hashman.ca

A beginner's guide to improving your digital security

2026-01-26T21:00:00-05:00

In 2017, I led a series of workshops aimed at teaching beginners a better understanding of encryption, how the internet works, and their digital security. Nearly a decade later, there is still a great need to share reliable resources and guides on improving these skills.

I have worked professionally in computer security one way or another for well over a decade, at many major technology companies and in many open source software projects. There are many inaccurate and unreliable resources out there on this subject, put together by well-meaning people without a background in security, which can lead to sharing misinformation, exaggeration and fearmongering.

I hope that I can offer you a trusted, curated list of high impact things that you can do right now, using whichever vetted guide you prefer. In addition, I also include how long it should take, why you should do each task, and any limitations.

This guide is aimed at improving your personal security, and does not apply to your work-owned devices. Always assume your company can monitor all of your messages and activities on work devices.

What can I do to improve my security right away?

I put together this list in order of effort, easiest tasks first. You should be able to complete many of the low effort tasks in a single hour. The medium to high effort tasks are very much worth doing, but may take you a few days or even weeks to complete them.

Low effort (<15 minutes)

Upgrade your software to the latest versions

Why? I don't know anyone who hasn't complained about software updates breaking features, introducing bugs, and causing headaches. If it ain't broke, why upgrade, right? Well, alongside all of those annoying bugs and breaking changes, software updates also include security fixes, which will protect your device from being exploited by bad actors. Security issues can be found in software at any time, even software that's been available for many years and thought to be secure. You want to install these as soon as they are available.

Recommendation: Turn on automatic upgrades and always keep your devices as up-to-date as possible. If you have some software you know will not work if you upgrade it, at least be sure to upgrade your laptop and phone operating system (iOS, Android, Windows, etc.) and web browser (Chrome, Safari, Firefox, etc.). Do not use devices that do not receive security support (e.g. old Android or iPhones).

Guides:

Activist Checklist: Install the latest software updates
Consumer Reports: Update your Mac, Windows PC, Chromebook, Android phone, iOS device
Apple: Obsolete products (obsolete devices do not receive security updates)
Google: How long you'll get Pixel updates
Samsung: Devices that receive security updates
Other brands: check the manufacturer's website

Limitations: This will prevent someone from exploiting known security issues on your devices, but it won't help if your device was already compromised. If this is a concern, doing a factory reset, upgrade, and turning on automatic upgrades may help. This also won't protect against all types of attacks, but it is a necessary foundation.

Use Signal

Why? Signal is a trusted, vetted, secure messaging application that allows you to send end-to-end encrypted messages and make video/phone calls. This means that only you and your intended recipient can decrypt the messages and someone cannot intercept and read your messages, in contrast to texting (SMS) and other insecure forms of messaging. Other applications advertise themselves as end-to-end encrypted, but Signal provides the strongest protections.

Recommendation: I recommend installing the Signal app and using it! My mom loves that she can video call me on Wi-Fi on my Android phone. It also supports group chats. I use it as a secure alternative to texting (SMS) and other chat platforms. I also like Signal's "disappearing messages" feature which I enable by default because it automatically deletes messages after a certain period of time. This avoids your messages taking up too much storage.

Guides:

Activist Checklist: Use Signal
Activist Checklist: Turn on disappearing messages
Electronic Frontier Foundation: How to use Signal
Consumer Reports: Communicate privately with Signal
Signal: Enabling Incognito Keyboard (Android) to provide slightly more privacy

Limitations: Signal is only able to protect your messages in transit. If someone has access to your phone or the phone of the person you sent messages to, they will still be able to read them. As a rule of thumb, if you don't want someone to read something, don't write it down! Meet in person or make an encrypted phone call where you will not be overheard. If you are talking to someone you don't know, assume your messages are as public as posting on social media.

Set passwords and turn on device encryption

Why? Passwords ensure that someone else can't unlock your device without your consent or knowledge. They also are required to turn on device encryption, which protects your information on your device from being accessed when it is locked. Biometric (fingerprint or face ID) locking provides some privacy, but your fingerprint or face ID can be used against your wishes, whereas if you are the only person who knows your password, only you can use it.

Recommendation: Always set passwords and have device encryption enabled in order to protect your personal privacy. It may be convenient to allow kids or family members access to an unlocked device, but anyone else can access it, too! Use strong passwords that cannot be guessed—avoid using names, birthdays, phone numbers, addresses, or other public information. Using a password manager will make creating and managing passwords even easier. Disable biometric unlock, or at least know how to disable it. Most devices will enable disk encryption by default, but you should double-check.

Guides:

Electronic Frontier Foundation: Creating strong passwords
Electronic Frontier Foundation: Remove fingerprint or face unlock
How-To Geek: Temporarily disable biometric unlock on Android and iOS
Electronic Frontier Foundation: How to encrypt your Windows, Mac, or Linux computer, your iPhone, Android Privacy and Security settings
Consumer Reports: Protect your Mac, Windows PC, Android phone, iPhone devices with encryption

Limitations: If your device is unlocked, the password and encryption will provide no protections; the device must be locked for this to protect your privacy. It is possible, though unlikely, for someone to gain remote access to your device (for example through malware or stalkerware), which would bypass these protections. Some forensic tools are also sophisticated enough to work with physical access to a device that is turned on and locked, but not a device that is turned off/freshly powered on and encrypted. If you lose your password or disk encryption key, you may lose access to your device. For this reason, Windows and Apple laptops can make a cloud backup of your disk encryption key. However, a cloud backup can potentially be disclosed to law enforcement.

Install an ad blocker

Why? Online ad networks are often exploited to spread malware to unsuspecting visitors. If you've ever visited a regular website and suddenly seen an urgent, flashing pop-up claiming your device was hacked, it is often due to a bad ad. Blocking ads provides an additional layer of protection against these kinds of attacks.

Recommendation: I recommend everyone uses an ad blocker at all times. Not only are ads annoying and disruptive, but they can even result in your devices being compromised!

Guides:

Consumer Reports: Add an ad blocker
uBlock Origin, a highly recommended browser-based ad blocker (Firefox, Chrome)
AdGuard Ad Blocker is multi-platform and also supports Mac/iOS

Limitations: Sometimes the use of ad blockers can break functionality on websites, which can be annoying, but you can temporarily disable them to fix the problem. These may not be able to block all ads or all tracking, but they make browsing the web much more pleasant and lower risk! Some people might also be concerned that blocking ads might impact the revenue of their favourite websites or creators. In this case, I recommend either donating directly or sharing the site with a wider audience, but keep using the ad blocker for your safety.

Enable HTTPS-Only Mode

Why? The "S" in "HTTPS" stands for "secure". This feature, which can be enabled on your web browser, ensures that every time you visit a website, your connection is always end-to-end encrypted (just like when you use Signal!) This ensures that someone can't intercept what you search for, what pages on websites you visit, and any information you or the website share such as your banking details.

Recommendation: I recommend enabling this for everyone, though with improvements in web browser security and adoption of HTTPS over the years, your devices will often do this by default! There is a small risk you will encounter some websites that do not support HTTPS, usually older sites.

Guides:

Consumer Reports: Set Up HTTPS-Only Mode on your browser

Limitations: HTTPS protects the information on your connection to a website. It does not hide or protect the fact that you visited that website, only the information you accessed. If the website is malicious, HTTPS does not provide any protection. In certain settings, like when you use a work-managed computer that was set up for you, it can still be possible for your IT Department to see what you are browsing, even over an HTTPS connection, because they have administrator access to your computer and the network.

Medium to high effort (1+ hours)

These tasks require more effort but are worth the investment.

Set up a password manager

Why? It is not possible for a person to remember a unique password for every single website and app that they use. I have, as of writing, 556 passwords stored in my password manager. Password managers do three important things very well:

They generate secure passwords with ease. You don't need to worry about getting your digits and special characters just right; the app will do it for you, and generate long, secure passwords.
They remember all your passwords for you, and you just need to remember one password to access all of them. The most common reason people's accounts get hacked online is because they used the same password across multiple websites, and one of the websites had all their passwords leaked. When you use a unique password on every website, it doesn't matter if your password gets leaked!
They autofill passwords based on the website you're visiting. This is important because it helps prevent you from getting phished. If you're tricked into visiting an evil lookalike site, your password manager will refuse to fill the password.

Recommendation: These benefits are extremely important, and setting up a password manager is often one of the most impactful things you can do for your digital security. However, they take time to get used to, and migrating all of your passwords into the app (and immediately changing them!) can take a few minutes at a time... over weeks. I recommend you prioritize the most important sites, such as your email accounts, banking/financial sites, and cellphone provider. This process will feel like a lot of work, but you will get to enjoy the benefits of never having to remember new passwords and the autofill functionality for websites. My recommended password manager is 1Password, but it stores passwords in the cloud and costs money. There are some good free options as well if cost is a concern. You can also use web browser- or OS-based password managers, but I do not prefer these.

Guides:

Limitations: Many people are concerned about the risk of using a password manager causing all of their passwords to be compromised. For this reason, it's very important to use a vetted, reputable password manager that has passed audits, such as 1Password or Bitwarden. It is also extremely important to choose a strong password to unlock your password manager. 1Password makes this easier by generating a secret to strengthen your unlock password, but I recommend using a long, memorable password in any case. Another risk is that if you forget your password manager's password, you will lose access to all your passwords. This is why I recommend 1Password, which has you set up an Emergency Kit to recover access to your account.

Set up two-factor authentication (2FA) for your accounts

Why? If your password is compromised in a website leak or due to a phishing attack, two-factor authentication will require a second piece of information to log in and potentially thwart the intruder. This provides you with an extra layer of security on your accounts.

Recommendation: You don't necessarily need to enable 2FA on every account, but prioritize enabling it on your most important accounts (email, banking, cellphone, etc.) There are typically a few different kinds: email-based (which is why your email account's security is so important), text message or SMS-based (which is why your cell phone account's security is so important), app-based, and hardware token-based. Email and text message 2FA are fine for most accounts. You may want to enable app- or hardware token-based 2FA for your most sensitive accounts.

Guides:

Activist Checklist: Enable two-factor authentication
Electronic Frontier Foundation: How to enable two-factor authentication
Consumer Reports: Set up multifactor authentication
Apps: There are many different choices available. The linked guides recommend the open source app Ente. Other options include Google and Microsoft Authenticator, Duo, etc.
Hardware tokens: Common choices include Yubikey and Google's Titan Security Key

Limitations: The major limitation is that if you lose access to 2FA, you can be locked out of an account. This can happen if you're travelling abroad and can't access your usual cellphone number, if you break your phone and you don't have a backup of your authenticator app, or if you lose your hardware-based token. For this reason, many websites will provide you with "backup tokens"—you can print them out and store them in a secure location or use your password manager. I also recommend if you use an app, you choose one that will allow you to make secure backups, such as Ente. You are also limited by the types of 2FA a website supports; many don't support app- or hardware token-based 2FA.

Remove your information from data brokers

Why? This is a problem that mostly affects people in the US. It surprises many people that information from their credit reports and other public records is scraped and available (for free or at a low cost) online through "data broker" websites. I have shocked friends who didn't believe this was an issue by searching for their full names and within 5 minutes being able to show them their birthday, home address, and phone number. This is a serious privacy problem!

Recommendation: Opt out of any and all data broker websites to remove this information from the internet. This is especially important if you are at risk of being stalked or harassed.

Guides:

Consumer Reports: Remove your contact information from people-search sites
Electronic Frontier Foundation: Manage your digital footprint
Big Ass Data Broker Opt Out List (BADBOOL), maintained by Yael Grauer
State-specific tools for residents of: California, Oregon

Limitations: It can take time for your information to be removed once you opt out, and unfortunately search engines may have cached your information for a while longer. This is also not a one-and-done process. New data brokers are constantly popping up and some may not properly honour your opt out, so you will need to check on a regular basis (perhaps once or twice a year) to make sure your data has been properly scrubbed. This also cannot prevent someone from directly searching public records to find your information, but that requires much more effort.

"Recommended security measures" I think beginners should avoid

We've covered a lot of tasks you should do, but I also think it's important to cover what not to do. I see many of these tools recommended to security beginners, and I think that's a mistake. For each tool, I will explain my reasoning around why I don't think you should use it, and the scenarios in which it might make sense to use.

"Secure email"

What is it? Many email providers, such as Proton Mail, advertise themselves as providing secure email. They are often recommended as a "more secure" alternative to typical email providers such as GMail.

What's the problem? Email is fundamentally insecure by design. The email specification (RFC-3207) states that any publicly available email server MUST NOT require the use of end-to-end encryption in transit. Email providers can of course provide additional security by encrypting their copies of your email, and providing you access to your email by HTTPS, but the messages themselves can always be sent without encryption. Some platforms such as Proton Mail advertise end-to-end encrypted emails so long as you email another Proton user. This is not truly email, but their own internal encrypted messaging platform that follows the email format.

