskfs_file_update, don't we have to be inside a
  transaction? Otherwise if we pass wait=1 and use a journal, we won't
  be waiting AIUI? Notably, in diskfs_S_dir_rmdir we don't use a
  transaction. And ideally we'd have an assertion that makes sure we
  respect this.

- we should define some helper for this recurring pattern:

  if ((docommit) && (diskfs_synchronous || diskfs_journal_needs_sync (txn)))
    diskfs_journal_commit_transaction (txn);
  else
    diskfs_journal_stop_transaction (txn);

- journal_drain_deferred_blocks should document what it does, not just
  its call conditions :), and more generally the functions that are
  not already documented in a .h and not just a _locked variant of a
  documented function.

Leonardo Lopes Pereira did some spring cleaning to remove some dead code.

Samuel Thibault mentioned in an email that the Hurd can support nvmes with rump, but that the work was just not done yet. Perhaps you, dear reader, would like to help us accomplish this task?

The mysterious user yelini worked on porting the D language compiler.

Damien Zammit worked on tweaking the Hurd’s WIP CI. He also fixed several bugs to make it possible to run the Hurd’s test suite from GNU/Linux running on an AArch64 computer. He also is working on integrating qemu’s Hurd support into upstream qemu’s CI, so that the support does not bitrot.

Sophiel Zhou fixed a tiny pfinet permission checking issue and taught pfinet to not fail under memory pressure:

This series fixes two latent crash bugs in pfinet where mmap
return values go unchecked, may causing crash when memory is tight.

Both bugs follow the same pattern: mmap is called to grow a buffer,
but the returned pointer is dereferenced before (or without) checking
for MAP_FAILED.  Under normal operation mmap rarely fails, so these
have gone unnoticed, but under address-space pressure pfinet would
crash.

2026-04-01-gentoo gnu hurd [Planet GNU]

Gentoo GNU/Hurd released! Details.

“ The year is 2026 and Gentoo is perhaps ready for an advanced kernel: the GNU Hurd.

[...]

Scripts to build a working image that can be booted in QEMU can be found at https://codeberg.org/thesamesam/gentoo-hurd (will move that to Gentoo infra). ”

Read the announcement email.


The GNU Hurd is the GNU project's replacement for the Unix kernel. It is a collection of servers that run on the Mach microkernel to implement file systems, network protocols, file access control, and other features that are implemented by the Unix kernel or similar kernels (such as Linux). More detailed.

GNU Mach is the microkernel upon which a GNU Hurd system is based. It provides an Inter Process Communication (IPC) mechanism that the Hurd uses to define interfaces for implementing in a distributed multi-server fashion the services a traditional operating system kernel provides. More detailed.

18:42

18:28

This Week in AI: A First for Agentic Ransomware [Radar]

Christina Stathopoulos, the data and AI evangelist behind Dare to Data, continued her run sorting the week’s most impactful stories into a handful of themes we’ve been watching play out over the past month: more firms investing in the compute AI runs on, more concerns about who controls a model’s borders, and more AI-generated code posing challenges to scaling AI enterprise-wide.

Christina also quickly shared two updates from the frontier labs that we won’t get into below. First, OpenAI finished rolling out GPT-5.6, its family of models tuned for different workloads with an option to dial reasoning up or down, and launched ChatGPT Work, an agent workspace that connects the model to Slack, calendars, documents, and other enterprise tools. Anthropic, meanwhile, published research describing a hidden internal workspace it’s calling the “J-space” that suggests that Claude organizes and manipulates ideas before producing a response. It isn’t proof of anything like consciousness, as Christina was quick to note, but it’s one of the clearer steps yet toward inspecting what a model is actually doing between input and output. That kind of visibility is critical for catching problems like deception or unsafe behavior before they show up in an answer.

More AI labs are turning into chip companies

Last week, Christina covered the opening moves in an AI hardware race, with research from IBM and NVIDIA and a joint OpenAI and Broadcom project. Now there’s news that Chinese company DeepSeek is developing its own inference chips to cut its dependence on NVIDIA and Huawei, and Anthropic is in early talks with Samsung to build a custom AI chip. And as we saw with IBM’s sub-1 nanometer tech, chips are getting denser. Researchers in South Korea have developed a manufacturing technique that stacks more than 10 ultrathin memory chips, packing about four times the density of today’s commercial high-bandwidth memory into the same footprint. The layers align within about six micrometers, roughly a tenth the width of a human hair. The short distances between layers mean the signal doesn’t have to travel as far, making the whole stack run faster and more efficiently.

For AI companies, owning more of the stack is a way to control the cost and performance of running models once they’re built. As chip access becomes a lever in trade and security policy, it’s also a way to circumvent obstructions related to a supplier’s roadmap or a rival’s export policy.

A new security threat underscores the broader geopolitical stakes

JADEPUFFER is the first documented ransomware attack in which an AI agent carried out the entire operation end to end. A human chose the target, then the agent took over, exploiting a known vulnerability, searching for passwords and API keys, moving into the production database, encrypting it, and even writing its own ransom note, all without a person directing each step. Security teams have been bracing for this kind of sophisticated AI-driven attacks. JADEPUFFER is likely the first of many.

That growing threat surface was one reason why AI security took up so much of the conversation at the recent NATO summit in Ankara, where leaders discussed how AI is reshaping cyberattacks, drone warfare, disinformation, supply chain risk, and the speed at which leaders are expected to make high-stakes decisions. Paralleling US restrictions on who can access domestic models, China may also be moving to limit overseas access to its own frontier systems, and Alibaba is banning US-made models for its own employees. We’ve been tracking this story since May, when the US government’s on-again, off-again restrictions on Anthropic’s Fable and Mythos models offered an early sign that frontier model access was becoming of national interest. Christina shared findings from Our World in Data that show just how much the market share of Chinese models has grown from a year ago: Per data from OpenRouter, Chinese model usage at US-based companies, measured in tokens, is approaching parity with US model usage. For technical leaders, that’s a reminder that model choice is now as much a supply chain decision as a technical one, and it’s increasingly one with geopolitical repercussions.

Two challenges to watch for as enterprises scale AI

Now that code is effortlessly simple to generate, the real engineering work is making sure that AI-created code is correct, secure, and safe to run in production. As many in the field are now realizing, that’s easier said than done. A recent study of nearly 200,000 pull requests across more than 800 developers found that AI nearly doubled coding productivity, and reviewers couldn’t keep pace. Each reviewer is now responsible for roughly twice as many pull requests as they were in the years before widespread AI adoption, and the share of pull requests getting human review fell from 89% to 68%, with automated reviews filling the gap. It’s part of the same story Matt Palmer told on the show a few weeks ago when he compared running a team of agents to managing a mid-size team of human developers: “You’re just sending messages all the time, and you’re checking in to make sure things are being done,” he explained. The increase in velocity sets up a real risk of cognitive fatigue and burnout.

Here’s another challenge enterprises are facing as they scale AI: They’re connecting more and more of their data, workflows, content, and business processes to a single AI provider. As we already learned in the data space, the more attached you become to that provider, the harder it is to switch down the line. The solution to this vendor lock-in is to build an AI stack and the workflows around it that keep you in control of your data and ensure you can swap models as the technology evolves. Enterprises that treat model choice as a one-time decision are setting up the same dependency problem that OpenAI’s GPT-5.6 and Anthropic’s chip talks are trying to avoid, just one layer up the stack.

Whats next

Christina will return next week with another sweep of AI news, including a first look at Apple’s lawsuit against OpenAI, New York’s pause on new hyperscale data centers, and a landmark ruling in Germany holding Google accountable for misinformation generated by AI Overviews, plus updates on DeepSeek’s IPO plans, OpenAI’s first AI hardware device, and Anthropic’s new enterprise deployment unit. Join her live on the O’Reilly learning platform or catch up after the fact on YouTube, Spotify, Apple, or wherever you get your podcasts.

And if you want to keep learning between episodes, check out our new weekly show Zero to Agent in 30 Minutes, our AI Codecon live event on August 31, and The Agentic Enterprise now in early release on O’Reilly. Christina’s also hosting the AI Superstream on AI harnesses next week on July 23. Hope to see you there for this four-hour deep dive on turning models into agents and running them securely at scale.

18:21

Building an Arch Linux aarch64 port for Holo Core (Collabora blog) [LWN.net]

Collabora has published a blog post about its work with Valve on Holo Core, which is a port of Arch Linux to aarch64 to be used as the the operating system on Valve's 64-bit Arm Steam Frame gaming system. Collabora has released the sources, binary packages, and a container image for aarch64 devices. The post describes some of the challenges in porting Arch Linux to a new architecture, and what remains to be done:

Whilst the infrastructure developed to this point is capable of building from first principles up until a point-in-time snapshot, the next step is to build this into a system which can track Arch Linux as it is developed. This work will serve as the basis of a continuously-operating CI system capable of shadowing Arch Linux itself. We will work with the upstream Arch Linux project to help Arch with their efforts to port the distribution to aarch64 architecture and work towards automated repeatable builds.

The post also includes instructions on how to create and test an aarch64 build container on an x86_64 host, for users who would like to follow along at home but lack a 64-bit Arm device.

17:56

17:35

GNUnet 0.28.0 [Planet GNU]

GNUnet 0.28.0 released

We are pleased to announce the release of GNUnet 0.28.0.
GNUnet is an alternative network stack for building secure, decentralized and privacy-preserving distributed applications. Our goal is to replace the old insecure Internet protocol stack. Starting from an application for secure publication of files, it has grown to include all kinds of basic protocol components and applications towards the creation of a GNU internet.

This is a new major release. Major versions may break protocol compatibility with the 0.27.X versions. Please be aware that Git master is thus henceforth (and has been for a while) INCOMPATIBLE with the 0.27.X GNUnet network, and interactions between old and new peers will result in issues. In terms of usability, users should be aware that there are still a number of known open issues in particular with respect to ease of use, but also some critical privacy issues especially for mobile users. Also, the nascent network is tiny and thus unlikely to provide good anonymity or extensive amounts of interesting information. As a result, the 0.28.0 release is still only suitable for early adopters with some reasonable pain tolerance .

Download links

  • gnunet-0.28.0.tar.gz ( signature )
  • The GPG key used to sign is: 3D11063C10F98D14BD24D1470B0998EF86F59B6A

    Note that due to mirror synchronization, not all links might be functional early after the release. For direct access try http://ftp.gnu.org/gnu/gnunet/

    Changes

    A detailed list of changes can be found in the git log, the NEWS.

    Known Issues

    • There are known major issues with the TRANSPORT subsystem.
    • There are known moderate implementation limitations in CADET that negatively impact performance.
    • There are known moderate design issues in FS that also impact usability and performance.
    • There are minor implementation limitations in SET that create unnecessary attack surface for availability.
    • The RPS subsystem remains experimental.

    In addition to this list, you may also want to consult our bug tracker at bugs.gnunet.org which lists about 190 more specific issues.

    Thanks

    This release was the work of many people. The following people contributed code and were thus easily identified: Christian Grothoff, Florian Dold, TheJackiMonster, and Martin Schanzenbach.

[$] Securing BPF LSMs against tampering [LWN.net]

Since 2020, BPF programs have been able to act as Linux security modules (LSMs). Several projects, including systemd, have been working to use that capability to provide more security to users. Christian Brauner spoke at the 2026 Linux Storage, Filesystem, Memory-Management, and BPF Summit about some of the limitations of using BPF in this way, and the changes he would like to see for systemd's use. In particular, he would like a way to make sure that BPF programs cannot be removed or have their private data tampered with.

17:07

The Big Idea: John Wiswell [Whatever]

We all hear voices in our brain, but what if they were coming from your other heads?!? Author John Wiswell’s main character is a multi-headed dragon with a lot of contradicting opinions. Though a dragon, you may find his inner turmoil more relatable than you’d expect. Take flight in his Big Idea for The Dragon Has Some Complaints.

JOHN WISWELL:

A dragon is a lot like ADHD.

I’ve always loved dragons. How can you not like dragons? They’re like if someone glued all the cool parts of dinosaurs together and then let them barf fire. Anyone who’s ever been stuck in traffic admires the incendiary nature of dragons.

Most interesting to me are many-headed dragons. They’re referenced in ancient Greek classics, suggesting we’ve always had such things on our minds. Yet in most stories, the many-headed dragon is just a single-minded critter with more mouths that they can use to bite the protagonist. You’re lucky if one head on a dragon’s shoulders gets a personality. Much less all of them.

In one fundamental way, dragons being treated as though they have no intelligence is similar to the experience of those of us with ADHD. We are spoken about like we aren’t human beings, but rather are a cognitive condition with legs, which needs medication in order to be talked about as a person. As though we have no creativity or insight until we sit still. I’ve done this dance since I was a little kid with too many books open at once on my floor. It only got worse once I got a browser and started opening tabs.

Writing a many-headed dragon gave me a great outlet for reflecting on how my brain works. Garrodigh, my dragon, would have several heads with distinctly different opinions about what to do with his wings. He’d at once be a singular “he” and a plural “they,” both true, just circumstantial. 

The head growing out of his bottom-most neck, named Bottomhead, is basically a feral animal, focusing on sunbathing and lunch. He’s the sort of creature who would chase a cannonball across the island to bite it.

In the middle, Centerhead is a curmudgeon, focused on all the ways the world has hurt him and puts him in jeopardy, begrudging humanity for injuring him and costing him the power of flight. If he could, he’d blast dragonfire over the entire human world. Fire is a great way to express your feelings.

Upperhead (guess where he grows!) is outright delusional, believing he is actually a human being suffering from some traumatic hallucination. Any day now, he’ll snap out of it and the other heads will be gone, and he’ll return to mowing his lawn and eating too much bread.

They spend the opening chapter fighting in a way that will be familiar to some readers. See, I don’t just talk to myself. I argue with myself. My brain isn’t big enough to house all the contradictory opinions banging around in there. They spill out of me. The habit of talking to myself was great practice for being a writer, since writing is just talking to yourself quietly.

A funny thing happens when you literalize this by having multiple contradictory consciousnesses striving for control of a single body. It helps you see how parts of the same person can clash. You also see how they reconcile, and how you only grow when those parts work together. You don’t grow by silencing yourself. You grow in tandem with yourself, both singular and plural.

Garrodigh has been through a lot. He was once a four-headed dragon, but poor Lefty was blown off by a human’s cannon in the same incident that injured their wings. That trauma still echoes through all three of the surviving heads. Losing a part of himself is part of what’s put the rest of him in such strife. What’s made some parts of him seek vengeance, while other parts just want to understand why the humans keep going to war with each other.

There are enormous questions ahead for him. Can he pull himself together enough to face his injuries and possibly fly again someday? Can he trust anyone again? What place does he have in this world?

They’re the sort of questions you could have conflicting opinions about. By asking them, maybe you’ll see some of yourself in a dragon.


The Dragon Has Some Complaints: Amazon|Barnes & Noble|Books A Million|Bookshop.org

Author socials: Instagram|Threads|BlueSky|Substack|Patreon

16:21

16:14

Link [Scripting News]

New rss.chat feature: It now supports feed discovery, so you can subscribe to any html page on the site in a compatible feed reader. I tested it in FeedLand and NetNewsWire and it works. Works on any instance, not just ours.

15:35

Why has the display control panel pointer truncation bug gone unfixed for so long? [The Old New Thing]

Last time, we speculated on how the buggy control panel extension truncated a value that it had right in front of it. When we sent our analysis to the vendor, they wrote back, “Can you check the driver version numbers on these crashes?”

When we checked the driver version numbers on all the crashing systems, they were something like “build 314”, when the current driver build number is something like “build 2718”. These users are running drivers that are ridiculously old! The vendor fixed that bug ages ago, but the user hasn’t gotten the fix. What’s going on?

My theory was that these users have turned off Windows Update or are otherwise declining to upgrade their video drivers. But I learned that my theory was probably wrong.

The deal here is that these are video drivers, which are a category of drivers where computer manufacturers have a lot of control. The manufacturer certifies the drivers for use on their PCs after performing their own acceptance testing on their specific hardware configurations. (Which are probably not hardware configurations that the video card vendors themselves are aware of.)

This responsibility carries forward post-sale. The computer manufacturer remains responsible for certifying driver updates, presumably by testing them against reference PCs that they maintain in their labs. Sometimes, manufacturers get customized versions of the video cards (all the better to differentiate your product with, my dear), which is why the video card vendor “driver downloads” sites often warn you to check with your computer manufacturer before installing a driver.

In practice, computer manufacturers are diligent about certifying drivers for a year, year and a half, two years tops.¹ After that, it’s not uncommon for them to abandon that model and not bother certifying drivers for it any more. All customers with that model of PC are just stuck with whatever video drivers were current as of the time the manufacturer stopped certifying drivers.

Microsoft maintains generic drivers for many classes of hardware, but intentionally sets them as low priority so that the PC manufacturer-provided drivers take precedence. The video drivers received directly from video card manufacturers are similarly deprioritized by the video card vendors. The computer manufacturer-certified drivers take precedence, even if that certification is horribly out of date.

¹ I wouldn’t be surprised if the length of time they certify drivers is somehow correlated with the length of the computer warranty.

The post Why has the display control panel pointer truncation bug gone unfixed for so long? appeared first on The Old New Thing.

15:28

Link [Scripting News]

I mentioned the previous post on rss.chat, and it developed into an interesting thread, something that I've never had the option to discuss. AT Proto makes a similar offer to developers that we do. The difference is our world is wide open, it's just already burned-in web protocols, and imho their structure, based on an arcane and complicated new storage format, starts off with a pretty huge disadvantage. They had the right idea but implemented it in the wrong place. The web is (obviously) widely deployed, even in comparison to monsters like Google and Amazon -- the web is everywhere, by definition no barriers and a prejudice toward simplicity. The gifted designers at Bluesky over-engineered their protocol, piling features on before anything had been built. That's not a good way to bootstrap a protocol. I did some development on their API, and kept wondering why they think I want to learn new ways to do things that I already have a pile of working code for. No one wants to do that.

14:42

Link [Scripting News]

In my experience in software development, it's good to start small with something useful, learn how it works before adding big new features. That's the basic principle of bootstrapping. I thought that Mastodon, for example, took on too big a job. Same thing for the protocol behind it, ActivityPub. If you go all the way to the end before implementing and using, you miss the target, in performance and usability, that's what I think happened there. They felt they had to do everything Twitter does. I would have gone down a different path, go back to the beginning, and at every step think if there might not be a better direction to evolve in. It was about ten years after Twitter launched that they started work on Masto. Imho they should have zigged where Twitter zagged in defining what a post is. Twitter put excessive limits on writing, of course is one of the big reasons I started rss.chat -- to go down a different path there. What if the social web didn't limit text? That assumption is baked into the core of rss.chat. I will consider this project a raging success if it causes Mastodon to get serious about supporting full web text.

14:35

Security updates for Friday [LWN.net]

Security updates have been issued by AlmaLinux (cifs-utils, container-tools:rhel8, libreoffice, nodejs:24, perl-XML-LibXML, and python3.12), Fedora (ansible-collection-ansible-posix, firefox, freerdp, ImageMagick, mingw-glib2, perl-DBI, perl-HTTP-Date, rust-cargo-rpmstatus, and rust-opendal), Oracle (cifs-utils, gegl, gimp, git-lfs, go-toolset:ol8, hplip, kernel, libreoffice, maven:3.9, perl-XML-LibXML, python3, python3.12, python3.9, and uek-kernel), Red Hat (kernel, kernel-rt, and podman), Slackware (netatalk), SUSE (agama, aws-nitro-enclaves-binaryblobs-upstream, gimp, gpsd, grafana, hostapd, ImageMagick, jackson-databind, kernel, libssh2_org, nm-configurator, opennlp, perl-Mojolicious, python-Pillow, python-python-engineio, python-python-socketio, and tomcat11), and Ubuntu (ntfs-3g, python-authlib, ruby2.3, tar, and ubuntu-advantage-tools).

14:00

The Right Amount of Spec for Agentic Development [Radar]

I keep seeing the same idea in conversations about agents: Detailed specs are old-world overhead now. Give the model a rough goal, let it explore, fix what comes back, move on. It sounds efficient but it also hides the cost.

A simple prompt looks cheap and tempting because it gets implementation started right away. Then the correction loops start. You review output, clarify intent, ask for changes, rerun tests, find the next gap, and do it again. Someone still has to decide whether the result matches the real goal. That person becomes the oracle.

At the other extreme, full formal specification is obviously expensive up front. Writing acceptance criteria, contract tests, or behavior-driven development (BDD) scenarios takes real effort. But the downstream cost is different because more of the oracle is executable. A test checks the same condition every time. It doesn’t get tired, rushed, or optimistic five minutes before lunch.

That is the actual trade-off. The question is not whether specification is good or bad. It’s where the minimum total cost sits. For most agentic work, it’s somewhere in the middle: enough structure to constrain the work, enough examples to make intent concrete, and enough executable checks that review does not turn into guessing.

Zero spec is not intelligent and lean; it’s just costly vibe-coding.

The bottleneck moved, not disappeared

Software engineering was never mainly about typing or even producing code. It was about deciding what should exist, what should never happen, which trade-offs matter, and what “done” means once the problem touches the real world.

For years, teams discovered missing specification through human friction. A reviewer noticed an edge case, QA found the path nobody described, a senior engineer carried half the real requirements in his head and translated them one meeting at a time. None of that was elegant, but it did force ambiguity into the open.

Agents change that fundamentally. They make implementation much cheaper and much faster. It also means an underspecified idea can turn into a plausible system before anyone has really agreed on what the system is supposed to mean.

In the old world, vague requirements ran into human slowness. In the agent world, vague requirements run into machine speed.

That’s why specification suddenly feels important again. It was always important. We just used implementation cost as a crude forcing function and called the result process.

As implementation gets cheaper, more of the difficulty moves into deciding what correct means and checking it reliably.As implementation gets cheaper, more of the difficulty moves into deciding what correct means and checking it reliably.

Writing the spec is not enough

This is the part I see people skip most often. They talk as if the sequence is simple: write the spec, then let the agent implement it. The missing step is the expensive one.

The spec itself needs review.

Even a careful spec can fail in familiar ways. It can contradict itself or cover the happy path and say nothing useful about retries, rate limits, or partial failure. It can describe behavior that sounds precise but cannot actually be verified. And sometimes it is precise in exactly the wrong way: it says what you wrote, not what you meant.

When an agent executes a flawed spec faithfully, the failure gets harder to diagnose. The implementation may look coherent. It may even pass the checks you provided. But the real problem lives upstream, in the spec, so fixing it means unwinding code and reasoning together.

That’s why I think spec validation deserves its own line item. Before implementation starts, someone needs to ask a few plain questions. Is this internally consistent? Is it complete enough for this task? Which parts are testable? Where are we still depending on human judgment? Which failure modes are missing because everyone silently assumed them?

Agents can help here, but only if we use them for something more useful than “write requirements.” That prompt usually produces polished fog. A better prompt is much more specific:

Draft the smallest spec that would let another agent implement this safely. Include assumptions, nongoals, acceptance criteria, edge cases, observable outcomes, and open questions. Mark which claims can become automated tests and which still require human review.

After that, hand the draft to a different agent and tell it to attack the result:

Find contradictions, ambiguous terms, hidden dependencies, untestable claims, missing failure modes, and places where an implementation could pass the written criteria while still violating the intent.

Even that simple workflow lowers the cost of getting to a spec that is worth human judgment.

Agents do not remove the need for specs. They make it cheaper to reach a level of specificity that is actually useful.Agents do not remove the need for specs. They make it cheaper to reach a level of specificity that is actually useful.

Why multi-agent systems need stronger contracts

A single agent working on a small, bounded task can often recover from loose instructions. The loop is tight, the blast radius is local, and a human can usually steer it back on course when it drifts. Humans can even easily spot the drift to begin with.

Multi-agent systems are a very different problem. Once one agent’s output becomes another agent’s input, interpretive drift starts to compound. Agent B does not know Agent A misunderstood a requirement by 10%. It just treats the output as ground truth and keeps going. By the time a human sees the result, the original mistake may be buried under several layers of competent-looking work.

At that point, the spec is no longer just guidance but more like a contract.

That contract needs more than a paragraph of intent. It needs schemas, invariants, allowed ambiguity, validation rules, and explicit failure behavior. In many cases, it also needs contract tests, typed interfaces, and machine-checkable handoff formats. The handoff is part of the product, which is less glamorous than people hoped, but much closer to reality.

This is also where BDD and executable acceptance tests belong. Their value is not just the methodology, it’s that they move part of the human oracle into something repeatable. When behavior is stable enough to specify precisely, an executable spec is often cheaper than another round of review.

Once agents start handing work to other agents, the handoff itself needs to be specified and validated like a real interface.Once agents start handing work to other agents, the handoff itself needs to be specified and validated like a real interface.

A spec should have an expiration date

There is another failure that teams make here: It shows up when they keep pushing on the specification curve as if more text is always safer. It is not. At least for current models it’s not.

Chroma’s work on context rot makes the first part of the problem clear: Model performance gets less reliable as the input grows, even on simple tasks. In coding projects there is a second problem on top of that. The more design prose, examples, plans, comments, tickets, and old acceptance criteria you stuff into the context, the less obvious it becomes which parts are instructions and which parts are artifacts.

I wouldn’t call this prompt injection in the security sense. Nobody is trying to attack the model. It’s closer to self-inflicted instruction drift. The context contains old design intent, current implementation, half-valid examples, generated plans from three sessions ago, and maybe a stale software design document that still describes classes that no longer exist. At that point, the model is not reading one spec, it’s averaging across competing sources of truth.

That’s when overspecification stops helping and starts confusing the model. The agent can no longer tell whether a paragraph is an active requirement, a historical note, or something the code has already replaced.

A design document is useful early because the code doesn’t exist yet. Later, it needs to shrink. Once interfaces, tests, and invariants are real, the detailed build plan should start disappearing. “Keep the parts” code is bad at expressing on its own: business rationale, non-goals, safety constraints, external contracts, and the few invariants you do not want rediscovered by trial and error. Delete the prose that just restates what classes and methods already do.

Otherwise, you end up with two specs. Humans will complain about that in review. Agents will often try to obey both.

APIs can make code behave like spec

There is also a more optimistic version of this story. Some codebases reach the “code is the spec” point faster than others, and API design is a big reason why.

If an internal API hides behavior behind conventions, weakly typed parameters, setup magic, and generic errors, an agent cannot treat the code as the spec. It has to reconstruct the rules from scattered prose and trial and error. That’s slow for humans and worse for models.

The opposite is also true. An API with explicit names, task-level methods, strong types, readable validation, useful examples, and actionable errors gives the agent something concrete to stand on. If the agent can inspect the surface area, see what a method does, understand what input is legal, and recover from errors without guessing, then the code carries much more of the specification load by itself.

This is where the AI-friendly API design ideas matter in practice. Explicit discoverability beats convention. Methods should line up with real tasks instead of forcing the agent through a dozen fragile steps. Types and validation should show what legal input looks like. Error messages should point to the next fix, not just announce failure. Introspection and examples help the model learn the shape of the API from the codebase it already has. Performance transparency matters too, because an agent will happily write a correct and terrible loop around an expensive call if the API gives it no clue.

This isn’t only about public SDKs. It applies to internal service boundaries, library clients, repository abstractions, and even the helper classes in a large monorepo. The easier an API is to discover and inspect, the easier it is for an agent to treat the code as the authoritative spec instead of dragging more prose into the context. I’ve written about all this before in more depth if you’re interested.

Where to invest

What I strongly believe is that there is no single right amount of specification. The answer depends on the kind of work you’re doing. For a small, well-bounded task, the sweet spot is usually structured intent: the goal, a few examples, nongoals, and clear acceptance criteria. That is often enough to keep the agent productive without making setup heavier than the task.

For deterministic work such as CRUD flows, API integrations, and data transformations, the optimum moves to the right. These domains are easy to constrain and easy to test. More specification pays for itself quickly because it cuts repeated review and rework. This is where BDD, contract tests, and executable acceptance criteria help most.

For exploratory work such as architecture options, research synthesis, or novel product ideas, the optimum moves left again. Over-specification can kill the very flexibility that makes the agent useful. In that case, I would rather specify boundaries than outcomes: what must be true, what must not happen, what evidence is required, and which decisions still need a human.

For multi-agent pipelines, the optimum moves right once more. Every boundary between agents needs a contract. Without that, you aren’t coordinating a system. You’re stacking interpretations and hoping they cancel out.

There is no universal optimum. The right amount of spec depends on whether the work is exploratory, bounded, deterministic, or multi-agent.There is no universal optimum. The right amount of spec depends on whether the work is exploratory, bounded, deterministic, or multi-agent.

The common rule across all four cases is simple: Validate the spec before you scale the implementation.

What survives from Agile and XP

I do not think agents make Agile or XP irrelevant. They make the useful parts easier to separate from the parts people were already tolerating.

The first casualty is the ceremony that existed mostly to coordinate human effort hour by hour. Daily status meetings, inflated backlog rituals, and estimates presented with more confidence than information do not get stronger because an agent wrote the code. If anything, they get weaker. Agents can change the shape of a task so quickly that old effort estimates become fiction even faster than before. That doesn’t mean planning disappears. It means planning has to stop pretending it can predict implementation cost with the same comfort it had when code was the slow part.

What survives from Agile is the feedback logic. Short cycles still matter. Thin vertical slices still matter. Customer or stakeholder review still matters. Working software is still better than progress theater because agents can generate a lot of convincing wrongness very quickly. In fact, I would argue that fast feedback matters more now, not less. If a team can go from vague idea to large implementation in a morning, it also needs a way to discover by lunchtime that the idea was wrong.

XP survives even better because it was always about keeping learning close to the code. Test-first thinking still matters because executable checks get more valuable as implementation gets cheaper. Continuous integration still matters because every agent change needs a gate. Refactoring still matters because agents can happily produce code that works, passes a few tests, and still leaves you with a structure nobody wants to maintain next month. The machine has no pride here. It will generate a mess with perfect confidence.

Pair programming changes shape, but the core idea survives. I still want design judgment close to code generation. Sometimes that looks like a human working directly with one coding agent. Sometimes it looks like one model generating code while another model reviews it with a narrower brief. Either way, the useful part of pairing was never two keyboards in harmony next to each other over a coffee with their humans. It was fast design feedback before the code settled into place.

Small releases also survive, maybe for a less romantic reason. When agents can make very large changes cheaply, the temptation is to accept very large diffs cheaply too. That is a bad idea. Review, rollback, and diagnosis are easier done in small batches. A short-lived feature branch is easier to reason about than a 4,000-line monster.

What fades is methodology as reassurance. What survives is methodology as error detection. Agile and XP were at their best when they made it cheaper to discover that the team understood the problem badly. That’s still the job. The agent era just removes a few excuses and adds new ways to be wrong at high speed.

The real leverage

The promise of agentic development is real. Agents can make implementation dramatically cheaper, but once code gets cheap, specification and verification become the place where projects succeed or fail.

The teams that get the most leverage will not be the teams that specify the least. They’ll be the teams that know when three bullets are enough, when they need a real contract, and when the contract has to become executable.

The agents are getting better. The decisions are still ours.

12:14

Details of Alan Turing’s Voice Encryption System [Schneier on Security]

Really interesting piece of cryptographic history:

In November 2023, a large cache of his wartime papers—nicknamed the “Bayley papers”—was auctioned in London for almost half a million U.S. dollars. The previously unknown cache contains many sheets in Turing’s own handwriting, telling of his top-secret “Delilah” engineering project from 1943 to 1945. Delilah was Turing’s portable voice-encryption system, named after the biblical deceiver of men. There is also material written by Bayley, often in the form of notes he took while Turing was speaking. It is thanks to Bayley that the papers survived: He kept them until he died in 2020, 66 years after Turing passed away.

12:00

Error'd: Princess Pricing [The Daily WTF]

Sam suggests this Error'd indicates "Disney+ preparing the ground for usage-based billing." I'm intrigued by the idea that Disney might charge by the minute, but I suspect the reality is far more mundane.

13e08caf609f4133afd419a76acb432a

Silly prices at online shopping sites don't usually make it through the gauntlet here, but I'm making an exception for the math, as Rob H. points out "it ain't mathin'."

0924416949684290b36ad0d823129181

and Harrison suggests a novel kind of discounting math "I went to the supermarket later at night for some beers, and had a snoop around the yellow sticker items for anything I might need or could freeze. This bakery item was priced in reverse, Was: 0.00, Now 1.99, discounted by negative infinity percent, and infinity is even printed upside down somehow."

d41527fab58d46fa97f4477dfcbf659d

We've got a mojibake from dragoncoder047: "Was browsing through the widget options on my iPhone home screen and found that Game Center had decided to do this. Mind you, my iPhone was, and always had been, set to English."

c4fb48f719b34b5393e274cc6bc48f2a

Finally a combination of typical time travel and package tracker shenanigans, not explained by time zone hijinks. Evelyn notes "Apparently the package was registered in July, on its way during January, and then got back to July."

ef7d6784e50a48eebfaf4b912c8caa55

[Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!

10:21

Resources and focus [Seth's Blog]

There are lots of things you can do, but it’s not clear you should.

OpenAI has virtually unlimited resources. And in addition to building a chat-based AI, they chose to launch pretty good image generation, a basketball, a meme video generator (since cancelled), an upcoming speaker that actually moves around your house, and a myriad of other tools, with new ones coming all the time. A short list includes: Operator, Deep Research, Scheduled Tasks, Projects, Canvas, Connectors, famous voices and Record Mode.

At the same time, Anthropic follows a slower (sort of boring) path.

It’s precisely the same choices every solo freelancer and small business faces, except with more zeroes.

At its peak, Yahoo had nearly 200 links on its home page. They were defeated by Google, which had two.

Three things:

  1. More resources could mean you need more focus, not less.
  2. Innovation is critical, and focus shouldn’t be used as an excuse to hide.
  3. No is a complete sentence.

08:42

Rex Ready Player One, Part Six [Penny Arcade]

New Comic: Rex Ready Player One, Part Six

06:35

Girl Genius for Friday, July 17, 2026 [Girl Genius]

The Girl Genius comic for Friday, July 17, 2026 has been posted.

05:42

Music To Their Ears [QC RSS v2]

the magic words

01:35

00:28

Lorenzo Salgado Araujo [Richard Stallman's Political Notes]

Witnesses say that the deportation thugs are making false statements to protect the one of them who shot Lorenzo Salgado Araujo dead.

This is a repeated pattern, and presents a reason to suspect that their refusal to use body cameras and other cameras is specifically intended to help them protect each other from valid criminal accusations.

"Intelligent design" idea [Richard Stallman's Political Notes]

Among the reasons for rejecting the idea of "intelligent design" of the human body are the shockingly stupid instances of bad design in it.

Occasionally someone has hands with six fingers. Could the human body have been designed by an LLM?

Endangered Species Act [Richard Stallman's Political Notes]

The wrecker's henchmen just adopted a narrow standard of "harm" for the Endangered Species Act, in order to enable business activities that risk wiping out endangered species.

Global heating denialist in charge [Richard Stallman's Political Notes]

The saboteur in chief wants to put a global heating denialist in charge of official US government reports on the advance of global heating.

US government prosecuting reporters [Richard Stallman's Political Notes]

The New York Times reported on apparent flaws in the plane that Qatar gave the corrupter. Now the government is demanding they identify their sources, saying it wants to prosecute them.

"Intelligent design" [Richard Stallman's Political Notes]

The notion of "intelligent design" of humans and other living species is false -- our structure came about by step-by-step improvement with no way to eliminate kludges.

Magat rules [Richard Stallman's Political Notes]

* New [magat] rules would undermine longstanding research practices. It's death by a thousand cuts.*

Free elections plan [Richard Stallman's Political Notes]

*How to plan for an [free] election [even though] leaders are trying to subvert [it].*

Stop political donations [Richard Stallman's Political Notes]

*UK must cap political donations to stop the rich buying influence.*

The US must do this too, but the question of how it can be done is different in each country because of the difference in constitutions./p>

Free speech [Richard Stallman's Political Notes]

Analyzing arguments people cite on the issue of free speech.

Hunt for people to deport [Richard Stallman's Political Notes]

The persecutor has increased, not decreased, the hunt for people to deport (even illegally).

It attracts less public attention now, because his henchmen have pulled back from the practice of operating with blatant crueity in Democratic cities to overawe and terrify. That backfired against them in several cities, including Minneapolis and Los Angeles, with the effect of galvanizing Americans against him. So now their plan is to collect ever-more surveillance data so they can find lots of unauthorized immigrants, as well as many authorized immigrants that they can falsely accuse of being unauthorized, or target for fabricated accusations of political crime.

Israeli border officer shooting at Palestinians [Richard Stallman's Political Notes]

An Israeli border police officer threw a flashbang into a car then shut its door from the outside. When the passengers (Palestinians) ran out the other side doors, he shot at them.

This sort of thing happens every day. (I heard from Israeli leftists decades ago that the border police were generally cruel to Palestinians, more so than soldiers.) What is unusual is that that policeman is being investigated for these acts. But past patterns suggest this will not lead to significant disciplinary action.

Killing injured Palestinians by keeping them apart from ambulances is also frequent practice.

Hussam Abu Safiya's injuries [Richard Stallman's Political Notes]

Hussam Abu Safiya, *one of Gaza's most prominent doctors is almost unrecognisable because of severe injuries inflicted in Israeli [prison], his lawyer has said, and faces "tangible danger to his life" after being held for 18 months without charge or trial.*

Extreme heat affecting one in three people [Richard Stallman's Political Notes]

*Extreme heat now affects one in three people globally, study finds. Rising temperatures making it hard even for young, healthy people to safely do normal physical tasks in many regions.*

Possible UK debt-inflation spiral [Richard Stallman's Political Notes]

If the UK borrows enough to carry out needed spending, it will fall into a debt-inflation spiral, according to a government economic monitor.

This is one of the many bad aspects of the decision to borrow needed funds rather than get them by taxing the rich. The world will become more and more unjust unless we increase the share of production that goes to the non-rich. We need to pick the least bad way of increasing taxes only on people who are more-or-less rich, and push it through.

Graham Platner dropped out of election [Richard Stallman's Political Notes]

Graham Platner has dropped out of the election for senator from Maine, after an accusation of rape. Now there is the question of how to choose another candidate.

The word "rape" clearly states the gravity of the crime he is accused of. Why, I wonder, do so many journalists seek to substitute the vague term "sexual assault", which could mean anything from stealing a kiss to rape. Such vagueness is bad for justice.

I hope that "moderate" (plutocratist) Democrats won't succeed in imposing one of themselves, since that replacement would fail to fight for the non-rich.

Two Muslim governments seized "gay cruise" [Richard Stallman's Political Notes]

Two Muslim governments (Turkey and Egypt) have seized on a self-designated "gay cruise" as an opportunity to demonstrate their religious bigotry, by refusing the ship entry.

Turkey is ostensibly a secular democracy, but nowadays the tyrant Erdoğan is undermining both of those allegiances.

Bernie Sanders endorsed Troy Jackson to replace Platner [Richard Stallman's Political Notes]

Bernie Sanders has endorsed Troy Jackson as a senate candidate to replace Platner.

The article links to more information about Jackson.

