Planet Debian


Sylvain Beucler: Debian LTS and ELTS - March 2020

1 April, 2020 - 21:26

Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.

In March, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 30h for LTS (out of 30 max; all done) and 20h for ELTS (out of 20 max; I did 0).

Most contributors claimed vulnerabilities by performing early CVE monitoring/triaging on their own, making me question the relevance of the Front-Desk role. It could be due to a transient combination of higher hours volume and lower open vulnerabilities.

Working as a collective of hourly paid freelancers makes it more likely to work in silos, resulting in little interaction when raising workflow topics on the mailing list. Maybe we're reaching a point where regular team meetings will be beneficial.

As previously mentioned, I structure my work keeping the global Debian security in mind. It can be stressful though, and I believe current communication practices may deter such initiatives.

ELTS - Wheezy

  • No work. ELTS has few sponsors right now and few vulnerabilities to fix, hence why I could not work on it this month. I gave back my hours at the end of the month.

LTS - Jessie

  • lua-cgi: global triage: CVE-2014-10399,CVE-2014-10400/lua-cgi not-affected, CVE-2014-2875/lua-cgi referenced in BTS
  • libpcap: global triage: request CVE-2018-16301 rejection as upstream failed to; got MITRE to reject (not "dispute") a CVE for the first time!
  • nfs-utils: suites harmonization: CVE-2019-3689: ping upstream again, locate upstream'd commit, reference it at BTS and MITRE; close MR which had been ignored and now redone following said referencing
  • slurm-llnl: re-add; create CVE-2019-12838 reproducer, test abhijith's pending upload; reference patches; witness regression in CVE-2019-19728, get denied access to upstream bug, triage as ignored (minor issue + regression); security upload DLA 2143-1
  • xerces-c: global triage progress: investigate ABI-(in)compatibility of hle's patch direction; initiate discussion at upstream and RedHat; mark postponed
  • nethack: jessie triage fix: mark end-of-life
  • tor: global triage fix: CVE-2020-10592,CVE-2020-10593: fix upstream BTS links, fix DSA reference
  • php7.3: embedded copies: removed from unstable (replaced with php7.4); checked whether libonig is still bundled (no, now properly unbundled at upstream level); jessie still not-affected
  • okular: CVE-2020-9359: reference PoC, security upload DLA 2159-1


  • data/dla-needed.txt: tidy/refresh pending packages status
  • LTS/Development: DLA regression numbering when a past DLA affects a different package
  • LTS/FAQ: document past LTS releases archive location following a user request; trickier than expected, 3 contributors required to find the answer
  • Question aggressive package claims; little feedback
  • embedded-copies: libvncserver: reference various state of embedded copies in italc/ssvnc/tightvnc/veyon/vncsnapshot; builds on initial research from sunweaver
  • Attempt to progress on libvncserver embedded copies triaging; technical topic not answered, organizational topic ignored
  • phppgadmin: provide feedback on CVE-2019-10784
  • Answer general workflow question about vulnerability severity
  • Answer GPAC CVE information request from a PhD student at CEA, following my large security update

Joey Hess: DIN distractions

1 April, 2020 - 21:12

My offgrid house has an industrial automation panel.

I started building this in February, before covid-19 was impacting us here, when lots of mail orders were no big problem, and getting an unusual 3D-printed DIN rail bracket for a SSD was just a couple clicks.

I finished a month later, deep into social isolation and quarantine, scrounging around the house for scrap wire, scavenging screws from unused stuff and cutting them to size, and hoping I would not end up in a "need just one more part that I can't get" situation.

It got rather elaborate, and working on it was often a welcome distraction from the news when I couldn't concentrate on my usual work. I'm posting this now because people sometimes tell me they like hearing about my offgrid stuff, and perhaps you could use a distraction too.

The panel has my house's computer on it, as well as both AC and DC power distribution, breakers, and switching. Since the house is offgrid, the panel is designed to let every non-essential power drain be turned off, from my offgrid fridge to the 20 terabytes of offline storage to the inverter and satellite dish, the spring pump for my gravity flow water system, and even the power outlet by the kitchen sink.

Saving power is part of why I'm using old-school relays and stuff and not IOT devices, the other reason is of course: IOT devices are horrible dystopian e-waste. I'm taking the utopian Star Trek approach, where I can command "full power to the vacuum cleaner!"

At the core of the panel, next to the cubietruck arm board, is a custom IO daughterboard. Designed and built by hand to fit into a DIN mount case, it uses every GPIO pin on the cubietruck's main GPIO header. Making this board took 40+ hours, and was about half the project. It got pretty tight in there.

This was my first foray into DIN rail mount, and it really is industrial lego -- a whole universe of parts that all fit together and are immensely flexible. Often priced more than seems reasonable for a little bit of plastic and metal, until you look at the spec sheets and the ratings. (Total cost for my panel was $400.) It's odd that it's not more used outside its niche -- I came of age in the Bay Area, surrounded by rack mount equipment, but no DIN mount equipment. Hacking the hardware in a rack is unusual, but DIN invites hacking.

Admittedly, this is a second system kind of project, replacing some unsightly shelves full of gear and wires everywhere with something kind of overdone. But should be worth it in the long run as new gear gets clipped into place and it evolves for changing needs.

Also, wire gutters, where have you been all my life?

Finally, if you'd like to know what everything on the DIN rail is, from left to right: Ground block, 24v DC disconnect, fridge GFI, spare GFI, USB hub switch, computer switch, +24v block, -24v block, IO daughterboard, 1tb SSD, arm board, modem, 3 USB hubs, 5 relays, AC hot block, AC neutral block, DC-DC power converters, humidity sensor.

Mike Gabriel: My Work on Debian LTS (March 2020)

1 April, 2020 - 16:41

In March 2020, I have worked on the Debian LTS project for 10.25 hours (of 10.25 hours planned).

LTS Work
  • Frontdesk: CVE Bug Triaging for Debian jessie LTS: libpam-krb5, symfony, edk2 (EOL), icu, twisted, yubikey-val, netkit-telnet(-ssl), libperlspeak-perl (new EOL), and glibc.
  • Upload to jessie-security: tinyproxy (DLA-2163-1 [1], 1 CVE, 1 severe bug [2]).
  • Revisit CVE-2015-9541 in jessie's qtbase-opensource-src and agree with Dmitry Shachnev from Debian's KDE/Qt Team about tagging this CVE '<ignored>' in Debian's security tracker. The proposed upstream patch uses an API not available in jessie's Qt5 version (QStringView API) and the series of patches to be applied would be quite invasive.
  • Prepare upload of libpam-krb5 4.6-3+deb8u1 (1 CVE) (will be uploaded during the day).
  • Look closer into CVE-2019-17177 for FreeRDP v1.1 (and decide to ignore it, as patchwork would have to be applied all over the code).
Other security related work for Debian
  • Upload to stretch: libvncserver 0.9.11+dfsg-1.3~deb9u4 (1 CVE)
  • Upload to buster: libvncserver 0.9.11+dfsg-1.3+deb10u3 (1 CVE)
  • Upload to stretch: tinyproxy 1.8.4-3~deb9u2 (1 CVE, 1 severe bug [2])
  • Upload to buster: tinyproxy 1.10.0-2+deb10u1 (1 severe bug)
  • Study the code of x11vnc (regarding Debian bug #672435 [3], which currently has a temp-CVE), apply upstream's fix (which did not work) and ping upstream about possible other required patches in x11vnc and/or libVNC.

Russ Allbery: Review: A Grand and Bold Thing

1 April, 2020 - 10:43

Review: A Grand and Bold Thing, by Ann Finkbeiner

Publisher: Free Press
Copyright: August 2010
ISBN: 1-4391-9647-8
Format: Kindle
Pages: 200

With the (somewhat excessively long) subtitle of An Extraordinary New Map of the Universe Ushering In a New Era of Discovery, this is a history of the Sloan Digital Sky Survey. It's structured as a mostly chronological history of the project with background profiles on key project members, particularly James Gunn.

Those who follow my blog will know that I recently started a new job at Vera C. Rubin Observatory (formerly the Large Synoptic Survey Telescope). Our goal is to take a complete survey of the night sky several times a week for ten years. That project is the direct successor of the Sloan Digital Sky Survey, and its project team includes many people who formerly worked on Sloan. This book (and another one, Giant Telescopes) was recommended to me as a way to come up to speed on the history of this branch of astronomy.

Before reading this book, I hadn't understood how deeply the ready availability of the Sloan sky survey data had changed astronomy. Prior to the availability of that survey data, astronomers would develop theories and then try to book telescope time to make observations to test those theories. That telescope time was precious and in high demand, so was not readily available, and was vulnerable to poor weather conditions (like overcast skies) once the allocated time finally arrived.

The Sloan project changed all of that. Its output was a comprehensive sky survey available digitally whenever and wherever an astronomer needed it. One could develop a theory and then search the Sloan Digital Sky Survey for relevant data and, for at least some types of theories, test that theory against the data without needing precious telescope time or new observations. It was a transformational change in astronomy, made possible by the radical decision, early in the project, to release all of the data instead of keeping it private to a specific research project.

The shape of that change is one takeaway from this book. The other is how many problems the project ran into trying to achieve that goal. About a third of the way into this book, I started wondering if the project was cursed. So many things went wrong, from institutional politics through equipment failures to software bugs and manufacturing problems with the telescope mirror. That makes it all the more impressive how much impact the project eventually had. It's also remarkable just how many bad things can happen to a telescope mirror without making the telescope unusable.

Finkbeiner provides the most relevant astronomical background as she tells the story so that the unfamiliar reader can get an idea of what questions the Sloan survey originally set out to answer (particularly about quasars), but this is more of a project history than a popular astronomy book. There's enough astronomy here for context, but not enough to satisfy curiosity. If you're like me, expect to have your curiosity piqued, possibly resulting in buying popular surveys of current astronomy research. (At least one review is coming soon.)

Obviously this book is of special interest to me because of my new field of work, my background at a research university, and because it features some of my co-workers. I'm not sure how interesting it will be to someone without that background and personal connection. But if you've ever been adjacent to or curious about how large-scale science projects are done, this is a fascinating story. Both the failures and problems and the way they were eventually solved is different than how the more common stories of successful or failed companies are told. (It helps, at least for me, that the shared goal was to do science, rather than to make money for a corporation whose fortunes are loosely connected to those of the people doing the work.)

Recommended if this topic sounds at all interesting.

Rating: 7 out of 10

Paul Wise: FLOSS Activities March 2020

1 April, 2020 - 09:34
Changes Issues Review Administration
  • Debian wiki: approve accounts
Communication Sponsors

The dh-make-perl feature requests, file bug report, File::Libmagic changes, autoconf-archive change, libpst work and the purple-discord upload were sponsored by my employer. All other work was done on a volunteer basis.

Junichi Uekawa: After the snow cherry blossoms fell.

1 April, 2020 - 07:52
After the snow cherry blossoms fell. It's already April.

Jonathan Wiltshire: neuraldak

1 April, 2020 - 07:50

We are proud to announce that dak, the Debian Archive Kit, has been replaced by a neural network for processing package uploads and other archive maintenance. All FTP masters and assistants have been re-deployed to concentrate on managing neuraldak.

neuraldak is an advanced machine learning algorithm which has been taught about appropriate uploads, can write to maintainers about their bugs and can automatically make an evaluation about suitable licenses and code quality. Any uploads which do not meet its standards will be rejected with prejudice.

We anticipate that neuraldak will also monitor social media for discontent about package uploads, and train itself to do better with its decisions.

In terms of licensing, neuraldak has been seeded only with the GPL license. This we consider the gold standard of licenses, and its clauses will be the basis for neuraldak evaluating other licenses as it is exposed to them.

Over the course of the next few weeks, neuraldak will also learn to manage the testing suite. Once it is established, we expect to be able to make a full stable release of Debian approximately every six weeks. We have therefore also re-purposed Janelle Shane’s cat name algorithm to invent suitable release names, since the list of Toy Story names is likely to be exhausted before 2021.

neuraldak is an independent software project. Rumours of it being derived from Skynet are entirely unfounded.


Joachim Breitner: Animations in Kaleidogen

1 April, 2020 - 04:29

A while ago I wrote a little game (or toy) called Kaleidogen. It is a relatively contemplative game where, starting from just unicolored disks, you combine abstract circular patterns to breed more interesting patterns. See my FARM 2019 talk for more details, or check out the source repository.

It has mostly been quiet with this game, but I finally got around to adding a little bit of animation: When you have bred one of these patterns, you can animate its genesis, from nothing to a complex pattern, as you can see in this screencast:

Kaleidogen, animated

By the way: I am looking for collaborators who help me to get this into the Play Store properly, so let me know if you want to play around with Haskell, Android, Nix, OpenGL and cross-compilation.

Pau Garcia i Quiles: Uyuni 2020.03 released — with enhanced Debian support!

1 April, 2020 - 00:12

Uyuni is a configuration and infrastructure management tool that saves you time and headaches when you have to manage and update tens, hundreds or even thousands of machines.

Uyuni is a fork of Spacewalk that leverages Salt, Cobbler and containers to modernize it. Uyuni is the upstream for SUSE Manager (the main difference is support: with SUSE Manager you get it from SUSE; with Uyuni you get it from the community) and our development and feature discussion is done in the open.

Last week we released Uyuni 2020.03, with much improved Debian support, coming from the community: we have got client tools (both the Salt stack and the traditional stack) for Debian 9 and 10, and bootstrapping support!

In addition to that, Uyuni 2020.03 brings many other new features:

  • Package pre-downloading for Debian and Ubuntu
  • Automatic generation of bootstrap repositories
  • Provisioning API for Salt clients (previously only for traditional clients), which allows to provision and re-provision Salt minions
  • Recurring actions scheduling, e. g. schedule highstate to happen every so often, repeatedly
  • Content Lifecycle Management filters for RHEL 8 appstreams so that you can convert modular repositories to plain repositories by applying a combination of filters. It will also work on RHEL derivatives, of course: CentOS, Oracle Linux and SLES Expanded Support.
  • Yomi: Yet One More Installer is a Salt-based installer for SUSE and openSUSE operating systems. More architectures (e. g. ARM) and Linux distributions will follow soon!
  • Hub XML-RPC API: the first component of our multi-Server architecture, to support hundreds of thousands of clients
  • SUSE Container as a Platform 4 (SUSE’s Kubernetes distribution) cluster awareness. Nodes in a SUSE CaaSP 4 cluster will by default not install updates, patches, run commands, etc from Uyuni Server on the normal schedule but default to doing that using skuba, CaaSP’s tool in charge of updates and reboots. Further enhancements are coming to this feature soon.

While this version of Uyuni provides a much better experience for Debian sysadmins, we still have a lot of room for improvement:

Do you want to help us with development, or just with feedback? Join our community on IRC, Gitter or the mailing lists. And check our user documentation, developer documentation and presentations.

We are also participating in Google Summer of Code 2020. Hurry up and submit a proposal to provide Uyuni for Debian, and/or enhance Debian support!

Chris Lamb: Free software activities in March 2020

31 March, 2020 - 22:05

Here is my monthly update covering what I have been doing in the free software world during March 2020 (previous month):

  • Further conversations for the next iteration of the OpenUK awards to be announced soon.

  • Merged a number of contributions to my django-cache-toolbox "non-magical" caching library for Django web applications, including caching negative relation lookups locally (#14) and to include the README file in the package long description (#17).

  • Made some small changes to my tickle-me-email library which implements Getting Things Done (GTD)-like behaviours in IMAP inboxes to support optionally limiting the number of messages in the send-later functionality. [...]

In addition, I did even more hacking on the Lintian static analysis tool for Debian packages, including:

  • New features:

    • Check for py3versions -i in autopkgtests and debian/rules files. (#954763)
    • Warn when py3versions -s is used without a python3-all dependency. (#954763)
    • Expand possible-missing-colon-in-closes to also check for semicolons used in place of colons. (#954484)
    • Check for new packages that use a date-based versioning scheme (eg. YYYYMMDD-1) without a 0~ suffix. (#953036)
  • Improvements:

  • Misc:

    • Correct reference to build dependencies in the long description of the debian-rules-uses-installed-python-versions tag. [...]
    • Make some cosmetic improvements to the file. [...]
    • Correct reference to a bug in a previous debian/changelog entry. [...]
    • Avoid indenting approximately 150 lines by returning early from a subroutine and other code improvements. [...]

Reproducible builds

One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

The initiative is proud to be a member project of the Software Freedom Conservancy, a not-for-profit 501(c)(3) charity focused on ethical technology and user freedom.

Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.

This month, I:

  • Filed an issue against IMAP Spam Begone — a script by Louis-Philippe Véronneau (pollo) that makes it easy to process an email inbox using SpamAssassin — to report that a (duplicate) documentation entry includes a nondeterministic value taken from the value of the XDG cache directory (#151) and filed an upstream pull request against the pmemkv key-value data store to make their documentation build reproducibly (#615).

  • Further refined my merge request against the debian-installer component to allow all arguments from sources.list files (such as [check-valid-until=no]) in order that we can test the reproducibility of the installer images on the Reproducible Builds own testing infrastructure. (#13)

  • Submitted the following two patches to fix reproducibility-related toolchain issues within Debian:

    • node-browserify-lite: Please make the output reproducible. (#954409)

    • pdb2pqr: Please make the file reproducible. (#955287)

  • Submitted eight patches to fix specific reproducibility issues in beep (caused by a variation between /bin/dash and /bin/bash), cloudkitty (due to a default value being taken from the number of CPUs on the build machine), font-manager (embedding the value of @abs_top_srcdir@ into the resulting binary), gucharmap (due to embedding the absolute build path when generating a comment in a header file), infernal (timestamps are injected into a Python example, which should not be shipped anyway), ndisc6 (embeds the value of CFLAGS into the binary without sanitising any absolute build paths), node-nodedbi (embedded timestamp in binary) & pmemkv (does not respect SOURCE_DATE_EPOCH when populating a YEAR variable).

  • Kept up to date. [...]

  • Continued collaborative work on an academic paper to be published within the next few months.

  • Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.

  • Drafted, published and publicised our monthly report.

  • Improved our website, including correcting the syntax of some CSS class formatting [...], improved some "filed against" copy a little better [...] and corrected a reference to the calendar.monthrange Python method. [...]

In our tooling, I also made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues, including preparing and uploading version 138 to Debian:

  • Improvements:

    • Don't allow errors with R script deserialisation to cause the entire operation to fail, for example if an external library cannot be loaded. (#91)
    • Experiment with memoising output from expensive external commands, eg. readelf. (#93)
    • Use dumppdf from the python3-pdfminer if we do not see any other differences from pdftext, etc. (#92)
    • Prevent a traceback when comparing two R .rdx files directly as the get_member method will return a file even if the file is missing. [...]
  • Reporting:

    • Display the supported file formats into the package long description. (#90)
    • Print a potentially-helpful message if the PyPDF2 module is not installed. [...]
    • Remove any duplicate comparator descriptions when formatting in the --help output or in the package long description. [...]
    • Weaken "Install the X package to get a better output." message to "... may produce a better output." as the former is not guaranteed. [...]
  • Misc:

    • Ensure we only parse the recommended packages from --list-debian-substvars when we want them for debian/tests/control generation. [...]
    • Add upstream metadata file [...] and add a Lintian override for upstream-metadata-in-native-source as "we" are upstream. [...]
    • Inline the RequiredToolNotFound.get_package method's functionality as it is only used once. [...]
    • Drop the deprecated "py36 = [..]" argument in the pyproject.toml file. [...]

The Reproducible Builds project also operates a fully-featured and comprehensive Jenkins-based testing framework that powers This month, I reworked the web-based package rescheduling tool to:

  • Require a HTTP POST method in the web-based scheduler as not only should HTTP GET requests be idempotent but this will allow many future improvements in the user interface. [...][...][...]

  • Improve the authentication error message in the rescheduler to suggest that the developer's SSL certificate may have expired. [...]

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 8 hours on its sister Extended LTS project.

  • Investigated and triaged glibc (CVE-2020-1751), jackson-databind, libbsd (CVE-2019-20367), libvirt (CVE-2019-20485), netkit-telnet & netkit-telnet-ssl (CVE-2020-10188), pdfresurrect (CVE-2020-9549) & shiro (CVE-2020-1957), etc.

  • In the script that reserves a unique advisory number don't warn about potential duplicate work when issuing a regression in order to avoid this message being missed when it does apply. [...]

  • Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.

  • xtrlock versions 2.8+deb9u1 (#949112) and 2.8+deb10u1 (#949113) were accepted to the Debian jessie and buster distributions.

  • Issued DLA 2115-2 to correct a regression in a previous fix (a use-after-free vulnerability) in the ProFTPD FTP server.

  • Issued DLA 2132-1 to fix an issue where incorrect default permissions on a HTTP cookie store could have allowed local attackers to read private credentials in libzypp, the library underpinning package management tools such as YaST, zypper and the openSUSE/SLE implementation of PackageKit.

  • Issued DLA 2134-1 to patch an out-of-bounds write vulnerability in pdfresurrect, a tool for extracting or scrubbing versioning data from PDF documents.

  • Issued DLA 2136-1, addressing an out-of-bounds buffer read vulnerability in libvpx, a library implementing the VP8 & VP9 video codecs.

  • Issued DLA 2142-1. It was discovered that there was a buffer overflow vulnerability in slirp, a SLIP/PPP emulator for using a dial up shell account. This was caused by the incorrect usage of return values from snprintf(3).

  • Issued DLA 2145-1 and DLA 2145-2 for twisted to prevent a large number of HTTP request splitting vulnerabilities in Twisted, a Python event-based framework for building various types of internet applications.

  • Issued ELA-219-1 to address an out-of-bounds read vulnerability during string comparisons in libbsd, a library of functions commonly available on BSD systems but not on others such as GNU.


Debian Uploads

For the Debian Privacy Maintainers team I requested that the pyptlib package be removed from the archive (#953429) as well as uploading onionbalance (0.1.8-6) to fix test failures under Pytest 3.x (#953535) and a new upstream release of nautilus-wipe.

Finally, I sponsored an upload of bilibop (0.6.1) on behalf of Yann Amar.
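
The DLA 2142-1 item in the post above attributes the slirp overflow to incorrect use of snprintf(3) return values. As an added illustration (not code from slirp, Debian or the original post; the function names and the sample input are constructed for this example), the following shows the general pitfall next to a checked alternative:

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input: 40 bytes, longer than the 16-byte buffer below. */
static const char LONG_VALUE[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

/*
 * Flawed pattern: treats snprintf()'s return value as "bytes written".
 * On truncation snprintf() returns the length the complete output WOULD
 * have had, so the running offset moves past the end of the buffer.
 * Only the first (bounded) write is performed here; the function returns
 * the offset a second write would use, so this example never touches
 * out-of-bounds memory itself.
 */
size_t naive_next_offset(char *buf, size_t size, const char *value)
{
    size_t off = 0;

    off += (size_t)snprintf(buf + off, size - off, "name=%s;", value);
    /* A following snprintf(buf + off, size - off, ...) would start outside
     * buf, and size - off would wrap around to a huge size_t. */
    return off;
}

/*
 * Checked pattern: append at *off and advance only if the whole formatted
 * string fitted. Returns 0 on success, -1 on error or truncation; on
 * failure the partial field is discarded and buf stays NUL-terminated.
 */
int append_fmt(char *buf, size_t size, size_t *off, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (*off >= size)
        return -1;

    va_start(ap, fmt);
    n = vsnprintf(buf + *off, size - *off, fmt, ap);
    va_end(ap);

    if (n < 0 || (size_t)n >= size - *off) {
        buf[*off] = '\0';
        return -1;
    }
    *off += (size_t)n;
    return 0;
}

int main(void)
{
    char buf[16];
    size_t off;
    int rc;

    off = naive_next_offset(buf, sizeof buf, LONG_VALUE);
    printf("naive offset %zu in a %zu-byte buffer\n", off, sizeof buf);

    off = 0;
    rc = append_fmt(buf, sizeof buf, &off, "name=%s;", LONG_VALUE);
    printf("checked append: rc=%d offset=%zu buf=\"%s\"\n", rc, off, buf);
    return 0;
}
```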

Norbert Preining: Fixing the Breeze Dark theme for gtk3 apps

31 March, 2020 - 17:36

It has been now about two weeks that I switched to KDE/Plasma on all my desktops, and to my big surprise, that went much more smooth than I thought. There are only a few glitches with respect to the gtk3 part of the Breeze Dark theme I am using, which needed fixup.

Tab distinction

As I wrote already in a previous blog, the active tab in all kinds of terminal emulators, but in fact everything that uses the gtk3 notebook widget, is not distinguishable from other tabs. It turned out that this fix is a bit convoluted, but still possible, see the linked blog. Just for completeness, here is the CSS code I use in ~/.config/gtk-3.0/gtk.css:

notebook tab {
    /* background-color: #222; */
    padding: 0.4em;
    border: 0;
    border-color: #444;
    border-style: solid;
    border-width: 1px;
}
notebook tab:checked {
    /* background-color: #000; */
    background-image: none;
    border-color: #76C802;
}
notebook tab:checked label {
    color: #76C802;
    font-weight: 500;
}
notebook tab button {
    padding: 0;
    background-color: transparent;
    color: #ccc;
}
notebook tab button:hover {
    border: 0;
    background-image: none;
    border-color: #444;
    border-style: solid;
    border-width: 1px;
}

Scroll bars

Another of the disturbing properties of the Breeze theme is the width-changing scroll bar. While not hovered upon, it is rather small, but when the mouse moves over it, it expands its width. Now that might sound like a flashy cool idea, but in fact it is nothing but a PITA: When used with a terminal emulator, the result is that the line length changes when the mouse moves over the vertical scroll bar, and thus suddenly the layout (line break) changes for an instant, which is really really disturbing. I can’t imagine why developers ever come up with such a stupid idea. Anyway, the fix is not that difficult again, simply put the following into your ~/.config/gtk-3.0/gtk.css (adjusting the width to your liking) and all will be fine:

.scrollbar.vertical slider, scrollbar.vertical slider {
    min-width: 10px;
}

Not that bad, right?

Other than this I haven’t found any disturbing issue with using the Breeze theme with gtk3 (and gtk2) apps!

Hope that helps

Russell Coker: Links March 2020

31 March, 2020 - 16:12

Rolling Stone has an insightful article about why the Christian Right supports Trump and won’t stop supporting him no matter what he does [1].

Interesting article about Data Oriented Architecture [2].

Quarantine Will normalise WFH and Recession will Denormalise Jobs [3]. I guess we can always hope that after a disaster we can learn to do things better than before.

Tyre wear is worse than exhaust for small particulate matter [4]. We need better tyres and legal controls over such things.

Scott Santens wrote an insightful article about the need for democracy and unconditional basic income [5]. “In ancient Greece, work was regarded as a curse” is an extreme position but strongly supported by evidence. ‘In his essay “In Praise of Idleness,” Bertrand Russell wrote “Modern methods of production have given us the possibility of ease and security for all; we have chosen, instead, to have overwork for some and starvation for others. Hitherto we have continued to be as energetic as we were before there were machines; in this we have been foolish, but there is no reason to go on being foolish forever.”‘

Cory Doctorow wrote an insightful article for Locus titled A Lever Without a Fulcrum Is Just a Stick about expansions to copyright laws [6]. One of his analogies is that giving a bullied kid more lunch money just allows the bullies to steal more money, with artists being bullied kids and lunch money being the rights that are granted under copyright law. The proposed solution includes changes to labor and contract law, presumably Cory will write other articles in future giving the details of his ideas in this regard.

The Register has an amusing article about the trial of a former CIA employee on trial for being the alleged “vault 7 leaker” [7]. Both the prosecution and the defence are building their cases around the defendant being a jerk. The article exposes poor security and poor hiring practices in the CIA.

CNN has an informative article about Finland’s war on fake news [8]. As Finland has long standing disputes with Russia they have had more practice at dealing with fake news than most countries.

The Times of Israel has an interesting article about how the UK used German Jews to spy on German prisoners of war [9].

Cory Doctorow wrote an insightful article “Data is the New Toxic Waste” about how collecting personal data isn’t an asset, it’s a liability [10].

Ulrike Uhlig wrote an insightful article about “Control Freaks”, analysing the different meanings of control, both positive and negative [11].

538 has an informative article about the value of statistical life [12]. It’s about $9M per person in the US, which means a mind-boggling amount of money should be spent to save the millions of lives that will be potentially lost in a natural disaster (like Coronavirus).

NPR has an interesting interview about Crypto AG, the Swiss crypto company owned by the CIA [13]. I first learned of this years ago, it’s not new, but I still learned a lot from this interview.


Russ Allbery: pam-krb5 4.9

31 March, 2020 - 09:34

This is a security release fixing a one-byte buffer overflow when relaying prompts from the underlying Kerberos library. All users of my pam-krb5 module should upgrade as soon as possible. See the security advisory for more information.

There are also a couple more minor security improvements in this release: The module now rejects passwords as long or longer than PAM_MAX_RESP_SIZE (normally 512 octets) since they can be a denial of service attack via the Kerberos string-to-key function, and uses explicit_bzero where available to clear passwords before releasing memory.

Also in this release, use_pkinit is now supported with MIT Kerberos, the Kerberos prompter function returns more accurate error messages, I fixed an edge-case memory leak in pam_chauthtok, and the module/basic test will run properly with a system krb5.conf file that doesn't specify a realm.

You can get the latest release from the pam-krb5 distribution page. I've also uploaded the new version to Debian unstable and patched security releases with only the security fix to Debian stable and oldstable.
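An added example, not code from pam-krb5 or its author, of the three hardening measures this release announcement names: never writing the terminator past the end of a reply buffer, rejecting passwords as long or longer than PAM_MAX_RESP_SIZE, and wiping secrets with explicit_bzero where available. The function names and status codes are hypothetical, PAM_MAX_RESP_SIZE is defined locally as 512 on the assumption that the PAM headers are not installed, and the code does not reproduce the module's actual bug.

```c
/* Added illustration; not pam-krb5 source. All function names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PAM_MAX_RESP_SIZE
# define PAM_MAX_RESP_SIZE 512  /* assumed: the "normally 512 octets" value */
#endif

/* Use explicit_bzero only where glibc declares it (2.25+, default feature set). */
#if defined(__GLIBC__) && defined(_DEFAULT_SOURCE)
# if __GLIBC_PREREQ(2, 25)
#  define HAVE_EXPLICIT_BZERO 1
# endif
#endif

enum relay_status { RELAY_OK = 0, RELAY_TOO_LONG = -1, RELAY_NO_SPACE = -2 };

/* Wipe a secret so that the stores cannot be discarded as dead code. */
void secure_clear(void *p, size_t n)
{
#ifdef HAVE_EXPLICIT_BZERO
    explicit_bzero(p, n);
#else
    volatile unsigned char *vp = p;
    while (n-- > 0)
        *vp++ = 0;
#endif
}

/* Accept only passwords strictly shorter than PAM_MAX_RESP_SIZE. The scan is
 * bounded, so an over-long input is rejected without measuring all of it. */
int password_length_ok(const char *password)
{
    return memchr(password, '\0', PAM_MAX_RESP_SIZE) != NULL;
}

/* Copy resp into a caller-owned buffer of reply_size bytes. The copy writes
 * len + 1 bytes (text plus terminator), so len == reply_size must be refused:
 * that boundary is where a one-byte overflow would occur. */
enum relay_status relay_response(const char *resp, char *reply,
                                 size_t reply_size, size_t *out_len)
{
    const char *end;
    size_t len;

    if (reply_size == 0)
        return RELAY_NO_SPACE;
    reply[0] = '\0';                    /* never leave stale data on failure */
    end = memchr(resp, '\0', PAM_MAX_RESP_SIZE);
    if (end == NULL)
        return RELAY_TOO_LONG;
    len = (size_t)(end - resp);
    if (len >= reply_size)              /* no room for text and terminator */
        return RELAY_NO_SPACE;
    memcpy(reply, resp, len);
    reply[len] = '\0';
    *out_len = len;
    return RELAY_OK;
}

/* Wipe a heap-allocated secret before returning its memory to the allocator. */
void discard_secret(char *secret)
{
    if (secret == NULL)
        return;
    secure_clear(secret, strlen(secret));
    free(secret);
}

int main(void)
{
    /* Constructed sample input: an 8-byte reply buffer and two responses. */
    char reply[8];
    size_t len = 0;
    char *copy;

    printf("7 chars into 8 bytes: %d\n",
           relay_response("1234567", reply, sizeof reply, &len));
    printf("8 chars into 8 bytes: %d\n",
           relay_response("12345678", reply, sizeof reply, &len));
    printf("short password accepted: %d\n", password_length_ok("hunter2"));

    copy = malloc(8);
    if (copy != NULL) {
        strcpy(copy, "hunter2");
        discard_secret(copy);           /* cleared, then freed */
    }
    return 0;
}
```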

Mike Gabriel: UBports: Packaging of Lomiri Operating Environment for Debian (part 02)

31 March, 2020 - 03:30

Before and during FOSDEM 2020, I agreed with the people (developers, supporters, managers) of the UBports Foundation to package the Unity8 Operating Environment for Debian. Since 27th Feb 2020, Unity8 has now become Lomiri.

Recent Uploads to Debian related to Lomiri

Over the past 7-8 weeks the packaging progress has been slowed down due to other projects I am working on in parallel. However, quite a few things have been achieved:

  • review forks of unity-api, ubuntu-download-manager and unity-app-launch under the names lomiri-api, lomiri-download-manager, lomiri-app-launch.
  • request upstream releases of lomiri-api and lomiri-download-manager
  • package and upload lomiri-api to Debian unstable (unfortunately still in Debian's NEW queue)
  • package and upload lomiri-download-manager to Debian unstable (ditto)
  • package (and with 'package' I mean Debian policy compliant packaging) lomiri-app-launch (no upload, yet, as there are some strange unit test failures that need more debugging)
  • package and upload qtsystems (under the umbrella of the Debian QT/KDE Maintainers' team) to Debian unstable (pending review in Debian's NEW queue)
  • package and upload qtfeedback (under the umbrella of the Debian QT/KDE Maintainers' team) to Debian unstable (pending review in Debian's NEW queue)
  • package and (upload) [1] qtpim (under the umbrella of the Debian Qt/KDE Maintainers' team) to Debian unstable (pending review in Debian's NEW queue)

The packages qtsystems, qtfeedback, and qtpim are not official Qt5 components, and so I had to package Git snapshots of them; with all implicit consequences regarding ABI and API compatibilities, possibly Debian-internal library transitions, etc.

Esp. packaging qtsystems was pretty tricky due to a number of failing unit tests when the package had been built in a clean chroot (like it is the case on Debian's buildd infrastructure). I learned a lot about DBus and DBus mocking while working on all those unit tests to finally pass in chrooted builds.

Unfortunately, the Lomiri App Launch component still needs more work due to (finally only) one unit test (jobs-systemd) not always passing. Sometimes, the test gets stuck and then fails after having reached a time out. I'll add it to my list of those unreproducible build failures I have recently seen in several GTest related unit test scenarios. Sigh...


A great thanks goes to Lisandro Perez Meyer from the Debian KDE/Qt Team for providing an intro and help on Qt Debian packaging and an intro on symbols handling with C++ projects.

Another big thanks goes to Dmitry Shachnev from the Debian KDE/Qt Team for doing a sponsored upload [1] of qtpim (and also a nice package review).

Also a big thanks goes to Marius Gripsgard for his work on forking the first Lomiri components on the UBports upstream side.

Previous Posts about my Debian UBports Team Efforts

References

  • [1] Unfortunately, I missed a crucial element of the GPG key update workflow as Debian Developer. My GPG key was about to expire at the end of March 2020. I renewed its expiration date and exported its public key to the public PGP/GPG keyserver. However, for being able to upload packages to Debian, one has to push the public key to Debian's own keyring server. Which I missed. Thus, I won't be able to upload any packages before the end of April myself and will depend on DD colleagues helping out with sponsoring my uploads.

Jonathan Dowland: ephemeral note-taking wins

30 March, 2020 - 21:47

Some further thoughts on ephemeral versus preserve-everything note-taking.

Note-taking is about capturing ideas, thoughts, and processes. You want as little friction as possible when doing so: you don't want to be thinking the page is too small, or the paper drying up the ink too quickly so the pen doesn't move smoothly, or similar such things distracting from capturing what you are trying to capture.

I used my PhD notebook as an example of a preserve-everything approach. A serious drawback of the notebook as the sole place to capture work is the risk that it will be damaged or lost. I periodically photograph all the pages and store those photos digitally, alongside other things relating to the work. Those other things include two different private wiki instances that I use to capture notes when I'm working at the computer, as well as several Git repositories (some public, some private) for source code, experiments, drafts of papers, etc. There's also a not-insignificant amount of email correspondence.

There have been several train journeys and several meetings where I've grabbed a cheap, larger-format pad of paper and a box of Pound-shop felt-tip pens to sketch ideas, whiteboard-style. At the time it just seemed easier to capture what we were doing in that way, rather than try to do so into the notebook.

So the notebook is neither canonical nor comprehensive. Ultimately it's really another example of ephemeral note-taking, and so I think the Ephemeral model wins out.

Use whatever notebook or paper or envelope or window pane that is convenient and feels attractive at the time you need to capture something with the least amount of friction. Digitise that and store, catalogue, adjust, derive, etc. from that in the digital domain.

Mike Gabriel: Mailman3 - Call for Translations (@Weblate)

30 March, 2020 - 14:47

TL;DR; please help localizing Mailman3 [1]. You can find it on hosted Weblate [2]. The next component releases are planned in 1-2 weeks from now. Thanks for your contribution! If you can't make it now, please consider working on Mailman3 translations at some later point of time. Thanks!

Time has come for Mailman3

Over the last months I have found an interest in Mailman3. Given the EOL of Python2 in January 2002 and also being a heavy Mailman2 provider for various of my projects and also for customers, I felt it was time to look at Mailman2's successor: Mailman3 [1].

One great novelty in Mailman3 is the strict split up between backend (Mailman Core), and the frontend components (django-mailman3, Postorius, Hyperkitty). All three are Django applications. Postorius is the list management web frontend whereas Hyperkitty is an archive viewer. Other than in Mailman2, you can also drop list posts into Hyperkitty directly (instead of sending a mail to the list). This makes Hyperkitty also some sort of forum software with a mailing list core in the back. The django-mailman3 module knits the previous two together (and handles account management, login dialog, profile settings, etc.).

Looking into Mailman3 Upstream Code

Some time back in mid 2019 I decided to deploy Mailman3 at a customer's site and also for my own business (which still is the test installation). Living and working in Germany, my customers' demand often is a fully localized WebUI. And at that time, Mailman3 could not provide this. Many exposed parts of the Mailman3 components were still not localized (or not localizable).

Together with my employee I put some hours of effort into providing merge requests, filing bug reports, requesting better Weblate integration (meaning: hosted Weblate). It felt a bit like setting the whole i18n thing in motion.

Call for Translations

Over the past month I had to focus on other work and two days ago I was delighted that Abhilash Raj (one of the Mailman3 upstream maintainers) informed me (via closing one of the related bugs [3]) that Mailman3 is now fully integrated with the hosted Weblate service and a continuous translation workflow is set to go.

The current translation stati of the Mailman3 component are at ~ 10%. We can do better than this, I sense.

So, if you are a non-native English speaker and feel like contributing to Mailman3, please visit the hosted Weblate site [2], sign up for an account (if you don't have one already), and chime in into the translation of one of the future mailing list software suites run by many FLOSS projects all around the globe. Thanks a lot for your help.

As a side note, if you plan working on translating Mailman Core into your language (and can't find it in the list of supported languages), please request this new language via the Weblate UI. All other components have all available languages enabled by default.


Axel Beckert: How do you type on a keyboard with only 46 or even 28 keys?

30 March, 2020 - 13:51

Some of you might have noticed that I’m into keyboards since a few years ago — into mechanical keyboards to be precise.


It basically started when the Swiss Mechanical Keyboard Meetup (whose website I started later on) was held in the hackerspace of the CCCZH.

I mostly used TKL keyboards (i.e. keyboards with just the — for me useless — number block missing) and tried to get my hands on more keyboards with Trackpoints (but failed so far).

At some point a year or two ago, I started looking into smaller keyboards for having a mechanical keyboard with me when travelling. I first bought a Vortex Core at Candykeys. The size was nice and especially having all layers labelled on the keys was helpful, but nevertheless I soon noticed that the smaller the keyboards get, the more important it is that they’re properly programmable. The Vortex Core is programmable, but not the keys in the bottom right corner — which are exactly the keys I wanted to change to get a cursor block down there. (Later I found out that there are possibilities to get this done, either with an alternative firmware and a hack of it or desoldering all switches and mounting an alternative PCB called Atom47.)

40% Keyboards

So at some point I ordered a MiniVan keyboard from The Van Keyboards (MiniVan keyboards will soon be available again at The Key Dot Company), here shown with GMK Paperwork (also bought from and designed by The Van Keyboards):

The MiniVan PCBs are fully programmable with the free and open source firmware QMK and I started to use that more and more instead of bigger keyboards.


With the MiniVan I learned the concepts of layers. Layers are similar to what many laptop keyboards do with the “Fn” key and to some extent also what the German standard layout does with the “AltGr” key: Layers are basically alternative key maps you can switch with a special key (often called “Fn”, “Fn1”, “Fn2”, etc., or — especially if there are two additional layers — “Raise” and “Lower”).

There are several concepts how these layers can be reached with these keys:

  • By keeping the Fn key pressed, i.e. the alternative layer is active as long as you hold the Fn key down.
  • One-shot layer switch: After having pressed and released the Fn key, all keys are on the alternative layer for a single key press and then you are back to the default layer.
  • Layer toggle: Pressing the Fn key once switches to the alternative layer and pressing it a second time switches back to the default layer.
  • There are also a lot of variants of the latter variant, e.g. rotating between layers upon every key press of the Fn key. In that case it seems common to have a second special key which always switches back to the default layer, kinda Escape key for layer switching.

My MiniVan Layout

For the MiniVan, two additional layers suffice easily, but since I have a few characters on multiple layers and also have mouse control and media keys crammed in there, I have three additional layers on my MiniVan keyboards:

“TRNS” means transparent, i.e. use the settings from lower layers.

I also use a feature that allows me to bind different actions to a key depending if I just tap the key or if I hold it. Some also call this “tap dance”. This is especially very popular on the usually rather huge spacebar. There, the term “SpaceFn” has been coined, probably after this discussion on Geekhack.

I use this for all my layer switching keys:

  • The left spacebar is space on tap and switches to layer 1 if held. The right spacebar is a real spacebar, i.e. already triggers a space on key press, not only on key release.

    Layer 1 has numbers on the top row and the special characters of the number row in the second row. It also has Home/End and Page Up/Down on the cursor keys.

  • The key between the Enter key and the cursor-right key (medium grey with a light grey caret in the picture) is actually the Slash and Question Mark key, but if held, it switches me to layer 2.

    Layer 2 has function keys on the top row and also the special characters of the number row in the second row. On the cursor keys it has volume up and down as well as the media keys “previous” and “next”.

  • The green key in the picture is actually the Backslash and Pipe key, but if held, it switches me to layer 3.

    On layer 3 I have mouse control.

With this layout I can type English texts as fast as I can type them on a standard or TKL layout.

German umlauts are a bit more difficult because it requires 4 to 6 key presses per umlaut as I use the Compose key functionality (mapped to the Menu key between the spacebars and the cursor block). So to type an Ä on my MiniVan, I have to:

  1. press and release Menu (i.e. Compose); then
  2. press and hold either Shift-Spacebar (i.e. Shift-Fn1) or Slash (i.e. Fn2), then
  3. press N for a double quote (i.e. Shift-Fn1-N or Fn2-N) and then release all keys, and finally
  4. press and release the base character for the umlaut, in this case Shift-A.

And now just use these concepts and reduce the amount of keys to 28:

30% and Sub-30% Keyboards

In late 2019 I stumbled upon a nice little keyboard kit “shop” on Etsy — which I (and probably most other people in the mechanical keyboard scene) didn’t take into account for looking for keyboards — called WorldspawnsKeebs. They offer mostly kits for keyboards of 40% size and below, most of them rather simple and not expensive.

For about 30€ you get a complete sub-30% keyboard kit (without switches and keycaps though, but that's very common for keyboard kits as it leaves the choice of switches and key caps to you) named Alpha28 consisting of a minimal Acrylic case and a PCB and electronics set.

This Alpha28 keyboard is btw. fully open source as the source code, (i.e. design files) for the hardware are published under a free license (MIT license) on GitHub.

And here’s what my Alpha28 looks like with GMK Mitolet (part of the GMK Pulse group-buy) key caps:

So we only have character keys, Enter (labelled “Data” as there was no 1u Enter key with that row profile in that key cap set; I’ll also call it “Data” for the rest of this posting) and a small spacebar, not even modifier keys.

The Default Alpha28 Layout

The original key layout by the developer of the Alpha28 used the spacebar as Shift on hold and as space if just tapped, and the Data key switches always to the next layer, i.e. it switches the layer permanently on tap and not just on hold. This way that key rotates through all layers. In all other layers, V switches back to the default layer.

I assume that the modifiers on the second layer are also on tap and apply to the next other normal key. This has the advantage that you don’t have to bend your fingers for some key combos, but you have to remember on which layer you are at the moment. (IIRC QMK allows you to show that via LEDs or similar.) Kinda just like vi.

My Alpha28 Layout

But maybe because I’m more an Emacs person, I dislike remembering states myself and don’t mind bending my fingers. So I decided to develop my own layout using tap-or-hold and only doing layer switches by holding down keys:

A triangle means that the settings from lower layers are used, “N/A” means the key does nothing.

It might not be very obvious, but on the default layer, all keys in the bottom row and most keys on the row ends have tap-or-hold configurations.

Basic ideas

  • Use all keys on tap as labelled by default. (Data = Enter as mentioned above)
  • Use different meanings on hold for the whole bottom row and some edge column keys.
  • Have all classic modifiers (Shift, Control, OS/Sys/Win, Alt/Meta) on the first layer twice (always only on hold), so that any key, even those with a modifier on hold, can be used with any modifier. (Example: Shift is on A hold and L hold so that Shift-A is holding L and then pressing A and Shift-L is holding A and then pressing L.)

Bottom row if held

  • Z = Control
  • X = OS/Sys/Win
  • C = Alt/Meta
  • V = Layer 3 (aka Fn3)
  • Space = Layer 1 (aka Fn1)
  • B = Alt/Meta
  • N = OS/Sys/Win
  • M = Ctrl

Other rows if held

  • A = Shift
  • L = Shift
  • Enter = Layer 2 (aka Fn2)
  • P = Layer 4 (aka Fn4)

How the keys are divided into layers

  • Layer 0 (Default): alphabetic keys, Space, Enter, and (on hold) standard modifiers
  • Layer 1: numbers, special characters (most need Shift, too), and some more common other keys, e.g.
    • Space-Enter = Backspace
    • Space-S = Esc
    • Space-D = Tab
    • Space-F = Menu/Compose
    • Space-K = :
    • Space-L = '
    • Space-B = ,
    • Space-N = .
    • Space-M = /, etc.
  • Layer 2: F-keys and less common other keys, e.g.
    • Enter-K = -
    • Enter-L = =
    • Enter-B = [
    • Enter-N = ]
    • Enter-M = \, etc.
  • Layer 3: Cursor movement, e.g. scrolling, and mouse movement.
    • Cursor cross is on V-IJKL (with V-I for Up)
    • V-U and V-O are Home and End
    • V-P and V-Enter are Page Up/Down.
    • Mouse movement is on V-WASD, with V-Q, V-E and V-X being mouse buttons
    • V-F and V-R is the scroll wheel up and down, and V-Z and V-C left and right.
  • Layer 4: Configuring the RGB bling-bling and the QMK reset key:
    • P-Q (the both top corner keys) are QMK reset to be able to reflash the firmware.
    • The keys on the right half of the keyboard control the modes of the RGB LED strip on the bottom side of the PCB, with the upper two rows usually having keys with some Plus and Minus semantics, e.g. P-I and P-K is brightness up and down.
    • The remaining left half is unused and has no function at all on layer 4.

Using the Alpha28

This layout works surprisingly well for me.

Only for Minus, Equal, Single Quote and Semicolon I still often have to think or try if they’re on Layer 1 or 2 as on my 40%s (MiniVan, Zlant, etc.) I have them all on layer 1 (and in general one layer less over all). And for really seldom used keys like Insert, PrintScreen, ScrollLock or Pause, I might have to consult my own documentation. They’re somewhere in the middle of the keyboard, either on layer 1, 2, or 3. ;-)

And of course, typing umlauts takes even two keys more per umlaut than on the MiniVan since on the one hand Menu is not on the default layer and on the other hand, I don’t have this nice shifted number row and actually have to also press Shift to get a double quote. So to type an Ä on my Alpha, I have to:

  1. press and release Space-F (i.e. Fn1-F) for Menu (i.e. Compose); then
  2. press and hold A-Spacebar-L (i.e. Shift-Fn1-L) for getting a double quote, then
  3. press and release the base character for the umlaut, in this case L-A for Shift-A (because we can’t use A for Shift as I can’t hold a key and then press it again :-).


If the characters on upper layers are not labelled like on the Vortex Core, i.e. especially on all self-made layouts, typing is a bit like playing that old children’s game Memory: as soon as you remember (or your muscle memory knows) where some special characters are, typing gets faster. Otherwise, you start with trial and error or look at the documentation. Or give up. ;-)

Nevertheless, typing on a sub-30% keyboard like the Alpha28 is much more difficult and slower than on a 40% keyboard like the MiniVan. So the Alpha28 very likely won’t become my daily driver while the MiniVan de facto already is my daily driver.

But I like this kind of challenge as others like the game “Memory”. So I ordered three more 30% and sub-30% keyboard kits at WorldspawnsKeebs for soldering on the upcoming weekend during the COVID19 lockdown:

  • A Reviung39 to start a new try on ortholinear layouts.
  • A Jerkin (sold out, waitlist available) to try an Alice-style keyboard layout.
  • A Pain27 (which btw. is also open source under the CC0 license) to try typing with even one key less than the Alpha28 has. ;-)

And if I at some point want to try to type with even fewer keys, I’ll try a Butterstick keyboard with just 20 keys. It’s a chorded keyboard where you have to press multiple keys at the same time to get one character: So to get an A from the missing middle row, you have to press Q and Z simultaneously, to get Escape, press Q and W simultaneously, to get Control, press Q, W, Z and X simultaneously, etc.

And if that’s not even enough, I already bought a keyboard kit named Ginny (or Ginni, the developer can’t seem to decide) with just 10 keys from an acquaintance. Couldn’t resist when offered his surplus kits. :-) It uses the ASETNIOP layout which was initially developed for on-screen keyboards on tablets.

Louis-Philippe Véronneau: Using Zoom's web client on Linux

30 March, 2020 - 11:00

TL;DR: The zoom meeting link you have probably looks like this:

To use the web client, use this instead:

Like too many institutions, the school where I teach chose to partner up with Zoom. I wasn't expecting anything else, as my school's IT department is a Windows shop. Well, I guess I'm still a little disappointed.

Although I had vaguely heard of Zoom before, I had never thought I'd be forced to use it. Lucky for me, my employer decided not to force us to use it. To finish the semester, I plan to record myself and talk with my students on a Jitsi Meet instance.

I will still have to attend meetings on Zoom though. I'm well aware of Zoom's bad privacy record and I will not install their desktop application. Zoom does offer a web client. Sadly, on Linux you need to jump through hoops to be able to use it.

Using Zoom's web client on Linux

Zoom's web client apparently works better on Chrome, so I decided to use Chromium.

Without already having the desktop client installed on your machine, the standard procedure to use the web client would be:

  1. Open the link to the meeting in Chromium
  2. Click on the "download & run Zoom" link shown on the page
  3. Click on the "join from your browser" link that then shows up

Sadly, that's not what happens on Linux. When you click on the "download & run Zoom" link, it brings you to a page with instructions on how to install the desktop client on Linux.

You can thwart that stupid behavior by changing your browser's user agent to make it look like you are using Windows. This is the UA string I've been using:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36

With that, when you click on the "download & run Zoom" link, it will try to download a .exe file. Cancel the download and you should now see the infamous "join from your browser" link.

Upon closer inspection, it seems you can get to the web client by changing the meeting's URL. The zoom meeting link you have probably looks like this:

To use the web client, use this instead:

Jitsi Meet Puppet Module

I've been playing around with Jitsi Meet quite a bit recently and I've written a Puppet module to install and configure an instance! The module certainly isn't perfect, but should yield a working Jitsi instance.

If you already have a Puppet setup, please give it a go! I'm looking forward to receiving feedback (and patches) to improve it.

Shirish Agarwal: Covid 19 and the Indian response.

30 March, 2020 - 08:07

There have been lot of stories about Coronavirus and with it a lot of political blame-game has been happening. The first step that India took of a lockdown is and was a good step but without having a plan as to how especially the poor and the needy and especially the huge migrant population that India has (internal migration) be affected by it. A 2019 World Economic Forum shares the stats. as 139 million people. That is a huge amount of people and there are a variety of both push and pull factors which has displaced these huge number of people. While there have been attempts in the past and probably will continue in future they will be hampered unless we have trust-worthy data which is where there is lots that need to be done. In the recent few years, both the primary and secondary data has generated lot of controversies within India as well as abroad so no point in rehashing all of that. Even the definition of who is a ‘migrant’ needs to be well-established just as who is a ‘farmer’ . The simplest lacuna in the latter is those who have land are known as ‘farmers’ but the tenant farmers and their wives are not added as farmers hence the true numbers are never known. Is this an India-specific problem or similar definition issues are there in the rest of the world I don’t know.

How our Policies fail to reach the poor and the vulnerable

The sad part is most policies in India are made in castles in the air . An interview by the wire shares the conundrum of those who are affected and the policies which are enacted for them (it’s a youtube video, sorry) –

If one with an open and fresh mind sees the interview it is clear that why there was a huge reverse migration from Indian cities to villages. The poor and marginalized has always seen the Indian state as an extortive force so it doesn’t make sense for them to be in the cities. The Prime Minister’s announcement of food for 3 months was a clear indication for the migrant population that for 3 months they will have no work. Faced with such a scenario, the best option for them was to return to their native places. While videos of huge number of migrants were shown of Delhi, this was the scenario of most states and cities, including Pune, my own city .

I was discussing with a friend who is a contractor and builder about the construction labour issues which were pointed in the report and if it is true that many a times the migrant labour is not counted. While he shared a number of cases where he knew, a more recent case in public memory was when some labourers died while building Amanora mall which is perhaps one of largest malls in India. There were few accidents while constructing the mall. Apparently, the insurance money which should have gone to the migrant laborer was taken by somebody close to the developers who were building the mall. I have a friend who lives in Jharkhand who is a labour officer. She has shared with me so many stories of how the labourers are exploited. Keep in mind she has been a labor officer appointed by the state and her salary is paid by the state. So she always has to maintain a balance of ensuring worker’s rights and the interests of the state, private entities etc. which are usually in cahoots with the state and it is possible that lot of times the State wins over the worker’s rights. Again, as a labour officer, she doesn’t have that much power and when she was new to the work, she was often frustrated but as she remarked few months back, she has started taking it easy (routinized) as anyways it wasn’t helping her in any good way. Also there have been plenty of cases of labor officers being murdered so it’s easier to understand why one tries to retain some sanity while doing their job.

The Indian response and the World Response

The Indian response has been the lockdown and very limited testing. We seem to be following the pattern of UK and U.S. which had been slow to respond and slow to testing. In the past Kerala showed the way but this time even that is not enough. At the end of the day we need to test, test and test just as shared by the WHO chairman. India is trying to create its own cheap test kits with ICMR approval, for e.g. a firm from my own city Pune MyLab has been given approval. We will know how good or bad they are only after they have been field-tested. For ventilators we have asked Mahindra and Mahindra even though there are companies like Allied Medical and others who have exported to EU and others which the Govt. is still taking time to think through. This is similar to how in UK some companies who are with the Govt. but who have no experience in making ventilators are being given orders while those who have experience and were exporting to Germany and other countries are not being given orders. The playbook is eerily similar. In India, we don’t have the infrastructure for any new patients, period. Heck only a couple of states have done something proper for the anganwadi workers. In fact, last year there were massive strikes by anganwadi workers all over India but only NDTV showed a bit of it along with some of the news channels from South India. Most mainstream channels chose to ignore it.

On the world stage, some of the other countries and how they have responded perhaps need sharing. For e.g. I didn’t know that Cuba had so many doctors and the politics between it and Brazil. Or the interesting stats. shared by Andreas Backhaus which seems to show how distributed the issue (age-wise) is rather than just a few groups as has been told in Indian media. What was surprising for me is the 20-29 age group which has not been shared so much in the Indian media which is the bulk of our population. The HBR article also makes a few key points which I hope both the general public and policymakers both in India as well as elsewhere take note of.

What is worrying though that people can be infected twice or more as seems to be from Singapore or China and elsewhere. I have read enough of Robin Cook and Michael Crichton books to be aware that viruses can do whatever. They will over time mutate, how things will happen then is anybody’s guess. What I found interesting is the world economic forum article which hypothesises that it may be two viruses which got together as well as research paper from journal from proteome research which has recently been published. The biggest myth flying around is that summer will halt or kill the spread which even some of my friends have been victim of . While a part of me wants to believe them, a simple scientific fact has been viruses have probably been around us and evolved over time, just like we have. In fact, there have been cases of people dying due to common cold and other things. Viruses are so prevalent it’s unbelievable. What is and was interesting to note is that bat-borne viruses as well as pangolin viruses had been theorized and shared by Chinese researchers going all the way back to 90’s . The problem is even if we killed all the bats in the world, some other virus will take its place for sure. One of the ideas I had, dunno if it’s feasible or not that at least in places like Airports, we should have some sort of screenings and a labs working on virology. Of course, this will mean more expenses for flying passengers but for public health and safety maybe it would be worth doing so. In any case, virologists should have a field day cataloging various viruses and would make it harder for viruses to spread as fast as this one has. The virus spread also showed a lack of leadership in most of our leaders who didn’t react fast enough. While one hopes people do learn from this, I am afraid the whole thing is far from over. These are unprecedented times and hope that all are maintaining social distancing and going out only when needed.

Enrico Zini: Politics links

30 March, 2020 - 06:00
  • How tech's richest plan to save themselves after the apocalypse (politics, privilege; 2020-03-30)
    Silicon Valley’s elite are hatching plans to escape disaster – and when it comes, they’ll leave the rest of us behind
  • Life of Privilege Explained in a $100 Race (privilege; 2020-03-30)
  • Hierarchy problems in antiauthoritarian groups, and how to face them (chart, politics; 2020-03-30)
  • Abstruse Goose | The Story of the Cheese Maze (comics, politics, privilege; 2020-03-30)
  • Heteronomy - Wikipedia (language, politics; 2020-03-30)
    Heteronomy refers to action that is influenced by a force outside the individual, in other words the state or condition of being ruled, governed, or under the sway of another, as in a military occupation.
  • Poster - Early Warning Signs of Fascism (fascism, politics; 2020-03-30)
    Poster P590CW $9.00 Early Warning Signs Of Fascism. Laurence W. Britt wrote about the common signs of fascism in April, 2003, after researching seven fascist regimes: Hitler's Nazi Germany; Mussolini's Italy; Franco's Spain; Salazar's Portugal; Papadopoulos' Greece; Pinochet's Chile; Suharto's Indonesia. Get involved! Text: Early Warning Signs of Fascism: Powerful and Continuing Nationalism; Disdain For Human Rights; Identification of Enemies As a unifying cause; Supremacy of the military; Rampant Sexism; Controlled Mass Media; Obsession With National Security
  • Mobilizing in Times of Social Media (politics; 2020-03-30)
    Political and social scientist Stefania Milan writes about social movements, mobilization and organized collective action. On the one hand, interactions and networks achieve more visibility and become a proxy for a „collective we“. On the other hand: Law enforcement can exercise preemptive monitorin
  • The Billion-Dollar Disinformation Campaign to Reelect the President (perception, politics; 2020-03-30)
    How new technologies and techniques pioneered by dictators will shape the 2020 election
  • An Italian Flash Mob Just Pushed Back Europe’s Populist Tide (perception, politics; 2020-03-30)
    A regional election offers lessons on combatting the rise of the far right, both across the Continent and in the United States.
  • Italian diaspora - Wikipedia (italy, politics; 2020-03-30)
    The Italian diaspora is the large-scale emigration of Italians from Italy. There are two major Italian diasporas in Italian history. The first diaspora began more or less around 1880, a decade or so after the Unification of Italy (with most leaving after 1880), and ended in the 1920s to early-1940s with the rise of Fascism in Italy. The second diaspora started after the end of World War II and roughly concluded in the 1970s. These together constituted the largest voluntary emigration period in documented history. Between 1880-1980, about 15,000,000 Italians left the country permanently. By 1980, it was estimated that about 25,000,000 Italians were residing outside Italy. A third wave is being reported in present times, due to the socio-economic problems caused by the financial crisis of the early twenty-first century, especially amongst the youth. According to the Public Register of Italian Residents Abroad (AIRE), figures of Italians abroad rose from 3,106,251 in 2006 to 4,636,647 in 2015, growing by 49.3% in just ten years.


Creative Commons License. Copyright of each article belongs to the owner of that article.
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported license.