What should I do instead? Use Signal to send encrypted messages. NEVER assume the contents of an email are secure.

Who should use it? I don't believe there are any major advantages to using a service such as this one. Even if you pay for a more "secure" email provider, the majority of your emails will still be delivered to people who don't. Additionally, while I don't use or necessarily recommend their service, Google offers an Advanced Protection Program for people who may be targeted by state-level actors.

PGP/GPG Encryption

What is it? PGP ("Pretty Good Privacy") and GPG ("GNU Privacy Guard") are encryption and cryptographic signing software. They are often recommended to encrypt messages or email.

What's the problem? GPG is decades old and its usability has always been terrible. It is extremely easy to accidentally send a message that you thought was encrypted without encryption! The problems with PGP/GPG have been extensively documented.

What should I do instead? Use Signal to send encrypted messages. Again, NEVER use email for sensitive information.

Who should use it? Software developers who contribute to projects where there is a requirement to use GPG should continue to use it until an adequate alternative is available. Everyone else should live their lives in PGP-free bliss.

Installing a "secure" operating system (OS) on your phone

What is it? There are a number of self-installed operating systems for Android phones, such as GrapheneOS, that advertise as being "more secure" than using the version of the Android operating system provided by your phone manufacturer. They often remove core Google APIs and services to allow you to "de-Google" your phone.

What's the problem? These projects are relatively niche, and don't have nearly enough resourcing to be able to respond to the high levels of security pressure Android experiences (such as against the forensic tools I mentioned earlier). You may suddenly lose security support with no notice, as with CalyxOS. You need a high level of technical know-how and a lot of spare time to maintain your device with a custom operating system, which is not a reasonable expectation for the average person. By stripping all Google APIs such as Google Play Services, some useful apps can no longer function. And some law enforcement organizations have gone as far as accusing people who install GrapheneOS on Pixel phones to be engaging in criminal activity.

What should I do instead? For the best security on an Android device, use a phone manufactured by Google or Samsung (smaller manufacturers are more unreliable), or consider buying an iPhone. Make sure your device is receiving security updates and up-to-date.

Who should use it? These projects are great for tech enthusiasts who are interested in contributing to and developing them further. They can be used to give new life to old phones that are not receiving security or software updates. They are also great for people with an interest in free and open source software and digital autonomy. But these tools are not a good choice for a general audience, nor do they provide more practical security than using an up-to-date Google or Samsung Android phone.

Virtual Private Network (VPN) Services

What is it? A virtual private network or VPN service can provide you with a secure tunnel from your device to the location that the VPN operates. This means that if I am using my phone in Seattle connected to a VPN in Amsterdam, if I access a website, it appears to the website that my phone is located in Amsterdam.

What's the problem? VPN services are frequently advertised as providing security or protection from nefarious bad actors, or helping protect your privacy. These benefits are often far overstated, and there are predatory VPN providers that can actually be harmful. It costs money and resources to provide a VPN, so free VPN services are especially suspect. When you use a VPN, the VPN provider knows the websites you are visiting in order to provide you with the service. Free VPN providers may sell this data in order to cover the cost of providing the service, leaving you with less security and privacy. The average person does not have the knowledge to be able to determine if a VPN service is trustworthy or not. VPNs also don't provide any additional encryption benefits if you are already using HTTPS. They may provide a small amount of privacy benefit if you are connected to an untrusted network with an attacker.

What should I do instead? Always use HTTPS to access websites. Don't connect to untrusted internet providers—for example, use cellphone network data instead of a sketchy Wi-Fi access point. Your local neighbourhood coffee shop is probably fine.

Who should use it? There are three main use cases for VPNs. The first is to bypass geographic restrictions. A VPN will cause all of your web traffic to appear to be coming from another location. If you live in an area that has local internet censorship policies, you can use a VPN to access the internet from a location that lacks such policies. The second is if you know your internet service provider is actively hostile or malicious. A trusted VPN will protect the visibility of all your traffic, including which websites you visit, from your internet service provider, and the only thing they will be able to see is that you are accessing a VPN. The third use case is to access a network that isn't connected to the public internet, such as a corporate intranet. I strongly discourage the use of VPNs for "general-purpose security."

Tor

What is it? Tor, "The Onion Router", is a free and open source software project that provides anonymous networking. Unlike with a VPN, where the VPN provider knows who you are and what websites you are requesting, Tor's architecture makes it extremely difficult to determine who sent a request.

What's the problem? Tor is difficult to set up properly; similar to PGP-encrypted email, it is possible to accidentally not be connected to Tor and not know the difference. This usability has improved over the years, but Tor is still not a good tool for beginners to use. Due to the way Tor works, it is also extremely slow. If you have used cable or fiber internet, get ready to go back to dialup speeds. Tor also doesn't provide perfect privacy and without a strong understanding of its limitations, it can be possible to deanonymize someone despite using it. Additionally, many websites are able to detect connections from the Tor network and block them.

What should I do instead? If you want to use Tor to bypass censorship, it is often better to use a trusted VPN provider, particularly if you need high bandwidth (e.g. for streaming). If you want to use Tor to access a website anonymously, Tor itself might not be enough to protect you. For example, if you need to provide an email address or personal information, you can decline to provide accurate information and use a masked email address. A friend of mine once used the alias "Nunya Biznes" 🥸

Who should use it? Tor should only be used by people who are experienced users of security tools and understand its strengths and limitations. Tor also is best used on a purpose-built system, such as Tor Browser or Freedom of the Press Foundation's SecureDrop.

I want to learn more!

I hope you've found this guide to be a useful starting point. I always welcome folks reaching out to me with questions, though I might take a little bit of time to respond. You can always email me.

If there's enough interest, I might cover the following topics in a future post:

Threat modelling, which you can get started with by reading the EFF's or VCW's guides
Browser addons for privacy, which Consumer Reports has a tip for
Secure DNS, which you can read more about here

Stay safe out there! 🔒

I am very sick

2024-05-12T10:00:00-04:00

I have not been able to walk since February 18, 2023.

When people ask me how I'm doing, this is the first thing that comes to mind. "Well, you know, the usual, but also I still can't walk," I think to myself.

If I dream at night, I often see myself walking or running. In conversation, if I talk about going somewhere, I'll imagine walking there. Even though it's been over a year, I remember walking to the bus, riding to see my friends, going out for brunch, cooking community dinners.

But these days, I can't manage going anywhere except by car, and I can't do the driving, and I can't dis/assemble and load my chair. When I'm resting in bed and follow a guided meditation, I might be asked to imagine walking up a staircase, step by step. Sometimes, I do. Other times, I imagine taking a little elevator in my chair, or wheeling up ramps.

I feel like there is little I can say that can express the extent of what this illness has taken from me, but it's worth trying. To an able-bodied person, seeing me in a power wheelchair is usually "enough." One of my acquaintances cried when they last saw me in person. But frankly, I love my wheelchair. I am not "wheelchair-bound"—I am bed-bound, and the wheelchair gets me out of bed. My chair hasn't taken anything from me.

***

In October of 2022, I was diagnosed with myalgic encephalomyelitis.

Scientists and doctors don't really know what myalgic encephalomyelitis (ME) is. Diseases like it have been described for over 200 years.¹ It primarily affects women between the ages of 10-39, and the primary symptom is "post-exertional malaise" or PEM: debilitating, disproportionate fatigue following activity, often delayed by 24-72 hours and not relieved by sleep. That fatigue has earned the illness the misleading name of "Chronic Fatigue Syndrome" or CFS, as though we're all just very tired all the time. But tired people respond to exercise positively. People with ME/CFS do not.²

Given the dearth of research and complete lack of on-label treatments, you may think this illness is at least rare, but it is actually quite common: in the United States, an estimated 836k-2.5m people³ have ME/CFS. It is frequently misdiagnosed, and it is estimated that as many as 90% of cases are missed,⁴ due to mild or moderate symptoms that mimic other diseases. Furthermore, over half of Long COVID cases likely meet the diagnostic criteria for ME,⁵ so these numbers have increased greatly in recent years. That is, ME is at least as common as rheumatoid arthritis,⁶ another delightful illness I have. But while any doctor knows what rheumatoid arthritis is, not enough⁷ have heard of "myalgic encephalomylitis."

Despite a high frequency and disease burden, post-viral associated conditions (PASCs) such as ME have been neglected for medical funding for decades.⁸ Indeed, many people, including medical care workers, find it hard to believe that after the acute phase of illness, severe symptoms can persist. PASCs such as ME and Long COVID defy the typical narrative around common illnesses. I was always told that if I got sick, I should expect to rest for a bit, maybe take some medications, and a week or two later, I'd get better, right? But I never got better.

These are complex, multi-system diseases that do not neatly fit into the Western medical system's specializations. I have seen nearly every specialty because ME/CFS affects nearly every system of the body: cardiology, nephrology, pulmonology, neurology, opthalmology, and, many, many more. You'd think they'd hand out frequent flyer cards, or a medical passport with fun stamps, but nope. Just hundreds of pages of medical records. And when I don't fit neatly into one particular specialist's box, then I'm sent back to my primary care doctor to regroup while we try to troubleshoot my latest concerning symptoms. "Sorry, can't help you. Not my department."

With little available medical expertise, a lot of my disease management has been self-directed in partnership with primary care. I've read hundreds of articles, papers, publications, CME material normally reserved for doctors. It's truly out of necessity, and I'm certain I would be much worse off if I lacked the skills and connections to do this; there are so few ME/CFS experts in the US that there isn't one in my state or any adjacent state.⁹ So I've done a lot of my own work, much of it while barely being able to read. (A text-to-speech service is a real lifesaver.) To facilitate managing my illness, I've built a mental model of how my particular flavour of ME/CFS works based on the available research I've been able to read and how I respond to treatments. Here is my best attempt to explain it:

After a severe (non-COVID) infection, an ongoing interaction between my immune system and my metabolism have stopped my body from being able to do aerobic respiration.¹⁰
I don't know why or how, but my mitochondria don't work properly anymore.¹¹
This means that if I use too much energy, my body isn't able to make enough energy to catch up, and I have severe symptoms over the next few days as my body tries to manage the consequences.
Those symptoms aren't limited to fatigue: I've developed flu-like symptoms and even fevers, limbs so heavy they felt paralyzed, tachycardia in response to even the slightest activity.

The best way I have learned to manage this is to prevent myself from doing activities where I will exceed that aerobic threshold by wearing a heartrate monitor,¹² but the amount of activity that permits in my current state of health is laughably restrictive. Most days I'm unable to spend more than one to two hours out of bed.

Over time, this has meant worsening from a persistent feeling of tiredness all the time and difficulty commuting into an office or sitting at a desk, to being unable to sit at a desk for an entire workday even while working from home and avoiding physically intense chores or exercise without really understanding why, to being unable to leave my apartment for days at a time, and finally, being unable to stand for more than a minute or two or walk.

But it's not merely that I can't walk. Many folks in wheelchairs are able to live excellent lives with adaptive technology. The problem is that I am so fatigued, any activity can destroy my remaining quality of life. In my worst moments, I've been unable to read, move my arms or legs, or speak aloud. Every single one of my limbs burned, as though I had caught fire. Food sat in my stomach for hours, undigested, while my stomach seemingly lacked the energy to do its job. I currently rely on family and friends for full-time caretaking, plus a paid home health aide, as I am unable to prep meals, shower, or leave the house independently. This assistance has helped me slowly improve from my poorest levels of function.

While I am doing better than I was at my worst, I've had to give up essentially all of my hobbies with physical components. These include singing, cooking, baking, taking care of my houseplants, cross-stitching, painting, and so on. Doing any of these result in post-exertional malaise so I've had to stop; this reduction of activity to prevent worsening the illness is referred to as "pacing." I've also had to cut back essentially all of my volunteering and work in open source; I am only cleared by my doctor to work 15h/wk (from bed) as of writing.

***

CW: severe illness, death, and suicide (skip this section)

The difficulty of living with a chronic illness is that there's no light at the end of the tunnel. Some diseases have a clear treatment path: you take the medications, you complete the procedures, you hit all the milestones, and then you're done, perhaps with some long-term maintenance work. But with ME, there isn't really an end in sight. The median duration of illness reported in one 1997 study was over 6 years, with some patients reporting 20 years of symptoms.¹³ While a small number of patients spontaneously recover, and many improve, the vast majority of patients are unable to regain their baseline function.¹⁴

My greatest fear since losing the ability to walk is getting worse still. Because, while I already require assistance with nearly every activity of daily living, there is still room for decline. The prognosis for extremely ill patients is dismal, and many require feeding tubes and daily nursing care. This may lead to life-threatening malnutrition;¹⁵ a number of these extremely severe patients have died, either due to medical neglect or suicide.¹⁶ Extremely severe patients cannot tolerate light, sound, touch, or cognitive exertion,¹⁷ and often spend most of their time lying flat in a darkened room with ear muffs or an eye mask.¹⁸

This is all to say, my prognosis is not great.