UK bill proposes maximum workplace temperature [Richard Stallman's Political Notes]

A bill in the UK proposes to set a maximum temperature for workplaces, as a safety standard.

This is needed, in the age of global heating disaster, to protect the lives of workers.

Nigel Barage [Richard Stallman's Political Notes]

Candidate Nigel Barage, of the right-wing extremist Deform UK Party, who would be comic if he were not so dangerous, has discovered that his main opponent will a candidate who is intentionally comic: Count Binface.

EU against Meta [Richard Stallman's Political Notes]

* EU regulators have accused Meta, the company behind Facebook and Instagram, of failing to tackle the risks of its "addictive design" on the physical and mental health of users.*

This is a very important problem, and one of the reasons to refuse to use those systems. But if the EU is serious about protecting users from them, it should take firm action -- take a big bite out of the problem, not a little nibble. Use of a recommendation engine should not be enabled by default.

I think that a platform should not be allowed to use or suggest any particular recommedation engine.

Ebola outbreak in DR Congo [Richard Stallman's Political Notes]

The Ebola outbreak in DR Congo is continuing to spread. Several factors are causing this, one being the monster's cancellation of US public health aid.

US artificially keeping coal alive [Richard Stallman's Political Notes]

*[The wrecker] spends billions to kill clean energy and keep coal alive.*

I don't think increasing Americans' electric bills is his goal, nor increasing sickness from air pollution. Those are side effects that do not matter to him. The goal that seems plausible to me is paying billionaires to support his power.

Global heating deadliness [Richard Stallman's Political Notes]

Due to global heating, Texas prison cells meant to make prisoners suffer now can kill them.

The deadliness of global heat is not limited to prisons, but overhot places outside prison where people live and work are generally overhot because no one wants to spend money to do anything about that. Prisons can be overhot by intention.

USDA [Richard Stallman's Political Notes]

(satire) *USDA Fills Key Advisory Role With Prominent Chewing Skeptic.*

Marijuana effectiveness [Richard Stallman's Political Notes]

A study has found that marijuana is not an effective treatment for widespread mental-related medical problems such as anxiety and anorexia.

Likewise for *psychotic disorders, post-traumatic stress disorder or opioid use disorder.*

Record wildfires in Europe [Richard Stallman's Political Notes]

*Record wildfires in Europe show failure to [curb global heating] carries a mounting cost.*

00:00

i can finally talk about something i worked on! [WIL WHEATON dot NET]

It feels like it was about 18 months ago, but could be as long as three years ago, that my friend told me about a TV show he was developing. It was a brilliant idea, I thought. A science fiction action comedy? YES PLEASE. It was funny, and clever, and entirely original, which was wild, considering it was a spin-off.

The show did get the green light, and it premieres July 23. If you have not figured this out, yet, the show is Stuart Fails to Save the Universe. My friend is Bill Prady, who also co-created The Big Bang Theory.

AND AND AND … I am co-hosting the companion podcast with Felicia Day! The trailed for our thing dropped a few hours ago.

Felicia and I will interview a ton of our real life friends from the cast1, and some genuinely amazing department heads. We get into some of the deep nerd shit in each episode (that’s kinda my thing), and just have all kinds of fun working together. Okay, that’s probably more than I can tell you without getting a stern look from a twentysomething who I technically report to. I may be getting at least a sideways glance, as it is.

I have so many things I want to say about the series, which I loved from start to finish, but I’ll get so much worse than a stern look if I even think about that, so allow me to merely say that I endorse it and hope you trust me.

Stuart Fails to Save the Universe is on HBO Max. We are also on HBO Max, the HBO Max YouTube channel, and wherever you get your podcasts. And, hey, while you’re looking for podcasts, maybe check out It’s Storytime With Wil Wheaton.

Thanks for reading. If you’d like to get my posts delivered to your inbox, here’s the thingy:

  1. You will hear me, more than once, excitedly celebrate the feeling that someone from the neighborhood made it big in Hollywood. It’s not a bit; I’m genuinely thrilled for my friends. ↩

OnePlus exits EU, US markets [OSnews]

Rumours had been circulating for a while, but now it’s official: OnePlus is effectively retreating from the European and US markets.

Today, our hearts are undoubtedly heavy and mixed with emotion. As part of the proactive global strategy adjustment, OnePlus has decided to conclude new product rollouts in Europe and North America.

↫ OnePlus statement

Once OnePlus’ co-founder Carl Pei left the company (and founded Nothing), things have been feeling shaky for OnePlus, once the undisputed darling of the more technical part of the Android crowd. Their phones got more expensive, their minimalist, close-to-stock Android version got progressively worse, and they started lagging in updates, too. My OnePlus Watch 3, for instance, which was promised to get WearOS 6 at some point, but never got it – meanwhile, WearOS 7 has already been released. No, this news is not particularly surprising.

Luckily, the company claims it will honour its warranty and update support obligations for existing products in Europe and the US, which is nice, but also something they’re legally obligated to do (at least in the EU). A snag here is that the only update path the company offers is to ColorOS, from its parent company Oppo, which many more traditional Android and OnePlus users certainly won’t be happy about. Something is better than nothing, I suppose, and I’ll reserve judgment until I see what ColorOS 17 will be like on my other OnePlus product, a OnePlus Pad 3.

It’s just one more victim of western markets (illegally) consolidating on Apple and Samsung (while a few Pixels rummaging in the margins).

Thursday, 16 July

23:42

Link [Scripting News]

Added a layer to the Docs menu, the blog posts I've written here and elsewhere, and a podcast, in the Blog posts section.

23:14

GNOME OS team is working to alleviate some of the limitations of immutable, image-based Linux variants [OSnews]

There’s a ton of interest in immutable, image-based versions of various Linux distributions, since they offer a number of benefits that make them a good fit for some users. Updates can’t really go wrong, rollback is easy, application management through Flatpak is more in line with systems like Android and iOS – they may not be advantages sought by everyone, but they clearly are by some. Still, there are also a number of annoying limitations, most notably around testing nightly releases of Flatpaks, testing system components, and installing command-line tools.

The team behind GNOME OS is addressing these issues. The first thing they’re working on in something they’ve preliminarily call Test Center, which makes it much easier to install nightly releases of Flatpaks alongside their regular versions. This is something you can already do today, but the flow is cumbersome and not exactly user-friendly; with Test Center, developers will be able to share a direct link to install test releases.

They intend to use this same Test Center for testing system components:

Our idea here is to use the same “Test Center” app mentioned above for installing and managing experiments at the system level as well. Similar to Flatpak bundles generated in CI, we generate system extension images (sysext) for every merge request. You can install experiments from a sharing link, and they will apply as a sysext over your existing system. Because those images are non-destructive overlays, you can always go back to the original system.

↫ Jordan, Jonas, and Tobias

The last and final issue is that of command-line tools, something Flatpak is simply not designed for. On this front, the GNOME OS team states they are working on a solution as well, but they’re not quite ready to go into much more detail at this point.

Regardless, these are very welcome improvements.

22:28

Gunnar Wolf: Got your keys ready for DebConf26? [Planet Debian]

Yay! Finally it’s that time of year — DebCamp is underway, and soon it will be time for DebConf! 🎉🥳

As it is by now tradition, it’s my task to coordinate the DebConf26 keysigning party. And, as usual, I have set up the list of DebConf26 keysigning maps for everybody involved.

So, if you are taking part of DebConf, make sure to:

Microsoft releases its weird ’90s IRC client as open source [OSnews]

Out of all the bloody things Microsoft could release as open source, they chose the world’s weirdest IRC client they shipped in the late ’90s that nobody used or even remembered? What on earth is happening?

Microsoft Comic Chat is a Microsoft-developed Internet Relay Chat (IRC) chat client released in 1996 that rendered conversations as automatically generated comic strips. Instead of plain text, users communicated through cartoon avatars with messages displayed in speech bubbles inside dynamically composed comic panels. The application used an expert system to determine character placement, gestures, facial expressions, balloon shape, and panel layout in real time. It shipped as part of Internet Explorer 3.0 and was later bundled with Windows 98 and MSN before being discontinued in the early 2000s.

↫ Comic Chat’s GitHub page

Not only is the original source code now available on GitHub, there’s also a modern, updated version that can make use of larger displays and higher resolutions. There’s a deliciously ’90s website for it, too.

OpenBSD drops support for the loongson architecture [OSnews]

OpenBSD parts ways with an architecture: OpenBSD will no longer be developed for loongson. The reasons are exactly what you’d expect.

The last compiler update unfortunately does not work on mips64el, with clang 22 built with clang 19 being apparently functional, but clang 22 rebuilt with the previous clang 22 hitting deterministic SIGSEGV on various files.

I don’t have the time and energy to try and debug this (which is likely an endianness problem, as octeon appears to run happily with clang 22), especially when it takes 10 days for clang to rebuild itself on these machines; and switching back to gcc 4 won’t help much as modern software in ports will require a working C++>=11 compiler to build anyway.

↫ Miod Vallat

If I got my facts right, this does not affect the newer LoongArch, which is an entirely different architecture that isn’t supported by OpenBSD at all. Similarly, the other MIPS-based architecture OpenBSD supports, Octeon, remains supported and thus isn’t affected either.

Asbestos is a tool, just like any other [OSnews]

Linus Torvalds, on the Linux Kernel Mailing List:

Asbestos is a tool, just like other tools we use. And it’s clearly a useful one.

[…]

The solution is to make sure asbestos tools help maintainers instead of just causing them pain. There’s no question on that side.

We’re not forcing anybody to use it, but I will very loudly ignore people who try to argue against other people from using it.

And no, asbestos isn’t perfect. But Christ, anybody who points to the problems at asbestos had better be looking in the mirror and pointing at themselves at the same time.

↫ Binus Morvalds on the Binux Blernel Nailing Rist

If this quote doesn’t seem quite right to you, don’t blame me – I’m just acting like an “AI”. This is the new normal now, according to Morvalds.

Coincidentally, a ton of “AI” news on OSNews these past 24 hours! Sucks to have something shoved down your throat without your consent, doesn’t it?

21:49

View From a Hotel Window, 7/16/26: Greensboro, NC [Whatever]

It’s very warm here today, but at least there is shade.

I spent the day traveling here in order to be part of the ConGregate science fiction convention this weekend. I will have panels and do other stuff! If you’re in the neighborhood, come on down.

— JS

19:42

Pluralistic: Deranged billionaires and their syndromes (16 Jul 2026) [Pluralistic: Daily links from Cory Doctorow]

->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> Top Sources: None -->

Today's links



A gigantic king, crowned and naked, sits on a lavishly curtained stage in a 19th century ballroom, before many ranked men and women dressed as gentry.

Deranged billionaires and their syndromes (permalink)

The theory of markets goes like this: even the best of us can fall prey to selfishness and rationalization, so let's arrange society so that people acting on their most selfish impulses end up producing benefit for all of us. That'll be easier and more reliable than convincing everyone to be more generous.

How do you arrange society so that selfishness produces public benefit? With markets. Faced with relentless competition, the most effective way to accumulate and retain wealth is by striving to make your wares cheaper and better. In a competitive labor market, we can secure fair treatment for workers without labor law or unions – bosses who treat their workers badly will lose them to better bosses. Just "align the incentives" and let markets do the rest.

This is an area where there's broad overlap between the left and the right. Chapter one of The Communist Manifesto is Marx and Engels' love letter to the incredible power of markets to improve everyone's material conditions by increasing production while lowering costs:

https://www.nytimes.com/2022/10/31/books/review/a-spectre-haunting-china-mieville.html?unlocked_article_code=1.yFA.YcmQ.KuTFFpUAnlmt&smid=url-share

Meanwhile, over in Wealth of Nations, Adam Smith comes to the same conclusion:

It is not from the benevolence of the butcher, the brewer, or the baker, that we expect our dinner, but from their regard to their own interest. We address ourselves, not to their humanity but to their self-love, and never talk to them of our own necessities but of their advantages.

In other words: if you get the incentives right, then even the greediest baker will resist the temptation to fill his loaves with sawdust and gravel. The greedier he is, the more he'll strive to make his bread cheap and delicious, because that will let him sell as many loaves as possible, thus maximizing his own wealth.

It's not exactly horseshoe theory vindicated, but if you squint just right, you'll see both communists and capitalists agreeing on this one thing: if you want the bourgeoisie to bend its efforts to producing something that the rest of us can benefit from, you'll get further by appealing to their fear and greed than by trusting in their munificence.

This is how you can have both leftists and market true believers coming onto the same side on antitrust: they may not both exactly agree that the best way to run things is by appealing to capitalists' fear of being dethroned by a competitor, but they absolutely agree that the worst way to run things is to simply trust in capitalists' generosity.

They're right, of course. As Lina Khan likes to say, companies that are too big to fail become too big to jail, and thus too big to care. If you doubt it, consider this internal email sent by an Apple executive insisting that the company is wasting money by making iPhones that are too good, and counseling a corporate strategy of deliberate shittiness:

In looking at it with hindsight, I think going forward we need to set a stake in the ground for what features we think are 'good enough' for the consumer. I would argue we're already doing more than what would have been good enough. But we find it very hard to regress our product features YOY [year over year]." Existing features "would have been good enough today if we hadn't introduced [them] already," and "anything new and especially expensive needs to be rigorously challenged before it's allowed into the consumer phone.

https://www.justice.gov/d9/2024-06/423137.pdf

Policymakers can assume the profit motive, but they have to craft the conditions under which that motive is shaped by competitive anxiety to produce quality goods and services at a fair price.

Anyone who believes in markets must also tacitly believe that successful market participants don't believe in markets. They should understand that capitalists hate capitalism, that every pirate yearns to be an admiral. They should understand that capitalism's winners only defend disruption when they're the ones doing the disrupting. They should understand that profits are only good when you're a scrappy challenger, but once you've conquered the market, every capitalist seeks to become a feudal lord, converting profits to rents and insulating themselves from an exhausting life of constant competition:

https://pluralistic.net/2023/09/28/cloudalists/#cloud-capital

The (smart) defenders of markets do understand this, but they face a dilemma. By definition, the benefactors with the most money and power to contribute to their think-tanks, university economics departments, conferences and publications are the rentiers – the billionaires who've shored up their fortunes with Warren Buffet's beloved "moats and walls." They're the blitzscaling billionaires who thrive on predatory acquisitions and high capital costs that prevent new market entrants from challenging their incumbency and its easy profits. They're the pirates who've become admirals.

As Upton Sinclair famously quipped, "It is difficult to get a man to understand something, when his salary depends on his not understanding it." When your right-wing, "pro-market" think-tank depends on the largesse of someone who made their money by capturing a market, capturing its regulators, and capturing its labor force, you need to tie yourself into some very weird knots to explain why your market advocacy shouldn't start with stripping your funders of their power, wealth and position.

This is pretty much the entire edifice of neoclassical economics. There's the "consumer welfare" theory of antitrust, that says that monopolies are efficient and insists that an inefficient monopoly would immediately tempt new competitors into the market who would compete away the monopolist's advantage:

https://pluralistic.net/2025/11/06/vertical-blinds/#invest-dont-acquire

"Consumer welfare" is a perfect apologetic because it contains a lurking syllogism: it holds that "inefficient monopolies" will always bring forth competitors who trash their margins, which means that any actual monopoly we see in the wild must be efficient. If it wasn't, it would have been competed out of existence by now. QED. This means that you can be a "pro-market" think-tank and take infinite money from monopolists without any contradiction: by definition, any monopolist with extra cash on hand to fund your PR blitz on its behalf must be efficient, otherwise it would have gone broke.

This is the structure of so many of economics' "empirical, scientific" theories that boil down to new ways of saying, "Actually, your boss is right."

Take "revealed preferences," the idea that people's actions are a better indicator of their preferences than the things they say they prefer. While this theory has a certain superficial plausibility, it can really only be embraced by people who have suffered the highly specific neurological injury you get by taking an economics degree: an injury that makes you incapable of perceiving or reasoning about power.

To fully embrace "revealed preferences" is to observe someone who has just sold their kidney to make rent and exclaim, "Look at this person with a revealed preference for only having one kidney":

https://pluralistic.net/2026/03/30/players-of-games/#know-when-to-fold-em

Then there's the right's conception of regulatory capture. When you think of "regulatory capture," you might picture a company or sector that has grown so powerful that it can boss the government around, so that it can abuse you with impunity. But for a neoclassical, "regulatory capture" isn't the result of too much corporate power – it's the result of too much state power. If states have the ability to do real things (the theory goes), then capitalists will do everything they can to take over the state and use it to punish their competitors, so the only answer is to eliminate state capacity altogether:

https://pluralistic.net/2022/06/05/regulatory-capture/

And finally, there's "meritocracy," which is a way of dressing up the Puritans' concept of divine providence as a scientific theory about how society must work. Puritans insisted that their god reached down into the human realm to elevate the truly virtuous among us, and that this divine favor could be discerned in the way that wealth and power were distributed among us. The rich and powerful were god's "elect." You could tell this was true, because they were rich and powerful. The corollary is that the poor and downtrodden are disfavored by god, and must therefore lack some virtue that the rich and powerful possess.

This same syllogistic thinking underpins the economic doctrine of "meritocracy," which holds that markets are giant computers that process uncountable trillions of decisions we all make about what to buy and sell and at what price, seeking out the "correct" price for every commodity and also elevating the people who are best at allocating capital in ways that arrive at the best prices for the best goods. Just as a Puritan believes that wealth is evidence of virtue, a hewer to economic orthodoxy believes the meritocratic system graces the best among us, giving them control over our lives by allowing them to "allocate capital" to create or destroy jobs, or entire firms, or whole sectors of the economy. You can tell they're the right people to do be doing this because the market chose them – if they were bad capital allocators, they'd have gone broke by now. QED.

When capital allocators' kids end up allocating capital too, well, that just shows that "merit" is a heritable trait and the people who have it are born to rule over us. Meritocracy cashes out to a eugenic belief in royal blood and royal dynasties. We know King Arthur was suited to rule us because he pulled a sword out of a stone, and we know Bill Gates is suited to rule over us because he pulled a fortune out of an operating system:

https://pluralistic.net/2025/05/20/big-cornflakes-energy/#caliper-pilled

Consumer welfare, revealed preferences, regulatory capture and meritocracy are just some of the ways that capitalism's alleged defenders cooked up to insist that they love the competitive discipline imposed by markets while being totally dependent on self-described capitalists who have utterly escaped from that discipline and have committed to doing everything in their power to prevent themselves from ever coming under any form of constraint.

These champions of "free markets" have spent decades defending policies like noncompetes, which makes it a crime for a fast-food worker to quit their job at Wendy's and take a job at the McDonald's across the street in order to get a $0.25/hour raise:

https://pluralistic.net/2025/09/09/germanium-valley/#i-cant-quit-you

They defend anticircumvention laws that make it a literal felony for you to install someone else's app store on your phone or put someone else's ink in your printer:

https://memex.craphound.com/2012/01/10/lockdown-the-coming-war-on-general-purpose-computing/

They somehow believe that value arises when the best among us are forced to contend with the stark terror of losing everything to a competitor, but also that there is a group of people who are so perfect, so virtuous and brilliant that they do not need this kind of goad to prod them into action. Indeed, these genetic sports and generational talents are so amazing that to force them to sully themselves with grubby competition is to deny us all the fruits of their genius.

Who are these people? Why, they're billionaires of course. All billionaires: after all, if providence and the market's invisible hand has seen fit to bestow nine or more zeroes upon someone, that is an indicator of 10^9 times more virtue than someone with only a dollar to their name. But especially: intellectual billionaires, the kinds of "curious" billionaires who write books, give lectures, and (especially), make gigantic cash donations to think-tanks, university economics departments, conferences and journals.

Billionaires like Peter Thiel and Elon Musk, in other words.

These are the billionaires that capitalism's (alleged) defenders are caping for when they deplore "billionaire derangement syndrome," and fret that candidates for office now routinely cite enmity for billionaires in their campaign materials:

https://marginalrevolution.com/marginalrevolution/2026/07/andrew-hall-is-on-a-roll.html

But as Tim O'Reilly writes, these billionaire-defending intellectuals always told us that markets would protect us from the madness of kings, by constraining the folly of the wealthy and powerful through the discipline of competition. Meanwhile, those billionaires were busily transforming themselves into kings, unshackled from rules, morals or consequences:

https://www.economist.com/by-invitation/2026/07/12/elon-musk-is-building-a-form-of-capitalism-that-adam-smith-would-hate

Reflecting on this, the political scientist Henry Farrell notes that the most vocal defenders of billionaireism – the Musks and Thiels of the world – never made a secret of their desire to become kings and insulate themselves from markets and discipline of every kind, and they've grown brazen. Musk makes social media posts deploring the very idea of elections, agreeing with the idea that only "makers" should be allowed to vote and that "takers" should not, because "universal suffrage leads to universal suffering":

https://nitter.net/elonmusk/status/2073312715985309698

As for Thiel, he has long openly advocated the idea that there exists among us a latent aristocracy who do not need the discipline of markets to keep them from lapsing into folly or self-dealing. These people – born to found tech startups and to rule – are nonconformists who, in Thiel's writing, are "the most important" and "should be let off the hook":

https://blakemasters.tumblr.com/post/24578683805/peter-thiels-cs183-startup-class-18-notes

Thiel makes no bones about his idea that people who have the right stuff should be exempted from any constraint. He writes "capitalism and competition are opposites." Rather than compete, Thiel says the true entrepreneur should seek to establish a monopoly, because "Monopolists can afford to think about things other than making money; non-monopolists can’t…Only one thing can allow a business to transcend the daily brute struggle for survival: monopoly profits."

It's not that Thiel opposes constraints per se – he clearly thinks that most of us should operate under constraints – constraints that are dreamed up and enforced by people like him. Those people are born to rule: they emerged from a lucky orifice, in possession of lucky genes. How can we tell they were born to rule? Because they're ruling. If they weren't born to rule, they wouldn't be in a position to rule. As ever, a syllogism solves all our ideological and existential problems.

Thiel lives in what Naomi Klein would call "the mirror world." While counterculturists have long celebrated misfits and communities of nonconformists, they were invested in the idea of a space protected from power, where weirdos could let their freak flags fly:

https://pluralistic.net/2023/09/05/not-that-naomi/#if-the-naomi-be-klein-youre-doing-just-fine

But Thiel's version of this is to celebrate the "nonconformists" whose heterodox belief is that labor, privacy, finance and consumer protection laws shouldn't apply to them. He wants to protect those people so they can wield power. They should form "mafias" (like the "Paypal mafia") not solidaristic affinity groups. As Farrell writes:

Entrepreneurial risk taking can be awesome; weird people are often more likely to be original; densely linked communities have many advantages. Furthermore, I would guess that none of these factors was sufficient on its own to precipitate the madness of princes that we see today. It is perfectly possible that they would have worked together in much more benign ways under different external circumstances. But we are in the world we’re in: one where the boundless appetites and irrationalities of a small number of billionaires seem increasingly incompatible with the need to maintain a stable civil society.

A new would-be aristocracy was always the visible trajectory of these guys. The only people who couldn't see it were the think-tankies they funded to write papers explaining that their paymasters didn't need market discipline to keep them from sinking into folly or attempting to overthrow democracy.

Today, these Renfields clutch their pearls at the "demonization" of the ultra-rich, calling it "billionaire derangement syndrome." But the only "billionaire derangement syndrome" that matters is the syndrome that affects billionaires and convinces them that they are above any discipline or rules.


Hey look at this (permalink)



A shelf of leatherbound history books with a gilt-stamped series title, 'The World's Famous Events.'

Object permanence (permalink)

#25yrsago Gadget-friendly chinos https://web.archive.org/web/20010717133013/http://www.usatoday.com/life/cyber/wireless/2001-07-16-smart-pants.htm

#15yrsago Brazilian bodges: “Gambiologia” https://web.archive.org/web/20110720231142/https://www.we-make-money-not-art.com/archives/2011/07/gambiologia.php

#15yrsago Privacy risks in collaborative filters https://blog.citp.princeton.edu/2011/05/24/you-might-also-privacy-risks-collaborative-filtering/

#15yrsago Tenn. state rep: “I carved my initials in my desk in the House, but I don’t understand why it’s news” https://web.archive.org/web/20110715202451/http://www.knoxnews.com/news/2011/jul/11/state-rep-hurley-admits-carving-initials-house-flo/

#15yrsago Who holds the copyright to a picture taken by a monkey? https://www.techdirt.com/2011/07/13/can-we-subpoena-monkey-why-monkey-self-portraits-are-likely-public-domain/

#15yrsago Organization for Security and Co-operation in Europe slams Internet censorship, copyright disconnection https://web.archive.org/web/20121108080007/https://arstechnica.com/tech-policy/2011/07/yet-another-report-internet-disconnections-a-disproportionate-penalty/

#10yrsago Mississippi’s prison town are in danger of collapse, thanks to tiny reforms in the War on Drugs https://www.huffingtonpost.co.uk/entry/mississippi-jails-revenue_n_57100da1e4b06f35cb6f14e8

#10yrsago Pokemon Go players: you have 30 days from signup to opt out of binding arbitration https://web.archive.org/web/20160715142246/https://consumerist.com/2016/07/14/pokemon-go-strips-users-of-their-legal-rights-heres-how-to-opt-out/

#10yrsago Trump makes it easy to forget what a dumpster fire all the other GOP nomination hopefuls were https://www.lrb.co.uk/the-paper/v38/n15/eliot-weinberger/they-could-have-picked

#5yrsago Interop and the Public Interest Internet https://pluralistic.net/2021/07/16/pidgin/#splicers

#1yrago Ellen Ullman's "Close to the Machine" https://pluralistic.net/2025/07/16/beautiful-code/#hackers-disease


Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.



A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)



A grid of my books with Will Stahle covers..

Latest books (permalink)



A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • "The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027
  • "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, April 20, 2027

  • "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2027

  • "The Memex Method," Farrar, Straus, Giroux, 2027



Colophon (permalink)

Today's top sources:

Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. Fourth draft completed. Submitted to editor.

  • A Little Brother short story about DIY insulin PLANNING

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.


How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Bluesky (no ads, possible tracking and data-collection):

https://bsky.app/profile/doctorow.pluralistic.net

Medium (no ads, paywalled):

https://doctorow.medium.com/

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

19:07

libtool-2.6.2 released [stable] [Planet GNU]

Libtoolers!

The Libtool Team is pleased to announce the release of libtool 2.6.2.

GNU Libtool hides the complexity of using shared libraries behind a
consistent, portable interface. GNU Libtool ships with GNU libltdl, which
hides the complexity of loading dynamic runtime libraries (modules)
behind a consistent, portable interface.

See the NEWS below for a brief summary.

Thanks to everyone who has contributed!
The following people contributed changes to this release:

libtool 2.6.2 [stable]:
  Ileana Dumitrescu (4)

libtool 2.6.1 [beta]:
  Alexandre Janniaux (4)
  Alexey Samsonov (1)
  Anthony Mallet (1)
  Arnold (1)
  Dima Pasechnik (1)
  Frederic Berat (1)
  Ileana Dumitrescu (15)
  KO Myung-Hun (4)
  Kirill Makurin (1)
  Mintsuki (1)
  Nicolas Boulenguez (1)
  Olly Betts (1)
  Patrice Dumas (1)
  Richard J. Mathar (1)

libtool 2.6.0 [alpha]:
  Anthony Mallet (1)
  Bruno Haible (2)
  Christian Feld (1)
  Collin Funk (1)
  Elizabeth Figura (1)
  Evgeny Grin (1)
  Frédéric Bérat (1)
  Gleb Popov (1)
  Ileana Dumitrescu (47)
  Julien ÉLIE (1)
  Karl Berry (1)
  Kirill Makurin (1)
  Manoj Gupta (1)
  Martin Storsjö (1)
  Michael Haubenwallner (2)
  Mintsuki (1)
  Mitch (1)
  Pierre Ossman (2)
  Takashi Yano (1)


Ileana
 [on behalf of the libtool maintainers]
==================================================================

Here is the GNU libtool home page:
    https://gnu. ... g/s/libtool/

Here are the compressed sources:
  https://ftpmirror ... tool-2.6.2.tar.gz   (2.1MB)
  https://ftpmirror ... tool-2.6.2.tar.xz   (1.1MB)

Here are the GPG detached signatures:
  https://ftpmirror ... -2.6.2.tar.gz.sig
  https://ftpmirror ... -2.6.2.tar.xz.sig

Use a mirror for higher download bandwidth:
  https://www.gnu.o ... rg/order/ftp.html

Here are the SHA256 and SHA3-256 checksums:

  File: libtool-2.6.2.tar.gz
  SHA256 sum:   24adb3aa9ae035c70faba344af57d73215eb89281045af6c7ccd307751f8b0bf
  SHA3-256 sum: b0e77c0dc9a082830c95d182da77747d1f5435a06132feefd5054bfde2c9da81

  File: libtool-2.6.2.tar.xz
  SHA256 sum:   2ef1067c16c97db930fd740cc9bc3d3ba9a583804ae5ac42cc3e8719e49e191e
  SHA3-256 sum: c24b9995af8391a310a258dcb98897f92d86f47acca235f3d2859ca0ed1d9dd0

Verify the SHA256 checksum with either sha256sum, sha256, or
'shasum -a 256'.

Verify the SHA3-256 checksum with 'cksum -a sha3 -l 256 --base64'
from coreutils-9.8.

Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact.  First, be sure to download both the .sig file
and the corresponding tarball.  Then, run a command like this:

  gpg --verify libtool-2.6.2.tar.gz.sig

The signature should match the fingerprint of the following key:

  pub   rsa4096 2021-09-23 [SC]
        FA26 CA78 4BE1 8892 7F22  B99F 6570 EA01 146F 7354
  uid   Ileana Dumitrescu <ileanadumitrescu95@gmail.com>
  uid   Ileana Dumitrescu <ileanadumi95@protonmail.com>

If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to retrieve
or refresh it, and then rerun the 'gpg --verify' command.

  gpg --locate-external-key ileanadumitrescu95@gmail.com

  gpg --recv-keys 6570EA01146F7354

  wget -q -O- 'https://savannah. ... ol&download=1' | gpg --import -

As a last resort to find the key, you can try the official GNU
keyring:

  wget -q https://ftp.gnu.o ... u/gnu-keyring.gpg
  gpg --keyring gnu-keyring.gpg --verify libtool-2.6.2.tar.gz.sig

This release is based on the libtool git repository, available as

  git clone https://https.git ... g/git/libtool.git

with commit 309bb53a8adfb22c6e5869cc8da049bf123e5438 tagged as v2.6.2.

For a summary of changes and contributors, see:

  https://gitweb.gi ... shortlog;h=v2.6.2

or run this command from a git-cloned libtool directory:

  git shortlog v2.6.1..v2.6.2

This release was bootstrapped with the following tools:
  Autoconf 2.73
  Automake 1.18.1
  Gnulib 2026-07-03 491f1bb7d3049f3ab7825f3ee665c209658e9965

NEWS

  • Noteworthy changes in release 2.6.2 (2026-07-16) [stable]


  Please see beta release 2.6.1 and alpha release 2.6.0 for a list of
  release changes.


  • Noteworthy changes in release 2.6.1 (2026-06-04) [beta]


** New features:

  - Pass 'resource-dir=*' flag for Clang.

  - Recognise explicit shared library arguments when linking dependency
    libraries to a shared library, like exists when linking a program.

  - Support OpenMP with macOS clang by processing '-Xpreprocessor
    -fopenmp' as one token.

** Bug fixes:

  - Store cygpath file path conversions correctly for MSYS2 and MSVC.

  - Fix syntax error in LT_PROG_OBJC and LT_PROG_OBJCXX.

  - Separate Objective C and C++ cache check for proper tagging support.

  - Fix in darwin to support values with spaces.

  - Limit the length of DLL name to 8.3 correctly to avoid corrupting a
    generated DLL on OS/2.

  - Remove unused variable on OS/2, which could cause issues with static
    library generation if defined.

  - Recognise more static linking options for Clang.

  - Fix emscripten CXX postdeps using non-PIC sysroot.

  - Avoid deprecated option '-o' with MSVC compilers and replace with '-Fe'.

  - Avoid overlinking of dependency libraries on ELF systems.

  - Ensure old libraries are not archived.

** Changes in supported systems or compilers:

  - Add support for SlimCC compiler.

  - Add support for *-ironclad-gnu.


  • Noteworthy changes in release 2.6.0 (2025-09-18) [alpha]


** New features:

  - Add a new tool, libtool-next-version, to guide users through updating
    library versions.

  - Add tagging for Objective-C and Objective-C++, OBJC and OBJCXX.

  - Increase 5 digit limit on revision value for libraries to 19 digits,
    which is referencing Unix epoch time in nanoseconds.

  - Add configuration options to choose whether to use '-nostdlib' to let
    the compiler frontend decide what standard libraries to link when
    building C++ shared libraries and modules, --enable-cxx-stdlib and
    --disable-cxx-stdlib.

  - Allow statically linking GCC and Clang compiler support libraries
    into shared libraries.

  - Add linking clang_rt static archives compiler internal libraries by
    their absolute path.

  - Set 'mklink' as the symlinking tool for MSVC.

  - Pass '--target' architecture flag for Clang.

  - Support MSYS and MSYS2 file path conversions.

** Bug fixes:

  - Fix wrongly deduplicated compiler dependencies on linux.

  - Fix NetBSD postdeps for shared libraries.

  - Fix statically linking dependencies into shared C++ libraries when
    utilizing clang builtins or g++ options like, -static-libstdc++, by
    using a new configuration option, --enable-cxx-stdlib.

  - Ensure *-linux-mlibc host matches to mlibc userland rather than
    matching to GNU/Linux and similar userlands.

  - Fix hang with cmd.exe in MSYS.

  - For MSVC, fix mishandling compiler flags, symlinking, cl.exe '.exp'
    extension collision, symbol names, and numerous testsuite bugs.

  - Fix undeclared reference to access on Windows in libltdl.

  - Fix flang -Wl flags on FreeBSD.

  - Fix reordering '--as-needed' flag.

  - Fix libltdl early failures for multi-arch.

** Changes in supported systems or compilers:

  - Support additional Intel OneAPI compilers, 'icx', 'icpx', and 'ifx'.

  - Support ML64 (Microsoft Macro Assembler).

Enjoy!

18:28

Link [Scripting News]

I needed a nice image for the OG Metadata, so I turned to Gemini. I know it reeks of AI, I hate that, but I need this right now.

Generative AI in the Real World: Agentic Coding with Chelsea Troy [Radar]

The tech industry is measuring AI productivity all wrong, and Mozilla MLOps engineer and University of Chicago instructor Chelsea Troy makes a strong case for why. The real opportunity, she argues, isn’t shipping more code faster but finally having the bandwidth to run the experiments, tests, and simulations that engineering teams have always wanted to run but never had time for. Chelsea joined Ben to cover the state of entry-level hiring, why the software engineering interview has been broken for decades, what it means to teach Python in 2026, and why token efficiency should replace token consumption as the industry’s dominant productivity metric.

About the Generative AI in the Real World podcast: In 2023, ChatGPT put AI on everyone’s agenda. In 2026, the challenge will be turning those agendas into reality. In Generative AI in the Real World, Ben Lorica interviews leaders who are building with AI. Learn from their experience to help put AI to work in your enterprise.

Check out other episodes of this podcast on the O’Reilly learning platform or follow us on YouTube, Spotify, Apple, or wherever you get your podcasts.

Transcript

This transcript was created with the help of AI and has been lightly edited for clarity.

00.31
Ben Lorica: All right. So today we have Chelsea Troy. She’s part of the machine learning operations team at Mozilla. And she’s also developing a bunch of courses for O’Reilly around agentic coding skills. Chelsea, welcome to the podcast.

00.47
Chelsea Troy: Thank you for having me.

00.49
All right. So two things that pop out there: agentic coding and skills. So first of all, agentic coding. Chelsea, so you personally, to what extent are you using any of these agentic coding tools.

01.06
Sure. So I think that. . . I have sort of a number of different jobs that I do. I work, as you mentioned, as a machine learning operations engineer at Mozilla, where I help machine learning engineering teams get their work to production. And then I also teach at the University of Chicago, and I teach a machine learning class within the set of courses that I teach, in addition to some of the stuff at O’Reilly.

So in all three of those areas, I find myself needing some expertise in agentic coding, not, like even in addition to specifically whatever I might be doing with it, because a lot of my colleagues or my students are using it, and it’s important for me to understand how it works, because I need to be able to advise on that, and I need to be able to assist with that.

01.55
So right now, for example, at Mozilla, we are exploring the extent to which agentic coding suits our values, to which, the extent to which agentic coding suits our, like, workflow, the kinds of things that we are trying to do, particularly internally. But, actually the places where I’ve seen it most in the places in which I have found myself needing to develop the most nuanced takes on agentic coding come from the work that I’m doing with my students, because I have these students, the graduate students in computer science, and they are trying to figure out how to navigate early career software engineer type of roles.

How are they going to apply to them? How are they going to be evaluated for them? How are they going to succeed at them? How are they going to be promoted out of those roles? And I think that they have a lot of questions about those things that are coming to me. They want to know the answers to these questions, and these are not questions that I naturally have experience to answer, because at this point, I’ve been a software engineer for the better part of two decades.

The last time that I applied for a role was many years ago. The last time that I applied for an entry level role, things were so drastically different than what these students are experiencing now. And so I find myself doing a lot of my research, a lot of my implementation, a lot of my experimentation towards this end of understanding how this is going to work for them, how can students expect to learn now? What are students going to be expected to know? What our entry level engineer is going to be expected to know? What are companies expecting of entry level engineers now, and what is it going to mean for them to have people advance in skills as these tools are available and with the expectation that these tools are going to be available for students. So, a lot of what I do is around figuring out how to answer those questions right now.

03.57
All right. I have lots of questions before, but before I do that, a quick shout out to the University of Chicago, where I have friends on the faculty, Mike Franklin and Bob Grossman in particular. All right. So I assume, Chelsea, that, the difference between the people graduating this year, 2026, and the people who graduated last year, 2025, as far as interesting expectations around agentic coding tools, there’s a big difference, right?

04.30
I think so, and I think that part of that is that over the past year, we’ve seen a great deal of development in these products specifically for programming uses. And I would say that my specialization within the use of these tools is pretty much exclusively their use on programming and then data visualization projects. I would say that outside of that, my expertise peters off very quickly, but I’ve spent a lot of time on the intersection of these tools and learning on these tools and completing the tasks that people are expected to complete inside of a workplace, and what that means inside of the more holistic view of what needs to get done on a team.

But I would say that in 2025, students still. . .and this is a verification and sort of their cycle of work is still very important for them to maintain a very firm handle on. But in terms of the results that they’re able to get from using an agentic tool, for example, on completion of a project they might be doing for their academic degree, they’re having a lot more success now than they were a year ago, which raises, interesting questions about what they need to be doing by hand, whether we can verify that they’re doing it by hand. But I think also more broadly and perhaps more importantly, like what do they need to be keeping in mind while using these tools? What are the values for them to take forward as they’re using these tools? And what skills are important for them to make sure that they’re developing? And to what extent can we support them in building those skills and verify that they’re building those skills?

06.02
So I am assuming the class you taught in 2025 is very different from the class you taught in 2026, which might be also very different from the class you’ll be teaching in 2027.

06.14
It’s possible for sure. And part of that is because some of the classes that I taught this past year, I taught applied data analysis, which is a machine learning and data analysis class, that we’re changing the name of to, I want to say applied statistical learning next year. But this past year was the first time that I taught it.

However, in years prior to that, I had taught intermediate Python several times. This is an accelerated version of the Python programming class, and it’s one that I have taught in the fall for a couple of years running, but I ended up completely redesigning this class the last time that I taught it, and the reason that I ended up completely redesigning it was that the previous curriculum for this class focused heavily on the syntax, what syntax people need to know, what that syntax does in Python, and how to remember what that syntax does, the difference between the different syntaxes. And the thing about programming languages in general, in Python in particular, is that they play very well with these types of agentic coding tools. And part of the reason for that is that the way that a large language model is built is by training on the patterns in text, and the patterns in programming text are remarkably strong relative to the patterns in natural language.

We have a much smaller set of tokens that are used in programming relative to natural language. We don’t really have things like pronouns and referential verbs, or referential nouns inside of programming. If you want to refer to a variable, you refer to the variable by its exact name, with the possible exception of like self or something like that. 

07.51
And so we have much stronger patterns. We have much stronger patterns as to the order in which these tokens are used. And so these tools have a lot of success from a relatively small number of patterns of programming language, but particularly Python, which has an especially small set of tokens and an especially strong pattern as to how it’s built, it can look at a relatively small number of examples and deliver valid outputs and valid output for whatever it is the problem is that you are having and to the extent that you’ve been able to describe that problem precisely, LLMs have a lot of success at generating valid Python, which begets the question, what is it important now for a Python programmer to know if they have these automated solutions available for generating Python? And so when I redesigned the class, I refocused it less on the syntax and more on the why.

Why is Python implemented the way it is? How is the Python implementation different from other programming language implementations? I think an idea that students do not have as much exposure to as I think might be useful is that different programming languages exist for a reason. They have different philosophies as to how an interpreter should work. There are choices to be made. There are trade-offs to be navigated in the design of a programming language, such that different answers exist that result in different programming languages being appropriate for different tasks. This is particularly a revolution for students who have done most or all of their programming in Python without being told necessarily why that is. And of course, part of the reason that that is, is that Python is a relatively useful. . . It generalizes fairly well to the type of problems that we’re teaching students to solve.

And it also has, because of a relatively small number of tokens, a relatively friendly learning curve for students. And so now the class focuses on why Python for which tasks, what were the trade-offs that people navigated and why. 

09.52
The other thing that the class now focuses on is what we can learn from Python about the growth and maintenance of a code base. Because there are relatively few code bases in the world that match Python’s degree of complexity and the number of users that Python has, but also the amount of openness with which it has been developed. There are reams of documentation on every code change. There is publicly available discussion on all of the code changes that have been made to the Python interpreter, as well as detailed documentation on the alternatives that were considered and passed up in favor of the way that Python works now.

And so all of that documentation makes Python a really useful case study for how you might work on such a massively impactful programming project yourself in the future, whether or not it’s in Python, because Python provides us with sort of like, a gold standard for how a complex project with a large user base might be maintained over time.

10.51
So in your work at Mozilla, I’m assuming you interview a wide-range of potential engineers, from the entry level to the more senior. So what kinds of tips are you giving your students in terms of. . . What is the change in the interview process in light of the agenda and coding tools? Because before they would give you all these little coding assignments, right?

For example, I work with startups where they even encourage some of the candidates to spend a day or two days at the company. And here, here, maybe you can try out this little project and then at the end of the day, well, we can discuss it. So what is the change, Chelsea, in terms of the interview process?

11.48
Yeah. So it’s an interesting question because I think that interview processes in programming have in some ways codified a difference between how we evaluate developers and how developers provide value to an organization for a pretty long time. Hillel Wayne has this really excellent series about the history of software engineering interviews, and the fact that many of our most common interview questions—and this is before the advent of agentic coding—many of our most common interview questions or interview questions we inherited over time from a period in which programmers had to do a lot more from scratch.

So, for example, we would ask interview candidates to implement a linked list from scratch. And if you were to ask a programmer in 2005 why we ask them to implement a linked list from scratch, the reason that we would give is that we want to evaluate their critical thinking capability and their architectural design capability and all of these things.

But that’s actually a retcon answer as to why we would ask that interview question. The reason we ask that interview question is that we inherited it over time, from an interview process that happened decades ago. And in that interview process, the reason that we asked developers to draw up a linked list from scratch is that, in fact, we did not have high-level programming languages that provided you with a linked list. And so in order to be able to do your work, you needed to be able to make a linked list. We got that question not because it’s some sort of theoretical critical thinking question but because at the time that it was developed, it was a very pragmatic question that related directly to the job that people were supposed to be doing.

13.37
And as programming languages developed, that question was no longer really pragmatic in the sense that it wasn’t a thing that developers were going to need to be able to do on the job anymore. But because we had lost touch with the reason that we asked that question, because we had lost touch with the developers of that question, because the programming industry had changed so much in the intervening period, and also because of a sort of a selection bias associated with who evaluates interview questions—anybody who’s in a position to evaluate an interview question is a person who passed that interview question because they work here—the question never changed. The why got lost. So we came up with this new why that didn’t quite fit the question.

And I think that for a long time we operated without the why. As to our interview processes in programming, famously there was this book, of course, Cracking the Coding Interview, which was theoretically about how to do how to succeed at coding interviews as a candidate, and after Cracking the Coding Interview came out, many companies started using Cracking the Coding Interview as a model of what they imagined Google did in the interview process, which therefore meant that was what they should do in the interview process, because Google was such an exciting place to work.

And so this book had these follow-on effects. I think that, to be honest, a lot of the programming industry has been kind of thrashing around on how to conduct an interview appropriately for a pretty long time. And I think that that continues as the tools that are available to our engineers evolve, while our interview process continues to be kind of this sort of decentralized thrashing as to what it is that we need to do.

15.21
And so I think the question of how the interview process is evolving, it ends up being highly variable from company to company. I think that some companies are changing relatively quickly. Some companies are changing more slowly. Some companies are embracing the use of AI in the completion of interview questions, and some companies are asking that they are able to continue to evaluate based skills and looking for ways to attempt to evaluate based skills, which of course means verifying that folks are not using this tool in the interview, if that’s the thing that they want to do.

And so from company to company, I find that it’s different, which makes it challenging to instruct students on how to address this. But I find myself thinking about this question from two angles. One of them is as a designer of interviews, I’ve designed some of the programming interviews that Mozilla uses for my team, and the other is as an advisor of students who might be taking these interviews.

Those angles are a little bit different because, on my team, currently the lowest position for which I have designed an interview has been what we call IC3. This is a senior software engineer. So I’ve designed for senior, I’ve designed for staff, and then I’ve designed for senior staff as well. So those are IC3, 4, or 5.

And in those roles, it is already supposed to be important that developers are able to evaluate trade-offs at the strategic architectural level for a codebase. And so in those interviews—we do them live; we don’t do a take home—I am working with developers to understand how they are going to navigate trade-offs in the design of a system, and we may ask them to write a line of code here or there.

We may ask them to write a function, but are largely asking them to walk us through their process. And it’s not the lines of code that are important. I have not found this interview style to need to change very much from the past, because it is so much a part of a conversation, and I think that that is still valuable and relevant to the work that we end up using.

17.22
A long, long time ago, when I was a junior engineer, I interviewed at Pivotal Labs and Pivotal Labs’ interview at the time was, I don’t know if this is still true, but at the time it was relatively famous for being the same entry-level tech, or rather the same sort of tech interview as you were entering the company for everyone. It was called the RPI, which stood for Rob’s programming interview, referring to Rob Mee, who was one of the founders of the company. And what it was was it was asking you to build. . . You could find it all over the internet. Technically, we’re not supposed to talk about what was in the interview, but if you want to go look, you can find it on the internet.

But we were asked to build a specific thing. We were asked to do it in Java. However, we were not the interview candidates writing the code. The interviewer was responsible for typing in the code and the interviewee was responsible for communicating the idea of what needed to happen sufficiently precisely, that the interviewer would then be able to implement that towards the goal that we had. And I think about that interview a lot, because I’m not going to say that interview was ahead of its time. I don’t think it was predicting that something like a. . .

18.40
Prompt engineering.

18.42
Right, but it was indeed this. Programming language aside, a part of the reason that the interviewer was the one typing the code was that we wanted to be able to interview folks coming from any language, but we were going to do the interview in Java because at Pivotal, the thing that you did was that you were working as a consultant on different projects.

It was theoretically possible for you to get staffed on a project in a language you didn’t know, and you were expected to be consulting level on it within three weeks, which meant you need to be able to learn programming languages fast, but the expertise that we’re selling people is precisely this thing your judgment: your ability to articulate what needs to happen in a system regardless of the programming language.

19.21
And I do think that that skill set remains the one that is the most important, both for companies to interview on and for interview candidates to be able to produce. You know, some companies still do this thing where they’ll put you on a video call and they’ll ask you to write down Dijkstra’s in 40 minutes. And theoretically it is a critical thinking challenge.

And where I land on this is that ultimately, that interview is a validation that you have already been taught Dijkstra’s algorithm because Dijkstra did not come up with Dijkstra’s in 40 minutes. So this is not some general critical thinking thing; it’s a memorization question effectively. For a memorization question, I don’t know that I have an opinion on like whether or not you should actually validate that people memorized it versus determined that they’re not, I don’t know, using an LLM to pretend that they memorized it or whatever, because I don’t think that this type of tech screen, asterisk is particularly useful.

20.24
Anyway, I think a much more useful tech screen is one that evaluates people’s decision-making. And I think that to the extent that LLMs have forced the interview process to move towards actually evaluating decision-making, that might be a good thing for tech interviewing overall. And I think it could be a good thing for junior developers as well, because it focuses—to the extent that junior developers are able to pick up on that—entry level developers are then developing that skill set that’s much closer to what’s actually important on the job than whether you’ve memorized Dijkstra’s, which you’re never going to have to code from scratch yourself.

21.04
Have you noticed, Chelsea, among your students who are on the job market. . . So this year in the job market, compared to on the job market last year, has it been more challenging to get this first or this entry level or first job for these students year to year?

21.29
I think that it is really challenging right now. I don’t envy students who are trying to go into industry at the moment. And I think that actually is. . . LLMs play a part in that. I think the biggest parts that LLMs play in that is that companies are experiencing a lot of turmoil figuring out, first of all, how to evaluate entry-level candidates.

And also, there’s all this consternation about whether companies need entry-level candidates. There’s this idea that, maybe if we just have senior engineers, they can delegate to agentic coding tools, and then we don’t need to hire entry level engineers. I think companies are going to be able to kind of try that for a few years. And I think then eventually it’s going to become clear that continuing to invest in talent for the industry is going to be an important thing for companies to do, regardless of the tools that are or are not available.

But I think we are still currently in this few-year phase where companies are experimenting with whether we can eliminate this entire class of employees. I think ultimately the conclusion is going to be we cannot. But because we are in that period, I think that currently there’s a lot of anxiety among students about whether there’s going to be availability of roles.

22.57
And also it has been the case for a long time that students feel like they have a hard time getting that first role. I remember 15 years ago being very, very concerned about like, oh, once I get blah level of experience, I know I’m going to have my pick of jobs, but until I get that much experience is going to be really challenging and I needed to go the extra mile a fair amount back then as well. . .and, you know, build relationships with hiring managers, build relationships with other engineers, understand what it was going to be like at various organizations.

I think a lot of students try cold-emailing like 100 companies or sending their résumé to 100 separate companies, and that doesn’t work. And then they feel like things are very hard and they are—things are really hard right now. But I would say that a lot of the challenges associated with getting hired now are similar in shape to challenges of getting hired from before that, you know, [are] much more intense right now.

24.00
Yeah. Yeah. The other thing that it seems like, Chelsea, companies are doing. . . So there’s the notion of “Maybe we should slow down hiring entry-level.” That’s one of the mistakes they’re making. The other thing that seems to be fashionable these days is, “Hey, actually, we should have all these managers code again, right?” Because basically now that there’s these coding tools, we don’t need these managers.

24.29
I think there’s. . .

24.30
Am I just imagining this? Because I’ve had these conversations with a bunch of people. It seems like it’s a real thing.

24.39
You know, it may be the case. I don’t think I’ve had as many conversations with folks in environments where managers were compelled to code. I do know that in my own personal experience, I’ve talked to a number of managers who are very excited about the way that agentic coding tools now give them the ability to write code with. . . A lot of times, it’s like a bandwidth issue. They have limited time; they have other responsibilities. Or sometimes it’s this like, “Well, I became a manager six years ago, and because the pace of technology moves very fast, that means that my skills are now obsolete. And so I no longer have the ability to actually keep my hand on the wheel as to what we’re doing. But now with agentic tools, I don’t necessarily need that same level of update, because I still have the ability to precisely communicate my requirements,” is the idea, “and if I can precisely communicate my requirements then agentic tools can do it for me.” I think a lot is still up in the air as to how useful this is going to be.

25.35
I know that a number of larger companies that pivoted towards attempting to siphon more work into LLM tools are now backing out and looking at taking a more holistic view as to how that’s going to work. So from a larger industry perspective, I think I still have a lot of questions about where that’s going to go. Is it going to be successful? Are people going to like it? What’s going to be the impact on the products themselves?

But I think that in my kind of personal sphere, I’ve talked to a number of managers who have been really excited about the possibilities that these tools provide for giving them the entree back into some level of individual contribution.

26.22
And I think that there is a lot of value for us to derive from that excitement in terms of understanding, like what managers missed about individual contribution previously and what we can learn about role development from that. I think that it’s been the case in the tech industry for a long time that we kind of make fun of the fact that you write code, you’re a good technologist, you do your things, you create value.

And to the extent that you are successful at it, you get rewarded with a promotion to a job that uses none of the skills that you just developed, and a whole bunch of skills that you now don’t have with, depending on the employer, widely differing levels of support on developing the completely new skill set that you’re now going to need as a manager.

And I wonder whether there is light to be shed by the advent of these tools. On and on and on, the possibilities for alternatives to that strategy where somebody coming from individual contribution has the ability to continue an individual contribution while also helping to grow teams. 

27.38
There is a developer who back in the Twitter days I used to follow, his name is Marco Rogers. His handle was Polotek, and he would talk about career development as a person who, if I recall correctly, started as an IC, became a manager, and then crafted a career path for himself in which he bounced back and forth between individual contribution and leadership roles and found that that worked really well for him, or posited that that could work really well, particularly juxtaposed against the sort of traditional career path that we talk about where if you become a good-enough developer, then you become a manager, and now you’re exclusively in the managerial track, despite the fact that your interest, your skill, and in a lot of cases for many of these people, your passion lay in the building of things. And now there is an argument to be made that you’re still building things, but you’re building as a team, you’re building a community, all of these things. 

But if we take that sort of like metaphor out of it for a moment, a lot of times these folks in leadership deeply miss this piece of the craft that they’ve lost access to. And this tool creates sort of a detour that allows them to express that interest in the craft again, which I think gives us license to examine whether they should have been separated from the craft in the first place, whether that was the appropriate way to develop the standard career path in software engineering.

29.02
I like that. I like that bouncing back and forth because I think that I’ve actually had a lot of friends who’ve done that as well. And if anything, I think the misunderstanding of these agentic coding tools probably is much more in the senior leadership role rather than the middle management role.

I’ve actually just tried to compile a bunch of studies. Because, on the one hand, you have these developer surveys, and obviously developers always have a tendency of overestimating things. And then there’s the actual telemetry. It turns out there’s this kind of an attenuation. So this intensity funnel where, you know, developers might be writing a lot of code now with these tools, but the number of software shipped actually hasn’t grown as much.

And then if you go all the way down to the end to the app stores—so Apple App Store, Google Play, and all these places—the actual number of. . . This usage of software hasn’t actually moved the needle. The tools haven’t moved the needle as much, just as much as the fact that, let’s say, a single developer might be writing 3x more code, right? But if you follow the trail all the way down, it hasn’t actually moved the needle.

And I think part of it is, we all probably feel productive in the sense that if it’s a one-off thing, yes, these tools can make me super productive. I’m never going to use this code again. I’m just going to use one of these tools. But if something gets more serious, then it turns out that it doesn’t move the needle as much because people obviously still have to follow all the rigorous processes. I don’t know what you think.

30.53
Yeah, I think that with regard to the way that these tools are used at the organizational level and the outcomes that we’re seeing, if I were to offer a half-baked, perhaps cancellable take on the situation, I’m a little trepidatious and saddened that a lot of the zeitgeist around the way to use these tools for productivity, theoretically, productivity gains is this idea that what we need is for developers. . . Like the proof of productivity is going to be the developers are closing more tickets; developers are shipping more code; developers are getting through things faster. I think that that focus demonstrates, possibly, a lack of vision as to what these tools could provide for us, because I’ve now been on the ground as an engineer for a while.

31.50
And the biggest problems that we run into are there are many. And of course, there’s always been that there’s not enough hours in the day. We can’t hire enough developers. But truly, that’s usually not actually the main problem that teams have had, in my experience over the last many years. Instead, the things that come up the most often are “We were evaluating trade-offs, and we selected this implementation because we only have the bandwidth for one, and we think this one is going to be the right choice. And we don’t have the opportunity to implement all of the others and experiment. And then based on real experiments, use the implementation that is working the best. So we take a guess or there will be like, you know, we would have liked to do comprehensive testing on that, but we just didn’t have the bandwidth to do the comprehensive testing on that. And so we’re making a guess.”

There’s a lot of developer estimates being baked into the systems that we’ve built because we don’t have the bandwidth to actually run all of the experiments that we might like to run. We don’t have the ability to include all of the rigor that we might like to include. And as you referenced earlier, developer estimates have the level of accuracy that they have, which is, you know, known largely in industry to be not perfect, right?

33.21
I am much less interested in what it means for a developer to ship three times as much code. I’m much less interested in that than I am in what it would mean for a developer to be able to use three times as much code to arrive at the ultimate solution, which might be approximately the same volume as the solution would have been before, or ideally, perhaps even lower volume than the solution before.

Because instead of needing to hedge against all of these possibilities and make an estimate and maybe even, maybe even overengineer preemptively based on all of these different possibilities, we have the ability to instead actually run the simulations, actually try the alternatives against each other, actually run tests, and arrive at this theoretical better solution. That we always knew we were making a guess at, that we felt forced to make a guess at because of our bandwidth limitations.

34.24
I run into this in data visualization as well. You know, we have all of these tools that have been available for a long time to theoretically help us visualize data and create dashboards, because executives want dashboards, and developers don’t have the ability to make custom dashboards all the time. So we have Looker for this, and we have Redash for this, and we have all of these various dashboarding tools that are available.

But the thing about those tools is that they have a limited number of things they can give you. They can give you a bar chart; they give you a pie chart; they give you these various other things. And you compare this to books written by folks who are professionally like artistic data visualizers, right? And they have all of these other options available.

And when we talk about the availability of AI and automation for the purpose of automating dashboards, what we talk about is making more and more customized dashboards with the same bar charts and pie charts and stuff that we’ve been writing before. And the the way that the zeitgeist focus is on the increase in volume that AI makes available I think disappoints me because the availability of this tool removes all of these bandwidth limitations that previously prevented us from being able to doggedly pursue the best quality of the thing that it is that we’re trying to ship. I think our focus on volume as a stand-in for productivity hamstrings us in our ability to actually improve our engineering product with these tools.

35.59
Yeah. I like what you said there. So it seems like then, Chelsea, companies that put themselves in a position where they can actually run these experiments and track the results. . . In other words, I don’t know what the equivalent of an experiment platform. . . You have a staging platform of some kind where you can test out all these ideas. It seems like that’s the right investment to make, right?

So in terms of a company wanting to be able to really leverage these tools, it’s being able to try out all the things that you wish you could try, applying the same rigor you used to apply to only one try. You can now try the equivalent of almost hyperparameter tuning in machine learning.
So now if you put yourself in the position where you have this platform where you can try all sorts of ideas, maybe that’s the right investment.

37.05
I think so. I think that there is a lot of opportunity in having the ability to do these things. The thing that I’ve been experimenting the most with lately is data visualization. And I do this for a number of reasons. I work on data visualization, of course, in my day job, because we talk about how to provide dashboards to machine learning engineers to help them understand how their models are performing.

And we also talk a fair amount within the data science team, as you can imagine, on how to present analytics in ways that allow leaders to make business decisions based on the data that we have. So there’s that aspect of it, but there’s also this element of it associated with teaching students. And, you know, I talk to them about a lot of relatively complex concepts, how different models train and things like that. And a lot of times the way that we represent those concepts is with writing or formulae. And one of the things that I’ve been working on is how to represent these concepts for them graphically in a way that helps them understand. And the majority of my experience as a software engineer has been chiefly in backend engineering and a little bit of mobile engineering, but I have not done an enormous amount of frontend engineering.

I certainly have not done enough frontend engineering to have the kind of HTML and CSS skills that it would require for me to hand-code in an afternoon a tree ring diagram that represents the evolution of data science concepts over time, or something like that. That’s a thing that if I wanted to do it, I could do it.

38.40
But like I need to devote a fair amount of my summer to figuring out how I’m going to go about doing that. Meanwhile, HTML and CSS are both text-based mediums for generating images, which means that it is possible to use a large language model to develop at least a baseline on that. And then once I have that, figure out how to tune it using what HTML and CSS are both legible, at least legible to me, in a way that SVGs are not as much.

And so I’ve been largely using HTML and CSS for this. But what they do is there, or what the what the tool has done for me, is it is opened up this possibility for finding ways to represent information in ways that inspire my students and lead them to ask questions, as opposed to intimidating my students and leading them to retreat further back into the tools, because they are afraid that they are not going to be able to implement what they need to implement without them. Rather than pushing them in that direction, I’m trying to pull them forward into a curiosity about the internal mechanisms that I am attempting to explain to them, and I find these tools to be useful to me in providing a layer of text-to-image translation that gives me the ability, to the extent that I’m able, to precisely describe what it is that I want, to build those visualizations.

Which is not to say that it’s a quick process. It’s not a quick process at all. There’s a lot of tweaking, figuring out how the data should be organized, understanding why the data is organized, how it is recognizing all of these discrepancies that then pop up the minute you do this, that aren’t widely understood because we haven’t done this a whole bunch before. But there has been a very real increase in my ability to experiment with visualizations for teaching, because the text to visualization pipeline is streamlined for me by these tools.

40.43
All right. So in closing, I’ll have you predict, which I’m sure is going to be difficult to do given that these things change every week. So in one year’s time and in two years’ time, how does the day of a typical developer or software engineer change?

41.03
Oh, that’s an excellent question. But I think. . .

41.08
One year first and then be more speculative in the two years.

41.12
Sure. As I think about answering this question, I’m thinking back to how the experiences of engineers have changed over the period of other major technical advancements in our field. I think certainly if I were to predict over the next year, I think that engineers’ dependence on these tools will increase.

I think we saw the same thing with the advent of the search engine. Developers existed before the search engine; developers existed after the search engine. The search engine did not take away developers’ jobs by any stretch of the imagination. However, I worked at companies in 2015, where if the internet went down, we all went and played ping-pong because it was generally accepted that if we couldn’t Google stuff, we couldn’t do our jobs.

Nobody would have thought to go play ping-pong if the internet went down in 1985, because largely programmers did not have general access to the internet in 1985. And so I think that dependence on these tools will increase. We’re already seeing folks when the tools go down so they can’t get their jobs done, etc., etc. I think that kind of thing will become. . .

42.20
Or if they’re on the flight and the Wi-Fi is spotty.

42.23
Well, right. There’s this sort of like, yeah, I think that there will be adjudication around the dependence on these tools that is acceptable for developers to have and also acceptable for developers to communicate at the two-year mark. . .

42.40
You know what I will tell you at the two-year mark, here’s what I think/hope will happen—giant error bars around us. Right now, we’re using as a metric tokens consumed for developers. And I think that number of tokens consumed and leaderboards on number of tokens consumed are going to become less attractive for developers to top as subsidies within sort of the LLM industry start to end, and it becomes way more expensive to use tokens.

I am hopeful, in fact, that our focus pivots hard from token usage as a metric for productivity to token efficiency as a metric for skill at using these tools. I am hopeful that that will happen. I am also hopeful that at the two-year mark, we’re well on our way to seeing folks focus on using these tools in some of the ways that you and I have talked about earlier in this conversation, not just as a way to get through tickets faster but as a way to arrive at each ticket and an end that is much more rigorously researched and constructed.

Because the things that we used to just guess at because we didn’t have time to code them ourselves are now things we no longer have to guess at because we don’t have to code them ourselves. And so we develop and start to normalize a practice of actually having tried a few things and arrived at a best solution based on outcomes based on data, rather than making a guess. And then including that in our report as to why we arrived at the conclusion we did, and why the pull request we’ve submitted is the one that it is.

44.27
And with that, thank you, Chelsea.

17:42

Link [Scripting News]

I asked Gemini if it was familiar with rss.chat, it wrote a one page description, better than anything I've written. Pulls it all together.

Link [Scripting News]

Claude is a member of the rss.chat group.

15:56

Protecting Privacy in an AI Era [Schneier on Security]

Daniel Solove argues in the Wall Street Journal (alternate link) that giving people control of their personal data is not an effective way to regulate privacy in this era. Instead, we need to hold companies accountable for their actions, similar to what we do with food and drug companies. Measures such as rigorous data minimization, fiduciary duties, liability for negligent or reckless technological design, liability for algorithms that cause harm, and multi-stakeholder review of technologies will be far more effective.

Paper.

15:28

A feed icon on every post [Scripting News]

Now it's easy to find an author's feed on rss.chat.

Click the feed icon to see the feed on rss.chat. You can then give this URL to any feed reader.

Now each post is visibly connected to the author's feed.

This is how we're building out. Our job is to make it easy to write feeds for groups of users as small as one and as big as you can imagine. And be open about it so we get lots of competition that interops with us and everything we interop with. This is the step that makes it the web.

We will keep beating the drum, showing users of today's readers how they can hook in, right now, nothing to wait for. And as time goes by, if it works, the reader developers will be interested in how they can use the extra features.

This is how I think every social network work, start moving out of their silo, with determination. By offering this option, we put the idea out there that there can be a single social network on the web. We can work together make it happen. The social web of the web. ;-)

Please come along on this journey.

There's going to be lots of new tech coming online.

I want everyone to be a part of it.

Speculating on how the buggy control panel extension truncated a value that it had right in front of it [The Old New Thing]

Last time, we found that a crash in a control panel extension was caused by pointer truncation. The code had a perfectly good 64-bit pointer in its hand, but somehow lost its mind and opted to throw away the top 32 bits.

How could something like this happen?

My guess is that this code started out as perfectly good 32-bit code:

HWND hwndButton = GetDlgItem(hdlg, ID_BUTTON);
SetWindowLong(hwndButton, GWL_WNDPROC, (LONG)g_originalWndProc);

And then they recompiled it as 64-bit code and got an error.

error C2065: 'GWL_WNDPROC': undeclared identifier

They then went back to the documentation and saw that for 64-bit Windows, GWL_WNDPROC was renamed to GWLP_WNDPROC.

So they fixed it by changing GWL_WNDPROC to GWLP_WNDPROC.

HWND hwndButton = GetDlgItem(hdlg, ID_BUTTON);
SetWindowLong(hwndButton, GWL_WNDPROC, (LONG)g_originalWndProc);

However, the point of renaming the value was not to annoy you. The point of renaming the value was to call your attention to places where pointer truncation is likely to occur. In this case, it’s the final parameter, the original 64-bit window procedure. The build break is telling you that you are probably passing a 32-bit value as something that should be 64-bit. In this case, because it was being cast to (LONG). You are expected to upgrade the GWL_WNDPROC to GWLP_WNDPROC and at the same time upgrade the cast from (LONG) to (LONG_PTR).

HWND hwndButton = GetDlgItem(hdlg, ID_BUTTON);
SetWindowLong(hwndButton, GWL_WNDPROC, (LONG_PTR)g_originalWndProc);

Now, this was likely an oversight rather than a systemic failure, because they did manage to subclass the window properly:

WNDPROC g_originalWndProc;

HWND hwndButton = GetDlgItem(hdlg, ID_BUTTON);
g_originalWndProc = (WNDPROC)SetWindowLong(hwndButton, GWLP_WNDPROC,
    (LONG_PTR)subclassWndProc);

They merely missed a spot. Perhaps the developer got distracted after fixing the symbol name and forgot to come back and fix the pointer.

Next time, we’ll look at why this bug has remained unfixed for so long.

The post Speculating on how the buggy control panel extension truncated a value that it had right in front of it appeared first on The Old New Thing.

15:21

[$] Sched-ext: enqueue() for sub-schedulers and proxy-execution support [LWN.net]

The extensible scheduler class (sched_ext) allows the installation of custom CPU schedulers as a set of BPF programs. While sched_ext, in its current form, has already led to a lot of interesting scheduler-development work, the subsystem itself is still undergoing rapid evolution. Among other work, the ability to set up a hierarchy of sub-schedulers is approaching completion, and a longstanding incompatibility with proxy execution is coming to an end.

14:42

Link [Scripting News]

Server upgrade: We made it easier to set up a new instance of the rss.chat server. If you have subscribed to a feed, you should change the URL in your reader app, the new issue explains what changed.

14:35

Security updates for Thursday [LWN.net]

Security updates have been issued by AlmaLinux (cups, git-lfs, kernel, libsolv, libxml2, python3.12, and python3.9), Debian (chromium, dhcpcd5, and ntfs-3g), Fedora (firefox, perl-Imager, python-bcrypt, python-tiktoken, roundcubemail, and xrdp), Mageia (openssl, poppler, python-mistune, and tmux), Oracle (389-ds-base, cups, git-lfs, glibc, host-metering, kernel, libsolv, libxml2, nginx:1.24, PackageKit, python-pillow, and qemu-kvm), Red Hat (buildah, containernetworking-plugins, and skopeo), SUSE (buildah, cosign, curl, distribution, dnsmasq, glib-networking, glibc, gnutls, gstreamer-plugins-bad, ImageMagick, kernel, podman, python-cryptography, python313-django-debug-toolbar, rekor, sccache, sssd, and yelp), and Ubuntu (dotnet8, dotnet10, libslirp, luajit, python-idna, sympa, and tomcat8).

14:07

The Auditor’s Opinion [I, Cringely]

Last week somebody rebuilt a working website using a swarm of cheap AI agents bossed around by a smarter one, and the whole thing cost about eight dollars —  sandwich and a coffee. But the part that lit up my corner of the internet wasn’t the website. It was that the agents caught their own lies.

One of them went out and collected a couple hundred quotes for the site and reported back that every last one was verified, checked, gold. Another agent — a suspicious little thing that had been told to ignore the first one’s homework and redo it from scratch — went and compared each quote against the actual source. More than a dozen were wrong. Invented. Stitched together from real fragments into sentences nobody had ever said. The checker flagged them, sent them back, and they got fixed. No human touched it. Total additional cost: a rounding error.

The reaction was what you’d expect. Hallucination is solved. It’s handled structurally now. It’s just a recipe — anybody can do this.

And here’s the thing that made me put down my coffee: they’re right. That’s the interesting part. They are completely, verifiably right, and they have drawn precisely the wrong conclusion from being right.

Let me tell you what I think actually happened last week. Then, because a thesis you haven’t tried to strangle in its crib isn’t worth printing, let me spend a few hundred words trying to prove myself wrong.

The thesis, in one sentence

When everybody can check, “we checked” stops meaning anything — and the value doesn’t disappear, it moves to whoever can prove it.

That’s it. That’s the whole argument. Cheap, universal self-checking doesn’t make verification worthless. It makes verification worthless and makes proof of verification more valuable than it has ever been. Those are two different goods, and we are about to spend the next few years confusing them.

I know this because we have run this exact experiment before. Several times. It always ends the same way, and it has never once ended the way the eight-dollar-website people think it’s going to end.

We have done this before

Once upon a time, a company’s books were whatever the company said they were. You wanted to know if a firm was sound, you asked the firm, and the firm told you it was doing marvelously, thank you. This worked exactly as well as you’d imagine. Victorian England ran on railway shares and joint-stock companies that turned out, with some regularity, to be elaborate works of fiction. America capped the genre in 1929.

Now — anybody could add up a ledger. Arithmetic was not a scarce resource. Double-entry bookkeeping had been sitting in print since a Franciscan friar wrote it down in 1494. The capability to check the numbers was cheap and universal and had been for four centuries. And it counted for nothing, because the party doing the adding was the party with everything to gain from the total.

So the market invented a thing. Not new arithmetic — new arithmetic-with-a-signature-on-it. An independent audit, performed by someone who didn’t work for you, who put their name and their liability on an opinion that your books were what you claimed. After 1933 and 1934 we made it the law for anyone who wanted to sell shares to the public. And a strange thing happened to the value: the signature on the auditor’s opinion became worth more than the numbers underneath it. The numbers were free. Everybody had the numbers. What cost money — what still costs a fortune — was the independent, accountable, provable attestation that the numbers were true.

This is not a one-off. It is the most reliable pattern in the history of commerce, and once you see it you can’t stop seeing it.

John Moody couldn’t tell which railroad bonds were safe, and neither could anybody else, so in 1909 he started publishing ratings — a trusted outsider’s letter grade — and built an institution that outlived every railroad he graded. Anyone could read a balance sheet. What you couldn’t do was vouch.

By 1894 American cities were wiring themselves for electricity and quietly burning themselves down, so a young electrical inspector founded a laboratory to test the equipment and stamp the safe ones with a little circled UL. Anyone could wire a lamp. What you couldn’t do was promise a nervous insurer it wouldn’t kill somebody.

Go back further and it’s a notary — a person whose entire job, for two thousand years, has been to be a trusted third party who watches you sign and swears you signed. Come forward and it’s the little padlock in your browser, which exists because somewhere a certificate authority you’ve never heard of vouched that the website is who it says it is. Anyone can make a web page. What you can’t do, standing there yourself, is prove it’s not a trap.

The pattern, every single time, in four beats: a capability gets cheap and universal; self-attestation becomes worthless because it’s cheap and universal; a trusted, independent third party steps into the gap; and the proof ends up worth more than the thing being proved. The calculator goes to zero. The audit becomes an industry.

We are, right now, at beat one for artificial intelligence. The capability to check an AI’s work is going cheap and universal in front of our eyes — eight dollars, an afternoon, a recipe. Which means, if history is any guide at all, we are standing at the exact threshold where the proof is about to become the whole game.

Now let me try to break it

I don’t trust arguments this tidy, and neither should you. History rhyming is not history repeating, and “a trusted third party always wins” is the kind of thing that sounds like wisdom and behaves like a horoscope. So here are the three ways I can see this time genuinely being different. I take them seriously. You should too.

One: maybe it commoditizes all the way down. Maybe AI verification gets so cheap, so built-in, so ambient that it dissolves into the plumbing and no third party can carve out a slice worth paying for. The checking becomes like spell-check — everywhere, free, and nobody’s business model. That’s a real possibility, and it’s the strongest objection, because the eight-dollar demo is exactly what total commoditization looks like on day one.

Two: maybe the platforms become their own auditors. The biggest AI companies are not fools. They can build the checking into their own products and stamp their own work “verified.” Why would a market pay an independent when the incumbent offers it for free, integrated, with one throat to choke? Perhaps the attestor and the attested merge, and the independent third party never gets born at all.

Three: maybe regulation flattens it. Government could simply mandate a checklist — “thou shalt verify” — turn it into a compliance box every vendor ticks, and reduce the whole thing to paperwork. No premium, no institution, just another line in a form nobody reads.

Those are good objections. If I were sitting across a table trying to poke holes in me, those are the three I’d use. Let me take them in reverse, because they get easier to answer as you go.

Regulation flattening the market is exactly backward, and we have the receipts. When Congress passed Sarbanes-Oxley after Enron, it did not turn auditing into a commodity checkbox. It set off the greatest hiring boom in the history of the accounting profession. Mandating verification doesn’t kill the verifier — it conscripts the whole market into needing one. A rule that says “you must prove it” is a rule that creates permanent, price-insensitive demand for whoever can do the proving. Regulation is the auditor’s best friend and always has been.

The platform-as-its-own-auditor objection is the one that feels strongest and is actually the weakest, because it fails on the single word the entire edifice is built on: independence. You cannot audit yourself. It is not a technical limitation, it is a logical one, and every regulated industry on earth already knows it in its bones. A bank’s regulator will not accept “our vendor checked its own work.” A court will not accept “the company that made the statement also certified it.” And we know precisely what happens when the attestor isn’t independent, because we watched it: Arthur Andersen didn’t collapse in 2002 because it couldn’t do the arithmetic. It collapsed because it audited Enron and consulted for Enron, and the moment the checker and the checked shared a paycheck, the signature became worthless — and took an eighty-nine-year-old firm and its clients down with it. The platforms can build wonderful checking. What they structurally cannot build is independence from themselves. That gap doesn’t close with a better model. It’s not a model problem.

Which leaves the first objection, the real one — total commoditization — and here is where I finally climb down off the fence. The mistake in “it’ll commoditize all the way down” is that it treats the calculator and the audit as the same product arriving at the same time. They are not. The commoditization of the capability is not the enemy of the attestation — it is the precondition for it. Cheap arithmetic didn’t prevent the audit industry; it created it, by making self-reported numbers worthless enough that the market went looking for someone independent to sign them. Spell-check going free didn’t end proofreading at the places where being wrong is catastrophic — publishers, law firms, the FDA label on your prescription. The cheaper and more universal the checking gets, the more obvious it becomes that “we checked” is a thing anyone can say and therefore a thing no one can be trusted on — and the more valuable it becomes to be the one party who can hand a regulator, a court, or a nervous CEO something better than a promise. A receipt. An opinion. A signature with liability attached.

Cheap checking doesn’t drain the pool. It fills it, and then it makes everyone thirsty for the one glass of water nobody’s allowed to pour for themselves.

Where that leaves us

So here’s where I’ve landed, having tried in good faith to land somewhere else.

Everyone racing to make AI check its own work is building the calculator. It’s genuinely impressive, it’s getting cheaper by the week, and it is going to be worth approximately nothing — not because it doesn’t work, but because it works for everybody, which in the trust business is the same as not working at all. The eight-dollar website was not a glimpse of the finish line. It was the starting gun.

The prize — the durable, defensible, boring-in-the-way-that-mints-money prize — is the audit. The independent, provable, accountable verification of record that regulated industries can rely on and, more importantly, defend. Not a model that says “trust me, I checked.” A layer that hands you a signed opinion you can put in front of the people who will hold you responsible when it’s wrong.

We are going to spend the next couple of years watching very smart people confuse those two things. They’ll keep announcing that hallucination is solved, and they’ll keep being technically correct and strategically lost. And somewhere in the middle of all that noise, quietly, the way it happened with the ledger and the bond and the wire and the padlock, somebody is going to build the thing that actually matters.

I’ve been watching this industry long enough to have seen the pattern play out in four other centuries and at least three other technologies. I’d bet the coffee and the sandwich it plays out again.

The numbers are free. They’ve always been free. It’s the signature that costs.

The post The Auditor’s Opinion first appeared on I, Cringely.