But while I recognize that the odds aren't exactly in my favour, I am also damn stubborn. (A friend once cheerfully described me as "stubbornly optimistic!") I only get one shot at life, and I do not want to spend the entirety of it barely able to perceive what's going on around me. So while my prognosis is uncertain, there's lots of evidence that I can improve somewhat,¹⁹ and there's also lots of evidence that I can live 20+ years with this disease. It's a bitter pill to swallow, but it also means I might have the gift of time—something that not all my friends with severe complex illnesses have had.

I feel like I owe it to myself to do the best I can to improve; to try to help others in a similar situation; and to enjoy the time that I have. I already feel like my life has been moving in slow motion for the past 4 years—there's no need to add more suffering. Finding joy, as much as I can, every day, is essential to keep up my strength for this marathon. Even if it takes 20 years to find a cure, I am convinced that the standard of care is going to improve. All the research and advocacy that's been happening over the past decade is plenty to feel hopeful about.²⁰ Hope is a discipline,²¹ and I try to remind myself of this on the hardest days.

***

I'm not entirely sure why I decided to write this. Certainly, today is International ME/CFS Awareness Day, and I'm hoping this post will raise awareness in spaces that aren't often thinking about chronic illnesses. But I think there is also a part of me that wants to share, reach out in some way to the people I've lost contact with while I've been treading water, managing the day to day of my illness. I experience this profound sense of loss, especially when I think back to the life I had before. Everyone hits limitations in what they can do and accomplish, but there is so little I can do with the time and energy that I have. And yet, I understand even this precious little could still be less. So I pace myself.

Perhaps I can inspire you to take action on behalf of those of us too fatigued to do the advocacy we need and deserve. Should you donate to a charity or advocacy organization supporting ME/CFS research? In the US, there are many excellent organizations, such as ME Action, the Open Medicine Foundation, SolveME, the Bateman Horne Center, and the Workwell Foundation. 2025 Update: I am doubly matching any donations through the end of May 2025 if you send me your receipts. I have also launched individual fundraising campaigns for ME Action and Open Medicine Foundation.

But charitable giving only goes so far, and I think this problem deserves the backing of more powerful organizations. Proportionate government funding and support is desperately needed. It's critical for us to push governments²² to provide the funding required for research that will make an impact on patients' lives now. Many organizers are running campaigns around the world, advocating for this investment. There is a natural partnership between ME advocacy and Long COVID advocacy, for example, and we have an opportunity to make a great difference to many people by pushing for research and resources inclusive of all PASCs. Some examples I'm aware of include:

[US] A Long COVID "moonshot" effort, drafted in April 2024 by Senator Sanders. Contact your representatives and encourage them to support it. Ask them to ensure the effort includes support for ME/CFS and other related conditions and PASCS.
[Canada] National ME/FM Action recommended participation in public budget consultation processes and made a submission. Though the 2024 consultation is closed, you can still contact your MP to improve awareness and advocate for budgetary support. It may also be worth contacting your MLA to advocate for better PASC care in provincial clinics.
[UK] Action for ME is advocating for a cross-Government Delivery Plan for ME/CFS care in England. Contact your MP and encourage them to support it.
[Other] MEAction also regularly hosts government advocacy campaigns in the US, UK, and Scotland.

But outside of collective organizing, there are a lot of sick individuals out there that need help, too. Please, don't forget about us. We need you to visit us, care for us, be our confidantes, show up as friends. There are a lot of people who are very sick out here and need your care.

I'm one of them.

I'm hosting a Bug Scrub for Kubernetes SIG Node

2021-06-17T11:20:00-04:00

It's been a long while since I last hosted a BSP, but 'tis the season.

Kubernetes SIG Node will be holding a bug scrub on June 24-25, and this is a great opportunity for you to get involved if you're interested in contributing to Kubernetes or SIG Node!

We will be hosting a global event with region captains for all timezones. I am one of the NASA captains (~17:00-01:00 UTC) and I'll be leading the kickoff. We will be working on Slack and Zoom. I hope you'll be able to drop in!

Details

Date: Thursday, June 24 through Friday, June 25
Start: 00:00 UTC June 24
End: 23:59 UTC June 25
Sign up: Participants do not have to sign up, just show up!
Slack room: #sig-node-bug-scrub on Kubernetes Slack
Docs: See the HackMD docs.
Email: See the kubernetes-dev mailing list.

I'm an existing contributor, what should I work on?

Work on triaging and closing SIG Node bugs. We have a lot of bugs!!

The goal of our event is to categorize, clean up, and resolve some of the 450+ issues in k/k for SIG Node.

Check out the event docs for more instructions.

I'm a new contributor and want to join but I have no idea what I'm doing!

At some point, that was all of us!

This is a great opportunity to get involved if you've never contributed to Kubernetes. We'll have dedicated mentors available to coordinate and help out new contributors.

If you've never contributed to Kubernetes before, I recommend you check out the Getting Started and Contributor Guide resources in advance of the event. You will want to ensure you've signed the contributor license agreement (CLA).

Remember, you don't have to code to make valuable contributions! Triaging the bug tracker is a great example of this.

See you there!

Happy hacking.

Easy risotto

2020-12-16T20:00:00-05:00

I have a secret: risotto doesn't have to involve standing over a pot, stirring for 30 minutes. There is a better way.

I've made risotto using the "stir 5ever" method and frankly this one is half the work and just as good. I took inspiration from Kenji Lopez-Alt, who describes how you can make risotto with only a few minutes of stirring at the end! Yes, this is a secret too good to keep to myself.

The linked recipe is too rich for a weeknight dinner, at least for my tastes, so I've included my typical modifications below, which omits the heavy cream. I usually make mushroom risotto, because all the ingredients are long-lived pantry ingredients, which means I can make this on a whim without having to grocery shop!

👀 pic.twitter.com/9gD4OGLZDs
— e. hashman (@ehashdn) December 17, 2020

Mushroom risotto

Serves 3 as a main course. Active time: 25m. Total time: 45m.

Ingredients:

1oz (28g) dried mushrooms, such as porcini (or morels!)
3 ½ cups chicken or vegetable stock
1 ½ cups short-grained rice (I use arborio)
½ cup white wine
2 tbsp olive oil
2 tbsp unsalted butter
4 cloves garlic, minced
1 small onion, small diced
3oz (85g) grated Parmesan cheese
herbs for garnish (optional)

Recipe:

Leave mushrooms to rehydrate in 1 cup of hot water for at least 10 minutes.
Set a wide saucepan (about 3.5qts) or skillet on medium heat.
Mix stock and wine for a total of 4 cups. You can used homemade stock (the best), boxed, or reconstitute from bouillon (my usual). If you use bouillon, I find you get the best flavour if you use a mix, so I tend to use half "no-chicken" and half "organic chicken" of the Better than Bouillon brand. Let this cool if you used boiling water; you don't want it to be too hot.
Mix the rice and stock in a large bowl, agitating it to release the starch. Reserve stock and set the rice in a strainer to drain.
Small dice an onion. Add olive oil and butter to the pan, and then add the onion. Cook the onion until it's translucent, but don't brown it.
Increase the heat to high and add the rice to the pan to toast until it becomes a little bit brown, stirring occasionally, about 3-4 minutes. Set a timer so it doesn't burn 😀
Meanwhile, drain the mushrooms, making sure you reserve the broth. Chop mushrooms and mince the garlic. Once the rice is toasted, add mushrooms and garlic and stir.
Stir the reserved stock. Add all of the mushroom liquid and all but 1 cup of the starchy stock to the pan. Bring to a boil.
Once it has reached a boil, cover, reduce to the lowest heat, and allow the rice to simmer undisturbed for 10 minutes. In the meantime, you can grate the cheese.
After 10 minutes, stir the rice once, shake the pan to ensure it is level, and return to the heat for 10 more minutes. Sit back, relax, and bask in the very little stirring you are doing.
At this point, the rice should be nearly cooked. Give it a stir, and add the remaining cup of broth. Stir until fully incorporated, turn the heat up to high, and cook until the risotto reaches your preferred consistency. I like mine rather thick.
Once the rice is fully cooked, turn off the heat and stir in the grated cheese a bit at a time, reserving some for garnish. Taste, and season with salt and pepper.
Garnish with the grated cheese, and perhaps some herbs. Serve and enjoy!

Variations

No mushrooms: Okay, okay, you hate mushrooms! Sorry! You can leave them out. Don't bother with the mushrooms, and add broth to make up for the lost liquid.

Mushroom lover: Alternatively, if you love mushrooms and you have fresh ones available, use ⅓ to ½ a pound (150-225g) chopped fresh mushrooms instead of dried. Add them at the same time you add the onions to ensure all the liquid cooks off.

Milanese, with stuff: One of my favourite variations on this dish is a version with shrimp, asparagus, and saffron. Leave the mushrooms out, increase the wine to ¾ or even 1 cup (seafood likes a little extra acidity), ensure you have a total of 5 cups of broth, and add a few strands of saffron. Chop asparagus and shrimp, season with salt and pepper, sauté them with some butter or olive oil in a separate pan so they don't overcook, and fold them in at the very end, after you've added the cheese.

I MUST SUFFER: This was too easy? Want to stir more??? Fine, have it your $*!#ing way.

I'm sure you can be creative and come up with something on your own...

Three talks at DebConf 2020

2020-09-05T00:00:00-04:00

This year has been a really unusual one for in-person events like conferences. I had already planned to take this year off from travel for the most part, attending just a handful of domestic conferences. But the pandemic has thrown those plans into chaos; I do not plan to attend large-scale in-person events until July 2021 at the earliest, per my employer's guidance.

I've been really sad to have turned down multiple speaking invitations this year. To try to set expectations, I added a note to my Talks page that indicates I will not be writing any new talks for 2020, but am happy to join panels or reprise old talks.

And somehow, with all that background, I still ended up giving three talks at DebConf 2020 this year. In part, I think it's because this is the first DebConf I've been able to attend since 2017, and I was so happy to have the opportunity! I took time off work to give myself enough space to focus on the conference. International travel is very difficult for me, so DebConf is generally challenging if not impossible for me to attend.

A panel a day keeps the FTP Team away?

On Thursday, August 27th, I spoke on the Leadership in Debian panel, where I discussed some of the challenges leadership in the project must face, including an appropriate response to the BLM movement and sustainability for volunteer positions that require unsustainable hours (such as DPL).

Your browser does not support the video tag.

On Friday, August 28th, I hosted the Debian Clojure BoF, attended by members of the Clojure and Puppet teams. The Puppet team is working to package the latest versions of Puppet Server/DB, which involve significant Clojure components, and I am doing my best to help.

Your browser does not support the video tag.

On Saturday, August 29th, I spoke on the Meet the Technical Committee panel. The Committee presented a number of proposals for improving how we work within the project. I was responsible for presenting our first proposal on allowing folks to engage the committee privately.

Your browser does not support the video tag.

My term at the Open Source Initiative thus far

2020-09-02T12:15:00-04:00

When I ran for the OSI board in early 2019, I set three goals for myself:

Grow the OSI's membership, and build a more representative organization.
Defend the Open Source Definition and FOSS commons.
Define the future of open source, as part of the larger community.

Now that the OSI has announced hiring an interim General Manager, I thought it would be a good time to publicly reflect on what I've accomplished and what I'd like to see next.

As I promised in my campaign pitch, I aim to be publicly accountable :)

Growing the OSI's membership

I have served as our Membership Committee Chair since the May 2019 board meeting, tasked with devising and supervising strategy to increase membership and deliver value to members.

As part of my election campaign last year, I signed up over 50 new individual members. Since May 2019, we've seen strong 33% growth of individual members, to reach a new all-time high over 600 (638 when I last checked).

I see the OSI as a relatively neutral organization that occupies a unique position to build bridges among organizations within the FOSS ecosystem. In order to facilitate this, we need a representative membership, and we need to engage those members and provide forums for cross-pollination. As Membership Committee Chair, I have been running quarterly video calls on Jitsi for our affiliate members, where we can share updates between many global organizations and discuss challenges we all face.

But it's not enough just to hold the discussion; we also need to bring fresh new voices into the conversation. Since I've joined the board, I'm thrilled to say that 16 new affiliate members joined (in chronological order) for a total of 81:

I was also excited to run a survey of the OSI's individual and affiliate membership to help inform the future of the organization that received 58 long-form responses. The survey has been accepted by the board at our August meeting and should be released publicly soon!