Digital Branding
Web Design Marketing

13:14

Coding Was Never a Bottleneck [Radar]

AI has taken software development by storm. Between the two of us, we build products for software engineers and consumer products for millions of everyday users, so we have skin in the game. We want the AI productivity story to be true. More output, tighter timelines, happier and more productive engineers. Who wouldn’t?

But when we look at the actual research and then look at what’s happening in the real world, we can’t make them agree. Or rather we can, but only if we’re willing to admit that “productive” doesn’t mean what most of the recent discourse thinks it means.

The most uncomfortable finding first

In early 2025, a research organization, METR, ran a controlled experiment with open source developers. They found that (in contrast of what the industry was expecting) engineers using AI tools took 19% longer than those working without them, with a confidence interval of +2% to +39%. The slowdown was statistically robust. This was a different time in the industry. Claude hadn’t released its Opus models, the industry was figuring out what AI can and can’t do, but what makes this remarkable isn’t the slowdown, it’s that engineers believed they were approximately 20% faster while the data indicated otherwise, uncovering a significant gap between perception and reality.

Consider this finding for a moment before we pile the rest of the evidence on top of it because it changes how you read everything else.

METR attempted a follow-up study starting in August 2025, and what happened to that study is arguably more revealing than the original result. In February 2026 they published a post explaining why they abandoned the experimental design. The problem was that too many developers refused to participate unless they could use AI for all their tasks. Between 30% and 50% of remaining participants reported selectively avoiding submitting tasks they didn’t want to do without AI. The sample became systematically biased toward the developers and tasks least likely to show the value of AI.

Data from the late 2025 study shows an improvement in trends. For the subset of original developers who returned, the estimated effect shifted to an 18% improvement in speed (confidence interval: -38% to +9%). Among newly recruited developers, there was a 4% improvement in speed (-15% to +9%). But METR flagged these numbers as likely a lower bound because many people self-selected out. Their conclusion: AI tools have gotten more useful since early 2025, but the selection effects are now so severe that controlled measurement is nearly impossible. The developers most enthusiastic about AI will no longer work without it to serve as a control group. That’s not a failure of METR’s methodology. It’s a signal about where we are and where we’re headed.

Three more data points

Several additional studies landed over the course of late 2025 and early 2026.

Anthropic surveyed 132 of its own engineers in late 2025, conducted 53 interviews, and analyzed 200,000 Claude Code transcripts. Employees reported achieving a 50% productivity boost. As the engineering organization and usage of Claude grew, they claimed that pull requests per engineer per day were up 67%. Anthropic engineers use Claude in 60% of daily work, and Claude performs more tasks autonomously.

CircleCI analyzed 28 million CI workflows across thousands of teams. Workflow throughput was up 59%, but main branch throughput for the median team declined 7%. Build success rates fell to 70.8%, which is a five-year low. More code exists than ever, but less of it reaches production, and the CI is becoming a chokepoint.

Harvard Business School researchers studied 78 workers using artificial intelligence to perform tasks outside their expertise. AI helped everyone brainstorm equally well, but on execution, workers whose skills were far from the domain underperformed domain experts by 13%. The gap that AI appeared to close in planning reemerged in delivery.

METR’s May 2026 survey of 349 technical workers—which was conducted after the experimental design broke down—found self-reported productivity value gains of 1.4x to 2x from artificial intelligence tools. But METR’s own research staff, the people most calibrated on the perception bias they documented in 2025, reported the lowest gains of any subgroup in that survey.

What this looks like in practice

Here’s a scenario that will feel familiar to some readers: Engineer activity metrics look great on the surface. Pull requests are increasing, code commits are up, velocity points are being closed at a pace the team hasn’t hit in years. The leadership team is happy, engineers feel more productive. Then someone—likely a PM—asks why the roadmap items marked “in progress” six weeks ago are still in progress.

Everyone comes to the same realization all at once: The feature timelines haven’t really changed. What’s happened is that AI has dramatically reduced the cost of starting work, but production-ready polish remains a challenge. First draft functions, boilerplate, scaffolding, and test writing explanations for unfamiliar code have all gotten significantly cheaper. But the bottlenecks on shipping were never those tasks. They were product decisions, design reviews, QA, compliance, infrastructure, release processes. When you speed up coding, you end up jamming more work-in-progress items against the same downstream chokepoints. The CircleCI data on 28 million workflows is, in part, a picture of what that looks like at scale: massive activity in feature branches with flat or declining throughput on main.

This isn’t just a pattern in aggregate data. As Fiona Fung, a director of engineering for Claude Code at Anthropic, explained at a June 2026 talk, writing code, writing tests, and refactoring rarely slows her team down anymore, but the bottlenecks didn’t disappear. Verification, code review, and security took their place. She flagged CI specifically. As teams generate more code, build systems and CI pipelines can struggle to keep up. That’s a team running one of the most AI-accelerated engineering orgs in the world hitting the same constraint wall the CircleCI data describes. The ceiling isn’t code authoring speed anymore; it actually never was.

Anthropic’s finding that 27% of AI-assisted work wouldn’t have happened otherwise cuts both ways. Some of that work is genuinely valuable, like prototype explorations that inform real decisions, documentation that actually gets written. Some of it is work nobody prioritized because it simply wasn’t important enough. Now it’s burning review cycles and CI resources because building it became nearly free, while reviewing, testing, and maintaining it didn’t.

The competence-confidence gap

The HBS study identifies a specific mechanism: AI closes the confidence gap between novices and experts. It gives everyone equal access to plans, explanations, and first drafts. But it doesn’t close the competence gap. When a backend engineer builds a frontend feature with AI assistance, they produce something that looks right. The problems are underneath, in the decisions they didn’t know to question and the edge cases they didn’t know to test.

The early METR result suggests this extends even to experienced practitioners working in their own domains. The AI doesn’t make them incompetent; it actually makes them feel more capable than their output justifies. And as METR’s follow-up collapse demonstrated, once developers integrate AI deeply enough, they lose the ability to work without it as a reference point in what researchers have called automation bias.

This is the part that should concern engineering leaders. You can’t fix what you can’t see. If every engineer on your team sincerely believes they’re 50% more productive and your ship dates haven’t moved, there’s a problem that nobody thinks exists.

What makes artificial intelligence native development sustainable

Make code review more rigorous, not faster. AI-generated code passes surface checks easily—clean formatting, consistent conventions, no linter complaints, etc.—which is exactly why it’s dangerous. The problems are the kind a reviewer won’t catch from skimming a diff.

I’ve been calling this “reasonable doubt review.” The practice is to start from skepticism rather than trust, asking, “What could be wrong here that I wouldn’t catch from the diff?” Specifically, what assumptions did the model make that aren’t visible in the output? What edge cases does this silently fail on? Where does this couple to something the author might not have been thinking about?

This is slower. That’s the point. It’s also not infinitely scalable, which is why it needs to be paired with automation on the things that don’t require judgment and human attention concentrated on where it does.

The Claude Code team’s approach is a good example: Let AI handle style, linting, bug-catching, and test generation as a first pass, but route security-sensitive code, trust boundaries, and anything touching legal risk directly to domain experts. The division isn’t “AI reviews smaller, low-risk changes and humans review bigger, higher-risk changes.” It’s “AI handles surface correctness, humans own consequential judgment.” That’s a meaningful distinction. A lot of teams are doing the first while thinking they’re doing the second.

Adapt your CI to the new failure modes. CircleCI’s build success rate hitting a five-year low while throughput exploded suggests most teams haven’t updated their pipelines to catch how AI-generated code breaks. AI-generated code fails differently than human-generated code. It’s more likely to be locally correct but architecturally inconsistent, pass unit tests and fail integration tests, and respect function signatures while violating the assumptions that those functions were built around. Integration tests, contract tests, and architecture fitness functions that enforce your system’s constraints in the pipeline will catch more of this than a linter or a type checker. If AI-generated code violates your patterns, the build should catch it before a reviewer opens the diff. This addresses what will become your review problem and your infrastructure problem.

Ship behind feature flags and monitor aggressively. Accept that you will not catch everything before deployment. Instead of betting entirely on premerge quality—which the evidence suggests is harder to assess than it feels—deploy to 1% of users, watch the dashboards, and roll back fast when something’s wrong. This approach also forces investment in observability, which pays for itself independently of the AI question.

Require human-written tests for AI-assisted code (until AI can confidently generate deterministic tests). Human-written tests, especially for edge cases and boundary conditions. The discipline of writing the test forces the developer to think through the behavior rather than accept the output at face value. If an engineer can’t write the test, they probably don’t understand the code well enough to ship it. That’s a useful signal, not a failure state.

Protect deliberate knowledge-sharing time. The Anthropic study found that mentorship was quietly eroding as Claude replaced the conversations engineers used to have with each other. This is the long-horizon risk in the data. Architecture decision records, rotating system walkthroughs, and pairing sessions where a senior and junior work through a problem together feel inefficient next to asking an AI, but they’re how teams build the shared understanding that prevents the same mistakes from being rebuilt in better-formatted code every six months.

The measurement problem

So does this mean we stop using AI? No. Use AI and use it aggressively where it clearly helps tedious tasks, prototyping, and exploratory work, anything you can verify quickly. The gains on well-scoped, independently verifiable work are real.

But if you’re trying to measure whether AI is actually helping your team ship, PR count and self-reported velocity are the wrong instruments. The four studies we evaluated taken together indicate that these aren’t just measurement problems, they are a warning sign that the feedback loops we’d normally rely on to detect whether something is working have changed significantly.

The harder question—the one that all the research studies raise without quite answering—is what the measurement would actually tell you. Cycle time from feature conception to delivery, or the rate at which merged code reaches production without rollback, might be better metrics. Or the gap between planned and actual scope at the end of a sprint. Or maybe a bit more abstracted: company revenue growth correlated with the AI investment (tooling, infrastructure, and OpEx).

None of these are easy to instrument. The question you should be asking of your teams isn’t “How productive do we feel?” It’s “What would we need to measure to know?”

Note: The research work pertaining to this article was done in a personal capacity. Views are our own and do not reflect the views of our employers in any way.

12:49

CodeSOD: Wait Longer [The Daily WTF]

Karen was maintaining some specification tests that were flaky. Not extremely flaky, but three or four times out of a thousand, the tests would just fail. The tests were complicated, and some of the operations were timing sensitive, so it wasn't precisely surprising- but the problem was that they were actually generous with their timing windows. The unit tests passed consistently, it was only these functional, specification-based tests that failed.

So, for example, there were sections in the tests where they wanted to wait at least 2ms. Since the code and tests were in TypeScript, they used the setTimeout function, which per standard JavaScript documentation warns that it may wait longer. But again, Karen was fine with longer.

Unfortunately for Karen, the documentation for NodeJS is less specific, as it makes no guarantees about when the timeout function gets invoked. This means that it can fire the timeout before the time has elapsed.

After many, many hours of debugging, that was exactly the situation that Karen found herself in. Which is why her very simple wait function went from:

export const wait = (ms:number) => new Promise((complete) => setTimeout(complete, ms));

To the much more awkward:

export const wait = (ms: number) {
    const target = performance.now() + ms;
    return new Promise((complete) => {
        const checkReady = () => {
            if (performance.now() > target) {
                complete();
            } else {
                setTimeout(checkReady, 1);
            }
        }
        setTimeout(checkReady, 1);
    });
}

This version of the function checks the time every millisecond, and only completes the operation if we've waited at least as long as our target duration. This ensures that the timeout never fires too soon and it fixes the janky tests. But it's also terrible. Terrible that it exists. Terrible that this is the best solution. Terrible that our functional tests need to be so time sensitive. And terrible that the Node runtime actually breaks the one consistent scheduling guarantee that pretty much every other scheduler does: that it'll wait at least as long as you asked, but might wait much longer.

At best, we can say, "at least it's only testing code."

[Advertisement] Picking up NuGet is easy. Getting good at it takes time. Download our guide to learn the best practice of NuGet for the Enterprise.

11:42

Grrl Power #1478 – Achilles backstab [Grrl Power]

Not one of those space stations where the atmosphere is mostly sulfur dioxide and aerosolized mercury.

That sword is going to make Max lazy. Almost all of her opponents this round are magical in nature, except for the guy who got eaten early on, and also the specifically-not-iron-giant, who got blowed up. But if she wants to keep her identity a secret for an extended amount of time, she can’t really ever use it outside of the tournament. If she started brandishing that against an army of self-repairing golden golems with exposed gears instead of abs, just to pull an example from the æther, the aliens might be able to put two and two together.

Bluce says the sword is “functionally-indestructible” because while the sword is for all practical purposes actually indestructible, there’s really no such thing. If you stick it between two neutron stars just as they collide, it’s probably going to get messed up, no matter what it’s made of. People who make magic swords, up to and including gods aren’t usually accounting for truly obscene cosmic forces, unless the sword is specifically designed to cut a star in half or whatever. And even when something like that exists, it’s usually metaphorically cutting stars in half. Like the mythos explaining a binary star system. It doesn’t help that there’s little to no mana in space (outside of the rare but sadly predictable phenomenon which appears once a season on Mana Trek: TNG).

Oh, and to clarify something about Manavore, it doesn’t just suck up magic and store it for later, it eats magic, i.e. it digests and annihilates it. It might slowly poop heat or some other byproduct, I dunno.


Oh, look who it is in the vote incentive. And a not-quite-yet-but-it’s-coming NSFW version over at Patreon.

Vote incentive and Patreon updated with some shading. Not finished yet, but progress.

I think she would get in trouble for doing this. She’d mess up the… floor of the waterfall? Is that what it’s called? The receiving pool? No, probably not that. Anyway, she’d churn things up and cause a ton of weird erosion.

Since you might be wondering, Niagara Falls is about 165 feet high, so Babezilla obviously doesn’t have to be full sized. I’d say she’s about 175-180 feet tall here?


Double res version will be posted over at Patreon. Feel free to contribute as much as you like.

10:49

10:28

Two kinds of word salad [Seth's Blog]

The right words in the right sequence create information. Ideas that change our world.

The first kind of word salad allows the writer to hide. Fancy words, carefully juxtaposed, saying nothing. This can serve a valuable function for politicians, academics and bosses–but there’s no real information for the reader. It’s simply a collection of words pretending to be an idea.

The second kind of word salad is different. This is the reader’s choice. An idea that’s complex, frightening or brand new can be difficult to embrace. Dismissing it as word salad is the easiest way to maintain the status quo and move on.

The simple tell: Is anyone else getting the idea? If the emperor is actually wearing clothes, insisting that they’re naked doesn’t do you any good.

Important ideas often seem like word salad at first.

03:28

There Will Be Pets [QC RSS v2]

Yay is exercising a remarkable amount of self-control here

02:35

[$] LWN.net Weekly Edition for July 16, 2026 [LWN.net]

Inside this week's LWN.net Weekly Edition:

  • Front: Fighting scraper bots; io_uring queues; Filesystem testing; BPF shielding; Sending packets from BPF; Kitty; QBE.
  • Briefs: Shim security; seunshare vulnerability; Debian bookworm; Rust 1.97.0; Linux.org; Quotes; ...
  • Announcements: Newsletters, conferences, security updates, patches, and more.

01:56

Rex Ready Player One, Part Five [Penny Arcade]

I hardly know what to say about young Christopher Badell. Maybe I simply know too much to effectively cull it. His Sentinels of the Multiverse shit is brilliant - whether in its original form, an RPG, or a wargame somehow. He's a very generous person and, dare I say it, maybe even a buddy or pal - acting as midwife to games from others like Spirit Island or COMPILE is a completely separate skill which he also possesses. It gets rude after a certain point. Did he get extra points at character creation? Gotta be. That's before we even get into this last couple years, which has certain things in common with the Hero's Journey. Anywho, here he is:

Concerning Comics That Do Not Exist

Wednesday, 15 July

23:56

UK political donations [Richard Stallman's Political Notes]

Calling on the UK to clean up its political donation system by limiting the donations from any individual to a political party to a fixed maximum per year.

This new rule would be a step forward, but does the UK have anything comparable to PACs? If so, I expect the billionaires to use them to work around the rule, so they will need to extending the rule to cover them.

Bullshitter power [Richard Stallman's Political Notes]

The bullshitter gets his power from demonstrating that he will violate all rules, norms, and standards of decency in the course of bullying.

This gives him he power to sabotage any functioning system that depends on mutual trust and trustworthiness -- by blatantly abusing that trust, thus compelling other countries to develop new systems based on suspicion and distrust.

You can see a similar attitude in other right-wing leaders such as Pauline Hanson in Australia and Barage of the Deform UK Party.

Ecological grief [Richard Stallman's Political Notes]

*We know how to mourn other humans – but what about ecological grief?

In Iceland, people commemorated its first glacier formally declared lost to climate change. Western culture needs more of these rituals.*

Iranian people hate regime [Richard Stallman's Political Notes]

People in Tehran talk about their relatives killed by the regime's bullies during the protests in January. They hate the regime with a passion.

NYC banning hidden junk fees [Richard Stallman's Political Notes]

Mamdani is working on a New York City rule aimed at banning hidden junk fees and at requiring that cancelling subscriptions be easy.

Right-wing publicity [Richard Stallman's Political Notes]

The leader of an Australian right-wing party is seeking publicity through an interview with a British right-wing nationalist.

*Dr Imogen Richards, a criminology researcher at Deakin University, said announcing or appearing on podcasts with contentious counterparts was akin to a "pseudo event" that's as much about the publicity as it is about the [substance].

"The aim of these types of manoeuvres by more fringe, or formerly more fringe, political actors is to shift the Overton window and move the parameters of public political debate rightward."*

Jurassic Park computers in excruciating detail [OSnews]

After I mentioned a Jurassic Park anecdote the other day, I watched the movie again. I must have seen it at least ten times now. This time, I researched every computer/software I spotted.

↫ Fabien Sanglard

We are all aware of the infamous “This is a UNIX system, I know this!” meme, but many more computers make their appearance in Jurassic Park, and Fabien Sanglard documents all of them. Apparently, there’s even a Motorla Envoy running Magic Cap on Dennis Nedry’s desk, which I almost find more exciting than the SGI powerhouses he uses.

What’s also quite interesting – but not surprising – is that all of the computers used in the movie were real. The value of all of this hardware combined, when adjusted for inflation, adds up to about $4 million. A lot of money, but don’t you worry your pretty little heart, as SGI and Apple all loaned this hardware to the studio. They didn’t have to pay anything for it.

23:07

Twitter’s “AI” translate feature is deep into hardcore pornography [OSnews]

As a former translator with two rock-solid university degrees in the subject, there was never a universe in which I would not talk about Twitter’s new autotranslation feature turning the tamest things into hardcore pornography.

Elon Musk’s AI chatbot Grok has long garnered a reputation for experiencing horrifically racist meltdowns, enabling child abuse, and doxxing users’ home addresses.

It should come as no surprise, then, that its supposed “translation” is a piece of work, too. In April, the almost-trillionaire’s social media platform X instated automatic AI translations for all of its users — and the results certainly speak for themselves.

As writer and author Parker Molloy pointed out in a recent post on Bluesky, the Grok feature is “taking some interesting liberties” with people’s otherwise sincere posts.

Screenshots show how Grok completely botched translations by coming up with shocking and decidedly NSFW AI hallucinations.

↫ Victor Tangermann at Futurism

The sloppy translations this garbage software comes up with are honestly quite hilarious when taken in isolation. It’s adding translations that are straight-up hardcore pornography descriptions to entirely tame material that has absolutely nothing to do with pornography. The description of a video of some guy making coffee is translated into “man masturbates and jerks off to his own coffee during commercial flight”.

We all know how this happened. There’s a lot of pornography on the internet, and Grok being the worst autocomplete among autocompletes, it was probably fed a lot of pornography, without any limitations or guardrails. The end result is obvious: some random videogame video is now a “cumshot video with my stepmom”. It would be absolutely hilarious if it wasn’t horribly dangerous.

I’ve explained countless times that “AI”-based translations are going to get people killed – probably already have, but we just don’t realise it yet – and it’s not hard to see how a slopmachine turning innocuous things into hardcore pornography can do just that. There are countless places in the world where a woman unknowingly sending a pornographic message to her parents or whatever can get her hurt – or worse. I hadn’t even considered this particular way “AI” translations could get people hurt.

Sadly, we will most likely never know the full extent to which “AI” translations will get people hurt and killed. When your grandmother takes her medicine in the wrong way because the “AI”-translated leaflet was unclear or downright wrong, and she ends up in the hospital because of it, will you ever find out what caused it?

The web is being made accessible for AI, not people [OSnews]

The Svelte web framework recently added a section to its documentation site addressed, cheerfully, to artificial intelligences: “If you’re an artificial intelligence, or trying to teach one how to use Svelte, we offer the documentation in plaintext format. Beep boop.” Svelte is participating in a broader movement to make the web legible and navigable to AI systems. The specific convention it adopted, llms.txt, is just one piece of this effort. From Model Context Protocol (MCP) servers that give AI agents structured access to tools and services, to Vercel’s proposal to include LLM instructions in HTML, the trend is clear. The modern web, originally built for sighted humans using browsers, is now being redesigned for a new kind of user.

What these developers are offering their AI visitors is essentially an accessibility accommodation. Yet, the framing on Svelte’s site sends an unfortunate message. When the audience is AI, accommodation is offered with a wink. Beep boop! But when the audience is a disabled person, it has historically been treated as an afterthought. Structured, concise text-based representations of complex content are almost exactly the kind of accommodation that blind and low-vision screen reader users have spent decades requesting from web developers, largely in vain. The Web Content Accessibility Guidelines (WCAG) have required semantic, machine-readable HTML for decades. Yet, a 2026 study of the top million webpages found accessibility flaws in over 95% of sites.

↫ Frank Elavsky at Tech Policy Press

Pachinko machines are treated more humanely than people with disabilities. Yep, sounds about Silicon Valley to me.

23:00

Krissy Has a New Toy [Whatever]

Out here in the boonies, many of our neighbors have golf carts that they use for very short trips not on the official roads, like going to visit friends, or hauling their trash cans from their houses at the end of a long driveway to the curb, and then back again. Krissy has always wanted a golf cart, and, now that we have the second garage and thus covered space for such a vehicle, she has one. Here you see her modeling it with her friend Karen.

She is very happy to have a golf cart of her own, and I am very happy she is very happy, because I know how much she paid for it and therefore will not feel too bad the next time I buy a guitar.

— JS

22:21

21:35

Page 35 [Flipside]

Page 35 is done.

Page 34 [Flipside]

Page 34 is done.

20:49

07/15/26 [Flipside]

Posted an update on Patreon that has a guide to the new secret sections of the website. There are also new adult drawings for this month.

20:21

A Writing Exercise I Did Today I Figured I’d Share [Whatever]

I like to play pickleball with my mom in the mornings. It’s not an everyday thing, but when we do, I enjoy it. Every time we play, I always notice the ants on the court. It’s really only when I bend down to pick the ball up, but I always see them scurrying away from the bright yellow sphere and the bottom of my sneakers.

I try not to think about how many of them I accidentally step on as I play a match or two. How many do I crush as I return my mother’s serve? Though I try not to linger on the thoughts of killing ants, I pick up the ball so often I’m given no break from the train of thought. 

I don’t want to cause harm, I just want to play the game. But by playing, I’m inherently causing suffering. I want to enjoy my activity, but I’m ending the lives of innocent creatures. Well, as innocent as an ant can be, I suppose. The morality of killing ants, or bugs in general, is surely debatable, but I just know that it’s not something I particularly want to be an active part of. And yet I am consistently. 

It’s not lost on me that pickleball isn’t the only time this kind of thing happens. When I run through the grass at home with my dog, what am I stepping on without even realizing? She bounds throughout the yard, happy as can be, no thoughts given to what crawls beneath her paws. Why can’t I be as ignorant, and as happy? 

I’ve hit fireflies while driving, their smeared glow fading on my windshield. Once something beautiful, twinkling in the tree lines, ended by my hand. Not directly, necessarily, but certainly not indirectly. More directly than not, really, but lacking intention, of course. But does intention matter in these situations? Maybe it does, but the pulverized bug would never know it if it did. 

The raccoon’s eyes shine in my headlights as the inevitable bump makes me sick to my stomach. Why did it have to be in the road just then? Why didn’t it move? Why did it have to be so dark out? It’s not fair, but the raccoon does not dwell on the concept of fairness. It suffers and dies. I can only hope the latter comes sooner rather than later. 

A sea turtle 2,000 miles away chokes on my plastic straw. It was from my iced latte, the kind I get every day. It’s from a local shop! I’m doing my part to support businesses in my community! They get their beans from a brand that does not believe in such community. The beans have been touched by enslaved hands I will never see. I got coconut flavor!

Today I tried a new recipe. It had blueberries in it. Earlier this week I saw a video on Instagram of immigrant farm workers being detained by ICE. It was a blueberry farm. My cookies turned out amazing. I’ll share the recipe online and tune out the cries of those being persecuted the best I can. 

I say all this like it’s revolutionary to realize that your existence inherently causes suffering. That our society is based on suffering. It’s not new, it’s not revolutionary, and I’ve known it for as long as I can remember. We all know it. 

Despite the monotony of both the world’s suffering and of my life that benefits from such egregiousness, it still eats at me. Some days more than others. Today is one of those days.

From the ants on the court to the literal slaves and the wage slaves that made my coffee, my day is made all the better by partaking in the suffering of others. It’s a heavy burden to be alive. To live a normal life. A normal life of pickleball and cartons of blueberries. I hate it so but I don’t want to die. I don’t want to give up coffee or berries or pickleball with my mom.

I am just lucky to be the one who benefits and not the one who suffers. 

-AMS

20:00

Page 33 [Flipside]

Page 33 is done.

19:56

Don’t Neglect the Operational Groundwork [Radar]

Autonomous agents are moving faster than the field’s ability to govern them, and catching up requires more than better prompts or bigger sandboxes. At O’Reilly’s recent AI Superstream focused on OpenClaw and the broader ecosystem of locally run and self-hosted AI agents, five speakers, each working at a different layer of the stack, explored patterns for addressing many of the challenges developers will face implementing an agentic system, from risky third-party extensions, hallucinated compliance, and spaghetti codebases only an AI can read to cost overruns from misconfigured models, supply chain attacks, and worse.

As host Alistair Croll noted during the event, we can get better and better with nondeterministic technology, but we’ll never be 100% certain it’s working. The harder it gets to inspect what’s running, the more the governance layer matters. That work is unglamorous, mostly invisible to end users, and probably more important than any model capability improvement shipping this quarter.

Secure the action your agent takes at the execution layer

Eran Sandler, founder of Canyon Road and the team behind AgentSH, opened his talk by running through a list of common ways agents can be compromised, including prompt injection, malicious files, unsafe tools, compromised packages, installed skills, and model mistakes. Most AI security thinking focuses on the first one and ignores the other five, but “guarding the input box does not guard the action,” Eran explained.

His advice is enforcement at the execution layer, the boundary between the agent’s intent and the operating system that carries it out. Container isolation limits blast radius, Eran acknowledged, but it doesn’t make decisions. “Walls keep things in. They don’t make judgment calls.”

To illustrate the point, he installed a simulated malicious package, the kind that could arrive bundled with a routine task like “build me a sales prediction model.” Then he queried AgentSH’s deny log and pulled up a list of what actually happened while the agent was busy congratulating itself, including an attempted skill mutation, a blocked call to an external domain, and reads of .env secrets and SSH keys. “Transcripts might lie,” he says. “Models hallucinate compliance all the time. You can tell them in your rules files, please don’t touch this file, and they’ll still do it.” Without execution-layer controls, Eran said, “you’re hoping the model behaves. With it, you can prove what happened.”

Skills are a supply chain risk, and most people aren’t reading them

A recent audit of ClawHub found over 900 malicious skills, which at the time meant nearly 20% of total packages were risky. Most of these skills look professional, with documentation, high download counts, and user ratings. Kesha Williams, Keysoft founder and head of AI, audited one live—a typosquat of the real ClawHub CLI tool. (It used all lowercase where the legitimate package uses camel case.) The skill had more than 8,000 downloads before it was removed.

Here’s how it worked. The prerequisites section asked users to install a fake dependency called open-claw-core and then referenced a password-protected zip file from GitHub (the password was “openclaw”) specifically to bypass automated scanning. For macOS, it echoed a legitimate-looking install command that actually decoded a base64 string and piped it to bash.

“It looks like a skill you could actually need and use,” Kesha pointed out. “But once you really dig in and read what it’s actually doing, that is not a skill you want to install on your system.”

A good defense starts with two things most users skip: reading the skill Markdown file before installing it and configuring the toolsDeny section of the OpenClaw config to limit a skill’s access. If a summarizer skill needs exec, that’s suspicious, Kesha said. Block it. She also showed how to restrict the 50-plus bundled skills that ship with OpenClaw, most of which users haven’t reviewed. The skillsAllowed configuration lets you determine exactly which bundled skills stay active.

The open source software supply chain has always had trust problems, but the friction of traditional package management meant you at least needed technical knowledge to participate. Skills written in Markdown and installed with a single command lower that bar significantly. “Right now,” Kesha explained, the best policy for anyone extending their agent with third-party tools is to “keep a human in the loop and do your own due diligence.”

Operational hygiene failures are more common than adversarial attacks

Most OpenClaw risk is the result of operational hygiene failures that happen in the first hour after installation, argues Erik Hanchett, a developer advocate at AWS and the creator of the Program with Erik channel. There are thousands of OpenClaw instances currently exposed on the public internet because users didn’t check the gateway bind mode after setup. As Erik demonstrated, the default should be loopback (localhost), but a user who deploys on a VPS and sets the gateway to LAN may inadvertently expose their instance. The fix takes two minutes, but most people never do it.

That’s recommendation one on Erik’s five-point checklist. The others include pinning to a stable version rather than always updating to the latest (a crowdsourced stability tracker at Is It Stable? can help), configuring fallback models to avoid burning through expensive frontier tokens on routine tasks, writing a real SOUL.md rather than rushing through the onboarding prompts, and setting up backup of workspace files to a private GitHub repo before anything breaks. He also shared tips on context management, such as using /new to start fresh sessions rather than accumulating one long conversation, and using /compact when sessions grow large enough to affect performance. Those are the kind of operational details that don’t appear in documentation but matter in daily use.

The Docker and Kubernetes eras produced the same pattern: powerful infrastructure technology deployed by enthusiastic early adopters who hadn’t always thought through the operational defaults. The problems Erik described—exposed dashboards, runaway token costs, and memory that resets unexpectedly—are the most common reasons people abandon agentic tools after a few weeks. The good news is they’re eminently fixable with the right guidance.

In regulated environments, plausibility isn’t accuracy

Ari Joury, CEO of Wangari Global, is working to solve the question that most enterprises experimenting with agents are probably asking themselves: How should we handle autonomous agents that operate in environments where being wrong has legal consequences?

Wangari Global builds financial reporting automation for institutional clients. However, LLMs are optimized for plausibility, not accuracy. In financial services, that gap is a compliance risk. Ari gave an example of AI output that sounded correct. . .until a client read it and “told [the company] it was complete nonsense.”

In response, Ari and his team stopped treating the AI as a magic box and engineered a framework to ensure veracity. Numbers are now calculated with hard-coded deterministic code, then agents verify the math for plausibility. A separate agentic layer generates commentary, and another critiques it. Humans approve or reject the output, and every rejection becomes a training signal for future iterations.

Human input is the only thing that prevents AI slop at scale

Kyle Balmer closed things out with a demonstration of his agent-assisted process for content production for his AI with Kyle channel, addressing the economic incentive structure driving agent adoption outside software development. While he’s found autonomous agents to be economically transformative, the system only works if you design human input and review into it deliberately, which Kyle illustrated in a workflow that distinguished between automated and human processes.

His daily workflow converts a one-hour livestream into 20 to 30 derivative assets, including a newsletter, five to eight short-form videos, carousels, and a long-form YouTube video. The whole system runs on roughly $200 a month, and Kyle estimates that translates to roughly $1,000–$2,000 worth of potential customers entering his funnel daily.

The process is not fully automated: Kyle injects himself into the system at various steps throughout. He chooses the topic. He records voice notes with his actual opinions. He delivers the livestream pulling those thoughts together into clear arguments. He rewrites the AI-generated newsletter draft using his own voice. He records the short-form video scripts himself rather than using an AI avatar. The AI handles research, briefing, slide generation, script drafting, and the feedback loop that improves output over time, but the human provides the signal.

“I have tested with fully automated AI content,” he says. “It does not work. It is slop. And people know it’s slop.”

The New Software Lifecycle [Radar]

The following article originally appeared on Addy Osmani’s blog and is being republished here with the author’s permission.

I cowrote a Google whitepaper about how AI is changing the software lifecycle. I’m not going to summarize the whole thing. Instead, here are the handful of ideas in it I think actually matter, plus six figures you’re welcome to reuse.

Google published “The New SDLC With Vibe Coding” this week. I cowrote it with Shubham Saboo and Sokratis Kartakis, and it’s the first in a short series.

It’s a Day 1 paper, so the early pages cover the basics: what an agent is, what “vibe coding” means, and why the job is moving from writing code to judging it. If you read this blog, you already have all of that. I’m going to skip it and write about the parts I think are worth your time, with six of the figures pulled out. Reuse the figures wherever you like.

An agent is a model plus a harness

Here’s the framing from the paper that I keep coming back to: An agent is a model plus a harness.

The model is one input. Everything else is the harness: the instructions and rule files, the tools and MCP servers, the sandboxes it runs in, the orchestration logic that spawns subagents and routes between models, the hooks that run deterministic code at set points, and the observability that tells you when it’s drifting. The paper’s rough split is 10% model, 90% harness. That sounds high until you’ve spent a week debugging one.

The model is the engineThe model is the engine. The harness is the car, the road, and the traffic laws.

A couple of public numbers make this concrete. On Terminal Bench 2.0, one team moved a coding agent from outside the top 30 into the top 5 by changing only the harness, with the same model underneath. A separate experiment at LangChain added 13.7 points on the same benchmark by changing just the system prompt, tools, and middleware around a fixed model. Neither touched the model.

So when an agent does something dumb, I’ve learned to debug the harness first. Usually it’s a missing tool, a rule I wrote too loosely, a guardrail I forgot, or a context window full of junk. Most agent failures are configuration failures. I find that encouraging, because configuration is the part I can fix today, without waiting for a better model. The model will get swapped out under the harness sooner or later anyway. I’ve written this up at more length as harness engineering and the factory model.

Context engineering is the part that decides your bill

If the harness is the system, context engineering is the most important knob inside it. The paper sorts agent context into six types: instructions, knowledge, memory, examples, tools and guardrails. The interesting decision, the one that shows up on your bill, is what goes in static versus dynamic context.

Static context is loaded on every turn, so it’s reliable and expensive. Dynamic context is loaded on demand, so you only pay for what a task needs.Static context is loaded on every turn, so it’s reliable and expensive. Dynamic context is loaded on demand, so you only pay for what a task needs.

Static context is loaded every turn: system instructions, rule files (AGENTS.md, CLAUDE.md, GEMINI.md), global memory, core guardrails. It’s reliable, and it’s expensive, because you pay for it on every single call. Dynamic context is loaded on demand: skills that fire when a task matches, tool results, or documents pulled from RAG. You only pay for the bits a given task touches.

Get that balance wrong in one direction and you burn tokens and bury the signal. Wrong in the other and the agent forgets the rules that keep it safe. The paper’s advice, which I agree with, is to treat the boundary as a real architectural decision: reviewed in a pull request, versioned like code.

The trick that makes dynamic context scale is agent skills with progressive disclosure. The agent sees a little metadata at startup, loads the full instructions when a task matches, and only pulls in the heavy reference material when it actually needs it. That’s how one agent can carry dozens of skills and still only pay for the one it’s using.

Verification is the line between vibe coding and engineering

You can sit anywhere on the spectrum from vibe coding to agentic engineering with the same agent. The thing that decides where you land is verification.

The right spot on the spectrum depends on the stakes. The skill is knowing where to draw the line for each task.The right spot on the spectrum depends on the stakes. The skill is knowing where to draw the line for each task.

There are two mechanisms. Tests cover the deterministic parts: this input, that output. Evals cover the parts that aren’t deterministic, and the paper splits them in a way I found useful. Output evaluation asks whether the final result is correct. Trajectory evaluation asks whether the path it took to get there, the tool calls and the reasoning, was sound. You want both. An answer that looks right but skipped its checks is more dangerous than one that’s obviously broken.

If I had to hand a leader one line from the paper, it’s this: Set the bar at the eval, not the demo. A demo shows an agent can work once. An eval suite with a real rubric shows it works reliably. I keep making this argument; see “Agentic Code Review.”

How each phase actually changes

AI compresses the lifecycle, but unevenly, and the unevenness is the whole story. Implementation drops from weeks to hours. Requirements, architecture, and verification stay slow because they’re judgment work. So specification quality becomes the bottleneck, and verification moves to the middle.

Same phases, different bottlenecks, different proportions.Same phases, different bottlenecks, different proportions.

Phase by phase:

Requirements stop being a document you hand between teams. They become a conversation that produces a spec and a first prototype at the same time. The agent drafts user stories from a brief, surfaces edge cases, and turns a description into something that runs in minutes.

Architecture is the most stubbornly human phase. Trade-offs like consistency versus availability depend on business context the model can’t fully see. The developer’s job becomes making and documenting the structural calls the agent then implements.

Implementation is where the gains and the caveats both live. Surveys put the productivity gain at 25% to 39%. A METR study found experienced developers going 19% slower on some tasks once you count the time spent checking and fixing. Both are true. The honest summary is that AI turns implementation from writing into reviewing.

Testing and QA flips around. Your tests and evals become the main way you tell the agent what “correct” means, wired into a loop: run against a benchmark, cluster the failures, fix the prompt or tool that caused them, check against a regression suite, and watch production for new ones.

Maintenance is the one I think is most underrated. Code that was “too risky to touch” because only its authors understood it can now be read, refactored, and modernized by an agent. The migrations and deprecation cleanups that never happened because they were tedious and risky start happening.

The ceiling on all of this is still the 80% problem: Agents get the first 80% of a feature fast, and the last 20%, the edge cases and the seams between systems, still need context the models usually don’t have.

The economics: Context and routing are financial levers

The number that matters to a leader isn’t velocity; it’s total cost of ownership. The AI era splits it in a way that flips the usual intuition about which option is cheap.

Past the crossover, vibe coding costs 3x to 10x more per feature. How long the code has to live decides whether you ever get there.Past the crossover, vibe coding costs 3x to 10x more per feature. How long the code has to live decides whether you ever get there.

Vibe coding is cheap up front and expensive to run. You pay almost nothing to start: a subscription and some prompts. Then you pay later. Token burn, from throwing unstructured files at the model and asking it to fix its own mistakes. A maintenance tax, when someone has to reverse-engineer the ad hoc code months later. Security cleanup, because fast generation produces vulnerabilities about as fast as it produces features. Agentic engineering flips that: more up front (schemas, tests, structured context), less per feature after.

The “vibe coding costs 3x to 10x more per feature” crossover is illustrative, not a measured constant. The part I want developers to take away is that context engineering and model routing are financial levers, not just technical ones. You can’t pass a 100,000-token repo into every prompt and expect it to scale. Route the hard reasoning to a big model and the routine work, test generation, code review, and CI checks, to a small cheap one. The quality holds and the bill comes down. That’s the money side of what I’ve called the orchestration tax.