Defending the Open Source Definition

When I joined the board, the first committee I joined was the License Committee, which is responsible for running the licence review process, making recommendations on new licenses, and maintaining our existing licenses.

Over the past year, under Pamela Chestek's leadership as Chair, the full board has approved the following licenses (with SPDX identifiers in brackets) on the recommendation of the License Committee:

LBNL BSD License (BSD-3-Clause-LBNL)
OpenLDAP Public License Version 2.8 (OLDAP-2.8)
CAL Beta 4 (CAL-1.0)
Mulan PSL v2 (MulanPSL-2.0)
BSD 1 Clause (BSD-1-Clause)
PHP License 3.01 (PHP-3.01)
The Unlicense (Unlicense)
MIT No Attribution (MIT-0)

We withheld approval of the following licenses:

I've also worked to define the scope of work for hiring someone to improve our license review process, which we have an open RFP for!

Chopping wood and carrying water

I joined the OSI with the goal of improving an organization I didn't think was performing up to its potential. Its membership and board were not representative of the wider open source community, its messaging felt outdated, and it seemed to be failing to rise to today's challenges for FOSS.

But before one can rise to meet these challenges, you need a strong foundation. The OSI needed the organizational structure, health, and governance in order to address such questions. Completing that work is essential, but not exactly glamourous—and it's a place that I thrive. Honestly, I don't (yet?) want to be the public face of the organization, and I apologize to those who've missed me at events like FOSDEM.

I want to talk a little about some of my behind-the-scenes activities that I've completed as part of my board service:

Pushing for organizational D&O and liability insurance, which we obtained in July 2020
Recruiting and encouraging new board members: I helped recruit both our appointed board members, Deb Bryant and Tracy Hinds, who now serve as officers, and endorsed Megan Byrd-Sanicki's candidacy, also a board officer
Recruiting and interviewing a new interim General Manager, Deb Nicholson
Forming an Incubator Project Working Group to determine graduation criteria for OSI Incubator Projects and serving as Snowdrift.coop's board sponsor

All of this work is intended to improve the organization's health and provide it with an excellent foundation for its mission.

Defining the future of open source

Soon after I was elected to the board, I gave a talk at Brooklyn.js entitled "The Future of Open Source." In this presentation, I pondered about the history and future of the free and open source software movement, and the ethical questions we must face.

In my election campaign, I wrote "Software licenses are a means, not an end, to open source software. Focusing on licensing is necessary but not sufficient to ensure a vibrant, thriving open source community. Focus on licensing to the exclusion of other serious community concerns is to our collective detriment."

My primary goal for my first term on the board was to ensure the OSI would be positioned to answer wider questions about the open source community and its future beyond licenses. Over the past two months, I supported Megan Byrd-Sanicki's suggestion to hold (and then participated in, with the rest of the board) organizational strategy sessions to facilitate our long-term planning. My contribution to help inform these sessions was providing the member survey on behalf of the Membership Committee.

Now, I think we are much better equiped to face the hard questions we'll have to tackle. In my opinion, the Open Source Initiative is better positioned than ever to answer them, and I can't wait to see what the future brings.

Hope to see you at our first State of the Source conference next week!

Presenter mode in LibreOffice Impress without an external display

2020-05-27T21:15:00-04:00

I typically use LibreOffice Impress for my talks, much to some folks' surprise. Yes, you can make slides look okay with free software! But there's one annoying caveat that has bothered me for ages.

Impress makes it nearly impossible to enter presenter mode with a single display, while also displaying slides. I have never understood this limitation, but it's existed for a minimum of seven years.

I've tried all sorts of workarounds over the years, including a macro that forces LibreOffice into presenter mode, which I never was able to figure out how to reverse once I ran it...

This has previously been an annoyance but never posed a big problem, because when push came to shove I could leave my house and use an external monitor or screen when presenting at meetups. But now, everything's virtual, I'm in lockdown indefinitely, and I don't have another display available at home. And about 8 hours before speaking at a meetup today, I realized I didn't have a way to share my slides while seeing my speaker notes. Uh oh.

So I got this stupid idea.

...why don't I just placate LibreOffice with a FAKE display?

Virtual displays with `xrandr`

My GPU had this capability innately, it turns out, if I could just whisper the right incantations to unlock its secrets:

ehashman@red-dot:~$ cat /usr/share/X11/xorg.conf.d/20-intel.conf 
Section "Device"
    Identifier "intelgpu0"
    Driver "intel"
    Option "VirtualHeads" "1"
EndSection

After restarting X to allow this newly created config to take effect, I now could see two new virtual displays available for use:

ehashman@red-dot:~$ xrandr
Screen 0: minimum 8 x 8, current 3840 x 1080, maximum 32767 x 32767
eDP1 connected primary 1920x1080+0+0 (normal left inverted right x axis y axis) 310mm x 170mm
   1920x1080     60.01*+  59.93  
   ...
   640x360       59.84    59.32    60.00  
DP1 disconnected (normal left inverted right x axis y axis)
DP2 disconnected (normal left inverted right x axis y axis)
HDMI1 disconnected (normal left inverted right x axis y axis)
HDMI2 disconnected (normal left inverted right x axis y axis)
VIRTUAL1 disconnected (normal left inverted right x axis y axis)
VIRTUAL2 disconnected (normal left inverted right x axis y axis)

Nice. Now, to actually use it:

ehashman@red-dot:~$ xrandr --addmode VIRTUAL1 1920x1080
ehashman@red-dot:~$ xrandr --output VIRTUAL1 --mode 1920x1080 --right-of eDP1

And indeed, after running these commands, I found myself with a virtual display, very happy to black hole all my windows, available to the imaginary right of my laptop screen.

This allowed me to mash that "Present" button in LibreOffice and get my presenter notes on my laptop display, while putting my actual slides in a virtual time-out that I could still screenshare!

Wouldn't it be nice if LibreOffice just fixed the actual bug? 🤷

Well, actually...

I must forgive myself for my stage panic. The talk ended up going great, and the immediate problem was solved. But it turns out this bug has been addressed upstream! It's just... not well-documented.

A couple years ago, there was a forum post on ask.libreoffice.org that featured this exact question, and a solution was provided!

Yes, use Open Expert Configuration via Tools > Options > LibreOffice > Advanced. Search for StartAlways. You should get a node org.openoffice.Office.PresenterScreen with line Presenter. Double-click that line to toggle the boolean value to true.

I tested this out locally and... yeah that works. But it turns out the bug from 2013 had not been updated with this solution until just a few months ago.

There are very limited search results for this configuration property. I wish this was much better documented. But so it goes with free software; here's a hack and a real solution as we all try to improve things :)

Beef and broccoli

2020-05-25T19:30:00-04:00

Beef and broccoli is one of my favourite easy weeknight meals. It's savoury, it's satisfying, it's mercifully quick, and so, so delicious.

The recipe here is based on this one but with a few simplifications and modifications. The ingredients are basically the same, but the technique is a little different. Oh, and I include some fermented black beans because they're yummy :3

Made 🥩 and 🥦 pic.twitter.com/cSpyA3hzP6
— e. hashman (@ehashdn) April 21, 2020

🥩 and 🥦

Serves 3. Active time: 20-30m. Total time: 30m.

Ingredients:

¾ lb steak, thinly sliced (leave it in the freezer for ~30m to make slicing easier)
¾ lb broccoli florets
3 large cloves garlic, chopped
1 teaspoon fermented black beans, rinsed and chopped (optional)

For the marinade:

1 teaspoon soy sauce
1 teaspoon shaoxing rice wine or dry sherry
½ teaspoon corn starch
⅛ teaspoon ground black pepper

For the sauce:

2 tablespoons oyster sauce
2 teaspoons soy sauce
1 teaspoon shaoxing rice wine or dry sherry
¼ cup chicken broth (I use Better than Bouillon)
2 tablespoons water
1 teaspoon corn starch

For the rice:

¾ cup white medium-grain rice (I use calrose)
1¼ cup water
large pinch of salt

Recipe:

Begin by preparing the rice: combine rice, water, and salt in a small saucepan and bring to a boil. Once it reaches a boil, cover and reduce to a simmer for 20 minutes. Then turn off the heat and let it rest.
Mix the marinade in a bowl large enough to hold the meat.
Thinly slice the beef. Place slices in the marinade bowl and toss to evenly coat.
Start heating a wok or similar pan on medium-high to high heat. This will ensure you get a good sear.
Prep the garlic, black beans, and broccoli. If you use frozen broccoli, you can save some time here :)
Combine the ingredients for the sauce and mix well to ensure the corn starch doesn't form any lumps.
By this point the beef should have been marinating for about 10-15m. Add a tablespoon of neutral cooking oil (like canola or soy) to the meat, give it one more toss to ensure it's thoroughly coated, then add a layer of meat to the dry pan. You may need to sear in batches. On high heat, cooking will take 1-2 minutes per side, ensuring each is nicely browned. Once the strips are cooked, remove from the pan and set aside.
While the beef is cooking, steam the broccoli until it's almost (but not quite) cooked through. I typically do this by putting it in a large bowl, adding 2 tbsp water, covering it and microwaving: 3 minutes on high if frozen, 1½ minutes on high if fresh, pausing halfway through to stir.
Once all the beef is cooked and set aside, spray the pan or add oil to coat and add the garlic and black bean (if using). Stir and cook for 30-60 seconds until fragrant.
When the garlic is ready, give the sauce a quick stir and add it to the pan, using it to deglaze. Once there are no more bits stuck to the bottom and the sauce is thick to your liking, add the broccoli and beef to the pan. Mix until thoroughly coated in sauce and heated through. Taste and adjust seasoning (salt, pepper, soy, etc.) if necessary.
Fluff the rice and serve. Enjoy!

But I am a vegetarian???

Seitan can substitute for the beef relatively easily. Finding a substitute for oyster sauce is a little bit trickier, especially since it's the star ingredient. You can buy vegetarian or vegan oyster sauce (they're usually mushroom-based), but I have no idea how good they taste. You can also try making it at home! If you do, let me know how it turns out?

Repack Zoom .debs to remove the `ibus` dependency

2020-04-09T00:00:00-04:00

For whatever reason, Zoom distributes .debs that have a dependency on ibus. ibus is the "intelligent input bus" package and as far as I'm aware, might be used for emoji input in chat or something?? But is otherwise not actually a dependency of the Zoom package. I've tested this extensively... the client works fine without it.

I noticed when I installed ibus along with the Zoom package that ibus would frequently eat an entire core of CPU. I'm sure this is a bug in the ibus package or service, but I have no energy to try to get that fixed. If it's not a hard dependency, Zoom shouldn't depend on it in the first place.

Anyways, here's how you can repack a Zoom .deb to remove the ibus dependency:

scratch=$(mktemp -d)

# Extract package contents
dpkg -x zoom_amd64.deb $scratch

# Extract package control information
dpkg -e zoom_amd64.deb $scratch/DEBIAN

# Remove the ibus dependency
sed -i -E 's/(ibus, |, ibus)//' $scratch/DEBIAN/control

# Rebuild the .deb
dpkg -b $scratch patched_zoom_amd64.deb

Now you can install the patched .deb with

dpkg -i patched_zoom_amd64.deb

The upstream fix would be for Zoom to move the ibus "Dependency" to a "Recommends", but they have been unwilling to do this for over a year.

But wait, what version even is my package?

By the way, you may have also noticed that the Zoom client downloads do not conform to the standard Debian package naming scheme (i.e. including the version in the filename). If you're not sure what version a zoom_amd64.deb package you've downloaded is, you can quickly extract that information with dpkg-deb:

dpkg-deb -I zoom_amd64.deb | grep Version
# Version: 3.5.383291.0407

Chili

2020-03-02T19:00:00-05:00

I really like beans. This is one way for me to power through the copious amounts I receive through the beloved Bean of the Month Club. (It took me many months, but I finally got in!)

Cooked beans two days in a row in order to deliver this masterpiece pic.twitter.com/VzIlPKKosJ
— e. hashman (@ehashdn) March 3, 2020

Beef Chili

Serves 5-7. Active time: 20m. Total time: 90m.

Ingredients:

1lb lean ground beef
1 large onion
1 poblano pepper (or use your favourite peppers)
1 stick celery
some fresh garlic (idk, 2-3 cloves?)
2 tablespoons ancho chili powder
3½ teaspoons ground cumin
2 teaspoons oregano
2 teaspoons garlic powder
14oz can diced tomatoes
14oz can crushed tomatoes
3 cups big cooked beans (I love ayacote morado for this)
3 cups small cooked beans (pinto work great)
salt to taste
wedge of lime (optional)
garnishes (sour cream, grated cheese, green onion, etc.)

Recipe:

Heat a dutch oven on high.
Small or medium dice (depending on your preference) the celery, pepper, and onion. You should have about four cups total.
Brown the beef in the dutch oven, using a little bit of cooking oil to avoid sticking if desired.
While the meat is browning, mince the garlic, measure the spices, and combine these all together.
Once the meat is brown, add the diced vegetables and cook until tender and the onion is translucent.
Add the spices and garlic, thoroughly combine, and cook until fragrant, about one minute.
Add the tomatoes. Once the mixture comes to a boil, cover and simmer for about an hour, stirring every ~20 minutes or so.
Add the beans and use bean broth or water to adjust consistency.
This is a good time to taste and add salt. I usually use 1 to 1½ teaspoons.
Bring to a boil again, cover and simmer for 10-15 more minutes.
Turn off the heat, taste, and adjust seasoning if necessary. Add a squeeze of lime if it needs a little acidity.
Serve with sour cream, grated cheese, sliced green onions, or any of your other favourite garnishes.
Enjoy!

before and after pic.twitter.com/CgkeCDPOaO
— e. hashman (@ehashdn) March 3, 2020

Frequently Asked Questions

Q: Why wait until basically the end to add salt?
A: Because canned ingredients will contain salt, and it's hard to predict how much, so you should always salt to taste. Waiting until the end will always ensure you season accurately.

Q: Why are so many of these directions so hand-wavey?
A: Cooking is an adventure. Experiment a little!

Q: But I have no idea what "to taste" means.
A: Taste it, add the thing, stir, taste it again. Is it salty enough? Sour enough? Sweet enough? You don't know, you say? Keep going. Add a little too much and then you'll find out for next time. 😁

Q: Why do you add so many beans and so little meat?
A: I really like beans.

KubeCon NA 2019 Talk Resources

2020-01-04T00:00:00-05:00

At KubeCon + CloudNativeCon North America 2019, I co-presented "Weighing a Cloud: Measuring Your Kubernetes Clusters" with Han Kang. Here's some links and resources related to my talk, for your reference.

Weighing a Cloud: Measuring Your Kubernetes Clusters

Talk slides (pdf download)
Talk video, hosted on YouTube
Related talk from SREcon: Kubernetes SLOs and debugging cluster issues
Try it yourself: sample code on GitHub
Prometheus documentation

My favourite bash alias for git

2019-08-03T00:00:00-04:00

I review a lot of code. A lot. And an important part of that process is getting to experiment with said code so I can make sure it actually works. As such, I find myself with a frequent need to locally run code from a submitted patch.

So how does one fetch that code? Long ago, when I was a new maintainer, I would add the remote repository I was reviewing to my local repo so I could fetch that whole fork and target branch. Once downloaded, I could play around with that on my local machine. But this was a lot of overhead! There was a lot of clicking, copying, and pasting involved in order to figure out the clone URL for the remote repo, and a bunch of commands to set it up. It felt like a lot of toil that could be easily automated, but I didn't know a better way.

One day, when a coworker of mine saw me struggling with this, he showed me the better way.

Turns out, most hosted git repos with pull request functionality will let you pull down a read-only version of the changeset from the upstream fork using git, meaning that you don't have to set up additional remote tracking to fetch and run the patch or use platform-specific HTTP APIs.

Using GitHub's git references for pull requests

I first learned how to do this on GitHub.

GitHub maintains a copy of pull requests against a particular repo at the pull/NUM/head reference. (More documentation on refs here.) This means that if you have set up a remote called origin and someone submits a pull request #123 against that repository, you can fetch the code by running

$ git fetch origin pull/123/head
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 4 (delta 3), reused 3 (delta 3), pack-reused 1
Unpacking objects: 100% (4/4), done.
From github.com:ehashman/hack_the_planet
 * branch            refs/pull/123/head -> FETCH_HEAD

$ git checkout FETCH_HEAD
Note: checking out 'FETCH_HEAD'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>

HEAD is now at deadb00 hack the planet!!!

Woah.

Using pull request references for CI

As a quick aside: This is also handy if you want to write your own CI scripts against users' pull requests. Even better—on GitHub, you can fetch a tree with the pull request already merged onto the top of the current master branch by fetching pull/NUM/merge. (I'm not sure if this is officially documented somewhere, and I don't believe it's widely supported by other hosted git platforms.)

If you also specify the --depth flag in your fetch command, you can fetch code even faster by limiting how much upstream history you download. It doesn't make much difference on small repos, but it is a big deal on large projects:

elana@silverpine:/tmp$ time git clone https://github.com/kubernetes/kubernetes.git
Cloning into 'kubernetes'...
remote: Enumerating objects: 295, done.
remote: Counting objects: 100% (295/295), done.
remote: Compressing objects: 100% (167/167), done.
remote: Total 980446 (delta 148), reused 136 (delta 128), pack-reused 980151
Receiving objects: 100% (980446/980446), 648.95 MiB | 12.47 MiB/s, done.
Resolving deltas: 100% (686795/686795), done.
Checking out files: 100% (20279/20279), done.

real    1m31.035s
user    1m17.856s
sys     0m7.782s

elana@silverpine:/tmp$ time git clone --depth=10 https://github.com/kubernetes/kubernetes.git kubernetes-shallow
Cloning into 'kubernetes-shallow'...
remote: Enumerating objects: 34305, done.
remote: Counting objects: 100% (34305/34305), done.
remote: Compressing objects: 100% (22976/22976), done.
remote: Total 34305 (delta 17247), reused 19060 (delta 10567), pack-reused 0
Receiving objects: 100% (34305/34305), 34.22 MiB | 10.25 MiB/s, done.
Resolving deltas: 100% (17247/17247), done.

real    0m31.495s
user    0m3.941s
sys     0m1.228s

Writing the `pull` alias

So how can one harness all this as a bash alias? It takes just a little bit of code:

pull() {
    git fetch "$1" pull/"$2"/head && git checkout FETCH_HEAD
}

alias pull='pull'

Then I can check out a PR locally with the short command pull <remote> <num>:

$ pull origin 123
remote: Enumerating objects: 4, done.
remote: Counting objects: 100% (4/4), done.
remote: Total 5 (delta 4), reused 4 (delta 4), pack-reused 1
Unpacking objects: 100% (5/5), done.
From github.com:ehashman/hack_the_planet
 * branch            refs/pull/123/head -> FETCH_HEAD
Note: checking out 'FETCH_HEAD'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>

HEAD is now at deadb00 hack the planet!!!

You can even add your own commits, save them on a local branch, and push that to your collaborator's repository to build on their PR if you're so inclined... but let's not get too ahead of ourselves.

Changeset references on other git platforms

These pull request refs are not a special feature of git itself, but rather a per-platform implementation detail using an arbitrary git ref format. As far as I'm aware, most major git hosting platforms implement this, but they all use slightly different ref names.

GitLab

At my last job I needed to figure out how to make this work with GitLab in order to set up CI pipelines with our Jenkins instance. Debian's Salsa platform also runs GitLab.

GitLab calls user-submitted changesets "merge requests" and that language is reflected here:

git fetch origin merge-requests/NUM/head

They also have some nifty documentation for adding a git alias to fetch these references. They do so in a way that creates a local branch automatically, if that's something you'd like—personally, I check out so many patches that I would not be able to deal with cleaning up all the extra branch mess!

BitBucket

Bad news: as of the time of publication, this isn't supported on bitbucket.org, even though a request for this feature has been open for seven years. (BitBucket Server supports this feature, but that's standalone and proprietary, so I won't bother including it in this post.)

Gitea

While I can't find any official documentation for it, I tested and confirmed that Gitea uses the same ref names for pull requests as GitHub, and thus you can use the same bash/git aliases on a Gitea repo as those you set up for GitHub.

Saved you a click?

Hope you found this guide handy. No more excuses: now that it's just one short command away, go forth and run your colleagues' code locally!

How to grant (Tom Marble) Debian Maintainer access

2019-07-24T00:00:00-04:00

I run the Debian Clojure Team, which means that occasionally folks volunteer to help out with Clojure packaging. This is awesome! Since I'm lazy, I don't want to have to sponsor every package upload for folks who have proven their aptitude at packaging. Hence, sometimes I need to grant Debian Maintainers upload access to team packages.

Folks typically point at this email as documentation of how to grant DM access on packages. However, I have zero desire to hand-craft artisanal dak commands. So, I try to leverage some existing tools I already have installed on my system to help me out—namely, the dcut tool from the dput-ng package.

The commands

Tom Marble wanted DM access to the libjava-jdbc-clojure package, after I suggested he try doing a new version upload for it. I previously gave him DM access to maintain shimdandy and com-hypirion-io-clojure. But I couldn't remember exactly how I did it...

According to the dcut manpage, this should be as simple as running

dcut dm --uid "Tom Marble" --allow libjava-jdbc-clojure

However, there is a slight problem: I don't normally run dput (or dcut) on a machine with my Debian key present, since I keep my only copy on my laptop. For various reasons (mostly related to intertia, external monitors, and wifi drivers), I run Linux Mint on my laptop, and the version of dcut available there doesn't actually work properly, so I can't just run dcut locally...

What to do about this?

It turns out that there is an undocumented flag, -S or --save, that will save the generated commands locally.

dcut -s -S dm --uid "Tom Marble" --allow libjava-jdbc-clojure

The -s flag, or --simulate, ensures that we don't try to upload the file to the archive just yet. This will produce a file in the current directory with a name similar to ehashman-1564016122.dak-commands. Take a look:

ehashman@corn-syrup:~$ cat ehashman-1564016122.dak-commands

Archive: ftp.upload.debian.org
Uploader: Elana Hashman <ehashman@debian.org>

Action: dm
Fingerprint: 884A52C4AC8ABB931D158FA840BFEE868B055D9A
Allow: libjava-jdbc-clojure

Now is a good time to verify that the key and package is correct. You can then sign this file:

gpg --sign --armour --clearsign ehashman-1564016122.dak-commands

And use dcut to upload it:

dcut upload -f ehashman-1564016122.dak-commands

Once the file has been processed, check the FTP Master DM log to make sure your DM changes have been set correctly.

See you on the next episode of "me creating problems for myself with scary Debian tools" 👋

References

PyCon 2019 Talk Resources

2019-05-01T00:00:00-04:00

At PyCon US in 2019, I reprised my talk "The Black Magic of Python Wheels", originally presented at PyGotham 2018. I based this talk on my three years of work on auditwheel and the manylinux platform, hoping to share some dark details of how the proverbial sausage is made.

After this talk, I will be retiring from auditwheel maintainership.

The Black Magic of Python Wheels

Follow-up readings

Linux Programmer's Manual: format of Executable and Linkable Format (ELF) Files
The Linux Programming Interface: 42.3.2 "Symbol Versioning", pg. 870. (Note: all of chapter 42 would be a great resource on the topic! This is a great book.)
ELF Symbol Versioning
Linking to Older Versioned Symbols
PLT and GOT - the key to code sharing and dynamic libraries

All the PEPs referenced in the talk

In increasing numeric order.

PEP 376 "Database of Installed Python Distributions"
PEP 426 "Metadata for Python Software Packages 2.0"
PEP 427 "The Wheel Binary Package Format 1.0"
PEP 513 "A Platform Tag for Portable Linux Built Distributions" (aka manylinux1)
PEP 571 "The manylinux2010 Platform Tag"

Image licensing info

Tree Cat Silhouette Sunset: Public Domain (CC0) @besshamiti
Happy Halloween! (Costume Dog): Public Domain (CC0) @milkyfactory

I'm stepping down as maintainer of auditwheel

2019-04-10T22:15:00-04:00

For the last three years I've been a regular contributor and core maintainer of auditwheel, a Python Packaging Authority (or "PyPA") tool used to build portable binary/extension wheels on Linux. auditwheel's "show" command allows developers to check if their Python wheel's external symbol dependencies comply with the manylinux policies, and its "repair" command enables developers to more easily build policy-compliant wheels inside an appropriate environment like a manylinux Docker image without having to make significant changes to their build processes.

Most recently, at the last Python Packaging Authority sprints in November 2018, I finished work to support the manylinux2010 platform tag in auditwheel. After extensive testing, this functionality was released in version 2.0 in January of 2019.

But why?

auditwheel is a very technically challenging tool to maintain. It requires deep knowledge of dynamic linking, ELF binaries, and symbol versioning on the Linux platform. While this is very exciting technical work, it's not the sort of project that I can work on sustainably in my free time and off hours. I'm currently the only active auditwheel maintainer, and I don't feel like I can give the project the attention it deserves on an ongoing basis, especially given community interest in updating the manylinux specification and supporting new platform policies.