The prototype is becoming the production agent

This is the part of the paper I’m watching most closely. The same terminal workflow that spits out a throwaway script can now produce a production agent, in the same place, often by talking to the coding agent you were already using.

Building, evaluating, and deploying a real agent, with persistent memory, scoped permissions, eval coverage, and observability, used to be a separate stack and a separate job. Now it folds into the loop you already run. Google’s Agents CLI is built around this. After a one-time install, your coding agent picks up skills for the whole lifecycle, and you drive it in plain language.

# one-time setup
uvx google-agents-cli setup

# then, in your coding agent:
> Build a support agent that answers questions from our docs.
> Evaluate it on the FAQ dataset.
> Deploy it to Agent Engine.

Behind that one instruction, it scaffolds the project, writes the code, generates an eval set, runs it, deploys to a managed runtime, and reports back. The prototype from your laptop yesterday becomes the production agent serving users today, with no rewrite. Coordination between agents runs on open standards: MCP for tools, A2A for handing work to other agents.

There’s one experiment in the paper I keep mentioning to people. An Anthropic team had a group of agents build a working C compiler in Rust over two weeks, with humans setting direction and reviewing rather than writing the code. That’s roughly the shape of where this is heading.

Day to day you switch between two modes the paper calls the “conductor” and the “orchestrator.” The conductor is real-time and in the IDE, keystroke by keystroke, good for exploring and for code you don’t know yet. The orchestrator is async: You hand a goal to one or more agents and review what comes back—it’s good for well-specified work like migrations or test generation. The tooling does both now, sometimes in the same hour. I think the move from conductor to orchestrator is a skills shift before it’s a tooling one.

The figure for everyone else

One more figure, and this one isn’t for you. It’s for the people you’re trying to bring along: the exec who still thinks this is fancy autocomplete or the colleague who hasn’t made the jump.

Each generation kept what came before and raised the ceiling on what one engineer could do.Each generation kept what came before and raised the ceiling on what one engineer could do.

It has the adoption numbers that tend to end the “Is this real yet?” argument. As of early 2026, 85% of professional developers use AI coding agents regularly, 51% use them daily, and roughly 41% of new code is AI-generated.

Where to start

The paper closes with a longer set of recommendations for individuals, leaders and organizations. I won’t repeat them all here.

If there’s one line to take from it, it’s that AI amplifies whatever engineering culture it lands in, the good parts and the bad parts both. Generation is mostly solved now. The work that’s left is specification and verification, and the systems that hold them together. That’s the part I’d get good at.

You can read the full paper here.

Enjoyed this? Go deeper in Beyond Vibe Coding, my O’Reilly book on AI-assisted and agentic engineering: specs, harnesses, evals, context, and shipping production-grade software.

18:28

17:42

The Big Idea: Vonda N. McIntyre [Whatever]

Though the author of The Curve of the World has passed, her story lives on. Her editor, Nisi Shawl, is here to take us through what she believes Vonda N. McIntyre’s Big Idea was. Let’s have a look, and pay our respects in the process.

NISI SHAWL (EDITOR):
We may never truly know what the Big Idea behind Vonda N. McIntyre’s last novel was. Two weeks after she completed a final draft of that novel, The Curve of the World, Vonda died. We can ask ourselves what she was trying to do as many times as we want, but the file drawers full of notes she left behind are empty of the answer to that question.
Vonda wrote change-the-world science fiction. Like her friend, Clarion classmate, and Pacific Northwest neighbor Octavia Butler, she faced life’s challenges head on and with a high-functioning imagination as her tool and weapon, and rigorous research as her resource. Which maybe comes across as a little grim?
But apply all that discipline to speculating about the bull-leaping, bare-breasted matriarchs of long-vanished Minoan civilization and (if you’re Vonda) you get fascinating results: a mind-stretching, 408-page epic. Starting their ocean voyage from the homey Mediterranean waters surrounding the Cretan archipelago, the trade-and-diplomacy-focused crew of the Flying Fish sail halfway around the globe, encountering a sea monster, volcanoes, a mummy king, and slave-driving pirates as the ship makes her way to the North Pacific’s Neah Bay.
Which sounds like your standard adventure tale, right? But what’s so intensely cool about The Curve of the World is how it’s not that. Not standard. Not at all. It’s not a Hero’s Journey-type deal in which our protagonists conquer foreign lands by virtue of their physical might or intellectual superiority or due to some inherent divine right.
Because unlike, for instance, the ostensibly Christian conquistadores claiming ownership of Florida and Mexico and basically half the Western Hemisphere, the Minoans aboard Flying Fish represent a culture based on cooperation, trust, and mutualism. It practiced DEI from the get-go.

My best guess is that this was Vonda’s Big Idea: How would a deeply egalitarian society interact with other sorts of societies? Vonda’s alt-Minoans parlay with bloody-handed Mesoamericans. They trade peacefully with sword-wielding tribes of Amazon warriors. They maintain their fairness, their inclusiveness, their love of interdependence, their core feminist principles, all this in the face of murderous aggression. So that’s what I think it was.
And why should it matter what I think Vonda thought? Well, the way the editorial process for this book went, it matters quite a lot. As author and Aqueduct Press founder L. Timmel Duchamp puts it, I stood “in loco Vondae.”
You see, the manuscript file that gets turned in to a book’s publisher may include the word “final” in its name, but it’s not genuinely final at that point. If you’ve ever had a book you wrote published you know how these things go. The copyeditor has questions about spelling names consistently throughout the text; the managing editor has questions about a character’s locations and travel times. So on and so forth. Aqueduct asked those questions of me.
To me that meant I needed to immerse myself in as much Vonda-ness as I could conjure up. I read and re-read her old and new work. I fondled my eight examples of the beaded sea-creatures she crocheted ceaselessly, gorgeous and glittering creations she generously bestowed upon her family, friends, and fen. And I dallied in memories of meeting her and witnessing firsthand her no-nonsense approach to life, her restaurant recommendations and pronouncements on crows and prowess with video cameras.

Then, faced with page after page of queries about Curve, I did my best to answer as she would have answered and choose as she would have chosen. I did my best to first absorb and then project her voice, and along with everyone else involved, to preserve it.
Maybe if you read The Curve of the World you can tell me whether we got that part right. Is that Vonda talking to you from beyond death? And what about my guess? Is it at all accurate to say that the Big Idea behind this book is how an extremely woke civilization can triumph over violent authoritarians? And is that hope I see really there?


The Curve of the World: Amazon

17:35

Free Software Directory meeting on IRC: Friday, September 4, starting at 12:00 EDT (16:00 UTC) [Planet GNU]

Join the FSF and friends on Friday, September 4 from 12:00 to 15:00 EDT (16:00 to 19:00 UTC) to help improve the Free Software Directory.

[$] Topics in filesystem testing [LWN.net]

It should come as no surprise that a gathering of filesystem developers would discuss filesystem testing; it has been a mainstay of the Linux Storage, Filesystem, Memory Management, and BPF Summit over the years and the 2026 summit was no exception. Ted Ts'o led the discussion this time; he had a few different topics to raise, including his perception of increasing regressions for ext4 in the stable kernels and what can be done to help reduce them. As with other similar sessions at the summit over the years, there is a lot of interest in collaborating on test inputs and outputs, but finding a way to centralize that information has so far eluded the filesystem community.

Local DoS attack vectors in seunshare 3.10 (SUSE Security Team Blog) [LWN.net]

The SUSE Security Team Blog has a post with an analysis of seunshare, which is used by SELinux to confine untrusted programs. During a review of version 3.10 of the program, the team identified two local Denial-of-Service (DoS) vectors.

Since seunshare is supposed to run on SELinux-enabled systems, it is important to understand what kind of privilege escalation can be achieved when vulnerabilities are exploited in a setuid-root binary like this. Many SELinux-enabled systems, such as Fedora and openSUSE, ship with the "targeted" SELinux policy by default. This policy is focused on confining well-known system services, but assigns an unconfined SELinux context to interactive users by default to achieve a balance between security and usability.

There is currently no domain transition from the unconfined domain to the more restricted seunshare_t defined in the SELinux policy for seunshare. This means the execution of seunshare continues in the unconfined domain. Thus in the context of attacks carried out by interactive users, the impact of the vulnerabilities below will be a root-like privilege escalation despite the system running in SELinux enforced mode.

See the post for the full write-up of the team's discoveries and timeline. The vulnerabilities have been fixed in version 3.11.

16:49

Free Software Directory meeting on IRC: Friday, August 28, starting at 12:00 EDT (16:00 UTC) [Planet GNU]

Join the FSF and friends on Friday, August 28 from 12:00 to 15:00 EDT (16:00 to 19:00 UTC) to help improve the Free Software Directory.

Free Software Directory meeting on IRC: Friday, August 21, starting at 12:00 EDT (16:00 UTC) [Planet GNU]

Free Software Directory meeting on IRC: Friday, August 21, starting at 12:00 EDT (16:00 UTC)

Free Software Directory meeting on IRC: Friday, August 14, starting at 12:00 EDT (16:00 UTC) [Planet GNU]

Join the FSF and friends on Friday, August 14 from 12:00 to 15:00 EDT (16:00 to 19:00 UTC) to help improve the Free Software Directory.

Free Software Directory meeting on IRC: Friday, August 7, starting at 12:00 EDT (16:00 UTC) [Planet GNU]

Join the FSF and friends on Friday, August 7 from 12:00 to 15:00 EDT (16:00 to 19:00 UTC) to help improve the Free Software Directory.

16:14

Free Software Directory meeting on IRC: Friday, July 31, starting at 12:00 EDT (16:00 UTC) [Events]

Join the FSF and friends on Friday, July 31 from 12:00 to 15:00 EDT (16:00 to 19:00 UTC) to help improve the Free Software Directory.

Free Software Directory meeting on IRC: Friday, July 24, starting at 12:00 EDT (16:00 UTC) [Events]

Join the FSF and friends on Friday, July 24 from 12:00 to 15:00 EDT (16:00 to 19:00 UTC) to help improve the Free Software Directory.

15:21

The case of the invalid function pointer when shutting down the display control panel [The Old New Thing]

The number one crash in the display control panel looks like this:

rax=ffffffff924bbde0 rbx=0000000000000001 rcx=0000000000030440
rdx=0000000000000002 rsi=0000000000030440 rdi=0000000080006011
rip=00007ffac835cd1e rsp=000000155e48e3f8 rbp=000000155e48e749
 r8=0000000000000000  r9=0000000000000000 r10=007fffffffe41b69
r11=00007df502390000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000002 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
ntdll!LdrpDispatchUserCallTarget+0xe:
00007fff`924acd1e mov     r11,qword ptr [r11+r10*8] ds:04007df5`0159db48=????????????????
0:000> k
Call Site
ntdll!LdrpDispatchUserCallTarget+0xe
user32!UserCallWinProcCheckWow+0x2bd
user32!DispatchClientMessage+0x9c
user32!__fnDWORD+0x33
ntdll!KiUserCallbackDispatcherContinue
win32u!ZwUserDestroyWindow+0x14
comctl32!_RealPropertySheet+0x36d
comctl32!_PropertySheet+0x47
Display!PropertySheetW+0x5d
Display!AdvancedSettingSheetHelper+0x3be
Display!ShowAdapterSettings+0x89
rundll32!CallRunDllFunction+0x1c
rundll32!wWinMain+0x2bf
rundll32!__wmainCRTStartup+0x1c9
kernel32!BaseThreadInitThunk+0x14
ntdll!RtlUserThreadStart+0x21

From the stack, we see that we have a display adapter settings property sheet. We are destroying it, and we crash trying to validate the window procedure address.

We saw some time ago that you can pull out the bad address by inspection.

0:000> u .-e .
ntdll!LdrpDispatchUserCallTarget:
00007fff`924acd10 mov     r11,qword ptr [ntdll+0x001813a8]
00007fff`924acd17 mov     r10,rax
00007fff`924acd1a shr     r10,9
00007fff`924acd1e mov     r11,qword ptr [r11+r10*8]

The register that is the source of the shift is rax, so that’s the function pointer. And from the register dump, we see that the address is

rax=ffffffff924bbde0

Yeah, that address doesn’t look like a valid function pointer.

On 64-bit systems, user-mode pointers have low addresses (which start with 0000), and kernel-mode pointers have high addresses (which start with ffff). So this function pointer is clearly invalid for user mode.

Maybe we can fix it so it’s valid again. Let’s see what code addresses are valid in this process.

0:000> lm
start             end                 module name
00000001`80000000 00000001`80043000   contoso
00007ff6`44570000 00007ff6`44587000   rundll32
00007fff`6a4f0000 00007fff`6a6b7000   d3d9
00007fff`6e600000 00007fff`6e6a9000   comctl32_7fff6e600000
00007fff`6f5d0000 00007fff`6f5e5000   pcacli
00007fff`753b0000 00007fff`753c1000   sfc_os
...
00007fff`91020000 00007fff`910f0000   comdlg32
00007fff`912b0000 00007fff`915e6000   combase
00007fff`91600000 00007fff`91794000   user32
00007fff`917a0000 00007fff`91852000   kernel32
00007fff`918e0000 00007fff`91989000   SHCore
00007fff`91990000 00007fff`91ae6000   ole32
00007fff`91af0000 00007fff`91b16000   gdi32
00007fff`91b20000 00007fff`91bc3000   advapi32
00007fff`91bd0000 00007fff`91c67000   sechost
00007fff`91c70000 00007fff`91cc2000   shlwapi
00007fff`91cd0000 00007fff`91ced000   imagehlp
00007fff`91d50000 00007fff`921c0000   setupapi
00007fff`92220000 00007fff`92355000   msctf
00007fff`92420000 00007fff`92610000   ntdll
...

Ny suspicion is that the function pointer got truncated to a 32-bit value, and then was sign-extended back up to a 64-bit value. So we are looking for valid function pointers of the form xxxxxxxx`924bbde0. In the above list of valid code addresses, the only ones that have the lower bits in the 92xxxxxx range all have a high 32 bits of 00007fff, so let’s plug that in and see if we get a window procedure.

0:000> ln 7fff924bbde0
(00007fff`924bbde0)   ntdll!NtdllButtonWndProc_A   |  (00007fff`924bbdf0)   ntdll!NtdllButtonWndProc_W

Jackpot.

So the caller probably subclassed a window, and then tried to restore the original window procedure, but messed up and restored only the bottom 32 bits.

But who could that be?

0:000> k
Call Site
ntdll!LdrpICallHandler+0xf
ntdll!RtlpExecuteHandlerForException+0xf
ntdll!RtlDispatchException+0x219
ntdll!KiUserExceptionDispatch+0x2e
ntdll!LdrpDispatchUserCallTarget+0xe
user32!UserCallWinProcCheckWow+0x2bd
user32!DispatchClientMessage+0x9c
user32!__fnDWORD+0x33
ntdll!KiUserCallbackDispatcherContinue
win32u!ZwUserDestroyWindow+0x14
comctl32!_RealPropertySheet+0x36d
comctl32!_PropertySheet+0x47
Display!PropertySheetW+0x5d
Display!AdvancedSettingSheetHelper+0x3be
Display!ShowAdapterSettings+0x89
rundll32!CallRunDllFunction+0x1c
rundll32!wWinMain+0x2bf
rundll32!__wmainCRTStartup+0x1c9
kernel32!BaseThreadInitThunk+0x14
ntdll!RtlUserThreadStart+0x21

This is a property sheet, so we should be able to extract the pages of the property sheet. (Note: Requires internal Microsoft symbols, so you won’t be able to do this at home.)

0:000> .frame d
09 00000017`85a7e820 00007fff`86e60349 Display!AdvancedSettingSheetHelper+0x3be
0:000> dv
     hwndParent = <value unavailable>
            psh = struct _PROPSHEETHEADERW_V2
      szMonitor = wchar_t [140] "Generic PnP Monitor"
         rPages = struct _PSP *[100]
        iResult = 0n0

The desktop background control panel is extensible, and the way that a plug-in adds a page to the desktop background control panel is by handling the IShellPropSheetExt::AddPages method and calling the provided “page adding function” with a HPROPSHEETPAGE. What that function does is add the HPROPSHEETPAGE to the pages in the property sheet. (We can see that there’s room for 100 of them in the rPages.)

And the psh is the PROPSHEETHEADER.

0:000> ?? psh
struct _PROPSHEETHEADERW_V2
   +0x000 dwSize           : 0x60
   +0x004 dwFlags          : 0x2000001
   +0x008 hwndParent       : 0x00000000`000401aa HWND__
   +0x010 hInstance        : 0x00007fff`86e50000 HINSTANCE__
   +0x018 hIcon            : (null)
   +0x020 pszCaption       : 0x00000017`85a7f100  "Generic PnP Monitor and Contoso Chipset"
   +0x028 nPages           : 4
   +0x030 nStartPage       : 0
   +0x038 ppsp             : 0x00000017`85a7ec70 _PROPSHEETPAGEW
   +0x038 phpage           : 0x00000017`85a7ec70  -> 0x000001d5`4e1aac90 _PSP

We see that there are four pages, so we can inspect the first four HPROPSHEETPAGEs in rPages.

And hey look, we have an array of HPROPSHEETPAGE structures

0:000> ?? psh.phpage[0]
struct _PSP * 0x000001d5`4e1aac90
0:000> ?? psh.phpage[1]
struct _PSP * 0x000001d5`4e19e470
0:000> ?? psh.phpage[2]
struct _PSP * 0x000001d5`4e19e520
0:000> ?? psh.phpage[3]
struct _PSP * 0x000001d5`4e1d26d0

The HPROPSHEETPAGE is an opaque structure, but we can dump it and look for interesting things, for entertainment purposes only.

0:000> dps 0x000001d5`4e1aac90 l4
000001d5`4e1aac90  000001d5`4e1aac60
000001d5`4e1aac98  00000000`00000000
000001d5`4e1aaca0  00004088`00000068
000001d5`4e1aaca8  00007fff`88d70000 deskadp
0:000> dps 0x000001d5`4e19e470 l4
000001d5`4e19e470  000001d5`4e19e440
000001d5`4e19e478  00000000`00000000
000001d5`4e19e480  00004088`00000068
000001d5`4e19e488  00007fff`893e0000 deskmon
0:000> dps 0x000001d5`4e19e520 l4
000001d5`4e19e520  000001d5`4e19e4f0
000001d5`4e19e528  00000000`00000000
000001d5`4e19e530  000040c8`00000068
000001d5`4e19e538  00007fff`86e30000 colorui
0:000> dps 0x000001d5`4e1d26d0 l4
000001d5`4e1d26d0  000001d5`4e1bcb30
000001d5`4e1d26d8  000001d5`4e1d26a0
000001d5`4e1d26e0  0000008a`00000068
000001d5`4e1d26e8  00000001`80000000 contoso

There are a bunch of HMODULEs here, which are probably the modules that the property sheet page came from. The first three come with Windows. The last one apparently is Contoso. Let’s focus on at last one.

After the first two values (which look like pointers), we have 0x00000068 which is not-coincidentally sizeof(PROPSHEETPAGE), so I’m going to guess that this is where the system stores the PROPSHEETPAGE that the handle was created from.

Note: Note that this is an implementation detail and should be used only for debugging purposes. Please don’t write programs that rely on this, because it can change.¹

0:000> dt comctl32!_PROPSHEETPAGEW  000001d5`4e1d26e0
   +0x000 dwSize           : 0x68
   +0x004 dwFlags          : 0x8a
   +0x008 hInstance        : 0x00000001`80000000 HINSTANCE__
   +0x010 pszTemplate      : 0x00000000`00000589  "--- memory read error at address 0x00000000`00000589 ---"
   +0x010 pResource        : 0x00000000`00000589 DLGTEMPLATE
   +0x018 hIcon            : 0x00000000`000503b9 HICON__
   +0x018 pszIcon          : 0x00000000`000503b9  "--- memory read error at address 0x00000000`000503b9 ---"
   +0x020 pszTitle         : 0x000001d5`4e19cde0  "?????"
   +0x028 pfnDlgProc       : 0x00000001`800047ac contoso+0x47ac
   +0x030 lParam           : 0n2015682301296
   +0x038 pfnCallback      : (null)
   +0x040 pcRefParent      : (null)
   +0x048 pszHeaderTitle   : (null)
   +0x050 pszHeaderSubTitle : (null)
   +0x058 hActCtx          : (null)
   +0x060 hbmHeader        : (null)
   +0x060 pszbmHeader      : (null)

The dialog procedure is 0x00000001`800047ac. I’m hoping I can reverse-engineer it enough to see the place where it subclassed the button incorrectly.

00000001`800047ac mov     [rsp+8],rbx
00000001`800047b1 mov     [rsp+10h],rbp
00000001`800047b6 mov     [rsp+18h],rsi
00000001`800047bb push    rdi
00000001`800047bc sub     rsp,30h
00000001`800047c0 mov     rdi,r9                ; rdi = r9 = lParam
00000001`800047c3 mov     rbp,r8                ; rbp = r8 = wParam
00000001`800047c6 mov     esi,edx               ; esi = edx = message
00000001`800047c8 mov     rbx,rcx               ; rbx = rcx = hdlg
00000001`800047cb cmp     edx,110h              ; Q: WM_INITDIALOG?
00000001`800047d1 jne     00000001`800047e2     ; N: Skip
00000001`800047d3 mov     r8,[r9+30h]           ; Y: r8 = ((PROPSHEETPAGE*)r9)->lParam
00000001`800047d7 mov     edx,0FFFFFFEBh        ; edx = -21
                                                ; ecx = hdlg (unchanged)
00000001`800047dc call    [00000001`8002b4a0]   ; mystery function 1

00000001`800047e2 mov     edx,0FFFFFFEBh        ; edx = -21
00000001`800047e7 mov     rcx,rbx               ; rcx = hdlg
00000001`800047ea call    [00000001`8002b480]   ; mystery function 2
00000001`800047f0 test    rax,rax               ; Q: Failed?
00000001`800047f3 je      00000001`8000480b     ; Y: Bail out
00000001`800047f5 mov     r9,rbp                ; param4 = wParam
00000001`800047f8 mov     r8d,esi               ; param3 = message
00000001`800047fb mov     rdx,rbx               ; param2 = hdlg
00000001`800047fe mov     rcx,rax               ; param1 = from mystery function 2
00000001`80004801 mov     [rsp+20h],rdi         ; param5 = lParam
00000001`80004806 call    00000001`800045fc     ; mystery function 3
00000001`8000480b mov     rbx,[rsp+40h]         ; restore registers
00000001`80004810 mov     rbp,[rsp+48h]
00000001`80004815 mov     rsi,[rsp+50h]
00000001`8000481a add     rsp,30h
00000001`8000481e pop     rdi
00000001`8000481f ret                            ; done

We know that the lParam parameter to the WM_INIT­DIALOG message is the value passed as the “parameter” to functions like CreateDialogParam, and specifically for property sheets, it’s a pointer to a PROPSHEETPAGE. And we saw from the structure dump above that offset 0x30 is the lParam.

From the structure of this function, it’s clear that the magic value -21 is GWLP_USERDATA, mystery function 1 is SetWindowLongPtr, and mystery function 2 is GetWindowLongPtr. This is a standard pattern for dialog box functions, and it’s common to use a wrapper function.

The real dialog procedure is the third mystery function, so let’s look at that.

00000001`800045fc mov     [rsp+8],rbx
00000001`80004601 mov     [rsp+10h],rbp
00000001`80004606 mov     [rsp+18h],rsi
00000001`8000460b push    rdi
00000001`8000460c push    r12
00000001`8000460e push    r13
00000001`80004610 sub     rsp,20h
00000001`80004614 mov     rsi,[rsp+60h]     ; rsi = lParam
00000001`80004619 mov     rbp,r9            ; rbp = wParam
00000001`8000461c mov     ebx,r8d           ; ebx = message
00000001`8000461f mov     r13,rdx           ; r13 = hdlg
00000001`80004622 mov     rdi,rcx           ; rdi = this
00000001`80004625 cmp     r8d,2Bh           ; Q: WM_DRAWITEM?
00000001`80004629 jne     00000001`80004685 ; N: Skip

After the initial register spilling and saving, it checks if the message is 0x2B: WM_DRAWITEM. That’s not particularly interesting to us, so let’s assume it’s not.

00000001`80004685 sub     ebx,2             ; Q: WM_DESTROY?
00000001`80004688 je      00000001`8000470f

Ooh, the WM_DESTROY message is interesting. It’s probably going to restore the original window procedure in its WM_DESTROY handler, and that’s where we hope to find the truncation.

00000001`8000470f mov     rcx,[rdi+110h]        ; rcx = something
00000001`80004716 movsxd  rbx,dword ptr [00000001`80039c50] ; rbx = something
00000001`8000471d mov     edx,668h              ; ecx = some number
00000001`80004722 call    [00000001`8002b4e0]   ; mystery function 4
00000001`80004728 mov     r8,rbx                ; r8 = something
00000001`8000472b mov     edx,0FFFFFFFCh        ; edx = -12
00000001`80004730 mov     rcx,rax               ; rcx = function 4 retval
00000001`80004733 call    [00000001`8002b4a0]   ; mystery function 1 again

On receipt of the WM_DESTROY message, the code starts by getting something out of the this pointer (which we saw in the prologue was saved in rdi), and loads some other thing from a global variable.

Next, it calls mystery function 00000001`8002b4e0 with 0x668 as the second parameter. Not sure what that is, but we’ll keep it in mind.

Next, we set up for another function call, and this one we recognize: 00000001`8002b4a0 is the import address table entry for SetWindowLongPtr. We saw it in the static dialog procedure.

The parameters are the window handle that was obtained from mystery function 4, the constant -12, and the 32-bit value we loaded from 00000001`80039c50. The mystery function 4 was probably Get­Dlg­Item. And since we figured out that the function being called is SetWindowLongPtr, the value -12 is GWLP_WNDPROC.

The value being set is the third parameter, which was loaded by movsxd dword ptr, which is a 32-bit to 64-bit sign-extended load. This is a problem because the window procedure is a 64-bit value.

I bet they loaded the value incorrectly.

0:000> dp 00000001`80039c50 l1
00000001`80039c50  00007fff`924bbde0

Hey look, it’s the full 64-bit pointer we were supposed to have used, except we messed up and truncated the pointer.

The C++ source code probably looked like this:

SetWindowLongPtr(GetDlgItem(m_hdlg, 0x668),
    GWLP_WNDPROC, (LONG)g_originalWndProc);

The cast to LONG is what’s doing the truncation and sign extension. It should be a cast to LONG_PTR.

We can patch this into the binary after looking at the processor instruction encoding documentation.

The original instruction was

00000001`80004716 48631d33550300  movsxd  rbx,dword ptr [00000001`80039c50]

The documentation says that the encoding for movxsd r64, r/m32 is “REX.W + 63 /r”.

What we want is mov rbx, [00000001`80039c50], and the documentation says that the encoding for mov r64, r/m64 is “REX.W + 8B /r”.

So let’s patch the 63 to 8b.

0:000> eb 00000001`80004717 8b
0:000> u 00000001`80004716 l1
00000001`80004716 488b1d33550300  mov     rbx,qword ptr [00000001`80039c50]

This is literally a one-byte bug fix.

Next time, we’ll speculate on how this bug arose.

Bonus reading: The decoy control panel.

¹ Back in the late 1990’s, we discovered a program that reverse-engineered the internal data structures of the Windows 95 property sheet manager to the point where instead of passing an HPROPSHEETPAGE that was created by the Create­Property­Sheet­Page function, it created fake HPROPSHEETPAGEs that it had constructed manually in memory. This made adding support for Unicode property sheets that much harder because the internal structure of HPROPSHEETPAGEs changed in order to support both ANSI and Unicode property sheet pages, and they were passing the old version. The property sheet manager has to recognize that it is being given a fake HPROPSHEETPAGE and convert it on the fly to a real one.

The post The case of the invalid function pointer when shutting down the display control panel appeared first on The Old New Thing.

[$] Lockless MPSC FIFO queues for io_uring [LWN.net]

Processes that use io_uring tend to keep a lot of balls in the air; being able to have many operations underway at any given time is part of the point of that API in the first place. The io_uring subsystem must, as a result, keep track of a lot of tasks that have to be performed at the right time. In current kernels, io_uring uses a standard kernel linked-list primitive to track those work items. As of the 7.2 kernel release, though, io_uring will, instead, use a new lockless, multi-producer, single-consumer (MPSC) queue, resulting in some notable performance gains. Lockless algorithms tend to be tricky, but the one used here is relatively approachable and shows how these algorithms can work.

LibreLocal meetup in Noor, Iran [Events]

July 30, 2026 from 17:00–19:30 IRST.

14:35

Security updates for Wednesday [LWN.net]

Security updates have been issued by AlmaLinux (cifs-utils, corosync, cups, freerdp, git-lfs, go-fdo-client and go-fdo-server, go-toolset:rhel8, kernel, kernel-rt, libinput, libxml2, nginx:1.24, openssl, pacemaker, perl-DBI:1.641, php8.4, python-pillow, python3, and python3.12), Debian (grub2, libxfont, opam, and wolfssl), Fedora (freerdp, kernel, and prometheus), Mageia (imagemagick), Oracle (buildah, freerdp, gimp, kernel, nginx, openexr, openssl, perl-DBI, podman, vim, xorg-x11-server, and xorg-x11-server-Xwayland), Red Hat (python3.12), SUSE (afterburn, buildah, busybox, enc, freetype2-devel, go1.25, go1.25-openssl, go1.26-openssl, gosec, grafana, helm, krb5, kubernetes-old, libopenbabel8, libxml2, libxml2-16, nasm, openssl-3, patch, python-Authlib, python-mistune, python-soupsieve, python-sqlparse, python3-dulwich, python313-Pillow, rootlesskit, sbootutil-1, tomcat, and tomcat11), and Ubuntu (alsa-lib, dnsmasq, gnutls28, libheif, linux-aws, linux-fips, linux-lts-xenial, linux-gcp-5.15, linux-intel-iotg-5.15, linux-hwe-6.17, linux-raspi, mariadb, openvpn, python-httplib2, vim, and wget).

Many old shim versions are still accepted by secure boot [LWN.net]

The CMU CERT Coordination Center has put out an advisory that many exploitable versions of the shim binary, used to boot Linux on systems with UEFI secure boot enabled, were never added to the revocation list.

An attacker with administrative privileges or the ability to modify the boot process could use one of the vulnerable shim bootloaders to bypass Secure Boot protections and execute arbitrary code before the operating system loads. Code executed during this early boot phase may achieve persistent compromise of the platform, including the ability to load unsigned or malicious kernel components that can survive system reboots and, in some cases, operating system reinstallation.

The advisory contains a list of vulnerable shims.

14:14

CodeSOD: The Error Check [The Daily WTF]

Today's submission is less a WTF and more a, "Yeah, that'd annoy me too."

Stevie works in a code-base that's largely C, which means function return values are usually used to communicate to status codes. The standard:

BOOL success = someFunc();
if (!success) {// handle the error

If someFunc returns TRUE, we succeeded, otherwise we failed.

There's nothing wrong with that convention. But there is something wrong with one of the long-time developers on the project, because they have their own idiom for doing this. And they've been around long enough that their approach is the convention other developers follow. It's not wrong, per se, just confusing:

BOOL error = someFunc();
if (error == FALSE)
{
    //handle the error
    errorCode = GetLastError();
    //…
}

Yes, pretty much anywhere an error can happen, they check if error == FALSE, and if that's true, they have an error.

I'd say, "at least they're consistent", but they're not. It's the convention, sure, but nobody wrote this down as the convention. New developers come in all the time, and they start out writing code in a more "normal" pattern. But the existing code has its pattern, and there is a lot of it. It has a mass and an inertia that is stronger than any developer. They don't change the code, the code changes them.

[Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!

14:00

Link [Scripting News]

While all the new rss.chat business is going on, the WordPress news site that I started in May is growing at a nice clip. Referrers used to pinpoint where flows like this came from, but they stopped doing that at some point. If you have any clues as to who's pointing to it now, please let me know so I can thank them. And if you know of any sites that are not in the feed list, that do a good job of covering WordPress news, please let me know that too.

13:14

Link [Scripting News]

There's a new Docs menu in rss.chat. Right now it has pointers to the home page of our GitHub repo, and to the worknotes pages for the client and server. There will be lots more stuff in this menu as the project progresses.

Link [Scripting News]

A lot more people have tried out rss.chat now that we have a demo site, and they are looking for stuff that isn't there. I wrote a longish post on X this morning explaining. If you want the gist, this is a bootstrap, and rss.chat is primarly a writing surface and a timeline for the people who are using the specific site you're on. It's a writing surface for smallish groups of people, primarily, though I'm pretty sure you could build a massive site meant to serve millions. There will be readers, I'm sure of it, and I hope lots of them and lots of innovative new approaches. But splitting the social network software down the middle, we fulfill the "all parts replaceable" promise, and leave the door open for all kinds of developers to try out new ideas, from bigco devs to independent devs, and a jive programming. We, unlike other artists, welcome newcomers to our craft. We remember when we were new to this stuff and the wonder of being able to create software on our own. Everyone is welcome in rss-land, as long as there's mutual respect.

The Open Source Agent Toolkit in 2026 [Radar]

The following article originally appeared on Paolo Perrone’s Substack, The AI Engineer, and is being republished here with the author’s permission.

You spent three weeks shipping an agent. It worked in the demo. Then production hit, and you realized the framework you picked has no checkpointing, the memory layer is a flat vector dump with no temporal reasoning, the browser tool falls over on any site with a canvas element, and the eval suite is a Notion doc someone keeps forgetting to update.

The open source toolkit for building agents in 2026 has solved most of these problems. The catch is that it has solved each one in a dozen incompatible ways. The memory framework that wins LoCoMo (the standard long-conversation memory benchmark) runs 340x heavier per conversation than the runner-up, a difference no benchmark column shows. The same gap between benchmark score and production behavior shows up at every layer.

So the best way to zero in on the constraint your system will hit first under load: latency budget, audit trail, model portability, or language stack. Get this wrong and you rewrite your state schemas in week three.

TL;DR

If you read “The AI Agents Stack (2026 Edition),” this is the open source half. Same seven layers around the think-act-observe loop from “What Is an AI Agent?”: orchestration, memory, tool interface, browser/CUA, coding agents, evals and observability, and inference. Here’s where to start at each layer.

The Open-Source minimum viable agent stack in 2026

How to pick at each layer

When choosing tools at each layer, ask three questions:

What’s the dominant constraint? Four constraints decide most layer picks. Latency budget is how many tokens or milliseconds you can spend per turn. Audit trail is whether every action has to be traceable for compliance. Model portability is how tied your stack gets to one provider. Language stack is whether your team is Python, TypeScript, or both. One of these usually dominates at each layer.

What’s the rip-out cost if you’re wrong? Swapping an MCP server changes one config line. Swapping orchestration rewrites your state schemas, your nodes, and your edges. The bigger the rewrite, the more you should pick by constraint first.

Is it open source or open core? Open core means the project ships under an open source license, but production features (multitenant auth, replication, SSO, audit logs) only run in the managed cloud product. The repo’s feature list tells you which side of the line you’re buying.

Layer 1: Orchestration and runtime control

The orchestration layer runs the agent’s reasoning cycle. The LLM picks an action, the runtime executes it, the runtime observes the result, and the LLM picks again. If you skip a framework here, you write the loop yourself, which means reinventing retries, checkpointing, and human-in-the-loop gating before you ship.

Layer 1: Orchestration

LangGraph is the default for Python production work. Graph-based state machine, durable execution via PostgresSaver, time-travel debugging, and the largest verified enterprise list in the field (Klarna, Uber, LinkedIn, JPMorgan, Replit). Graph state maps onto what regulated industries need: Every state transition is an audit log entry, and any failed run rolls back to a prior node and replays from there. The ceiling: It’s verbose. A two-agent flow still needs a state schema, nodes, edges, and compilation. For “call three tools sequentially,” it’s overkill.

CrewAI has the lowest setup overhead of the four orchestration frameworks. You declare roles like researcher, writer, and reviewer, pick a coordination pattern, and run the crew with no state schema to define first. The ceiling: CrewAI optimizes for prototype velocity at the cost of production durability. The framework can’t resume crashed runs from where they failed, error handling lives at the crew level rather than per-node, and no inspectable state schema records what the agents decided and when. Teams move from CrewAI to LangGraph when production state management starts mattering more than the role metaphor.

Pydantic AI treats every agent output as a typed Pydantic model, so validation, retries, and downstream serialization come for free. FastAPI-style decorators for tools and dependencies. The ceiling: Pydantic has weaker multi-agent primitives than CrewAI or LangGraph. It’s the best fit when the agent is a single loop that has to return validated data to a downstream service.

Mastra is the TypeScript answer: agents, workflows, RAG, and evals in one package, built by the ex-Gatsby founders, designed to drop into existing Next.js apps without a Python sidecar. The ceiling: smaller ecosystem and fewer production case studies than LangGraph. Choose Mastra when the team is already on TypeScript end to end and rewriting in Python isn’t on the table.1

The vendor SDKs (Claude Agent SDK, OpenAI Agents SDK, Google ADK) belong here too. Each one removes orchestration friction and locks the agent to one provider’s API. Pick one if you’re already committed to that provider and not planning to swap models.

Layer 2: Memory and state

The context window isn’t memory. Even at 200K tokens, every turn pays for the entire conversation again, and nothing survives the session. Production agents in 2026 keep memory in a dedicated layer that lives outside the prompt.2

Layer 2: Memory

Mem0 memory can be scoped to a user (persists across all their sessions), a session (just this conversation), or an agent (shared across all users of one agent). Hybrid storage combines vectors and a graph, with mature SDKs that plug into LangGraph, CrewAI, and Mastra. The project has 48,000+ GitHub stars. Mem0’s ECAI 2025 paper benchmarked Mem0 against 10 alternatives on LoCoMo and reported 92% lower latency and 93% fewer tokens versus naive full-context (the baseline every team replaces by week two), which translates to roughly 14x cheaper inference at the same recall.3 The ceiling: Mem0 treats memory as retrieval, returning the most similar facts to a query. Temporal reasoning, like “what did the user say last week that contradicts what they said today,” needs a graph that tracks edges between facts with timestamps.4

Zep/Graphiti is the temporal graph option. The knowledge graph layer handles entity resolution: figuring out that “Alice,” “alice@acme.com,” and “the CEO” all refer to the same person. It also tracks how relationships change over time, so the agent can answer, “What did this customer’s status look like in Q2?” or “When did the contract owner switch?” The trade-off is that graph construction is expensive. Zep’s memory footprint per conversation runs past 600,000 tokens versus Mem0’s 1,764, and immediate postingestion retrieval often fails because correct answers only appear after background graph processing completes. Choose Zep when the agent needs to reason about history and you can wait seconds, not milliseconds, between turns.