On the bright side, concluding my work with auditwheel and manylinux will allow me to dedicate more quality time to other FOSS projects I'm excited about! In a personal capacity, I have just started a two year term as an individual member of the Open Source Initiative Board of Directors, and I will continue my work in Debian. In a professional capacity, I recently started a new job at Red Hat and I intend to significantly increase my upstream Kubernetes and OpenShift contributions over the next year.

I'm making this announcement now to avoid surprising anyone at PyCon, and I'd love to spend my time at the conference working on a transition plan. I will be giving an introductory talk about auditwheel and the manylinux toolchain if you're interested in learning more about the space and want to get involved! At PyCon, I hope I will have the opportunity to provide some outgoing input on the future of auditwheel and manylinux, especially after the bumpy rollout of manylinux2010.

So long and thanks for all the fish 🐟

SREcon19 Americas Talk Resources

2019-03-22T00:00:00-04:00

At SREcon19 Americas, I gave a talk called "Operating within Normal Parameters: Monitoring Kubernetes". I also reprised this talk at the Cloud Native PDX meetup in October 2019 and the Portland DevOps meetup in May 2020. Here's some links and resources related to my talk, for your reference.

Operating within Normal Parameters: Monitoring Kubernetes

Talk slides (pdf download)
Talk video, hosted on YouTube
Try it yourself: sample code on GitHub
Prometheus documentation
kube-state-metrics documentation
metrics-server documentation
Grafana documentation (for dashboards and visualization)

Additional Prometheus metrics sources

I'm running for the Open Source Initiative Board of Directors

2019-03-02T11:00:00-05:00

The 2019 election for the Open Source Initiative Board of Directors is upon us, and I'm running for a seat on the board as an Individual Member.

The Open Source Initiative (OSI) is a ~~shadowy cabal~~ global non-profit organization that is primarily responsible for maintaining the Open Source Definition and list of approved Open Source Licenses, in addition to promoting and representing the wider open source community. If you use or care about open source software, the OSI impacts you!

Why am I running?

There are three main things that I'd like to accomplish as a board member:

Grow the OSI's membership, and build a more representative organization.
Defend the Open Source Definition and FOSS commons.
Define the future of open source, as part of the larger community.

You can read more of the specifics of my platform on the OSI election wiki.

Why vote for me?

My platform is actionable, specific, and measurable. For example, when I say I want to grow the OSI's membership, this isn't just a platitude: I'm running a membership drive to recruit 25 new members and I've nearly met my goal already! If you vote for me, it's easy for you to hold me accountable to these specific commitments.

I have a cross-cutting, boots-on-the-ground view of the challenges and needs of the FOSS community. I'm active as a developer in many different open source communities: the Python community, the Clojure community, the JavaScript community, the Kubernetes and CNCF communities. I bring a new, broad perspective to the Board as a primarily technical contributor from communities who are not yet deeply involved with the OSI, and pledge to represent their interests.

As a packager, I have a practical understanding of software licensing and redistribution. Defending the Open Source Definition isn't just about ideology for me: threats to the FOSS commons directly impact my work as a downstream developer. Packaging FOSS for distribution in Debian, applying patches, and sharing derivative works all require a deep understanding of the practice of software licenses and copyright. Hence, I have important and applicable experience for license review.

This sounds great, sign me up!

If you like what you've seen here, I'd be thrilled if you considered joining the OSI as a new member and voting for me.

You can sign up for a membership here.

Do let me know if I was your inspiration for joining, as I'd love to count you towards my membership drive! You can reach out via Mastodon, Twitter, or email. I'll also make sure to send you a reminder to vote in the election. Voting opens Monday, March 4 at 12:00am PST and closes Friday, March 15 at 11:59PM PST.

get that (multigrain) bread 🍞

2019-02-23T17:15:00-05:00

I've been baking a lot of bread over the past year: about one loaf a week, give or take. It's a fun hobby, and it saves me a bit of money because homemade bread lasts longer than the stuff at the grocery store and also costs less. There are some occupational hazards, like burning my arm, but the payoff seems to be mostly worth it, because homemade bread tastes so good. The thing that got me hooked was this basic recipe from Donna Currie—something about the overnight rest and use of good olive oil make this loaf really magical, and the active time is minimal which made it easy for me to get into baking regularly!

My beautiful golden son :') pic.twitter.com/dNnwd0j8ZH
— (:e hashman) (@ehashdn) January 5, 2019

A thing I really appreciate about baking bread is that it's very forgiving. I've only once ever made a loaf so bad that it turned out inedible, and that was one among dozens. My bread-shaping technique was non-existent when I started making bread, but now it's a lot better. I like making loaves on the smaller side, but my loaf pans are the wrong size, so sometimes I end up with a short, stout loaf—who cares. Every week I get the opportunity to try a new experiment and see what works and what doesn't, and my technique and knowledge get better every time. Your loaves will not judge you. You do not have to be perfect.

Compare this guy to the first loaf I baked when I got into bread earlier this year :D

As they say, practice makes perfect. pic.twitter.com/nbF8l1e5UH
— (:e hashman) (@ehashdn) January 5, 2019

Since I am Serious about breadmaking—or, at least, relatively committed to the cause—I decided to make my own sourdough starter in December of last year. His name is Yeästeroth, Keeper of the Seal, Sourer of the Dough: Yeästeroth the Undying, Who has Slept a Thousand Years... and Rises Again. (Name courtesy of my roommate. Other names submitted for consideration include "Allison the Mermaid" and "libsour.so.5".)

7 days of Yeästeroth! To celebrate, my roommate started playing a chant from Mozart's Requiem.

Still moving along slower than I would like so I have swaddled him in a blanket. pic.twitter.com/CceLXjz1Xy
— (:e hashman) (@ehashdn) December 7, 2018

According to various experiments, Yeästeroth sort of sucks at making dough rise and I am not nearly patient enough to try to fix this. So I just appreciate his nice flavour and spare him a little help in the rising department. When I bake sourdough bread, I throw in an extra teaspoon of instant yeast and call it a day.

So it turns out that little bit of commercial yeast I was adding *was* doing something 😂 I have learned my lesson this week...

Still tastes great, dense but good texture! pic.twitter.com/O52jf8R9I0
— (:e hashman) (@ehashdn) January 12, 2019

Whole wheat: the final frontier

While getting started with white bread and sourdough was relatively easy, baking with whole wheat flour is... a challenge, to say the least. It's much less forgiving than baking with white flour, the doughs need much more hydration so they're sticky and make a mess, and they rise at a different rate than white bread.

My favourite whole wheat breads tend to be multigrain, so that was the first kind of whole wheat loaf I tried to bake. I wasn't super happy with it, although I did bake the recipe again to try to improve on my technique, and that one turned out a bit better.

CRUMB pic.twitter.com/8LZNO7q2M5
— (:e hashman) (@ehashdn) July 30, 2018

To be honest I didn't think that getting better at baking whole wheat bread was actually worth the effort, so I stopped doing it for a while. Whole wheat bread is not morally superior to white bread, and it's way harder to work with and make taste good, so why bother with all the trouble?

Well, one of my coworkers went to the UK over the winter break and brought me back a bag of flour from his mother's local mill, and it turned out to be a whole wheat seed mix flour for multigrain bread, so I felt compelled to get better at this. Look at how charming it is! The label uses Comic Sans!!

Since this flour has seeds already mixed in, a new and exciting thing for me, I looked for a bread recipe using it specifically (which was really just this recipe, modified) and made some modifications of my own (sourdough starter/instant yeast mix, no vitamin C tablet, half the salt, less sugar and used olive oil in place of butter). That turned out pretty well.

Baked my best multigrain loaf yet today! With the flour my coworker gave me 😊 pic.twitter.com/G4EYApU8zR
— (:e hashman) (@ehashdn) February 1, 2019

While I baked a pretty decent first loaf with the Wessex Mill flour, it still felt like it lacked something. I missed the butter and the brown sugar and so this time I figured I'd be a little more decadent and go all out. But I didn't really trust myself to do that with a 100% whole wheat loaf and succeed, so I decided to try an experiment by using a little more white flour. This new recipe is a hybridization of all the various multigrain loaf recipes I've tried thus far, and it worked out better than I could have hoped for!

My most successful multigrain loaf yet

Ingredients:

8oz Wessex Mill Six Seed Flour
4oz white bread flour (I use King Arthur brand)
1 tsp instant yeast (I use Saf-instant red)
1 tsp salt
2 tbsp dark brown sugar
8oz sourdough starter at 100% hydration, unfed
6oz warm water
1-2 tbsp melted butter (it's fine if it's salted)
canola/vegetable oil for greasing

Note: This recipe involves a rest in the fridge. I recommend mixing the dough in the evening and baking it in the next morning.

Recipe:

Mix the dry ingredients in a stand mixer until thoroughly combined.
Measure in the wet ingredients and mix in the stand mixer until they come together. At this point the dough will be an extremely sticky mess, completely attached to the sides of the bowl.
Fear not. Add about a tablespoon of white bread flour and mix until it just starts to unstick from the sides of the mixer bowl.
Grease a plastic bag with a bit of canola oil. Make sure you grease it really well, because otherwise the dough will stick to the bag and you will be sad. Scrape the dough out of the mixing bowl into the bag and seal it. Stick this in the fridge overnight so it can develop some nice flavour.
In the morning, take the bag out of the fridge and let it come up to room temperature. This will take one to two hours, depending on how warm your kitchen is.
When the dough is warmed up, sprinkle some flour on the counter and shape the dough into a log.
Grease a loaf pan and transfer the dough into the pan. Cover the pan with plastic wrap and let this rest in a warm place until the loaf is fully risen. I usually let mine go about an hour and a half to two hours, depending on how long it rested coming up to room temperature.
When the dough is just about ready (it should double in size, give or take), preheat the oven to 350F convection (or 375F conventional bake). Put the loaf in the oven and bake for 20 minutes.
At this point, turn the loaf around and lower the oven temperature to 325F convection (or 350F conventional bake). Bake for an additional 15 minutes.
Remove the loaf from the oven, pop out of the pan and cool on a cooling rack. Enjoy once cool... assuming you can wait that long!

Hot chocolate

2019-01-08T22:00:00-05:00

My roommate once told me that “[I] make the best hot chocolate [he's] ever tasted.” This was a little surprising to me, because my hot chocolate recipe is not sophisticated, but I guess it does taste pretty good. 😊

Today I will share my secrets with the world.

Homemade hot chocolate

Ingredients:

1 tsp granulated sugar
1 tbsp unsweetened cocoa powder
splash of vanilla extract (or paste, if you're really fancy)
hot water
10-12oz milk (I like whole milk)
pinch salt

Recipe:

Mix the sugar, cocoa, and vanilla in a microwave-safe liquid measuring cup. Add a small amount of hot water and stir until the mixture is fully combined.
Add milk while stirring until you have about one serving of hot chocolate, about 10-12oz. Taste.
Adjust any ingredients to taste (more sugar, more cocoa, etc.) and add salt.
Microwave for about 1 minute on high. Stir and taste for a temperature check.
Microwave for about 30 more seconds or until sufficiently hot.
Pour into a mug or thermos for serving.
Enjoy!

Variations

Spicy hot chocolate: substitute ¼ tsp cinnamon for the vanilla. Add a dash of cayenne.

Peppermint hot chocolate: substitute a splash of mint extract for the vanilla.

Non-dairy hot chocolate: use your favourite non-dairy milk substitute in place of milk. If it's vanilla-flavoured, leave out the vanilla. If it's sweetened, you may need to reduce the amount of sugar added.

Software Freedom Conservancy: Governance & Federation are the Future

2018-12-27T12:00:00-05:00

This entry is cross-posted from the Software Freedom Conservancy's blog.

This is part of our ongoing series on generous matching donors. Elana is the Queen of Debian Clojure, Empress of Symbol Versioning, Conqueress of ABIs, Python Packaging Authority, ELF Herder and the Winner of this year's Award for most odd, but needful volunteer assistance this year (keeping people from eating pizza on top of the Conservancy tablecloth and so, so much more.) Elana and several other outstanding individuals are joining Private Internet Access and a big anonymous donor in offering a total of $90K in matching funds to the Conservancy for our continued work to provide both support for important free software and a clear voice in favor of community-driven licensing and governance practices.

Deb: What's the most exciting thing you've seen recently in free software?

EH: I'm really excited about a bunch of different emerging free social technologies based on the ActivityPub specification that make up the so-called "fediverse." I think Mastodon might be the most popular—it fills a niche similar to Twitter—but there's also Pleroma, which is Mastodon-compatible and a little simpler to deploy, a peer-to-peer replacement for YouTube called PeerTube, and a federated image sharing app you can use instead of Instagram called PixelFed.

Mastodon has demonstrated that when we prioritize user experiences and work together, we can build free software to sustainably run social collectives on independent infrastructure, and even achieve widespread adoption. This is so meaningful to me: the fediverse embodies all of user freedom, consent, autonomy, self-governance, and community in practice. Independent, federated social networks come with the promise of building online social spaces that better reflect the social needs of individuals and their communities in a way that centralized, corporate social media cannot.

Deb: What do you wish people knew about Conservancy, that they might not know?

EH: Many folks have heard of the wonderful projects that all live together under the Conservancy banner, but I'm not sure if many people are familiar with what it takes to become a Conservancy project!

Conservancy members are required to serve the public interest, develop their software in public, and use a FOSS license. They must also be community-run: a Conservancy project should have a community-elected oversight committee or a minimum of three governing members, so a project can't be run by a single developer, and when members are appointed there can't be more than one employed by a particular company. I think it's really cool that all Conservancy member projects must uphold rigorous standards for community governance.

Deb: You work on several well-known free software projects (Debian, Clojure, Python). Do you have any advice for folks who are just starting with free software contributing?

EH: It's funny when you put it that way---I got started in free software barely five years ago, and I'm almost surprised by how much I've contributed since then. One of the big barriers for me was believing I could do it at all. Even though I've been using free software since 2006 or so, I didn't really see a lot of people like me in the community, and having lurked in IRC channels for years I was so afraid of trying to contribute and getting yelled at for messing up something obvious.

In 2013, I decided to attend an open source day at a conference, and met Asheesh Laroia and Carol Willing. They jumped to onboard me with OpenHatch, a project whose mission was to help newcomers get involved in free and open source software. That chance meeting grew into a GSoC internship with OpenHatch the next summer; later, I became a core maintainer of the project until it wound down. Once I had the right skills, it's become harder for me to say no to contributing to new projects than to just contribute! The fear of messing up spectacularly in public is still there, but it doesn't stop me anymore.

Part of OpenHatch's legacy was encouraging projects to identify and publicly label issues that were relatively small (or "bite-sized") and good for beginners. Now, many spiritual successors to OpenHatch exist, including Your First PR and Up For Grabs.

Deb: What do you hope to see Conservancy accomplish in the next five years?

EH: I think Conservancy is increasingly important for the future of sustainable free software. Recently, we've seen the proliferation of a number of new protectionist licenses, as corporations become more concerned about their open source projects being monetized by other corporations that don't contribute back. I think corporate sustainability and community sustainability are different things, and I'm concerned that the idea of "sustainability" is being co-opted by companies that define it as seeing greater financial returns from their open source projects.

Conservancy fights this co-option with a two-pronged strategy: through its software license advocacy, by helping to educate the public on software licenses and by providing license enforcement to member projects to ensure free software remains free; and through its support of member project operations, by enabling the practice of sustainable community free software in providing fiscal sponsorship and administrative services. I think both are very important and I'd love to see Conservancy continue to grow in both areas over the next five years; perhaps it will even accept some fediverse projects as members :)

Deb: Anything else you'd like to add?

EH: If any of this speaks to you, dear reader, then I'd love to encourage you to support Conservancy by making a donation. But if that's not something you're able to do, you can always volunteer with Conservancy or a member project, or help spread the word for this year's fundraiser!

I was a podcast guest on The REPL

2018-10-26T16:00:00-04:00

Daniel Compton hosted me on his Clojure podcast, The REPL, where I talked about Debian, packaging Leiningen, and the Clojure ecosystem in Debian. It's got everything: spooky abandoned packages, anarchist collectives, software security policies, and Debian release cycles. Absolutely no shade was thrown at other distros.

Give it a listen:

Your browser does not support the audio element.

Download: MP3

More Q&A

After the podcast was published, Ivan Sagalaev wrote me with a great question about how the different versions of Clojure in Ubuntu 18.04 work:

First of all, THANK YOU for making sudo apt install leiningen work! It's so much better and more consistent than sourcing bash scripts :-)

I have a quick question for you. After installing leiningen and clojure on Ubuntu 18.04 I see that lein repl starts with clojure 1.8.0, while the clojure package itself seems to be independent and is version 1.9.0. How is it possible? I frankly haven't even seen lein downloading its own clojure.jar...

I replied:

Leiningen is "ahead-of-time (AOT) compiled", which is a fancy way of saying that the Leiningen you download from Ubuntu is pre-built. This means it is already compiled to Java bytecode, which can be run directly by Java. I ship the binary Leiningen package as an "uberjar", which means all its dependencies are also included inside the Leiningen jar.

Leiningen depends on and is built with Clojure 1.8, so the Leiningen uberjar in Debian also depends on Clojure 1.8. The "clojure" package in 18.04 defaults to installing Clojure 1.9, but that can be installed simultaneously with the "clojure1.8" package that Leiningen depends on in order to build. You can change your default Clojure to 1.8 using alternatives.

When you launch lein repl, by default the Clojure 1.8 runtime that's compiled in is used. If you run lein repl in the root of a Clojure 1.9 project, Leiningen will download Clojure 1.9 from Clojars and launch a 1.9 repl. If you want to use the Clojure 1.9 shipped with Debian, you can change :local-repo to point at /usr/share/maven-repo, but be careful to also set :offline? to true so you don't try to install things into the system maven repo by accident.

PyGotham 2018 Talk Resources

2018-10-13T00:00:00-04:00

At PyGotham in 2018, I gave a talk called "The Black Magic of Python Wheels". I based this talk on my two years of work on auditwheel and the manylinux platform, hoping to share some dark details of how the proverbial sausage is made.

It was a fun talk, and I enjoyed the opportunity to wear my Python Packaging Authority hat:

A very witchy @PyGotham talk from @ehashdn about dark ELF magic pic.twitter.com/W8JMEVW8GE
— Geoffrey Thomas, but spooky (@geofft) October 6, 2018

The Black Magic of Python Wheels

Follow-up readings

Linux Programmer's Manual: format of Executable and Linkable Format (ELF) Files
The Linux Programming Interface: 42.3.2 "Symbol Versioning", pg. 870. (Note: all of chapter 42 would be a great resource on the topic! This is a great book.)
ELF Symbol Versioning
Linking to Older Versioned Symbols
PLT and GOT - the key to code sharing and dynamic libraries

All the PEPs referenced in the talk

In increasing numeric order.

PEP 376 "Database of Installed Python Distributions"
PEP 426 "Metadata for Python Software Packages 2.0"
PEP 427 "The Wheel Binary Package Format 1.0"
PEP 513 "A Platform Tag for Portable Linux Built Distributions" (aka manylinux1)
PEP 571 "The manylinux2010 Platform Tag"

Image licensing info

Tree Cat Silhouette Sunset: Public Domain (CC0) @besshamiti
Happy Halloween! (Costume Dog): Public Domain (CC0) @milkyfactory

Report on the Debian Bug Squashing Party

2018-06-30T15:30:00-04:00

Last weekend, six folks (one new contributor and five existing contributors) attended the bug squashing party I hosted in Brooklyn. We got a lot done, and attendees demanded that we hold another one soon!

So when's the next one?

We agreed that we'd like to see the NYC Debian User Group hold two more BSPs in the next year: one in October or November of 2018, and another after the Buster freeze in early 2019, to squash RC bugs. Stay tuned for more details; you may want to join the NYC Debian User Group mailing list.

If you know of an organization that would be willing to sponsor the next NYC BSP (with space, food, and/or dollars), or you're willing to host the next BSP, please reach out.

What did folks work on?

We had a list of bugs we collected on an etherpad, which I have now mirrored to gobby (gobby.debian.org/BSP/2018/06-Brooklyn). Attendees updated the etherpad with their comments and progress. Here's what each of the participants reported.

Elana (me)

I filed bugs against two upstream repos (pomegranate, leiningen) to update dependencies, which are breaking the Debian builds due to the libwagon upgrade.
I uploaded new versions of clojure and clojure1.8 to fix a bug in how alternatives were managed: despite /usr/share/java/clojure.jar being owned by the libclojure${ver}-java binary package, the alternatives group was being managed by the postinst script in the clojure${ver} package, a holdover from when the library was not split from the CLI. Unfortunately, the upgrade is still not passing piuparts in testing, so while I thoroughly tested local upgrades and they seemed to work okay I'm hoping the failures didn't break anyone on upgrade. I'll be taking a look at further refining the preinst script to address the piuparts failure this week.
I fixed the Vcs error on libjava-jdbc-clojure and uploaded new version 0.7.0-2. I also added autopkgtests to the package.
I fixed the Vcs warning on clojure-maven-plugin and uploaded new version 1.7.1-2.
I helped dkg with setting up and running autopkgtests.

Clint

was hateful in #901327 (tigervnc)
uploaded a fix for #902279 (youtube-dl) to DELAYED/3-day
sent a patch for #902318 (monkeysphere)
was less hateful in #899060 (monkeysphere)

Lincoln

Editor's note: Lincoln was a new Debian contributor and made lots of progress! Thanks for joining us—we're thrilled with your contributions 🎉 Here's his report.

Got my environment setup to work on packages again \o/
Played with 901318 for a while but didn't really make progress because it seems to be a long discussion so its bad for a newcomer
Was indeed more successful on the python lands. Opened the following PRs
- Kronuz/pyScss#374
- ionelmc/pytest-benchmark#114
Now working on uploading the patches to python-pyscss & python-pytest-benchmark packages removing the dependency on python-pathlib.

dkg

worked on debugging/diagnosing enigmail in preparation for making it DFSG-free again (see #901556)
got pointers from Lincoln about understanding flow control in asynchronous javascript for debugging the failing autopkgtest suites
got pointers from Elana on emulating ci.debian.net's autopkgtest infrastructure so i have a better chance of replicating the failures seen on that platform

Simon

Moved python-requests-oauthlib to salsa
Updated it to 1.0 (new release), pending a couple final checks.

Geoffrey

Worked with Lincoln on both bugs
Opened #902323 about removing python-pathlib
Working on new pymssql upstream release / restoring it to unstable

By the numbers

All in all, we completed 6 uploads, worked on 8 bugs, filed 3 bugs, submitted 3 patches or pull requests, and closed 2 bugs. Go us! Thanks to everyone for contributing to a very productive effort.

See you all next time.

Looking back on "Teaching Python: The Hard Parts"

2018-06-13T19:00:00-04:00

One of my goals when writing talks is to produce content with a long shelf life. Because I'm one of those weird people that prefers to write new talks for new events, I feel like it'd be a waste of effort if my talks didn't at least age well. So how do things measure up if I look back on one of my oldest?

"Teaching Python: The Hard Parts" remains one of my most popular talks, despite presenting it just one time at PyCon US 2016. For most of the past two years, it held steady as a top 10 talk from PyCon 2016 by popularity on YouTube (although it was recently overtaken by a few hundred views 😳), even when counting it against the keynotes (!), and most of the YouTube comments are shockingly nice (!!).

Well, actually

Not everyone was a fan. Obviously I should have known better than to tell instructors they didn't have to use Python 3:

Did I give bad advice? Was mentiontioning the usability advantage of better library support and documentation SEO with Python 2 worth the irreparable damage I might have done to the community?

Matt's not the only one with a chip on his shoulder: the Python 2 → 3 transition has been contentious, and much ink has been spilled on the topic. A popular author infamously wrote a long screed claiming "PYTHON 3 IS SUCH A FAILURE IT WILL KILL PYTHON". Spoiler alert: Python is still alive, and the author updated his book for Python 3.

I've now spent a few years writing 2/3 compatible code, and am on the cusp of dropping Python 2 entirely. I've felt bad for not weighing in on the topic publicly, because people might have looked to this talk for guidance and wouldn't know my advice has changed over the past two years.

A little history

I wrote this talk based on my experiences teaching Python in the winter and fall of 2014, and presented it in early 2016. Back then, it wasn't clear if Python 3 adoption was going to pick up: Hynek wrote an article about Python 3 adoption a few months before PyCon that contained the ominous subheading "GLOOM". Python 3 only reached a majority mindshare of Python developers in May 2017!

Why? That's a topic long enough to fill a series of blog posts, but briefly: the number of breaking changes introduced in the first few releases in Python 3, coupled with the lack of compelling features to incentivize migration led to slow adoption. Personally, until the Python 3.3 release, I don't think Python 3 had that balance right to really take off. Version 3.3 was released in fall of 2012. Python 3.4 was only released in early 2014, just before I mentored at my first set of workshops!

This is a long-winded way to say, "when I gave this talk, it wasn't clear that telling workshop organizers to teach Python 3 would be good advice, because the ecosystem wasn't there yet."

The brave new world

But this is no longer the case! Python 3 adoption is overtaking Python 2 use, even in the enterprise space. The Python 2 clock keeps on ticking. Latest releases of Python 3 have compelling features to lure users, including strong, native concurrency support, formatted strings, better cross-system path support, and type hints.