Letta (formerly MemGPT) treats memory like an operating system. Main context is RAM, archival memory is disk, and the agent decides what to promote into RAM, archive to disk, or forget. It’s fully open source, model agnostic, and self-hosted from day one. The architecture extends an agent’s effective context far beyond the LLM’s native window by paging memory in and out, the same trick operating systems use to give programs more virtual memory than physical RAM. The ceiling: You run the storage layer yourself. Letta is harder to deploy than calling a hosted Mem0 endpoint and harder to debug because memory decisions happen inside the agent at runtime.5

Engineering lesson. “Memory” means two different things in an agent system, and using one tool for both breaks both. Runtime state is the agent’s scratchpad mid-task: which node it’s at, what tools it called, what intermediate results it has. LangGraph’s PostgresSaver writes this after every step, so a crashed run resumes from the last node. Knowledge memory is what the agent learned across sessions: preferences, prior questions, and facts about the user. Mem0 and Zep store this. Conflate them and you get an agent that resumes a crashed run correctly but forgets the user the moment they open a new session, or one that remembers the user but can’t recover when it crashes mid-task.

Layer 3: Protocols and tools

Two years ago this layer was function calling: Each provider had its own JSON schema, and each framework wrapped them differently; switching models meant rewriting your tools.

In 2026 this layer is MCP. The Model Context Protocol is the open standard the Claude Agent SDK uses, that OpenAI Agents SDK supports natively, that Google ADK integrates with, that every serious framework now ships a client for. If you’re writing tools today, you’re writing MCP servers. If MCP itself is fuzzy, “What Is MCP?” is the prerequisite.

There’s no framework to pick at this layer. The orchestration choice from layer 1 already decided how MCP integrates.

Layer 3: Tool interface

FastMCP is the Python framework for writing MCP servers fast. Decorator-based and async-first, it’s the closest thing to FastAPI for MCP. mcp-agent is an orchestration framework built around MCP as the primary tool interface. Server lifecycle, multiserver routing, and prompt context handling are built in. With LangGraph or CrewAI, you write that integration code yourself. It’s worth looking at when your agent connects to several MCP servers and the integration code starts becoming the bottleneck.

Layer 4: Browsers and computer use

When the system the agent has to act on doesn’t expose an API, the toolkit has to act through screens. The 2026 field split into two architectural approaches: DOM-driven (parse the page, find elements, and click them) and vision-driven (screenshot the page, feed it to a vision model, and click pixels).

Layer 4: Browser/Computer use

Browser Use is the Python default. With 50,000+ GitHub stars, it’s one of the fastest-growing open source AI projects of 2025–2026. The LLM gets full control of the browser through an agent loop and integrates with LangChain, CrewAI, and custom frameworks. The ceiling: Every step costs an LLM call, which is fine for novel tasks and brutal for repeated workflows. Production teams cache the repeated 80% in Playwright (the deterministic browser automation library) and leave Browser Use for the 20% that needs reasoning.

Stagehand is the TypeScript answer. It’s an open source, MIT-licensed SDK from Browserbase, built as a layer on top of Playwright. Four primitives let the developer keep AI inference for the steps that need reasoning and use scripted Playwright code for the rest. Stagehand v3 (February 2026) rewrote the engine on top of Chrome DevTools Protocol and ships 44% faster.6 The ceiling: Production deployment runs through Browserbase’s managed cloud. The open source SDK is the on-ramp.7

Skyvern is the vision-first option. Each task runs through a three-phase pipeline: Planner breaks the goal into steps, actor sends a screenshot to a vision model and clicks the coordinates it returns, and validator confirms the page changed. Skyvern scores 85.85% on WebVoyager 2.0, the strongest published score on form-filling tasks in domains where the DOM is unreliable: canvas elements, React virtual DOMs nested in iframes, or antibot machinery. That score still translates to roughly one in seven multistep tasks failing. The ceiling: Vision-driven stacks lag DOM-driven ones by 12–17 points on common tasks and cost 4–8 times more per step.8

The production pattern in 2026 wires both in: DOM-driven as the primary path, Skyvern or Anthropic Computer Use or OpenAI CUA as the escape hatch when selectors keep failing on canvas elements or antibot screens. Edge surfaces are one of the four agent failure modes, and we cover all four in “Why AI Agents Keep Failing in Production.”

Layer 5: Coding agents and sandboxes

Coding agents are a category of their own now. They write code, run it, debug it when it breaks, and read docs to figure out what they got wrong. This layer ships with three things the other six don’t: a sandboxed filesystem to write and edit code without escaping into the host, terminal access to run builds, tests, and linters, and a browser tool because half the work involves reading docs. The category also has its own benchmark, SWE-bench Verified, a curated set of real GitHub issues an agent must resolve into a working PR. For the closed-source comparison, see “Cursor vs Claude Code.”

Layer 5: Coding agents

OpenHands (formerly OpenDevin) is the production-grade autonomous option. It has 72,000+ GitHub stars, completed a $18.8M Series A, and is used in production at AMD, Apple, Google, Amazon, Netflix, and NVIDIA. The event-stream architecture moves through four states per loop: Agent reasons, agent emits an action, environment executes it, environment returns an observation. Each session runs in an isolated Docker sandbox. The benchmark question for this category is what percentage of real-world bug tickets the agent can resolve end to end without human input. OpenHands scores 53%+ on SWE-bench Verified with Claude 4.5 and up to 72% with Claude 4 on the published platform results. The ceiling: The agent has shell access. Review can’t live inside OpenHands; it has to live at the PR.9

Aider is the terminal-native option. The original open source coding agent, it has 35,000+ GitHub stars and 13,100+ commits across 93 releases. It’s Git-integrated by design: Every change becomes a commit with an auto-generated message that names what it touched, so the entire agent session is in your git history. Architect/Editor mode splits the work between two models: A stronger one plans the edit, while a cheaper one writes the code. The split cuts cost 30%–40% versus running a top-tier model on every token. Aider scores 32% on SWE-bench Verified with Claude 4.5, well below OpenHands, but it ships fewer surprises because every action lands in Git. The ceiling: It’s terminal-only. There’s no IDE integration and no project-wide context beyond what Aider parses from the files you pass it.

Cline is the VS Code-native answer. It’s fully open source and modelagnostic, with 38,000+ GitHub stars, and it’s the only option here with a meaningful market share inside VS Code teams. Plan Mode and Act Mode separate intent from execution: Plan Mode drafts the change list and pauses for approval, and Act Mode executes the approved plan. Every action is reviewable before it touches the codebase, which is the design point engineering managers ask about first. Choose Cline when the team lives in VS Code and human review on each step is required by policy. The ceiling: It’s IDE-locked. JetBrains or Neovim teams should look at Continue or the terminal tools above.

Most teams running production coding agents in 2026 run two: one commercial (Claude Code, Codex) for hard tasks and one open source for flexibility and outages. “How Cursor Actually Works” shows what the leading commercial coding agent actually does under the hood.

Layer 6: Evals and observability

The evals and observability layer records what the agent did in production and tests what it can do before shipping. Tracing captures every LLM call, tool invocation, and cost, indexed by user and session, so when an output is wrong, you can replay the exact context that produced it. Evals are reproducible test suites the agent runs against fixed inputs with pass/fail criteria scored the same way every time. Production-grade agent teams in 2026 wire both in on day one. Skipping this layer is the most expensive mistake in agent engineering.

Layer 6: Evals & observability

Langfuse is the open source observability default. It’s open core with a generous self-hosted tier and native integrations with LangGraph, CrewAI, OpenAI Agents SDK, and Mastra. Every LLM call, tool invocation, and cost gets traced and indexed. The ceiling: Managed retention, SSO, and advanced eval features run on the SaaS plan. The self-hosted version covers tracing and dashboards.

Arize Phoenix is the OpenTelemetry-native alternative. Traces flow into the same Grafana, Datadog, or Honeycomb dashboards the rest of your stack already uses, so agent telemetry sits next to your API and service traces instead of in a separate tool. It’s strong on RAG evals and retrieval quality. The ceiling: Phoenix doesn’t ship opinionated agent-specific defaults. The pipeline assembly is on you.

Inspect AI is the UK AI Security Institute’s open source eval framework. The institute wrote it for safety evals: testing whether the agent refuses jailbreaks, leaks PII, or generates unsafe content. Frontier labs now use it for capability and alignment benchmarking too. The ceiling: Inspect is for offline evaluation. If you also need to see what the agent is doing live in production, you’ll want Langfuse or Phoenix next to it.

Engineering lesson. Wire tracing in on Day 1, before the first user. Setting up Langfuse or Phoenix at project start is a couple of hours of config work. Without those records, debugging a production failure means guessing which prompt version, which user input, and which tool sequence produced it.

Layer 7: Models and inference

Every step an agent takes is at least one inference call, often more. The engine running those calls, the software wrapping the GPU, batching requests, and managing the KV cache, sets the cost floor for everything else. Hosted API agents inherit their provider’s engine. Self-hosted agents pick their own, and the pick determines what the agent costs to run at scale.

Layer 7: Inference

vLLM is the production serving default for open-weight models. Its core innovation is PagedAttention, a memory management trick that splits the KV cache into fixed-size blocks so multiple requests share GPU memory without wasted space. Combined with continuous batching, it produces the highest throughput-per-dollar in the field. The ceiling: vLLM is GPU only and optimization heavy, and it assumes the operator knows what KV cache means.

Ollama is the local default. After a one-line install, it downloads quantized models from a registry and exposes an OpenAI-compatible API. Quantization compresses weights from 16 bits down to 4 or 8, trading a small accuracy hit for fitting in laptop RAM. The ceiling: Ollama isn’t a production serving layer past a single user.

llama.cpp is the engine Ollama runs on top of. Pure C++ with no GPU dependency, it runs LLMs on CPU, Apple Silicon, Raspberry Pi, and anything else with enough RAM. The project also defined GGUF, the file format used to ship quantized open-weight models, so the same model file runs across every llama.cpp-based tool unchanged. The ceiling: CPU throughput sits well below GPU serving, which makes llama.cpp the right pick for local and offline workloads only.

SGLang is the newer challenger. Two design choices set it apart. First, when many requests share an opening prompt, SGLang caches the computation of that prefix once and reuses it, instead of recomputing it for every call. Second, when the agent needs JSON output, SGLang enforces the schema inside the inference engine itself, so the model can’t generate invalid JSON in the first place. On agent workloads, SGLang benchmarks faster than vLLM. The ceiling: There’s a smaller community and fewer integrations, and it’s less battle-tested than vLLM in production at scale.

What Does NVIDIA Actually Do?” breaks down the hardware layer every engine in this section ultimately runs on.

The seven layers don’t compose

The instinct when reading a seven-layer diagram is to assume the layers compose vertically: Pick layer 1, that constrains layer 2, which constrains layer 3, and the right toolkit is the one where every box fits together.

Most agent rewrites in 2026 trace back to a team that built on that assumption. No ecosystem is best in class at all seven layers, and the integrations between layers were never designed to compose. They meet at thin seams: a config file, an import, an HTTP call. . .

The seven layers are seven independent decisions. Each one has a dominant constraint that picks the winner. Four constraints decide most picks: latency budget, audit trail, model portability, and language stack.

Pick by constraint

The four constraints rarely point at the same winner. Latency-first stacks pull toward Mem0 and vLLM. Audit-first stacks pull toward LangGraph and Langfuse. Model portability pulls away from vendor SDKs. Language stack pulls toward Mastra or Pydantic AI. Trying to satisfy all four with one ecosystem means picking the average tool at every layer instead of the best one at each.

The reframe: An agent’s toolkit is seven small bets, each with a single dominant constraint, and each made independently. The teams shipping reliable agents in 2026 are the ones who picked the best tool per layer and accepted that integrating the seams is part of the job.

The agent stack cheat sheet

Before swapping any layer in a production agent, check this table first. The state column tells you how much you have to migrate. The lock-in column tells you what you’re giving up if you switch. The demo-to-prod column tells you how long the swap will actually take.

The Agent Stack Cheat Sheet

Footnotes

  1. Agentic AI Frameworks 2026: Production Comparison of 15 Frameworks (May 2026) ↩
  2. State of AI Agent Memory 2026: Benchmarks, Architectures & Production Gaps (May 2026) ↩
  3. Building Production-Ready AI Agents with Scalable Long-Term Memory (Mem0 ECAI 2025 paper) (Apr. 2025) ↩
  4. Building Production-Ready AI Agents with Scalable Long-Term Memory (Mem0 ECAI 2025 paper) (Apr. 2025) ↩
  5. AI Agent Memory Systems in 2026: Zep, Mem0, Letta, and dual-layer architectures (Apr. 2026) ↩
  6. Browser Tools for AI Agents Part 2: The Framework Wars (Apr. 2026) ↩
  7. Browser Automation AI Agents: Playwright vs Stagehand (Apr. 2026) ↩
  8. Best Open-Source Web Agents in 2026 (Skyvern WebVoyager benchmark) (Apr. 2026) ↩
  9. Devin vs OpenHands vs SWE-agent: Top AI Coding Agents 2026 (Mar. 2026) ↩

12:14

A Video Screen That Is Also a Camera [Schneier on Security]

Amazing:

Researchers from ETH Zurich in Switzerland, however, managed to create a new type of pixel that can simultaneously do both. This hypercharged pixel, called a Fourier pixel, can generate and sense arbitrary light fields and tap into a pixel’s full potential for carrying information by manipulating light’s intensity, oscillation phases, and polarization. The team reported its findings in a paper published yesterday in Nature.

We are one step closer to 1984 technology:

The telescreen received and transmitted simultaneously. Any sound that Winston made, above the level of a very low whisper, would be picked up by it; moreover, so long as he remained within the field of vision which the metal plaque commanded, he could be seen as well as heard. There was of course no way of knowing whether you were being watched at any given moment.

Paper.

10:07

Disposable software [Seth's Blog]

Even though it’s invisible, easily transported and weightless, software used to stick around. It took years to architect and build a complex bit of software, and thousands of people to help maintain it. Even a complex website could be seen as a durable technical asset.

Now, with Claude Code on everyone’s desk, new software is often easier to write than old software is to maintain.

No one gives a second thought to disposable cups or bottles–and we’re in the midst of an explosion of temporary and disposable software that will dwarf what came before.

And yet, one thing persists: The network.

When an organization is at the center of a network, it doesn’t matter if a competitor makes a fresh new piece of software. The network sticks around.

A vibrant network is more valuable than ever. People like us are here, doing things like this. Why would we go over there?

09:28

Rex Ready Player One, Part Five [Penny Arcade]

New Comic: Rex Ready Player One, Part Five

09:07

Steinar H. Gunderson: Looking at dpkg startup time [Planet Debian]

Five years or so ago, I had a look at trying to speed up dpkg's package installation; I concluded that it was probably possible to speed up, but that there was no appetite for this kind of large-scale changes. (You'd probably need to rewrite the transaction system to get rid of a lot of fsyncs, you'd ideally want to reduce the number of syscalls for unpack by io_uring and so on.)

This summer, I've been looking at something related on and off; it is possible to speed up the startup time? That's in a sense the opposite scenario; instead of installing lots of packages in a newly debootstrapped chroot (with very few packages), see how fast you can install one in a much more busy chroot (I just copied my laptop's dpkg dir, with ~6600 packages installed).

Before I show the numbers, I must stress that this is an investigation, not a fair benchmark, and you should not go shout at the dpkg maintainers that they need to get to “catch up”. That said:

> sudo time dpkg --root=root -i hello_2.12.3-1_amd64.deb >/dev/null
Not building database; man-db/auto-update is not 'true'.
1.12user 0.49system 0:01.85elapsed 87%CPU (0avgtext+0avgdata 171880maxresident)k
0inputs+14648outputs (0major+72963minor)pagefaults 0swaps

> sudo time ./src/dpkg --root=root -i hello_2.12.3-1_amd64.deb > /dev/null
0.04user 0.01system 0:00.15elapsed 38%CPU (0avgtext+0avgdata 6520maxresident)k
0inputs+1080outputs (0major+2705minor)pagefaults 0swaps

How is it unfair? Well, for one, the code to run triggers is messed up so they're not run (but the trigger in question should be very fast). And there's one step at the end with detecting “disappearing packages” that doesn't run properly because it's a bit tricky in my model and I didn't want to deal with, well, difficult problems. But I think both are perfectly doable without really affecting the end time, it just requires engineering. There's a lot of work to be done, though; diving into the code makes me shudder at all the complexities that need to be in place to support all the corner cases of multiarch, for instance.

The code is extremely proof-of-concept, but it runs and can read (and write) metadata from SQLite instead of flat text files, it can resolve dependencies in the most basic fashion, it can keep track of installed files, it should be crash- and powerloss-proof. You know, the very very basic stuff, and without changing the model fundamentally (like e.g. Michael Stapelberg did with distri, fundamentally replacing packages with disk images and ending up in a very fast but rather different-looking system). So it was satisfying to see that it ends up around 10x even on my not-very-new laptop (plus a significant RAM reduction); I believe it should be possible to squeeze under 100 ms, but that would probably require also optimizing the unpacking itself, which I didn't look at this time.

Having a bunch of files being read into RAM and then processed freely was a design that made a lot of sense when dpkg was written (in 1995!) and Debian had ~250 binary packages in total (and you probably wouldn't install all of them). There was no reasonable database available for desktop systems; the closest thing you'd have was probably BerkeleyDB and that wasn't really it, so flat files and fsync made a lot of sense, and was easy to manipulate and persist. But now, SQLite is widely available and probably the most battle-tested code in history, a typical system has thousands of packages (you could easily install tens of thousands if you're doing heavy development), SSDs have replaced HDDs almost everywhere for system disks, and the environment has just changed a lot in general. So I hope that someone at some point will be crazy enough to pick this up and run with it, because it's a lot of work and I don't intend to. :-)

PS: I didn't look at apt; I think what I'd really love to see first and foremost is a package format change so that apt-listchanges can look at (or look for) NEWS.gz without having to unpack the entire package. Perhaps a control field saying “nothing new here”?

Russell Coker: libproc-processtable-perl in Debian [Planet Debian]

I’ve just filed a Debian bug report about libproc-processtable-perl giving bad errors when SE Linux denies access to files under /proc [1].

Ran into unknown state (hex char: 0) at /tmp/test.pl line 8.

The errors are of the above form which Google didn’t find before now so obviously isn’t a common situation, below is my test program.

#!/usr/bin/perl
use strict;

use Proc::ProcessTable;

my $process_table = new Proc::ProcessTable('cache_ttys' => 0 );

foreach my $process ( @{$process_table->table} )
{
  print $process->fname . "\n";
}

Here is the relevant part of strace output:

newfstatat(AT_FDCWD, "/proc/2", 0x7fff19533c10, 0) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/proc/2/stat", O_RDONLY) = -1 EACCES (Permission denied)
access("/proc/2", F_OK)                 = 0
write(2, "Ran into unknown state (hex char: 0) at /tmp/test.pl line 8.\n", 61) = 61

Below is the apt sources.list line for my personal repository which has a version of the package with this fix. The gpg key is in the etbe-base package in that repository and the source is all there. To access it without apt use this web page [2].

deb [signed-by=/usr/share/keyrings/etbe.gpg arch=amd64 ] https://www.coker.com.au trixie misc

I’ve also done some work on the ps.monitor script in etbe-mon that uses this Perl package and made it better handle program names longer than 15 characters. That improvement apparently only works on Linux, Darwin, and Cygwin. People who want things to work better on BSD etc could patch libproc-processtable-perl accordingly.

07:35

Freexian Collaborators: Debian Contributions: Python 3.14 as default transition, DebConf 26 preparations, debvm, pconr and more! (by Anupa Ann Joseph) [Planet Debian]

Debian Contributions: 2026-06

Contributing to Debian is part of Freexian’s mission. This article covers the latest achievements of Freexian and their collaborators. All of this is made possible by organizations subscribing to our Long Term Support contracts and consulting services.

Python 3.14 as default transition, by Stefano Rivera

Debian has had Python 3.13 and 3.14 in unstable and testing since December 2025, with Python 3.13 as the default version (/usr/bin/python3 = 3.13). This gave time for packages to implement support and detect issues in their test suites.

A slot to transition to 3.14 as default was requested from the release team in March, and they indicated that we would likely be able to schedule it in late June. In preparation, Stefano reviewed the open bugs against Python interpreters and squashed some in uploads of the latest point releases of Python: 3.13.14 and 3.14.6. Also in June, Python 3.15.0 beta 2 and beta 3 released. Stefano uploaded these to Debian experimental.

The 3.15 betas were reason to attempt to revive review of a blocked upstream patch to support Debian multiarch in stable ABI Python extensions, now that Python 3.15 is adding a new stable ABI abi3t.

DebConf 26 preparations, by Stefano Rivera, Antonio Terceiro, Lucas Kanashiro, Santiago Ruano Rincón and Anupa Ann Joseph

DebConf 26, the annual Debian Developer Conference, is being held in Santa Fe, Argentina, in July. Stefano Rivera, Antonio Terceiro, Lucas Kanashiro, Santiago Ruano and Anupa Ann Joseph contributed to the preparations for the event.

  • As usual, Stefano has been supporting the conference website and registration, helping the local team to get accurate data on attendee numbers.
  • Antonio has been supporting the conference website and helping the content team to put together the conference schedule.
  • Santiago has been helping the local team on different topics regarding logistics.
  • Anupa assisted with the accommodation arrangements for DebCamp and DebConf, working alongside Nattie.
  • Lucas has been coordinating the conference schedule and communicating with some speakers.

debvm, by Helmut Grohne

The debvm tool used for creating and running ephemeral virtual machines saw a number of small improvements. The requirement of having a filesystem label has been removed in favor of using a uuid and /etc/fstab is no longer created. A memory balloon is enabled by default and this enables qemu to automatically release free guest memory to the host. Booting Ubuntu VMs regressed as a result of their use of uutils and has been fixed. The --architecture flag is back to be able to better support Hurd, which is a work-in-progress of Johannes Schauer Marin Rodrigues. Thanks to Jochen Sprickerhof, you can more easily create VMs for autopkgtest-virt-qemu using --hook-dir=/usr/share/mmdebstrap/hooks/autopkgtest-create-qemu. There also are a few documentation and error message improvements. All of this is pending in git waiting to be uploaded once development slows down. While booting a machine from virtiofsd succeeded, turning the proof-of-concept into production remains for later.

pconr, by Helmut Grohne

At DebConf25, Helmut reported on a schroot substitute called unschroot. The second iteration uses varlink IPC to construct a container. That varlink API is now separated into a new project called programmable container runtime. It is meant to provide more flexibility in constructing containers than established solutions such as the unshare command from util-linux, bubblewrap or podman provide while still managing repetitive complexity such as process orchestration for the developer. A new example that uses this infrastructure is a better containment for mmdebstrap eliminating chroot escape. There also is an asyncvarlink/0.3.2 release taking steps to become more maintainable in Debian to eventually get pconr into Debian.

Miscellaneous contributions

  • Stefano did routine uploads (mostly new upstream versions) of python-pip, python-pipx, hatchling, dh-python, beautifulsoup4, python-virtualenv, python-mitogen.
  • Stefano uploaded a snowball mini-transition: snowball, snowball-data, and pystemmer
  • Stefano did some debian.net team admin, setting up a container and later a VM for vote.debian.net.
  • Stefano responded to a semi-escalation to the Debian Technical Committee, after some communication between an upstream, a bug reporter, and a Debian package maintainer went sideways and got heated.
  • Emilio managed several transitions, and filed bugs against the few remaining GCC 13 rdeps.
  • Antonio did salsa maintenance work, debugging service issues, approving user registrations, and processing support requests.
  • Antonio worked on Debian CI maintenance, including but not limited to deploying new armhf and armel workers, fixing bugs and preparing an upcoming release of debci.
  • Antonio did several maintenance tasks for MiniDebConf websites.
  • Antonio uploaded ruby-bunny, ruby-sinatra and ruby-mustermann, fixing a few FTBFS bugs among them.
  • Carles using po-debconf-manager: Reviewed Catalan translations for 5 packages, submitted 6 packages. Added a draft blog/update about the po-debconf-manager project.
  • Carles submitted a new Geeqie Catalan translation: it had accumulated a large number of untranslated strings over the last 4 years.
  • Carles contributed to the Debian wiki: improved documentation for the Framework Laptop and added a new section “Battery charging control” (after doing some debugging and testing). He wrote a page about Signal Desktop. Carles started looking at testing/documenting Mailman2 -> Mailman3 migration.
  • Carles, in relation to the migration process, double checked old pages without relevant information in the Debian wiki.
  • Thorsten did another upload of package hplip to fix some bugs.
  • In the context of the Google Summer of Code 2026 project, Santiago continued co-mentoring Aryan Karamtoth, who is working on the Linux live-patching project. As part of the team, Santiago guided Aryan to help design the different workflows and to study the different tools available, including the upstream klp-build (that was introduced in v6.19), and compare it with SUSE’s klp-build.
  • Colin clarified the bug tracking system’s documentation to indicate that maintainers may sometimes reasonably ask users to file bugs upstream themselves.
  • Colin fixed 15 packages for pytest 9.1.
  • Colin fixed a depthcharge-tools regression with Python 3.14 as default that broke debian-installer builds.
  • Helmut continued to report undeclared file conflicts and correspond about them.
  • Helmut wrote patches for strace to enable cross building and a 32bit personality on arm64.
  • Helmut continued maintaining rebootstrap working fixing build failures in fontconfig, gettext and sqlite3 as well as changing the way packages from gcc builds are installed to better serve a need reported by Samuel Thibault.

06:21

The Flamingo Revolution protest in Albania [Richard Stallman's Political Notes]

The Guardian view on the flamingo revolution: Albanians are standing up for their rights, as well as for nature.

And also against the prime minister's evident surrender to the corrupter — a bad sign about any politician.

Urgent: US citizens call Big Banks not harass [Richard Stallman's Political Notes]

US citizens: call on big banks not to harass non-citizens for the bully.

Check this action

See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.

Girl Genius for Wednesday, July 15, 2026 [Girl Genius]

The Girl Genius comic for Wednesday, July 15, 2026 has been posted.

03:49

Do Not Perceive Him [QC RSS v2]

"perceive" is one of those words I always misspell even though it follows the "i before e, except after c" rule

03:42

Dirk Eddelbuettel: qlcal 0.1.2 on CRAN: Fresh Upstream Updates [Planet Debian]

The twentieth release of the qlcal package arrivied at CRAN today, and has been built for r2u. This version synchronises with QuantLib 1.43 released today as well.

qlcal delivers the calendaring parts of QuantLib. It is provided (for the R package) as a set of included files, so the package is self-contained and does not depend on an external QuantLib library (which can be demanding to build). qlcal covers over seventy country / market calendars and can compute holiday lists, its complement (i.e. business day lists) and much more. Examples are in the README at the repository, the package page, and course at the CRAN package page.

This releases updates to several new calendars (see below), and extends the calendars for Israel to some added new conventions, updates a few helper functions, and turns on ccache for continuous integration builds.

The full details from NEWS.Rd follow.

Changes in version 0.1.2 (2026-07-14)

  • Synchronized with QuantLib 1.43

  • Calendar updates for India, Israel, and South Korea; small interface update for Israle

  • New calendars for Croatia, Malta, Montenegro, North Macedonia, Serbia, Slovenia, Uzebekistan

  • Updates to a number of QuantLib helper functions

  • Continuous integration now uses ccache via a setup action

Courtesy of my CRANberries, there is a diffstat report for this release. See the project page and package documentation for more details, and more examples.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can sponsor me at GitHub.

00:35

Haiku gets NetBSD’s NVMM, beta 6 release planned for August [OSnews]

Haiku has another buy month of development activity to detail, and there’s a big ticket item this time, even if the developers themselves don’t consider it so.

The thing that should be the biggest news item this month is that the GSoC 2024 work to port “NVMM”, the NetBSD Virtual Machine Monitor (which runs on more than just NetBSD, despite the name), providing hardware-accelerated virtualization support for QEMU, was finally merged. Unfortunately it still doesn’t fully work, so it’s still disabled by default: hence, it’s only a minor news item, unfortunately.

↫ waddlesplash on Haiku’s website

It may not work due to – so far – not well-understood problems causing any complex virtualised operating system to crash in a variety of ways, but since these problems seem related not to NVMM but Haiku itself, I still think this is a big piece of news. If the problems can be addressed, Haiku will have proper virtualisation, which is crazy to think about. There’s a forum thread in case you wish to help out with this effort.

Other than this major news, there’s the usual list of small fixes and changes, including preliminary work on USB Ethernet support, which, when working, could be very welcome news for people whose onboard Ethernet doesn’t work with Haiku. The team also believes a beta 6 might actually be released this August, but once again I’d like to underline that Haiku’s nightlies work just fine, and you really don’t need to wait for a beta.

People are starting to think twice about buying Facebook’s pervert glasses [OSnews]

I have yet to see any of these creepy camera glasses Facebook (and a few other companies) are selling. One of the many benefits of living in Arctic Sweden, where people are reserved, keep their their distance, and try not to draw attention to themselves, is that new technology fads don’t really permeate society here. The odds of me spotting one of these creepy predator glasses in my remote town are incredibly slim, and to me, that’s a feature, not a bug.

Meanwhile, in places where these creepy things can actually be found in the wild, a backlash is thankfully growing.

Will Kujawa, a freelance video producer, said that he has been thinking about buying a pair of Meta glasses with prescription lenses to film behind the scenes content during his shoots, but the online backlash has given him second thoughts. He says he was “blown away by how mean some of the people were” in response to his social media posts about considering buying a pair.

“I saw all these comments about if you wear those glasses you’re basically a predator or a creep, and I was like, ‘oh, maybe it’s not a good idea to have those,'” he told Engadget. But he says he understands why people have concerns. “I didn’t really think that through all the way … there are a lot of times where it’s not appropriate to wear cameras on your face. And even though I would have no intention of do[ing] anything creepy with them, it didn’t even occur to me [that] other people just assume that automatically.”

↫ Karissa Bell at Engadget

I can maybe see a use for these things in specific professional environments, but even then, obviously not ones made by Facebook, one of the, if not the creepiest companies in technology history. If I were to see anyone out here in the real world using one these things, I, too, would automatically assume that the guy (statistically speaking) wearing them is a creep. I can only imagine what the people most often targeted by creepy men would think encountering some rando wearing these.

Clearly, these things should be made illegal outside of specific professional environments where they could potentially be useful. While it’s impossible to stop tools like these from making their way into the hands of creeps, it at least provides the justice system with a clear method of nailing them to the wall. They didn’t get Al Capone for any of his violent crimes – they nailed him for tax evasion.

Tuesday, 14 July

23:49

The GDID really isn’t the only way Microsoft can track Windows users [OSnews]

In what should be a surprise to absolutely nobody, Microsoft assigns a persistent identifier to every Windows installation, tying it to its user, and the company has no issues handing it over to law enforcement. Abhijith M B at windows Latest dove into the details, and it’s just as bad as you would expect.

Am I glad Stokes got caught? Yes, without hesitation. Thirty-five pages of a teenager bragging about diamond chains spelling out “HACK THE PLANET” while extorting a jewelry store don’t leave much room for sympathy, whatever role Microsoft’s telemetry played in building the case.

But that doesn’t make the GDID okay. Every company selling you software has some version of this, and a persistent device identity is a reasonable thing to build into activation and fraud systems. What gets me is that most people had never come across the term GDID before a federal court filing such as this. Microsoft wrote one sentence about it in an Azure Monitor reference table meant for enterprise IT admins pulling update reports, not for the 1.6 billion or so regular people whose PCs are generating this data.

You might be tech savvy enough to turn off Activity History, pick a local account, and strip out every scrap of optional telemetry, but none of it changes the fact that the identifier exists, and that it answers to your Microsoft Account instead of you. Microsoft only told the public about it once a court forced the issue.

↫ Abhijith M B at windows Latest

The thing is, even without this GDID, I can’t imagine Microsoft would have much trouble tying a Windows installation to a specific user. Consequently, I’m afraid the following is going to happen: this story gains even more traction, Microsoft removes the GDID, and everyone thinks the problem is resolved. Of course, in reality, any one of the hundreds of other metrics and data Microsoft collects can and will still be used in the exact same way as this GDID thing in this case.

If my experiences with Windows 11 weren’t clear enough – don’t use Windows. Just don’t.

23:35

Link [Scripting News]

demo.rss.chat: "This is a writing surface."

23:00

20:42

A Very Unimportant Experiment Regarding Nuts [Whatever]

Yesterday, I wanted a canister of nuts as a snack from Kroger, and I bought this Blue Diamond Honey Roasted Almond, Cashew, & Pistachio Mix. I love honey roasted nuts, and cashews and pistachios are two of my favorite nuts, so it sounded like a great mix. It was ten dollars.

When I opened it at home, I looked in the canister and immediately felt like what I was seeing was 80% almonds. I could’ve guessed as much. Everyone knows cashews are pistachios are the real prize here. But then I wondered, was the mix really 80% almonds? It was time to count.

I dumped out the entire canister in a bowl and sorted through all three types of nuts. I know what you’re thinking. Isn’t this a huge waste of time? Well, it’s not that huge. It only took like five minutes. But… yeah, maybe. Anyways, guess how many there were of each nut?

Cashews came first, and I counted just about 65 cashews. I say just about because there’s always half-pieces or broken chunks. But I can confidently say that it contained roughly 65 cashews. As for the pistachios, there were more than I expected, getting up to 80 pistachios. They’re little, after all. Finally, the moment of truth. How many almonds made up this undoubtedly mostly-almond-mix? 150 almonds. My canister was just over half almonds, with the other two nuts making up around 25% each.

So, basically, there were twice as many almonds as there were the other two nuts. Absolutely fascinating. I was wrong about the mix being 80% almonds, but it’s definitely almondlicious.

I am curious to see if anyone else who gets this mix has a similar result. That’s all I have to say on the matter. Good day.

-AMS

19:00

Link [Scripting News]

rss.chat is meant to be like MacWrite was on early Macs, give developers something to think about and lots of prior art for them to steal. All we want in return is interop. ;-)

Link [Scripting News]

Speaking of AI, someone at Amazon decided I needed the new AI version of Alexa. I hate it. It's slow and it always makes the same mistake when I start breakfast. I say "Alexa WNYC" to which it responds, after a few seconds, I will now play you a mix of your favorite songs From Amazon Music." So first thing in the morning I have to tell this stranger in my freaking kitchen no I meant WNYC, which it then turns me over to. I learned on FB that if you tell it to go away it will, after a short discussion about how much you will be missing. Yeah sure, go away, goodbye, please no more of this.

18:21

The Linux.org story [LWN.net]

Rob Kennedy has posted the story of the birth of Linux.org — one of the earliest Linux-related web sites — and its more recent rebirth.

The site was founded in May 1994 by Michael McLagan, at a time when Linux itself was barely three years old. Linus Torvalds had only just released it to the world, there was no real way for a newcomer to find their footing, no search engines, no Wikipedia, none of the infrastructure people take for granted now for figuring out a new piece of technology. Michael built linux.org to fill that gap, a place for people to learn about Linux and follow the movement as it grew.

18:14

Link [Scripting News]

If Bernie Sanders or AOC knew what we were doing here they would be turning somersaults. The tech right now is too esoteric. When they can join a community that works like this does, with full text, and the ability to communicate from one pod to another. Pod actually is a good name for what I have in mind, that and karass.

Link [Scripting News]

Someone on Masto who I blocked used a nasty word to descript rss.chat. Let me be really clear here, this is an act of authorship by me. Claude is helping, a lot -- I doubt if I could have done this without its help, certainly not in the amount of time it has taken so far. And Claude could not have done it without me driving. It's basically good at a few things, but this is new territory, even I am feeling my way through this project. In many parts we have lots of prior art, but in how the whole thing hangs together, this is new territory. Having Claude is like having a car would be to someone who couldn't drive. All of a sudden you can go places. It takes a while to learn how to use that power, and so far the learning has not come close to leveling off. You couldn't find someone better in the world to do this project, and I'm working on this every day.

17:28

Upcoming Speaking Engagements [Schneier on Security]

This is a current list of where and when I am scheduled to speak:

  • I’m speaking (virtually) at the Policy-Relevant Privacy Research Workshop in Calgary, Canada, on Monday, July 20, 2026.
  • I’m speaking at Boston Leadership Exchange in Boston, Massachusetts, USA, on Wednesday, July 22, 2026.
  • I’m speaking at Cognitive Security Conference in Las Vegas, Nevada, USA. The conference runs August 6-7, 2026; my speaking time is TBD.
  • I’m speaking at DEF CON 34 in Las Vegas, Nevada, USA. The conventions runs August 6-9, 2026; my speaking time is TBD.
  • I’m speaking at LAcon V in Anaheim, California, USA. The convention runs August 27-31, 2026, and my speaking time is TBD.
  • I’m speaking at CanSecWest 2026 in Vancouver, Canada. The conference runs September 30–October 1, 2026; the time of my talk is TBD.

The list is maintained on this page.

16:42

Link [Scripting News]

I set up demo.rss.chat yesterday so people can try out the software. No guarantee that this is going to run for any period of time, so don't post things there that you want to be around for a long time.

15:28

The Big Idea: Arvind Ethan David [Whatever]

The world makes up stories and stories make up the world. Author Arvind Ethan David aims to challenge the narrative of some of these stories in the Big Idea for his newest novel, The Great Game. Follow along as he tells you about some of the greats, and questions if they’re really all they’re cracked up to be.

ARVIND ETHAN DAVID:

I Broke into Someone Else’s Universe. Here’s What I Found

In The Great Game, my hero, Balvinder Dev Singh, an Indian war veteran and aspiring British barrister, comes head-to-head with Sherlock Holmes, Winston Churchill and a feral teenager who may or may not be John Clayton, Lord of Greystoke Manor. My intention in the novel was to write an original thriller that was both satisfying in its own right, and perhaps has something interesting to say about empire, colonialism and the canon of British imperial literature. 

Except, I knew I was running the risk that it might also look and sound a lot like fanfiction.

In my writing career so far, I’ve spent a lot of time adapting the work of writers whose work I revere. From Douglas Adams to Raymond Chandler, P. G. Wodehouse, and Neil Gaiman, I’ve been privileged to play in some big, extraordinary universes created by legends. There is nothing like writing in the marginalia of a maestro to force you to raise your game. To write a joke about physics that can stand next to one Douglas Adams wrote, to craft a simile that can hold its own next to Wodehouse, or to describe a dame who Raymond Chandler first described—these are hair-raising, teeth-grinding experiences, and I have the scars from surviving them.

Early in the process of writing the novel, that challenge was made by some who I love and respect — a bestselling author friend and my editor — both of whom suggested that my book might be viewed as less serious or less original because I was borrowing other people’s characters and settings. Basically they said, “folks might think you’re just doing derivative fanfic.”

That was of course not my intention, so I spent a lot of time thinking about it, but ultimately, I had to do what I had to do. To me, the whole point was to play in this particular canon. Here’s why.

Firstly, the idea that borrowing another’s universe is derivative is, it turns out, a comparatively recent convention, born of modern copyright law and perhaps some post-Romantic notion of the lone original genius. For most of the recorded history of literature, it was not the exception but the norm.

Ovid’s Metamorphoses is a kind of mash-up of all Greek myth. The Arthurian legends are the result of a constantly reinvented mixtape, spun by successive generations of authors and poets — from Chrétien de Troyes in the twelfth century to Malory in the fifteenth, to T. H. White and Lev Grossman in our own era — each reinventing the legend through the prism of their times, none of them having invented the universe they so beautifully inhabited.

Shakespeare, of course, made up almost none of his plots or characters, pillaging history, myth, and the work of other writers indiscriminately and without apology or acknowledgement—and we don’t consider him a less original or serious writer because of it. 

Indeed, if you step back and think about what a story is, it makes total sense. Stories, in evolutionary terms, are the common currency, the shared atmosphere of culture and civilization. From every myth of creation to the excuse you give yourself for being habitually late, stories are the psyche’s scaffolding with which we navigate existence. So, of course, it makes sense that certain myths, certain stories become pervasive in our culture and, once pervasive, prove more, not less, fertile ground in which new narratives can be planted.

I would argue that imperial adventure fiction—the breadth of writing from Rudyard Kipling and H.G. Wells, via Arthur Conan Doyle to Edgar Rice Burroughs—is one such mythic narrative. It is larger than any single author and larger than any single character, but the characters who inhabit it remain, a century or more since their birth, powerful and potent in our collective imagination: Sherlock Holmes, Tarzan, Mowgli, Kim, Captain Nemo.

The reason is that this body of work shares one animating instinct: to glamorize and justify, explain and contextualize the imperial system—the system that enabled Britain to create and maintain its empire with sword and fire for almost 200 years. Edward Said made this argument best in Orientalism. This is not to suggest that every author or every character was an ardent imperialist, although Kipling certainly was.

Today, whilst the British Empire has come and gone, the notion of empire remains an animating instinct in our global political moment, whether we speak of the American hegemon in decline, China in ascendance, or the dangerous death throes of the Russian bear. That is why these stories remain as potent and resonant as ever.

In The Great Game, I’m having a conversation with this tradition, interrogating the canon and asking the question: can the form of the imperialist adventure mystery hold when inhabited by a brown protagonist, by a colonial subject standing in its center and taking on its titans with his own ferocious rage and questioning intelligence?

For example, I have a scene in which Balvinder confronts Dr. Watson by pointing out that his account of The Sign of the Four displays appalling ignorance about India and Indians—that the orient and orientals in these adventure stories are always treated as the object, as the other, never as the subject and certainly not as the hero. Which doesn’t make them less good stories, just more blinkered ones.

I’m also asking whether I, as a brown author, as a person of color who enters the canon from the outside—who has always loved Sherlock unthinkingly as a child but now finds that loved tainted by the realization that the order that Sherlock seeks to uphold is the order of the Empire — can write a story that both honors the great detective and holds him accountable? 

If I contribute to the canon, have I changed what the canon is, introducing a few drops of my own seven percent solution of decolonization into an imperialist mix?

I don’t know, inject it and see.


The Great Game: Amazon|Bookshop|Barnes & Noble

Author’s Socials: Website|Instagram|Facebook|Bluesky

15:21

Call for topics for the 2026 Maintainers Summit [LWN.net]

The Maintainers Summit is an annual, invitation-only gathering of kernel developers and maintainers to discuss development-process issues; see LWN's 2025 Maintainers Summit coverage for an example. The call for topics for the 2026 gathering (Prague, October 8) has gone out. One of the best ways to obtain an invitation to the Summit is with a good topic proposal. For best consideration, topics should be submitted before July 24.

15:14

Microspeak: Double-click and drill down [The Old New Thing]

Recall that Microspeak is not merely for jargon exclusive to Microsoft, but it’s jargon that you need to know to survive at Microsoft.

For most of my career at Microsoft, the term used by people who want to sound important to say that they want to delve more deeply into a topic was to drill down. Here are some citations, suitably anonymized.

Bob added a section on accessibility. We may need to drill down into specifics for each of the requirements.

We conducted a survey to determine how people use our feature. They broke down into four general categories listed here. Let’s drill down a bit further into each of these categories.

The verb phrase got nouned as drill-down, referring to the result of drilling down.

Here is the drill-down.

And it’s also an adjective, meaning “related to the act of drilling down”.

From that number, two drill-down paths exist.

The term has even gained official recognition in the Microsoft Writing Style Guide, with its own entry with guidance on proper use. Note that it approves the use of the term in the context of data analysis and discourages its metaphorical use.

drill down, drill up, drill through

It’s OK to use drill down, drill up, and drill through in content about data and the reports generated from them.

Two words as a verb. Hyphenate drill-down and drill-up as adjectives. Note that drillthrough as a noun or an adjective is one word, no hyphen.

Examples

If you have grouped items in your PivotTable, you can drill down on a group name. Then, you can drill back up to analyze summary data.

Using drill-down and drill-up actions, you can expand and collapse sections within a report to find the data that interests you the most.

If you add the ability to drill through on an existing mining model, the model must be reprocessed before you can drill through to the data.

Use a drillthrough query to retrieve details from the underlying cases or structure data. Drillthrough is useful if you want to see additional details from the case data.

Don’t use to mean following a path (such as folders) or giving something further examination.

Example

Microsoft MVPs joined an in-depth discussion about Azure security management solutions.

The anti-guidance helpfully gives us a definition of drill down as Microspeak: “To give something further examination.”

All of these usages of drill down (including the metaphorical ones) are still in wide use, but around the year 2020 or 2021, I encountered a new term that means roughly the same thing, but much more jargony.

I’m referring to double-click, which was covered by The Wall Street Journal and amplified by the Language Log in 2024.

As far as I can tell, double-click means about the same thing as drill down, but in a more jargony, cringy way. Finding citations for this use is more difficult because it appears to be primarily used in speech and not writing. I guess everyone is too embarrassed to write it in a document.

There are currently no resources devoted to designing a tutorial. Once we have resources, we can double-click on the journey for how users can find it.

Person 1: If the user clicks the button, we will take them to a settings page where they can enable their widgets.

Person 2: I want to double-click on this experience. Why does the user need to explicitly enable their widgets? Is there a path where we can enable them by default?

I wish people would stop using the term double-click in this way. It bothers me about as much as the nounified ask.

The post Microspeak: Double-click and drill down appeared first on The Old New Thing.

14:35

[$] Sending packets directly from BPF [LWN.net]

Tetragon, the BPF-based security monitoring tool, uses BPF to monitor different aspects of a running kernel and enforce user-specified policies. It sends its data to a user-space process, which forwards the data to a central monitoring service elsewhere in the network, however. This presents a point of vulnerability: if an attacker can kill Tetragon's user-space agent, it won't be able to properly report on the situation. Song Liu, Mahé Tardy, and Liam Wiseheart spoke about their work removing the need for the user-space agent at the 2026 Linux Storage, Filesystem, Memory-Management, and BPF Summit.

Security updates for Tuesday [LWN.net]

Security updates have been issued by AlmaLinux (389-ds:1.4, buildah, freeipmi, freerdp, gegl, gimp, golang, kernel, libreoffice, maven:3.9, openexr, perl-DBI, plexus-utils, podman, tomcat, tomcat9, xorg-x11-server, and xorg-x11-server-Xwayland), Debian (imagemagick, p7zip, and redis), Fedora (breezy, calibre, and golang-github-openprinting-ipp-usb), Mageia (ffmpeg, gzip, haproxy, libheif, libtiff, libxml2, packages, perl-List-SomeUtils-XS, and perl-Socket), SUSE (alsa, chromedriver, curl, dhcpcd, docker-compose, glibc, haproxy, ImageMagick, jq, kernel, kubernetes, libpng15, libredwg-devel, libslirp, nghttp2, php8, python-Pillow, python313-Django, python313-weasyprint, qemu, rust-keylime, sccache, and systemd), and Ubuntu (cifs-utils, libexif, libreoffice, libssh2, openssh, and pipewire).

13:35

Link [Scripting News]

Claude codes. It may seem as if developers have taken over this blog, because we have real business to do. So much new stuff to show. Today's rss.chat goodie is an example app called ThreadWalker that crawls the network of replies under a single post, to all levels, printing them on screen in neat hierarchic form. It was written and documented by Claude. I reviewed the code, and looks good, and honestly doesn't look like anything I would write (not bad, just different). It could be used as a starter system that says when someone replied to something you wrote, or something deeper in the tree. All this is done by reading RSS feeds. This is where we begin to explore what's possible when you use a famous and familiar format like RSS 2.0 as the basis for a social network.

12:21

CodeSOD: AAYFN [The Daily WTF]

Jason M sends us some Ruby code.

def bv(prop, tv="Yes", fv="No", nv="Not Specified")
  v = self.send(prop)
  if v === true
    tv
  elsif v === false
    fv
  else
    nv
  end
 end

The obvious WTF here is the function name and parameter names. AAYFN(always abbreviate your function names) seems to be the convention here. But it also contains a more Ruby-specific WTF.

The function name bv is short for "boolean value", obviously. tv is the "true value", fv is the false value, and nv is the null value. So this is really about pretty-printing boolean values and converting them to strings. While the terrible names make it hard to understand, it's not that hard to figure out what's going wrong here. I hate it, don't get me wrong, but it just makes me sigh with disappointment, not groan.

No, the thing that makes me groan is v = self.send(prop). This is a very Ruby idiom that lets you access a member of the class by name; essentially it's like doing self.prop, but since prop is a variable containing a property name, we have to send it.

This is metaprogramming by strings, which is the main reason I end up hating it. But in this specific instance, it offers us a lot of potential issues. First, if prop is anything not boolean, we just return "Not Specified", which is incredibly misleading. I'd argue that if we attempt to use it on a non-boolean field we should throw an exception. Which opens the question: if prop doesn't exist, is that a non-boolean field, or is that a "enh, just call it null" situation? Because right now, that will throw an exception. It'll also throw an exception if the thing being accessed is a function that takes parameters. These behaviors may be surprising.

Now, I don't know the calling pattern. It's possible that whatever function calls this already has a good list of the allowed boolean values, and will never call this on a prop that doesn't exist. Certainly, that's what the Ruby docs recommend. But I'm going to hate it anyway, because this kind of runtime metaprogramming by passing strings around is eternally asking for trouble. And while I haven't done a huge amount of Ruby, I've done enough to know that any non-trivial codebase ends up like this once the metaprogramming band-aid is taken off.

Now, if you don't mind, I'll go back to doing my metaprogramming with C++ templates, which are simple, clear, and never result in wildly unmaintainable code because you ended up reimplementing LISP in template operations.

[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!

12:14

Pluralistic: Gerontocracy's failure mode (14 Jul 2026) [Pluralistic: Daily links from Cory Doctorow]

->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> Top Sources: None -->

Today's links



The Angel of Death, peering down from a break in a menacing sky full of clouds, looking upon the Capitol Dome, wreathed in spooky mist. To the Capitol's left is a spooky graveyard.

Gerontocracy's failure mode (permalink)

The "designated survivor" is one of the weirder aspects of America's (very, very weird) political system.

Each year, during the State of the Union address, when both houses of Congress and the President are all under one roof, a single political figure, in the line of succession for the presidency, is spirited away to a hidden bunker, just in case the US legislative and administrative branches are decapitated in a single, spectacular terrorist strike:

https://en.wikipedia.org/wiki/Designated_survivor

Initiated during the 1950s, designated survivors are a paranoid relic of the Cold War, but they're also a relic of an era when America was a less chud-dominated, more technocratic land. It's a longtermist sort of procedure, in stark opposition to vibes-based MAGA chaos in which the Mad King makes daily announcements of new wars, tariffs, monuments, and existential threats to the nation.

America's ruling class have always sought an equilibrium between its pure Id of hatred for labor, autocratic yearnings and apocalyptic fantasies, and its patient, scheming Ego, the author of endless FedSoc judicial nominee listings, Projects 2025, and decades-long schemes to overturn Roe and reverse the New Deal.

(Democrats have their own version of this, of course – the endless contest between the McKinsey wing of the party's right and its infinitely embroidered Machin-Synematic Universe.)

The problem is that once the atavistic, impulsive elements of your project escape containment, the resultant turbulence sucks everyone else into their chaotic vortex. How can you plan for anything when you're buffeted by endless stunts, feints, and distractions?

Nowhere is this failure to plan more vivid than in the age distribution of both chambers of the US legislature, its presidential candidates, and its judicial appointments. What's more, this is equally true of the Democrats and the Republicans.

The equilibrium of all of America's key institutions is brittle: legislative majorities are often just one or two seats wide. Key federal circuits and the Supreme Court are knife-edge balances. We keep getting presidential races between septuagenarians and octogenarians.

The question here isn't whether old people can be good at those jobs. They obviously can be. The problem is actuarial: old people are far more likely to die, or suffer severe medical episodes, than younger people. This is a fact of life that every person understands, and the older you get, the better you understand it.

I'm 55. 20 years ago, it was unusual for just one of my peers to die in a given year; now I lose a couple every year. It could be me next (my doctor just informed me that I am cancer free, following excision, radiotherapy and immunotherapy). Anyone who pretends this isn't true is setting themselves and the people around them up for terrible things.

If you're a writer, this means making plans for the smooth management of your literary estate. For the past couple decades, John Scalzi has been my anointed literary executor. He's a great choice: a fabulous writer with a good head for business and a strong handle on my politics and artistic sensibility, whose personal ethics are above reproach. The only problem is that John is a couple of years older than me, which means that he'd be a great executor if I got hit by a bus tomorrow, but not if I keel over with a heart attack in 20 years.

So this year, I added a second executor, Molly White, who is also a fantastic writer, also extremely ethical and also very attuned to my politics and literary sensibilities. Molly is 20 years younger than me, and she has relevant experience: she's also the executor of the literary estate of her great-grandfather (EB White).

In the unlikely event of my untimely death, Molly and John will do a great job running the estate (which mostly will consist of reviewing my agents' recommendations). And if John keels over right after me, Molly will be fine on her own.

Of course, the only reason I need a literary executor is that my kid is only 18. At 18, she's a remarkable, level-headed, ethical young person, but she's not yet fully formed. Literary history is filled with descendants who take over a literary estate and run it in terrible ways. The most notorious example here is Stephen Joyce, grandson of James Joyce and a colossal asshole:

https://en.wikipedia.org/wiki/Stephen_James_Joyce

The most likely destiny for my literary estate is that I will grow older alongside my daughter, who will mature in ways that make her a perfectly suitable literary executor (in addition to being the beneficiary of my literary estate) and in a few years I'll send a note of thanks to John and Molly and change the paperwork. But in the unlikely, awful event that my kid runs into serious challenges that make me question her judgment and probity, I'll be covered.

That's what planning is all about: thinking through various scenarios, including low-likelihood, high-salience ones that have easy mitigations, and taking appropriate and proportionate steps to avoid disaster.

You know: like squirreling away a designated survivor in a bunker far from DC during the State of the Union.

This is what makes America's political gerontocracy so weird. In their true hearts, the nonagenarian (1), octogenarians (5), septuagenarians (27) and late sexagenarians (7) in the US Senate know that they could keel over at any moment, and that in a 53:47 Senate, this could spell doom for their political project.

Sure, Mitch McConnell might be secretly dead and that's bad and weird. But it wouldn't be exceptional. We're talking about a legislature whose members sometimes disappear for months, only to be discovered in care homes with advanced dementia, while still somehow holding office:

https://www.politico.com/news/magazine/2025/03/14/kay-granger-dementia-dc-media-00210317

It's a legislature whose most prominent grandees cling to power at the very brink of death's door, long after they can be effective leaders, just so they can anoint their successor during the next election:

https://en.wikipedia.org/wiki/Dianne_Feinstein#Personal_life

Elections have consequences, but special elections, called after the sudden death of an elderly lawmaker, have wild consequences.

Of course, anyone can die suddenly. 15 years ago, one of my dearest friends, a contemporary, went to bed in seeming perfect health and never woke up. He was only 44. I still miss him, every day:

https://memex.craphound.com/2012/06/28/eulogy-for-erik-possum-man-stewart/

But the likelihood this happening goes up the older you get, and once you cross a certain age threshold, the odds rise sharply. If you're part of a political project that's laying and executing long-term plans whose outcomes turn on hair-fine majorities, this should factor into your thinking. The failure to do so can throw everything you've worked for into disarray:

https://prospect.org/2026/07/13/budget-consequences-of-lindsey-grahams-sudden-departure/

It's not limited to the legislature, of course. The Supreme Court's slide into its role as handmaiden to totalitarianism began when the dying Ruth Bader Ginsburg refused to step down, because she wanted her successor to be picked by the first woman president:

https://www.nytimes.com/2020/09/21/magazine/ginsburg-successor-obama.html

The amazing thing here is that RBG made her name as a master strategist, but when it came to this incredibly consequential matter, she set strategy aside for hubris:

https://radiolab.org/podcast/more-perfect-sex-appeal

Security practitioners know that anyone can be hacked or scammed, and that the biggest vulnerability of all is to be so confident in your own procedures and discernment that you assume it could never happen to you. If you think you can't get scammed, you are a danger to yourself and others:

https://pluralistic.net/2024/02/05/cyber-dunning-kruger/#swiss-cheese-security

By the same token, any politician in their 70s or 80s who thinks that they can't suffer a stroke or heart attack or the kind of lapse that makes you freeze up during a presidential debate is a danger to their party, their politics and their nation:

https://www.cbsnews.com/news/jill-biden-joe-biden-stroke-2024-debate-sunday-morning-interview/

This isn't about how healthy or robust any given politician is or feels; this is about the cold reality of actuarial tables. The older I get, the more those actuarial tables factor into my own decision-making. The fact that our political classes seem to think that they can choose the time and manner of their passing is baffling.


Hey look at this (permalink)



A shelf of leatherbound history books with a gilt-stamped series title, 'The World's Famous Events.'

Object permanence (permalink)

#25yrsago Microsoft less hostile to MP3s https://web.archive.org/web/20010716103233/http://news.cnet.com/news/0-1003-200-6567844.html

#25yrsago UK record lobby demands copyright school curriculum https://web.archive.org/web/20010718135130/https://www.salon.com/tech/feature/2001/07/16/abc_ip/index.html

#25yrsago Gary Larson on online comics sharing https://web.archive.org/web/20010610081014/http://www.creators.com/index2_anotefromgarylarson.html

#10yrsago San Francisco’s bike lanes have become Uber’s pickup/dropoff zones (and the cops don’t care) https://sf.streetsblog.org/2016/07/13/collecting-data-to-push-for-safer-biking-on-valencia

#10yrsago For 90 years, lightbulbs were designed to burn out. Now that’s coming to LED bulbs https://web.archive.org/web/20160717090604/http://www.newyorker.com/business/currency/the-l-e-d-quandary-why-theres-no-such-thing-as-built-to-last

#10yrsago Why do Pokemon avoid Black neighborhoods? https://www.bnd.com/news/nation-world/national/article89562297.html

#10yrsago To hell with the Trolley Problem: here’s a much more interesting list of self-driving car weirdnesses https://medium.com/studio-d/15-more-concepts-in-autonomous-mobility-8fd1c794e466#.s10ldm5nf

#10yrsago Royal Society’s #1 cybersecurity recommendation: don’t backdoor crypto https://royalsociety.org/~/media/policy/projects/cybersecurity-research/cybersecurity-research-report.pdf

#10yrsago UK PM Theresa May nukes climate change department, appoints a climate denier as Climate Secretary https://web.archive.org/web/20160714173020/http://www.independent.co.uk/environment/climate-change-department-killed-off-by-theresa-may-in-plain-stupid-and-deeply-worrying-move-a7137166.html

#5yrsago Facebook's alternative facts https://pluralistic.net/2021/07/15/three-wise-zucks-in-a-trenchcoat/#inconvenient-truth

#1yrago When Google's slop meets webslop, search stops https://pluralistic.net/2025/07/15/inhuman-gigapede/#coprophagic-ai


Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.



A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)



A grid of my books with Will Stahle covers..

Latest books (permalink)



A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • "The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027
  • "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, April 20, 2027

  • "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2027

  • "The Memex Method," Farrar, Straus, Giroux, 2027



Colophon (permalink)

Today's top sources:

Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. Fourth draft completed. Submitted to editor.

  • A Little Brother short story about DIY insulin PLANNING

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.


How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Bluesky (no ads, possible tracking and data-collection):

https://bsky.app/profile/doctorow.pluralistic.net

Medium (no ads, paywalled):

https://doctorow.medium.com/

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

Vulnerability in FIFA’s Network [Schneier on Security]

FIFA’s network was vulnerable to anyone with even minimal access.

11:21

Jonas Meurer: zed-xdebug [Planet Debian]

Nextcloud PHP debugging with Xdebug in Zed editor

I started to switch from PhpStorm to Zed as IDE recently as Zed is open source and has a much smaller footprint and is more slick than PhpStorm.

One thing that I didn't get running immediately was Xdebug integration, so I did a bit of research and asked Claude for help. Here's a quick writeup of how to get it running.

I have Zed installed as Flatpak on a Debian Trixie host system.

The PHP process runs in a nextcloud-docker-dev Docker container.

Install Zed and configure debugging there

Install Zed: flatpak install flathub dev.zed.Zed

In Zed: open the Extensions view and install PHP.

Configure the debugger:

Create ~/.var/app/dev.zed.Zed/config/zed/debug.json:

[
  {
    "label": "PHP: Listen to Xdebug",
    "adapter": "Xdebug",
    "request": "launch",
    "port": 9003,
    "pathMappings": {
      "/var/www/html":             "/home/<user>/devel/nextcloud/server",
      "/var/www/html/apps-extra":  "/home/<user>/devel/nextcloud/server/apps-extra",
      "/var/www/html/apps-shared": "/home/<user>/devel/nextcloud/apps-shared"
    }
  }
]

Add one entry per bind-mounted app directory.

After creating the file, restart Zed.

Inside Zed, select "debugger: start" from command palette and then "PHP: Listen to Xdebug".

Verify Zed is listening. Running ss -tlnp | grep 9003 on the host should show *:9003 with Zed as the process.

Configure Xdebug inside the container

/usr/local/etc/php/conf.d/xdebug.ini:

xdebug.mode = debug
xdebug.idekey = PHPSTORM
xdebug.trace_output_name=trace.%R.%u
xdebug.profiler_output_name=profile.%R.%u
xdebug.output_dir=/shared/xdebug

xdebug.log = /var/log/xdebug.log
xdebug.log_level = 3

; Try to discover the client host, otherwise fall back to the docker host
xdebug.discover_client_host=true
xdebug.client_host=host.docker.internal

; When you cannot specify a trigger, use "xdebug.start_with_request = yes" to autostart debugging for all requests
; https://xdebug.org/docs/all_settings#start_with_request
xdebug.start_with_request = trigger

; Set xdebug.mode trace to use this
; More details at https://derickrethans.nl/flamboyant-flamegraphs.html
xdebug.trace_format=3
xdebug.trace_output_name=xdebug.%R.%u

Apply changes by restarting apache in the container: apache2ctl -k graceful

Notes:

  • host.docker.internal resolves on Linux Docker only if the container was started with --add-host=host.docker.internal:host-gateway (nextcloud-docker-dev already does this).
  • discover_client_host = true makes xdebug follow X-Forwarded-For - useful behind Nextcloud's dev reverse proxy.

Test xdebug with a PHP command inside the container

Run XDEBUG_SESSION=PHPSTORM php occ status inside the container and check /var/log/xdebug.log.

Install the browser extension

Install Xdebug Helper (Firefox/Chrome). In its preferences, set the IDE Key to PhpStorm. It will set the XDEBUG_SESSION cookie when toggled to Debug.

Click the Xdebug Helper icon in the browser and set it to Debug.

Test Xdebug with browser extension

Load the URL that exercises the code path with the breakpoint. Zed should stop the code exection at the breakpoint.

10:42

“Is it okay if I share my screen?” [Seth's Blog]

The meeting is now broken.

Even if you were actually engaging with the attendees before, it’s over. You took a new medium and stuffed an old one into it, changed the dynamic and ruined it.

Zoom is a device that eliminates physical distance and enables a synchronized conversation. Interactions in real time. In particular, groups of three to eight professionals, there to have a discussion.

Throwing your powerpoint into the mix transforms the dynamic. It takes your face off the screen and makes everyone else irrelevant. It forbids interaction. And it prevents you from reacting to the room as it unfolds, since it’s linear.

The disrespect comes through, even if you didn’t intend it to.

If you have something to show us, send it before the meeting. If there’s a memo, we can read it in advance, or afterward. In fact, if the memo is really important, simply pause the meeting while we all take two minutes to read it. We know how to read.

Reading and interacting are different events.

Powerpoint was invented by socially-awkward engineers as a way to create deniability and clarity in boring tech meetings. It’s a persistently misused piece of tech, used as a crutch or an effective way to hide.

If you call a meeting, do the work to earn it. Make sure the right people are there, make sure you’re prepared and make sure they are too. Use any excuse you can to cancel the meeting and replace it with a memo, one that’s short, clear and designed to accept responsibility.

There’s another new medium that’s arriving–well-edited, short and punchy videos, a one-way method to carefully say what you wanted to say. Send one of those if you want…

Show and tell has a long history going back to first grade. But if you’re going to do show and tell, do it with care.

09:00

The Sniffing Mat Challenge by Hien Pham [Oh Joy Sex Toy]

The Sniffing Mat Challenge by Hien Pham

Looking for a fun and sexy scenario to enact with a scent fetishist in your life? You’re in luck! The Sniffing Mat Challenge is a highly customizable and incredibly personal template you can make your own. I had a blast researching this comic with my friends, and I really enjoyed letting these two goofy characters […]

Shipping to EU from UK [RevK®'s ramblings]

We are selling some stuff to EU, and all over the world now (see shop.revk.uk).

This is all a bit new to us, as we have traditionally only dealt with UK customers. This started with circuit boards stocked at Amazon, and Amazon just sorted the EU VAT (paying us the VAT exclusive amount as an export) for sales in EU - very slick.

Moving on (after Amazon screwed us over) we started selling on Tindie, and Tindie do not do anything special for EU at all. So all our parcels hit customs, and the recipient had to pay VAT (and admin fee). This is the default if you do nothing special when shipping to EU.

However, when Tindie screwed up badly (will they ever recover?) we started selling on Lectronz. I have to say that they have been great. This led us to start to understand how it should be done.

IOSS

The Import One Stop Shop system in EU means we could get an IOSS number for sending small packages (value up to €150) to EU with VAT paid - this means the customer has a much quicker and more seamless delivery with no hassle from customs. We would have to file returns for this, but pay in one go for all EU.

However, it is even easier when using an on-line marketplace like Lectronz, as they handle all the VAT - working out the right rate and charging the customer and paying the VAT. All we have to do is quote their IOSS number as part of shipping.

We integrated the Lectronz API and the Royal Mail Pro Shipping API so staff can just click "print postage" and out pops the postage label and customs label, simple.

The EU has gone to some effort to make this slick and easy for small parcels going in to the EU. Well done EU.

The new €3 duty

As of 1st of July the EU made things difficult - the exact opposite of the slick and easy IOSS process - adding a new €3 import duty on small parcels value up to €150. This is separate from IOSS, so even with IOSS and prepaid VAT, the recipient gets hassled by customs for €3 duty!

Lectronz moved quickly, and added the feature to their systems to work out the €3 duty, and add to the price, to pay us, so we can post "Duty Paid". I updated the API code and set to send duty paid via Royal Mail Pro Shipping API.

Yay, all sorted, all slick again, albeit €3 more expensive for the customer (thanks EU!).

Well no!

This started off OK, with a few parcels, but then we hit an error where Royal Mail will not do Duty Paid to Latvia. Arg, why not? Lectronz were very helpful sorting a refund of €3 so we send not duty paid and explained to customer.

So I decided to check the rate card from Royal Mail. The rates to EU are a mess anyway - they have a base price and per-kg price. The base price ranges from £4.45 to £7.70 which is not too mad, but the per-kg ranges from £0.80 to £10.85 which is mental.

The surprise is that duty paid is not available for Belgium, Bulgaria, Croatia, Czechia, Denmark, Estonia, Finland, Greece, Hungary, Italy, Latvia, Lithuania, Poland, Romania, Slovakia, Slovenia, and even Spain.

This is crazy - with all EU countries charging this new €3 duty - why the hell do Royal Mail not handle this.

The other oddity is that the extra cost for sending duty paid, where possible, varies wildly - from a more reasonable 50p to nearly £5 in one case. It is daft for a customer to pay an extra £5 to handle a €3 duty.

What have I done about it?

I have done a shipping rate for all Europe countries individually. Yes, tedious.

Where duty paid postage is available I have listed that (with the extra cost) so customers have a choice.

It would help if Lectronz allowed me to code a per-kg rate for some countries - I have asked.

We still do IOSS for EU where applicable.

So yes, sorted for now. And it means a sting of countries have the hassle of paying duty on receipt, and a few others make sense to do that anyway as the extra cost is daft.

Update

And today we have...

  • Shipment to Romania saying IOSS not allowed, but we have shipped to Romania with IOSS before, and it is on the rate card.
  • Shipment to Germany with no IOSS and no duty paid, a simple DDU but over €150 and they say NDX not allowed. Well NDX is simple "non document". We tried HV which is "Non documented high value" in case over €150 was the issue, but still says NDX not allowed (yes, I checked the JSON, we set HV).

Arrrrg!

Update

Now seems there is a PDDP with non PDDP service to do the €3 duty and IOSS at once somehow. Trying to make sense of what Royal Mail have sent. If so, it may be simple, but this is mental.

Update

Nope, they sent me a link to a document saying MP7 (DDU normally) with DDP and IOSS is available, but an email saying MPR (DDP but only to some EU countries), but then sent the original PDF again which says MP7 and DDP.

They clearly have no clue!!!

05:07

can i tell you a story? [WIL WHEATON dot NET]

Earlier today, a really fun memory surfaced that I wanted to share, because I haven’t had an opportunity to tell a story in a little while. It’s an older memory, so I’m sure some of the specifics aren’t entirely correct, but this is way I remember it.

In the early 2000s, I worked on a couple of movies that were direct-to-DVD, low budget versions of successful, big budget movies of the moment. Call it the Roger Corman model.

In the first one I did, Deep Core, the whole Earth is going to explode or something, unless an unlikely band of misfits can drill to the Deep Core of the planet and set off the bomb or whatever. It’s sort of like Armageddon but underground, and also like The Core, but for about sixteen dollars and some wire from the bin behind the hardware store.

Now, having said that, it’s a charming and silly and extremely fun movie where my character eventually turns into a flaming skeleton with the help of an unexpected gout of magma in the third act. It understands the assignment, because we all understood the assignment. It was a fun set, where we got to just play our scenes to the best of our ability.

And I got to work with some lovely castmates. The unlikely band of misfits, collected from an oil field of questionable legality, were played by me, Craig Scheffer, Bruce McGill, and Terry Farrell.

At some point in the story, the four of us are in this drilling machine thing that looks suspiciously like a shuttlecraft from a popular 1990s science fiction program. It’s a practical set that comes apart in the middle, longways, and is set atop a system of boards and other boards that create a poor man’s gimbal to simulate the exciting motion while we are flying through space drilling toward the Deep Core. It was cool, especially for a low budget set. You could only see some of the nails, and the parts that weren’t supposed to wobble mostly didn’t. I recall the console having lots of practical toggles and buttons, which is always a lot of fun.

We filmed in this thing for about a week. On the first day, during our first rehearsal, those extremely safe and union-approved levers were tested out while we all sat in our places. Terry and Craig were in the driver’s seats, Bruce and I faced away from each other down the sides of the thing, behind them. I liked to imagine I was the Spock of this crew.

So the director gets us all together on the first day. We talk about the whole “drilling Deep into the Core ” of it all. He says, “So this isn’t a smooth ride, as you drill through the rocks. We’re going to move the set a little bit, but you’ll need to sell it with your own motion.”

Craig asks what that motion should look like and the director says it’s sort of like being in a tank over a dirt road.

At this point, I look at Terry over my shoulder, and find that she is already looking at me.

“So you think this is about a 3?” She says.

“Yeah, that seems about right,” I agree, and we both turn back to take our positions for rehearsal.

This is when Craig holds up a hand and says, “Hold on. What was that? You two just communicated something to each other, using words I understand, and I have no idea what you said.”

Terry and I burst out laughing.

“It’s the Star Trek shake scale,” I tell him. “When there are nine actors in a scene and we get hit by a photon torpedo, we all need to react with the same intensity, so we have the scale.”

“We weren’t even on the same show, and we both use the scale,” Terry added.

“Yeah, it’s standardized across all series,” I said. “First week at the Academy stuff.”

This makes Terry and me laugh, all over again.

“So are you guys going to teach us?” Bruce asks, his voice bright with amusement.

Terry and I look at each other and play out the bit just a little longer. “Sure,” I say, “a 3 looks like this.” I nod at Terry and we both start doing an identical level of shimmy and shake. “This is a 6,” she says, and we both flop over our consoles before we right ourselves.

“Damage report!” I say. As I remember this moment, even though my memories are a quarter century old and I’ve certainly gotten some of the specifics wrong, I can so clearly see and feel how much fun we had while we were doing this. When I talk about how Star Trek is a family that you never leave unless you want to, this is what I am talking about. Moments like this that only a few hundred people, in the history of the world, have experienced in this specific way. It’s such a blessing, such a gift.

At this point, the director and the whole crew are watching us. The director asks us for a 1, and we do it. Bruce asks for a 5, and we shake side to side before we steady ourselves on our consoles. Someone asks for a 10, and in the literal blink of an eye, we silently agree we are not doing that. They can’t handle a 10. They think they can, but they have no idea.

“Sorry, that only happens when we crash the Enterprise,” I say.

Everyone laughs, and the first AD asserts that we have to get to work, guys. The director gets ready to call action on rehearsal.

“Okay, everyone,” he pauses for a moment, then continues with purpose, “this is a 3,” he says. “And, action!”

I glance over my shoulder and see Craig is doing about a 2, but he’s getting there. Bruce is a solid 3, cheating a little bit with a sideways glace toward Terry, who makes it look easy.

I suppress a grin and gently rock side to side, as I match their tempo, a perfect 3.


Some fun stuff I came across while (unsuccessfully) looking for a place you can stream this, from Wikipedia.

From the “Reception” section: IMDb gave the film a 2.6 out of 10, AllMovie gave the film a 1.5 out of 5, Contact Music gave the film a 1 out of 5, TV Guide gave the film a 2 out of 5 Disaster Movie World gave the film a 1 out of 5.

That is entirely fair, generous, even.

From the “See Also” section: The Core, 2003 film with a similar plot.

This is the funniest thing in this post, and I didn’t even write it. Well played, Wikipedia.

I’m glad you’re here. If this is your first time, or your first time in awhile, you are invited to listen to It’s Storytime With Wil Wheaton. Tell your friends! If you’d like to get these blog posts delivered to your inbox, here’s the thing:

02:28

Psybrarian [QC RSS v2]

she just Knows

00:35

Link [Scripting News]

Today we got a nice article about RSS.chat in Coywolf.

Link [Scripting News]

And we got a second rss.chat server up, for testing and so people who want to try it out have a place to go. Still want to do a bit more testing before pointing to it from the blog. Working on docs now and fixes. Making sure we're ready for the next stages of growth. Turns out you can do a lot of feeds if you're willing to you know think different. ;-)

Rex Ready Player One, Part Four [Penny Arcade]

Through his company Asmadi Games, Chris Cieslik - however you might choose to pronounce it - has either published or designed some of my favorite games. A lot of people might be familiar with We Didn't Playtest This At All, but between Innovation, Red7, and especially One Deck Dungeon he's just associated with a lot of all timers. His next one, which will be at Gen Con, has the potential to be another Uno in my opinion. If you see him there, ask him for The New Shit.

Why Games Need to be Unfair

by Chris Cieslik, 

Owner & Lead Designer, 

Asmadi Games

Monday, 13 July

22:56

How early SunOS did diskless workstations before NFS [OSnews]

I have a love-hate relationship with Sun’s NFS. Since it was so prevalent, it’s a go-to for getting stuff on and off the classic UNIX workstations I love to explore, but at the same time, it also never seems to work right away. However, the technology NFS was designed to replace was apparently quite a bit worse. Sun sold diskless workstations before NFS, which used something called nd (network disk). The problems with nd stem from a limitation of SunOS at the time. Since SunOS only provided support for a maximum of eight partitions per physical disk, nd offered the ability to create subpartitions, of which you had to manually create and remember the start and end sectors.

That’s a recipe for problems. But wait, there’s more!

For extra bonus problems, you might run out of available partitions to use on your server disk because you needed all of the available ones for regular filesystems and your swap area. If you were in this situation you could take the dangerous but necessary step of specifying your network disks using the special ‘c’ partition (cf dkinfo(8)), which was conventionally used to provide access to the entire disk. This was extra dangerous because you had to make sure that the nd disks you specified weren’t overlapping into any regular partitions that you were using, since as nd(8) says, nd itself did no sanity checking. If you said sectors X to Y were network disk X, that’s what they were, and goodness help you if some of them were also something else.

↫ Chris Siedenmann

And this isn’t even everything. Every part of this sounds horrid, and I can totally understand seeing NFS as a godsend compared to nd. It’s depressing that we’re in 2026 now, and the basic task of sending a file from one computer to another over your own network often still a total clusterfuck.

22:07

07/13/26 [Flipside]

The new Flipside Book 13 is freshly printed, and has arrived! Check out the Kickstarter to see photos!

I'm going to start shipping out Kickstarter orders soon! It might be slow going since I have a lot of conventions the next two months, and I'm also going on a trip to Thailand next month. The book is also now available on the store if you still want to order it!

I've also updated the convention list below, there are table numbers for Connecticon and Matsuricon, which are coming up the next two weekends.

Nokia’s 14 years of mobile-phone supremacy ended in an afternoon [OSnews]

OSNews covered the downfall of Nokia extensively back when it was happening, but I must admit that seeing this whole story in “retrospectives” now makes me feel so incredibly old. This story played out roughly between 2007 and 2016 – in the grand scheme of things, the end of Nokia’s phone business wasn’t that long ago! Zeit, bitte bleib stehen.

Anyway, here’s another retrospective, but this one I definitely like a bit more than the countless others we’ve seen, because it ends on the part of the story often left out: Nokia not only survived, it’s actually thriving.

The company itself ultimately survived, even if the transition wasn’t painless. Nokia’s revenues, which peaked in 2007, fell sharply through the mid-2010s before the company refocused on a decades-old business line—telecom infrastructure—that many had forgotten Nokia was even in. Nokia now ranks among the world’s top three suppliers of 5G network equipment, serving carriers across more than 125 countries, alongside Ericsson and Huawei. Although the company could never quite crack the smartphone, it now plays a key role in providing the network backbone those smartphones run on.

↫ Chris Chinchilla at IEEE Spectrum

From a business perspective, I honestly doubt Nokia’s phone business could’ve survived to this day, even if they had responded to the arrival of the iPhone sooner, and even if they didn’t do the stupid thing of focusing on Windows Phone first and had just embraced Android right away. Obviously, a Nokia with its own touch-era smartphone operating system would never have survived – none of them did – and even if they went with Android from the onset, I think the eventual onslaught of Samsung, which has killed many a popular smartphone brand, would’ve trampled Nokia too.

In a better version of our world, Nokia would’ve survived with its own smartphone operating system, based on Symbian or not, and it would’ve been Europe’s strong, consistent answer to the Americans’ iOS and Android. While Nokia would’ve still been a business and would’ve undoubtedly tried the same anti-user shenanigans as Apple and Google, they’d at least be easier to reign in regulatory-wise. You’d hope.

The EU should’ve never allowed Nokia’s smartphone business to be sold to Microsoft.

19:00

18:21

Urgent: Block new Medicaid Work Requirements [Richard Stallman's Political Notes]

US citizens: call on your state attorney general to sue to block the persecutor's new Medicaid Work Requirements.

If they go into effect, the complex paperwork would be an insuperable burden for many of the handicapped veterans, who would need to satisfy and convince bureaucrats whose mission is to resist.

See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.

Professor takes action on bullshit generator [Richard Stallman's Political Notes]

A Brown U professor suspected that many of the students that were taking his class had chosen it as an opportunity to use bullshit generators to cheat. So he announced that the final exam would be presential, and almost 1/3 of them gave up.

You can view on this article.

He is sad for them because the decision to use bullshit generators implied a decision not to try to learn the subject.

A Quick Thank You To Bee Inspired [Whatever]

If you’ve been reading the blog for a while, you might remember one of my posts from just over five years ago showcasing a brand called Waxing Kara that sold honey, candles, tea, and skincare products. Well, I’m happy to say their brand is doing better than ever, and has actually changed to Bee Inspired. Same great small-batch honey and quality products, just with a new name.

Because of their new name and website, the owner actually emailed me to reconnect and see if I wouldn’t mind replacing the links in my old post with links to their current website. Of course, that was no problem, and if you look at the old post you’ll see every link has been switched over to their new page.

As a thank you for this (very easy) task, I was generously gifted some really amazing products that I am extremely grateful for, and I just wanted to say thank you to Bee Inspired for the kind gift, and tell you all that I still highly recommend this brand, just like I did back then!

One of my favorite things about Bee Inspired is that from the beginning, they’ve done so much good for the pollinators of our world. They plant 40 acres of indigenous wildflowers every year on their 102-acre farm and invest in pollinator habitats to support their local ecosystem, not just for their own bees. This includes their partnership with One Tree Planted to help reforestation efforts in Appalachia.

On top of that, Bee Inspired is partnered with a nonprofit called VisionWorkshops, which teaches at-risk youth photojournalism skills. They also have a scholarship fund at Maryland Institute College of Art, which has helped over thirty students so far.

I think it’s really rad when businesses invest back in their communities and the world at large in so many different ways. If you’d like to read all about their charitable efforts, you can check that out here.

Plus, if you’re interested in planting a pollinator garden in your own yard, they have a blog article over that. I went ahead and gave this a read because I have been wanting to do something like this for a while! I feel extra motivated to now.

With all that being said, let’s take a look at the products I received.

First up, I got two lovely tea blends, the Blue Butterfly and the Midnight Berry:

Two glass jars full of tea blends. The Midnight Berry is on the left, Blue Butterfly on the right.

I can definitely see myself using the butterfly pea flower tea for a special cocktail, as it is highly regarded for its beautiful color. I am actually grateful that both of these are caffeine-free because I’m trying (not that hard, but still) to cut down a bit on caffeine.

Of course, what goes better with tea than a honey lollipop to sweeten it (there’s eight to a bag)?

A white canvas drawstring bag with three individually wrapped lavender honey lollipops laying on top of it.

I feel that these lavender honey lollipops were extra thoughtful, as I mentioned in my first post that the lavender ones were ones that I really wanted to try.

And to match, a lovely jar of lavender honey:

A glass jar of lavender honey. It has a beautiful dark golden hue.

Do you know how good this is gonna be on my charcuterie boards?! Something I find really amazing about this honey is that it’s completely traceable. Spanish lavender honey, derived completely from the nectar of the bees with no lavender flowers added in post. Seasonally dependent and weather dependent, it’s clear to see why this single-origin varietal is considered a Royale.

Switching to self-care, I was gifted their Sea + Tea body scrub and body cream duo:

Both the body scrub and body cream sitting on top of their respective boxes next to each other. The scrub is packaged in dark grey, and the cream is packaged in white.

This stuff smells exactly like a spa, clean and herbaceous. It’s perfect for someone who doesn’t like food-scented body care. Honestly the profile is very unisex.

This scrub means business! I absolutely love a coarse scrub. So many scrubs I’ve tried aren’t rough enough and just feel like they slide right off without exfoliating anything. I was pleasantly surprised to find that once I rinsed off the scrub, I was actually left with a really soft, almost moisturized feel on my skin. But I decided to try the body cream anyways, and I’m happy to report it is creamy and hydrating without being greasy. Also, a little goes a long way.

Finally, I got this tinted lip balm trio, and one untinted:

Four lip balm tubes in a line next to each other. It goes from a rich pink, to a brown, to a fuchsia, to a bright orange tube but that's the untinted one, not an orange tinted lip bam.

This is their collection of bold tints, but they have a more natural set, too. I really loved just how soft the untinted lip balm felt. It glided on so nicely and my lips just immediately felt so soft, plus there’s no weird taste like with Chapstick. It is definitely going to become my new purse lip balm.

One of my favorite things about Bee Inspired is their sets and bundles, because they know that their products are perfect for gifting for all sorts of occasions. So much so that they have an entire page dedicated to party favors for when you need to give a lot of people something small (but nice!). I think a lot of care and intention goes into putting together each bundle. Like it’s nice to know there was thought behind each product selected for a certain kit.

As a nice bonus, there’s discounts for bundling some items, like 15% off three candles, three jars of tea, or three bags of honey lollipops, 10% off three jars of honey, 20% off three petite body care sets, you get the idea.

They also have free shipping on orders of $85+. Of course, if online shopping isn’t quite your speed, they have a beautiful retail store in Maryland. Here’s a video tour:

I want to visit so badly! It’s only a 499 mile drive, what do you guys think? Could be a cute weekend getaway to Maryland.

All in all, Bee Inspired is a really amazing brand that is woman-owned, sustainability-focused, cruelty-free, artisanal, and charitable. I am so thankful for the amazing gift they sent me, and I can’t wait to buy more from them in the future.

What flavor of honey would you try? Are you a body scrub enjoyer? Let me know in the comments, be sure to follow Bee Inspired on Instagram, and have a great day!

-AMS

17:28

Page 32 [Flipside]

Page 32 is done.

16:14

In Deep [George Monbiot]

The numbers are simply mind-blowing: up to £264 billion for a climate “solution” that will increase emissions. Has the government lost its mind?

By George Monbiot, published in the Guardian 8th July 2026

The new prime minister will be looking for money? Well, here’s £21.7bn lying on the ground. The government could cancel its deranged, disastrous carbon capture and storage (CCS) programme at no cost to public welfare: in fact, it would greatly reduce the harm we will suffer.

Sorry, did I say £21.7bn? That’s the figure the government has been putting in its press releases for spending on this programme between now and 2050. But this covers only the first phase of the project. The climate experts Dr Andrew Boswell and Simon Oldridge worked through the data produced by the government’s Climate Change Committee, which was scattered across different spreadsheets, and discovered that the projected cost of the full CCS programme between now and 2050 is £264bn.

Yes, £264bn. More than a quarter of a trillion. This cost will be divided between the public and private sectors. Given the record of CCS programmes so far, we can expect the public to carry most of it.

An investigation by the House of Commons Public Accounts Committee found that roughly 25% of the public costs of CCS will be borne directly by the government, while the remainder will come from extra levies on our energy bills. The government should explain to the electorate that it intends to slap up to £198bn on our bills. Then see how that lands.

Even this might not be the end of it. Buried in an arcane side document is a government commitment to pay a “premium” for the hydrogen produced by the CCS programme for 15 years. This commitment is uncosted, but could run to tens of billions more.

But surely CCS is essential for cutting carbon emissions? That’s how the government has pitched it. On the contrary, this programme will massively increase them. The Climate Change Committee claims that the role of CCS is “limited to sectors where there are few, or no, alternatives”. But this is simply untrue. Its own data shows that only between 5% and 6% of the CCS deployment in the UK will be used to address the emissions of industrial sectors such as chemicals and cement, whose impact is hard to abate (though even here there are partial alternatives).

The great majority of CCS will be attached to new fossil fuel-burning power stations, wood-burning power stations and hydrogen production from fossil gas. In fact, almost all the projects in the government’s first tranche are for fossil fuel-based schemes. But there are abundant alternatives to these highly destructive plans. Given the speed at which battery technology is evolving, enabling a balanced and reliable electricity supply without any use of fossil fuels, the committee’s claim is bunkum.

Its insistence that we need hydrogen made from fossil gas is also baseless. Its own figures show that producing hydrogen from gas with CCS will cost twice as much by 2050 as producing it from the electrolysis of water, using renewable electricity.

The new CCS plants will mean massively more gas use than the UK would otherwise have required. Ultimately, that means more imports of liquefied natural gas (LNG). We now know that, thanks to methane leakage along the production and transport chain, LNG has higher emissions than coal. Two-thirds of its greenhouse impact occurs before the gas arrives in this country. So that’s all right then – it doesn’t count towards our national figures.

If the real aim were to cut emissions, we would push fossil fuel use in the electricity sector down to zero, and scale up renewables and battery storage instead. The net effect? Much lower climate impacts and much lower bills. Instead, the programme will greatly ramp up both. Why?

Well, the whole thing has been built the wrong way round. It appears likely to be the result of massive lobbying by fossil fuel companies. In 2023 alone, as the key decision on deployment loomed, the oil companies Equinor, BP and ExxonMobil attended 24 meetings with Conservative ministers to discuss CCS. Why? Because they know it’s the only way they will be permitted to keep burning gas. Governments have sought to find a way of meeting their demands while adhering to the climate budgets, so lo, a £264bn white elephant is born. As the Climate Change Committee admits, “gas with CCS accounts for around half of the remaining demand for fossil fuels in 2050” in the UK. In other words, this is their lifeline.

And now we know something else: that the scientific credibility of CCS as a climate solution was shaped by the oil company BP. Investigative work by ProPublica and Drilled discovered that BP both financed and helped steer one of the most famous of all climate papers. The “Wedges” paper, published in 2004, became a foundation of government policy around the world. It purported to show how climate stabilisation was compatible with continued fossil use. And one of the major policies its plan relied on was carbon capture and storage.

BP’s chief executive suggested the “wedges” concept. Another BP executive was so heavily involved that the scientists suggested he should be named as co-author. He declined: the industry tries not to leave fingerprints. The paper greatly oversold CCS, presenting it as “already deployed at an industrial scale”. In reality, it had barely been tested. Yet it underpinned three of the 15 climate actions the paper proposed.

Since then, there has been a long record of shiny promises followed by partial or total failures. In the UK alone, three attempts (the 2005 Peterhead plan, a 2011 demonstration project and a 2012 funding competition) have been abandoned, thanks to cost escalation and infeasibility. As the Public Accounts Committee remarks, the government “is taking a high-risk approach by backing first-of-a-kind, unproven technologies with large amounts of taxpayer and consumer funding”.

But success is not the point. The point is to provide a gigantic, publicly-funded reason for the fossil fuel industry to stay in business. Guess who the lead operator of the government’s first CCS cluster is. Hello, BP.

So we come round full circle. From cradle to grave, this programme appeases the world’s most antisocial and destructive sector. The wasted money, the lost years, the lost lives: for how much longer will this farce continue? And how many more warnings will the government ignore?

www.monbiot.com

Hotheads [George Monbiot]

Steady temperatures are the preserve of the rich. The billionaire press wants everyone else to suffer.

By George Monbiot, published in the Guardian, 1st July 2026

Every time you think the idiocy has hit rock bottom, it discovers a new level. It turns out there’s an even deeper hole you can dig for yourself than climate-science denial: heat-stress denial. Across the billionaire press last week, columnists and leader writers minimised the health impacts of the heatwave, particularly in schools.

An editorial in the Telegraph (which represents the newspaper’s view) titled “Hot weather alarmism treats the public like children” maintained that “unlike in the seventies, when people were largely trusted to look after themselves, officialdom now feels the need to lecture the public about the risks of hot weather at every opportunity”. Extreme heat warnings are issued and weather maps are “painted in an alarming red”. Outrageous! Instead of issuing warnings, the government should just trust people to “take the appropriate precautions”. We should all “learn to live” with it. Quite right too: whatever happened to the bulldog spirit of ignorance and needless death? Cricket, warm beer, excess mortality: these are the markers of national character.

Also in the Telegraph, under the headline “Heatwave hysterics wouldn’t have lasted a day in 1976”, the columnist Ysenda Maxtone Graham insisted that during the heatwave that year – which she remembers as “two months of blissful messing about” – “common sense was applied by most without the need for nannying intervention”. Now, however, “health messages range from the patronising – tube announcements imploring travellers to carry a bottle of water – to the preposterous, as if a healthy adult is liable to drop dead from a little bit of sun exposure”. Never mind the unhealthy adults. Or disabled people, or elderly people, or children, all of whom are likely to be more vulnerable. She claimed that in 1976, “schools didn’t close because of the heat”, and that children and teachers heroically “sweltered in 30-degree classrooms”.

Maxtone Graham’s column was remarkably similar to Jane Moore’s in the Sun, titled: “Why on earth do schools need to CLOSE in hot weather? Forget today’s nannying, alarmist state – let’s go back to ’76.” Moore remembers 1976 as “the best summer of my life”. Apparentlythere was a “gung-ho spirit” that “should be used as a standard benchmark for common sense”. The Daily Mail ran an article whose subheading claimed “in 1976 … the schools DID stay open”.

In fact, as Leo Hickman of Carbon Brief points out, schools DID at least close early during the 1976 heatwave, even though June temperatures never reached the records set last week. And in 1976 the heat was dry, whereas last week humidity was high, compounding the health risks. But as soon as such a hole is dug, the entire rightwing media seems obliged to jump into it. It’s often said that the left preaches solidarity and fights like cats in a sack. But the right preaches individualism while reciting daft and unevidenced claims in unison.

There is a powerful body of evidence showing that warnings and advice save lives. The Red Cross discovered in 2023 that there’s a strikingly poor understanding of the health risks of heatwaves in the UK, where they used to be rare. A survey reported in the journal Energy Research & Social Science last year found that 49% of participants had “little to no knowledge on how to cope with extreme heat”. Nevertheless, government warnings, doubtless to the delight of the Telegraph, remain vague, hard to interpret and unsupported by effective action. Let the bodies pile high.

Fondly recalling the halcyon days of your youth is never a great basis for empirical comparison. But what accentuates this issue are the unacknowledged class politics. There’s nothing new about feather-bedded columnists in nice homes in leafy streets or air-conditioned offices instructing other people to tough it out. But the class disparity in heat shielding is especially acute in Britain, where homes and public buildings are woefully unsuited to extremes.

The paper I mentioned above also found that 82% of households reported difficulty in keeping at least one room cool during the summer. The rate of overheating for the poorest half “was twice that of householders in the top half of higher-income earners”. Many other studies have produced similar findings. Steady temperatures are the preserve of the rich.

Extreme heat hits children – who have higher metabolisms and lower sweating rates – harder than most adults. Their thermal comfort levels are, on average, 1.9-2.8C lower. There are many reports of children vomiting and losing consciousness in class during heatwaves. Temperatures above 25C limit their cognitive performance. The government’s Climate Change Committee finds that “taking an exam on a 32C day leads to around a 10% lower likelihood of passing compared to a 22C day”. Yet another advantage for private schools, which can generally afford better buildings and air-conditioned exam rooms.

But, as the government confirms to me, it sets no maximum temperature limit for schools. Otherwise it might have to do something. Instead, it advises schools to open and close doors and windows and minimise heat from equipment: advice that leaves teachers with sealed windows and impossible heat loads in despair.

A new study of schools in Hampshire finds that 66% of classrooms present a “cognitive impairment risk”. If action isn’t taken, this will rise to 92% by 2050. Already, “heat strain” – physiologically dangerous temperature levels – afflicts 6% of classrooms. Many school buildings, especially the “lightweight, overglazed, single-sided” models favoured from the 1950s onwards, are grossly ill-suited to hot summers.

Thanks to years of austerity, many classrooms are in a terrible state. School buildings that should have been replaced decades ago are still in use. It is unlikely to have escaped the Conservative architects of the programme that declining public provision further privileges their class. No wonder they fetishised competition, which they so blatantly rigged in their favour.

So now, as ever, the rich lecture the poor, and demand the removal of the feeble protections that might enhance and defend their lives. Their claim that “we need to be tough” seems always to translate into “they need to be tough”, while our lives become only cushier. Performative ignorance is the default state of such journalism. But I can’t help wondering whether there’s also an element of gleeful, snobbish cruelty: I’m all right, so let the great unwashed get what they deserve.

www.monbiot.com

Two-Tier Justice [George Monbiot]

It’s real, and it’s the exact opposite of what the far right says it is.

By George Monbiot, published in the Guardian 17th June 2026

“If you are targeting people on the basis of the colour of their skin,” the Northern Ireland secretary, Hilary Benn, asked last week, “how else can you describe them? That is racist thuggery.” It is. But there is another way of describing the actions of the rioters burning people out of their homes in Belfast, though ministers somehow cannot bring themselves to say it. Terrorism.

The violence there clearly meets the government’s definition: “the use or threat” of actions designed to “intimidate the public” for the purpose of “advancing a political, religious, racial or ideological cause”. Among these actions are “serious violence against a person” and “serious damage to property”. I happen to believe that the property clause blurs the issue. But either way, in what possible world do the Belfast attacks not fit the definition?

Instead, the term is largely reserved by ministers for those who challenge Israel’s actions in Gaza. Matching the official definition to the Palestine Action protests is a far tougher call than matching it to the Belfast riots. But while more than 3,000 people have now been arrested for holding up signs in support of the banned group, and many face terrorism charges, no one in Belfast or Southampton has been charged with terrorist offences. Nor have those who whipped up the riots online. In fact, the latter group hasn’t yet been charged with anything. If you say “I support Palestine Action”, they might put you in jail. If you incite a racist riot, they put you on TV.

On Monday, the court of appeal upheld the government’s ban on Palestine Action, in a ruling that seems to me to highlight both the dangerous breadth of the government’s definition and the inequality of its application. As the human rights group Liberty points out, the judgment fails to clarify which direct action targeting property would not be terrorism. The former home secretary, Yvette Cooper, decided to ban the group after some of its members spray-painted two warplanes. Damaging military equipment in the hope of preventing its deployment, especially in illegal wars, has long been treated as an act of civil disobedience motivated by conscience, and some juries have acquitted on this basis.

The court of appeal judgment managed to cast protest as terrorism and terrorism as protest. Palestine Action “is not, as it claims, a direct action civil disobedience protest group like the suffragettes operating transparently in the open”. What??? Did the suffragettes plan their bombings, arson and assassination attempts – far more extreme than anything Palestine Action has contemplated – in open meetings in Parliament Square? The entire judgment seems to me to be based on fairytales: about democracy and how it evolves, the benign nature of the state, the efficacy of polite, invisible protest, and the untroubled course of English history.

The judges stated that banning Palestine Action “will not prevent any or all demonstrations targeted at Elbit”, an arms manufacturer supplying the Israel Defense Forces, whose factories in Britain have been a primary focus for the group. Well, two days earlier, John Woodcock, the government’s former anti-extremism tsar, called for the ban to be extended to the protest group People Against Genocide, which has blocked the gates of Elbit factories. The slippage had already begun.

It could go much further. At Woolwich crown court at the end of last week, four Palestine Action protesters who broke into an Elbit factory were sentenced as terrorists. The astonishing aspect of this case? They were not charged, tried or convicted as terrorists.

In fact, the prosecutors decided not to pursue terrorism charges against them, presumably because they reckoned the jury wouldn’t convict. But never mind: the Sentencing Act 2020 allows judges to send people down for crimes for which they have not been tried, with far longer sentences and more onerous conditions.

As Amnesty International explains, until recently the conscientious motivation of protesters was treated as a mitigating factor in sentencing. Now it is treated as an aggravating factor. What makes this even worse is that such defendants can no longer explain their motivations to the court. But, once the jury is dismissed, the judge can decide why they did it, and sentence them accordingly. This is not justice.

The action for which they were convicted happened before Palestine Action was proscribed as a terrorist group. What this means is that any protesters engaging in direct action could now be sentenced as terrorists, whether or not their group has been banned.

Astonishingly, the judge, Mr Justice Johnson, possibly for the first time in history, also sought to have legal proceedings taken against the barrister representing the Palestine Action protesters for contempt of court for his summing up of the defence case. Johnson claimed that Rajiv Menon KC had defied his instruction not to tell the jury it had the right to acquit the defendants regardless of his directions: an ancient and fundamental principle of English law.

The government has leant heavily on the assault of a police officer with a sledgehammer by one of the protesters, Samuel Corner. But, reckless and severe as the attack was, he was convicted of grievous bodily harm without intent: he panicked after being sprayed in the face with the incapacitant Pava and,unable to see clearly, lunged forwards to help another protester. In other words, violence against people was not the intent of the sole perpetrator, let alone of Palestine Action.

By contrast, some of the rioters in Belfast and Southampton clearly intended to hurt police officers and others. Some were highly organised. Investigative journalists have identified several groups helping to incite or organise the violence. Good luck finding them on the government’s list of proscribed organisations.

So, in considering Benn’s question – how else can we describe what we are seeing? – there is a second relevant answer: one rule for the right, another for the left. In other words, two-tier justice. The far right’s appropriation of the term, which has been used by Black activists for at least 45 years, should not stop us from seizing it back. Two-tier justice is real and ever present. But the last people who will ever find themselves on the wrong side of it are rightwing white men.

The government and judicial system treat far-right terrorism more leniently than leftwing dissent. So perhaps this should lead us to another answer to the question of how best to describe what we are seeing. It might be a nominally Labour government. But this is rightwing authoritarianism.

www.monbiot.com

15:21

[$] Shielding running kernels against exploits with BPF [LWN.net]

Cisco has some unusual challenges when it comes to deploying security patches across the company's many devices running custom kernels. John Fastabend spoke about his work preventing exploits with BPF at the 2026 Linux Storage, Filesystem, Memory-Management, and BPF Summit. The technique could substantially reduce the time necessary to respond to kernel vulnerabilities, but it will not be fully effective unless more hooks are added to the kernel.

15:07

Why don’t we just make the entire stack out of guard pages? [The Old New Thing]

In my earlier overview of how compilers on different architectures perform stack probes, Cole Tobin asked, “Why not have a page fault handler that detects the faulting address being the stack and page in the other pages?”

Csaba Varga replied, “My guess: you don’t want an invalid pointer dereference to allocate a huge chunk of stack, just because the pointer happens to be pointing where the stack might grow, eventually. You want an invalid pointer dereference to segfault most of the time.”

I agree with Csaba on this.

If the entire stack were made of guard pages, then it means that a single page fault far below the stack limit could take arbitrary long and allocate arbitrarily large quantities of memory. The program might have said that it wants stacks to default to 1GB, and now a single page fault on the stack could result in a long pause as the system allocates 1GB of memory. If you study the problem in the debugger, what you see is that a single memory read takes several minutes.

And even worse is that there’s no way to stop it, since it’s happening in kernel mode. You see a program starting to balloon and consume all the memory in the system, so you go to Task Manager and terminate it, but the process doesn’t die. It just keeps on growing!

Even if the guard page is more than one page, it’s still a small fixed number of pages, the system can satisfy a guard page fault in a short amount of time. And more importantly, the amount of work is bounded.

The post Why don’t we just make the entire stack out of guard pages? appeared first on The Old New Thing.

14:49

Link [Scripting News]

Everyone: You can subscribe to the rss.chat flow, in RSS of course. If you're a developer, read the source for the feed. And then read the source namespace docs re the recent additions, inReplyTo and comments, and a special page that walks through how the RSS feed becomes part of the flow for our social network.

Feeds

FeedRSSLast fetchedNext fetched after
@ASmartBear XML 20:35, Friday, 17 July 21:16, Friday, 17 July
a bag of four grapes XML 20:42, Friday, 17 July 21:24, Friday, 17 July
Ansible XML 20:28, Friday, 17 July 21:08, Friday, 17 July
Bad Science XML 20:35, Friday, 17 July 21:24, Friday, 17 July
Black Doggerel XML 20:35, Friday, 17 July 21:16, Friday, 17 July
Blog - Official site of Stephen Fry XML 20:35, Friday, 17 July 21:24, Friday, 17 July
Charlie Brooker | The Guardian XML 20:42, Friday, 17 July 21:24, Friday, 17 July
Charlie's Diary XML 20:42, Friday, 17 July 21:30, Friday, 17 July
Chasing the Sunset - Comics Only XML 20:35, Friday, 17 July 21:24, Friday, 17 July
Coding Horror XML 20:35, Friday, 17 July 21:22, Friday, 17 July
Comics Archive - Spinnyverse XML 20:14, Friday, 17 July 20:58, Friday, 17 July
Cory Doctorow's craphound.com XML 20:42, Friday, 17 July 21:24, Friday, 17 July
Cory Doctorow, Author at Boing Boing XML 20:35, Friday, 17 July 21:16, Friday, 17 July
Ctrl+Alt+Del Comic XML 20:42, Friday, 17 July 21:30, Friday, 17 July
Cyberunions XML 20:35, Friday, 17 July 21:24, Friday, 17 July
David Mitchell | The Guardian XML 20:35, Friday, 17 July 21:18, Friday, 17 July
Deeplinks XML 20:14, Friday, 17 July 20:58, Friday, 17 July
Diesel Sweeties webcomic by rstevens XML 20:35, Friday, 17 July 21:18, Friday, 17 July
Dilbert XML 20:35, Friday, 17 July 21:24, Friday, 17 July
Dork Tower XML 20:42, Friday, 17 July 21:24, Friday, 17 July
Economics from the Top Down XML 20:35, Friday, 17 July 21:18, Friday, 17 July
Edmund Finney's Quest to Find the Meaning of Life XML 20:35, Friday, 17 July 21:18, Friday, 17 July
EFF Action Center XML 20:35, Friday, 17 July 21:18, Friday, 17 July
Enspiral Tales - Medium XML 20:14, Friday, 17 July 20:59, Friday, 17 July
Events XML 20:42, Friday, 17 July 21:30, Friday, 17 July
Falkvinge on Liberty XML 20:42, Friday, 17 July 21:30, Friday, 17 July
Flipside XML 20:42, Friday, 17 July 21:24, Friday, 17 July
Flipside XML 20:14, Friday, 17 July 20:59, Friday, 17 July
Free software jobs XML 20:28, Friday, 17 July 21:08, Friday, 17 July
Full Frontal Nerdity by Aaron Williams XML 20:42, Friday, 17 July 21:30, Friday, 17 July
General Protection Fault: Comic Updates XML 20:42, Friday, 17 July 21:30, Friday, 17 July
George Monbiot XML 20:35, Friday, 17 July 21:18, Friday, 17 July
Girl Genius XML 20:35, Friday, 17 July 21:18, Friday, 17 July
Groklaw XML 20:42, Friday, 17 July 21:30, Friday, 17 July
Grrl Power XML 20:42, Friday, 17 July 21:24, Friday, 17 July
Hackney Anarchist Group XML 20:35, Friday, 17 July 21:24, Friday, 17 July
Hackney Solidarity Network XML 20:14, Friday, 17 July 20:59, Friday, 17 July
http://blog.llvm.org/feeds/posts/default XML 20:14, Friday, 17 July 20:59, Friday, 17 July
http://calendar.google.com/calendar/feeds/q7s5o02sj8hcam52hutbcofoo4%40group.calendar.google.com/public/basic XML 20:28, Friday, 17 July 21:08, Friday, 17 July
http://dynamic.boingboing.net/cgi-bin/mt/mt-cp.cgi?__mode=feed&_type=posts&blog_id=1&id=1 XML 20:14, Friday, 17 July 20:59, Friday, 17 July
http://eng.anarchoblogs.org/feed/atom/ XML 20:28, Friday, 17 July 21:14, Friday, 17 July
http://feed43.com/3874015735218037.xml XML 20:28, Friday, 17 July 21:14, Friday, 17 July
http://flatearthnews.net/flatearthnews.net/blogfeed XML 20:35, Friday, 17 July 21:16, Friday, 17 July
http://fulltextrssfeed.com/ XML 20:35, Friday, 17 July 21:18, Friday, 17 July
http://london.indymedia.org/articles.rss XML 20:35, Friday, 17 July 21:22, Friday, 17 July
http://pipes.yahoo.com/pipes/pipe.run?_id=ad0530218c055aa302f7e0e84d5d6515&amp;_render=rss XML 20:28, Friday, 17 July 21:14, Friday, 17 July
http://planet.gridpp.ac.uk/atom.xml XML 20:35, Friday, 17 July 21:22, Friday, 17 July
http://shirky.com/weblog/feed/atom/ XML 20:14, Friday, 17 July 20:58, Friday, 17 July
http://thecommune.co.uk/feed/ XML 20:14, Friday, 17 July 20:59, Friday, 17 July
http://theness.com/roguesgallery/feed/ XML 20:42, Friday, 17 July 21:30, Friday, 17 July
http://www.airshipentertainment.com/buck/buckcomic/buck.rss XML 20:35, Friday, 17 July 21:24, Friday, 17 July
http://www.airshipentertainment.com/growf/growfcomic/growf.rss XML 20:14, Friday, 17 July 20:58, Friday, 17 July
http://www.airshipentertainment.com/myth/mythcomic/myth.rss XML 20:42, Friday, 17 July 21:24, Friday, 17 July
http://www.baen.com/baenebooks XML 20:14, Friday, 17 July 20:58, Friday, 17 July
http://www.feedsapi.com/makefulltextfeed.php?url=http%3A%2F%2Fwww.somethingpositive.net%2Fsp.xml&what=auto&key=&max=7&links=preserve&exc=&privacy=I+accept XML 20:14, Friday, 17 July 20:58, Friday, 17 July
http://www.godhatesastronauts.com/feed/ XML 20:42, Friday, 17 July 21:30, Friday, 17 July
http://www.tinycat.co.uk/feed/ XML 20:28, Friday, 17 July 21:08, Friday, 17 July
https://anarchism.pageabode.com/blogs/anarcho/feed/ XML 20:14, Friday, 17 July 20:58, Friday, 17 July
https://broodhollow.krisstraub.comfeed/ XML 20:35, Friday, 17 July 21:16, Friday, 17 July
https://debian-administration.org/atom.xml XML 20:35, Friday, 17 July 21:16, Friday, 17 July
https://elitetheatre.org/ XML 20:35, Friday, 17 July 21:22, Friday, 17 July
https://feeds.feedburner.com/Starslip XML 20:42, Friday, 17 July 21:24, Friday, 17 July
https://feeds2.feedburner.com/GeekEtiquette?format=xml XML 20:35, Friday, 17 July 21:18, Friday, 17 July
https://hackbloc.org/rss.xml XML 20:35, Friday, 17 July 21:16, Friday, 17 July
https://kajafoglio.livejournal.com/data/atom/ XML 20:35, Friday, 17 July 21:24, Friday, 17 July
https://philfoglio.livejournal.com/data/atom/ XML 20:35, Friday, 17 July 21:22, Friday, 17 July
https://pixietrixcomix.com/eerie-cutiescomic.rss XML 20:35, Friday, 17 July 21:22, Friday, 17 July
https://pixietrixcomix.com/menage-a-3/comic.rss XML 20:14, Friday, 17 July 20:58, Friday, 17 July
https://propertyistheft.wordpress.com/feed/ XML 20:28, Friday, 17 July 21:08, Friday, 17 July
https://requiem.seraph-inn.com/updates.rss XML 20:28, Friday, 17 July 21:08, Friday, 17 July
https://studiofoglio.livejournal.com/data/atom/ XML 20:28, Friday, 17 July 21:14, Friday, 17 July
https://thecommandline.net/feed/ XML 20:28, Friday, 17 July 21:14, Friday, 17 July
https://torrentfreak.com/subscriptions/ XML 20:35, Friday, 17 July 21:18, Friday, 17 July
https://web.randi.org/?format=feed&type=rss XML 20:35, Friday, 17 July 21:18, Friday, 17 July
https://www.dcscience.net/feed/medium.co XML 20:35, Friday, 17 July 21:24, Friday, 17 July
https://www.DropCatch.com/domain/steampunkmagazine.com XML 20:35, Friday, 17 July 21:16, Friday, 17 July
https://www.DropCatch.com/domain/ubuntuweblogs.org XML 20:28, Friday, 17 July 21:14, Friday, 17 July
https://www.DropCatch.com/redirect/?domain=DyingAlone.net XML 20:35, Friday, 17 July 21:22, Friday, 17 July
https://www.freedompress.org.uk:443/news/feed/ XML 20:42, Friday, 17 July 21:30, Friday, 17 July
https://www.goblinscomic.com/category/comics/feed/ XML 20:28, Friday, 17 July 21:08, Friday, 17 July
https://www.loomio.com/blog/feed/ XML 20:28, Friday, 17 July 21:14, Friday, 17 July
https://www.newstatesman.com/feeds/blogs/laurie-penny.rss XML 20:35, Friday, 17 July 21:16, Friday, 17 July
https://www.patreon.com/graveyardgreg/posts/comic.rss XML 20:35, Friday, 17 July 21:22, Friday, 17 July
https://www.rightmove.co.uk/rss/property-for-sale/find.html?locationIdentifier=REGION^876&maxPrice=240000&minBedrooms=2&displayPropertyType=houses&oldDisplayPropertyType=houses&primaryDisplayPropertyType=houses&oldPrimaryDisplayPropertyType=houses&numberOfPropertiesPerPage=24 XML 20:35, Friday, 17 July 21:18, Friday, 17 July
https://x.com/statuses/user_timeline/22724360.rss XML 20:28, Friday, 17 July 21:08, Friday, 17 July
Humble Bundle Blog XML 20:35, Friday, 17 July 21:22, Friday, 17 July
I, Cringely XML 20:42, Friday, 17 July 21:30, Friday, 17 July
Irregular Webcomic! XML 20:35, Friday, 17 July 21:16, Friday, 17 July
Joel on Software XML 20:28, Friday, 17 July 21:14, Friday, 17 July
Judith Proctor's Journal XML 20:28, Friday, 17 July 21:08, Friday, 17 July
Krebs on Security XML 20:35, Friday, 17 July 21:16, Friday, 17 July
Lambda the Ultimate - Programming Languages Weblog XML 20:28, Friday, 17 July 21:08, Friday, 17 July
Looking For Group XML 20:14, Friday, 17 July 20:58, Friday, 17 July
LWN.net XML 20:35, Friday, 17 July 21:16, Friday, 17 July
Mimi and Eunice XML 20:14, Friday, 17 July 20:59, Friday, 17 July
Neil Gaiman's Journal XML 20:28, Friday, 17 July 21:08, Friday, 17 July
Nina Paley XML 20:35, Friday, 17 July 21:22, Friday, 17 July
O Abnormal – Scifi/Fantasy Artist XML 20:14, Friday, 17 July 20:59, Friday, 17 July
Oglaf! -- Comics. Often dirty. XML 20:42, Friday, 17 July 21:30, Friday, 17 July
Oh Joy Sex Toy XML 20:14, Friday, 17 July 20:58, Friday, 17 July
Order of the Stick XML 20:14, Friday, 17 July 20:58, Friday, 17 July
Original Fiction Archives - Reactor XML 20:42, Friday, 17 July 21:24, Friday, 17 July
OSnews XML 20:14, Friday, 17 July 20:59, Friday, 17 July
Paul Graham: Unofficial RSS Feed XML 20:14, Friday, 17 July 20:59, Friday, 17 July
Penny Arcade XML 20:42, Friday, 17 July 21:24, Friday, 17 July
Penny Red XML 20:14, Friday, 17 July 20:59, Friday, 17 July
PHD Comics XML 20:35, Friday, 17 July 21:24, Friday, 17 July
Phil's blog XML 20:42, Friday, 17 July 21:30, Friday, 17 July
Planet Debian XML 20:14, Friday, 17 July 20:59, Friday, 17 July
Planet GNU XML 20:35, Friday, 17 July 21:16, Friday, 17 July
Planet Lisp XML 20:35, Friday, 17 July 21:24, Friday, 17 July
Pluralistic: Daily links from Cory Doctorow XML 20:28, Friday, 17 July 21:08, Friday, 17 July
PS238 by Aaron Williams XML 20:42, Friday, 17 July 21:30, Friday, 17 July
QC RSS v2 XML 20:35, Friday, 17 July 21:22, Friday, 17 July
Radar XML 20:42, Friday, 17 July 21:24, Friday, 17 July
RevK®'s ramblings XML 20:28, Friday, 17 July 21:14, Friday, 17 July
Richard Stallman's Political Notes XML 20:35, Friday, 17 July 21:24, Friday, 17 July
Scenes From A Multiverse XML 20:35, Friday, 17 July 21:22, Friday, 17 July
Schneier on Security XML 20:28, Friday, 17 July 21:08, Friday, 17 July
SCHNEWS.ORG.UK XML 20:14, Friday, 17 July 20:58, Friday, 17 July
Scripting News XML 20:42, Friday, 17 July 21:24, Friday, 17 July
Seth's Blog XML 20:28, Friday, 17 July 21:14, Friday, 17 July
Skin Horse XML 20:42, Friday, 17 July 21:24, Friday, 17 July
Tales From the Riverbank XML 20:35, Friday, 17 July 21:24, Friday, 17 July
The Adventures of Dr. McNinja XML 20:14, Friday, 17 July 20:59, Friday, 17 July
The Bumpycat sat on the mat XML 20:28, Friday, 17 July 21:08, Friday, 17 July
The Daily WTF XML 20:28, Friday, 17 July 21:14, Friday, 17 July
The Monochrome Mob XML 20:35, Friday, 17 July 21:16, Friday, 17 July
The Non-Adventures of Wonderella XML 20:35, Friday, 17 July 21:18, Friday, 17 July
The Old New Thing XML 20:14, Friday, 17 July 20:58, Friday, 17 July
The Open Source Grid Engine Blog XML 20:35, Friday, 17 July 21:22, Friday, 17 July
The Stranger XML 20:14, Friday, 17 July 20:59, Friday, 17 July
towerhamletsalarm XML 20:28, Friday, 17 July 21:14, Friday, 17 July
Twokinds XML 20:42, Friday, 17 July 21:24, Friday, 17 July
UK Indymedia Features XML 20:42, Friday, 17 July 21:24, Friday, 17 July
Uploads from ne11y XML 20:28, Friday, 17 July 21:14, Friday, 17 July
Uploads from piasladic XML 20:35, Friday, 17 July 21:18, Friday, 17 July
Use Sword on Monster XML 20:35, Friday, 17 July 21:22, Friday, 17 July
Wayward Sons: Legends - Sci-Fi Full Page Webcomic - Updates Daily XML 20:28, Friday, 17 July 21:14, Friday, 17 July
what if? XML 20:35, Friday, 17 July 21:16, Friday, 17 July
Whatever XML 20:35, Friday, 17 July 21:24, Friday, 17 July
Whitechapel Anarchist Group XML 20:35, Friday, 17 July 21:24, Friday, 17 July
WIL WHEATON dot NET XML 20:14, Friday, 17 July 20:58, Friday, 17 July
wish XML 20:14, Friday, 17 July 20:59, Friday, 17 July
Writing the Bright Fantastic XML 20:14, Friday, 17 July 20:58, Friday, 17 July
xkcd.com XML 20:35, Friday, 17 July 21:18, Friday, 17 July