This is to say, if I had to pick just one change to make to this talk if I gave it today, I would tell folks

USE PYTHON 3! ✨

Other updates

The documentation for packaging Python is a lot better now. There have been many good talks presented on the subject.
Distributing Python is still hard. There isn't a widely adopted practice for cross-platform management of compiled dependencies yet, although wheels are picking up steam. I'm currently working on the manylinux2010 update to address this problem on Linux systems.

Endorsements

Not to let one YouTube commenter rain on my parade, I am thrilled to say that some people in the community have written some awfully nice things about my talk. Thanks to all for doing so—pulling this together really brightened my day!

Blog Posts

Roxanne Johnson writes, "Elana Hashman’s PyCon talk on Teaching Python: The Hard Parts had me nodding so hard I thought I might actually be headbanging." 😄

Georgia Reh writes, "I am just in love with this talk. Any one who has seen me speak about teaching git knows I try really hard to not overload students with information, and Elana has a very clear idea of what a beginner needs to know when learning python versus what they can learn later." 💖

Tweets

When I presented this talk, I was too shy to attach my twitter handle to my slides, so all these folks tweeted at me by name. Wow!

Elana Hashman's talk on teaching programming has a lot of practical take-aways! @pycon #pycon2016
— Susan Tan (@ArcTanSusan) June 1, 2016

Learned a bunch from this video: Elana Hashman - Teaching Python: The Hard Parts - PyCon 2016 :: https://t.co/IVeaq0XugJ
— Mita Williams (@copystar) June 2, 2016

Muy buenos consejos en la presentación de Elana Hashman - Teaching Python: The Hard Parts - #PyCon2016 https://t.co/5dhNX5KO8y
— José Carlos García (@quobit) June 11, 2016

Elana cool talk! Explaining scope: maybe use analogy of person having same name as a celebrity @pycon #pycon2016 https://t.co/LAoGbY4uGO
— robin chauhan (@robinc) July 17, 2016

If you're about to teach a hands-on #Python workshop/tutorial/class, go watch Elana Hashman's #pycon2016 talk 🎓🐍💖https://t.co/xVJ6YBKFtV
— ✨ Trey Hunner 🐍 (@treyhunner) November 11, 2016

Other

My talk was included in the "Awesome Python in Education" list. How cool 😎

Declaring a small victory

Writing this post has convinced me that "Teaching Python: The Hard Parts" meets some arbitrary criteria for "sufficiently forward-thinking." Much of the content still strikes me as fresh: as an occasional mentor for various technical workshops, I still keep running into trouble with platform diversity, the command line, and packaging; the "general advice" section is evergreen for Python and non-Python workshops alike. So with all that said, here's hoping that looking back on this talk will keep it alive. Give it a watch if you haven't seen it before!

If you like what you see and you're interested in checking out my speaking portfolio or would like to invite me to speak at your conference or event, do check out my talks page.

I'm hosting a small Debian BSP in Brooklyn

2018-06-02T15:20:00-04:00

The time has come for NYC Debian folks to gather. I've bravely volunteered to host a local bug squashing party (or BSP) in late June.

Details

Venue: 61 Local: 61 Bergen St., Brooklyn, NY, USA
More about the venue: website, good vegetarian options available
Date: Sunday, June 24, 2018
Start: 3pm
End: 8pm or so
RSVP: Please RSVP! Click here

I'm an existing contributor, what should I work on?

The focus of this BSP is to give existing contributors some dedicated time to work on their projects. I don't have a specific outcome in mind. I do not plan on tagging bugs specifically for the BSP, but that shouldn't stop you from doing so if you want to.

Personally, I am going to spend some time on fixing the alternatives logic in the clojure and clojure1.8 packages.

If you don't really have a project you want to work on, but you're interested in helping mentor new contributors that show up, please get in touch.

I'm a new contributor and want to join but I have no idea what I'm doing!

At some point, that was all of us!

Even though this BSP is aimed at existing contributors, you are welcome to attend! We'll have a dedicated mentor available to coordinate and help out new contributors.

If you've never contributed to Debian before, I recommend you check out "How can you help Debian?" and the beginner's HOWTO for BSPs in advance of the BSP. I also wrote a tutorial and blog post on packaging that might help. Remember, you don't have to code or build packages to make valuable contributions!

See you there!

Happy hacking.

A tale of three Debian build tools

2018-04-03T00:00:00-04:00

Many people have asked me about my Debian workflow. Which is funny, because it's hard to believe that when you use three different build tools that you're doing it right, but I have figured out a process that works for me. I use git-buildpackage (gbp), sbuild, and pbuilder, each for different purposes. Let me describe why and how I use each, and the possible downsides of each tool.

Note: This blog post is aimed at people already familiar with Debian packaging, particularly using Vcs-Git. If you'd like to learn more about the basics of Debian packaging, I recommend you check out my Clojure Packaging Tutorial and my talk about packaging Leiningen.

`git-buildpackage`: the workhorse

I use git-buildpackage (aka gbp) to do the majority of my package builds. Because it runs by default without any special sandboxing from your base system, gbp builds things fast—much faster than other build tools—and as such, it's a great tool if you are iterating quickly to work bugs out of a build.

I usually invoke gbp like this:

gbp buildpackage -uc -us

The flags ensure that 1) we don't sign the .changes file generated (-uc) 2) we don't sign the .dsc file (-us), since typically I only want to sign build artifacts right before upload.

Other handy flags include

--git-ignore-new, which proceeds with a build even when you have an unclean working tree
--git-ignore-branch, to build when you've checked out a branch that's not master
--git-pristine-tar, to automatically check out and build with the corresponding pristine tar checked into the repository

Typically, if I use gbp to build binary packages, I will only do so in the confines of an updated, minimal sid LXC container, in order to reduce the risk of contaminating my build with stuff that's not available in a clean build environment.

gbp tastes great with sadt, a script in devscripts that runs your package's autopkgtests directly on your base system without root. You will need to install your test package and any dependencies before you can run sadt, but it requires much less setup and infrastructure than autopkgtest does.

***

So while gbp is awesome for the majority of my development workflow, I don't rely on the output of gbp when I want to upload a package, however clean I think my build LXC is. For uploads, I still use gbp, but exclusively to perform source-only (-S) builds:

gbp buildpackage -S -uc -us

Sometimes I may also need to pass the -d flag when building source packages to ignore installed build dependencies. By default, gbp won't proceed with a build when build dependencies are not installed, but when a said dependency is only needed for building the binary (and not the source) package, we can safely override this check.

Typically, when I'm uploading an update to a package, I'll just build the source package with gbp as above, sign the .changes and .dsc files, and complete a source-only upload so the buildds can handle all the build details.

`sbuild`: the gating build

"But wait!" you undoubtedly object. "How do you know your source package isn't full of garbage?!" That's a great question, because... I don't. So it behooves me to test it. And since the buildds use sbuild, why not use that for my own QA?

Setting up sbuild is a giant pain. You need a machine you have root access on, which wasn't the case for git-buildpackage.

To use sbuild without sudo, you'll need to add your user to the sbuild group:

sudo sbuild-adduser myusername

And create a schroot for builds:

sudo sbuild-createchroot unstable /srv/chroot/unstable-amd64-sbuild http://deb.debian.org/debian

If you ever need to update your sbuild schroot (you will), you can run:

sudo sbuild-update -udcar unstable-amd64-sbuild

I remember these flags by pronouncing them as one word, "ud-car", which sounds absurd and is hence memorable. I can never remember the name of my schroot, but I can look that up by running ls /srv/chroot.

Okay, time to build. Once we have our source package from gbp, we should have a .dsc file to pass to sbuild. We can build like so:

sbuild mypackage_1.0-1.dsc -d unstable -A --run-autopkgtest

We specify the target distribution with -d unstable, and -A ensures that our "arch: all" package will actually build (not necessary if your package targets specific architectures). To run the autopkgtests after a successful build, we pass --run-autopkgtest.

I don't like typing very much so I stick all these parameters in an .sbuildrc in my home directory. You can reference or copy the one in /usr/share/doc/sbuild/examples/example.sbuildrc because it's a Perl script that ends in 1;.

I add

$distribution = 'unstable';
$build_arch_all = 1;

# Optionally enable running autopkgtests
# $run_autopkgtest = 1;

so I don't have to type these in all the time. I don't enable autopkgtests by default because they prompt for a sudo password midway through the build (but perhaps that won't bother you, so feel free to uncomment those lines). Once we have our ~/.sbuildrc created, then we can just run

sbuild mypackage_1.0-1.dsc

Much better!

After my package successfully builds and tests, I take a quick look at the changes, build environment, and package contents. sbuild automatically prints these out, which is very convenient. If everything looks okay, I will sign the source package with debsign and upload it with dput (from dput-ng).

`pbuilder`: I need to upload binaries!

One irritation I have with sbuild is I can never figure out the right flags to get the right build artifacts to do a binary upload. Its defaults are too minimal for sending to NEW without some additional fancy incantations (it doesn't include the package tarball, only the buildinfo and produced .deb), and I have a hard enough time remembering the flags that I listed above. Remember, this is what the manpage for sbuild looks like:

MANPAGE OF THE DAY: sbuild https://t.co/e7nwB5PUUZ

...this was a little traumatizing tbh pic.twitter.com/zSSEbe4ROH
— e. hashman (@ehashdn) December 24, 2017

So when I have to upload a NEW package, I usually use pbuilder.

There are two ways to invoke pbuilder. The first is the easiest, but "not recommended" for uploads by the manpage: simply navigate to the root of the repository you want to build and run pdebuild.

pdebuild

Wow, that's the simplest thing we've run yet! Why don't we run it all the time?! Well, because of the way pbuilder sets up its filesystem, it can be slower than sbuild, so I've moved it out of my development workflow. It also requires my sudo password, and as I mentioned earlier, I don't particularly like having to enter that mid-build.

The second way I usually apply when I need to upload a build: invoking pbuilder directly. Like with sbuild, we need to provide it a .dsc, so we should build a source package first. However, pbuilder is smarter than sbuild and doesn't need me to give it architectures and target distros and whatnot, so there is significantly less headache if I haven't tweaked a personal configuration. With pbuilder, I can run

sudo pbuilder build mypackage_1.0-1.dsc

and I get a package!

One of the annoying things about pbuilder is that it doesn't output files in my current build directory. Instead, by default, it places build artifacts inside /var/cache/pbuilder/result. So I always have to remember to copy things out of there before I upload.

Also, pbuilder doesn't print out some build information that I should check over before uploading, so I have to do that manually with dpkg:

# Print out package information, including dependencies
dpkg -I libmypackage_1.0-1_all.deb

# List all contents of the package
dpkg -c libmypackage_1.0-1_all.deb

Now I can go ahead and sign my built .changes file and perform an upload!

In summary

Here are what I'd say the pros and cons of each of these three build tools I run are.

`git-buildpackage`

Pros:

Super speedy (gotta go fast)
Uses version control
No rootz

Cons:

Way too much typing
Constantly have to run d/rules clean or pass --git-ignore-new
Can't produce production build artifacts

`sbuild`

Pros:

Supposedly "fast"
Prints helpful information once the build is complete
Runs autopkgtests with no marginal effort
Only needs root like every third time I run it
Conforms with the buildds

Cons:

Setup is way too complicated
Manpage is terrifying
Doesn't actually give me the build artifacts I want

`pbuilder`

Pros:

The least typing!!!
Gets me all the build artifacts I want
Not the reason I get rejected by FTP Master

Cons:

Slow
Sticks build artifacts into /var/run/wheretheheck
People will yell at you for not using sbuild

cowbuilder, qemubuilder, whalebuilder, mylittlepersonalbuilder, etc.

Pros:

I don't use these.

Cons:

I don't use these.

Hope you enjoyed the tour. Happy building!

References

git-buildpackage homepage
sadt manpage
autopkgtest homepage
sbuild wiki page
debsign manpage
dput manpage
pbuilder homepage
dpkg manpage

ClojureSYNC Talk Resources

2018-03-17T00:00:00-04:00

At the inaugural ClojureSYNC in 2018, I gave a talk called "apt-get install leiningen: Bootstrapping the Clojure Ecosystem for Debian". This was the culmination of the year of work I put into packaging Leiningen 2.x and other Clojure software for Debian.

It was incredibly exciting to present there, and Eric ran a fabulous conference! I wish more tech conferences would send me to New Orleans.

`apt-get install leiningen`: Bootstrapping the Clojure Ecosystem for Debian

Follow-up readings

How web bloat affects people with slow connections, by Dan Luu
The Ethics of Unpaid Labor and the OSS Community, by Ashe Dryden
Debian Social Contract
Debian Free Software Guidelines
Debian Dunc-Tank Controversy via LWN

Image licensing info

"There's no NEW queue for talk slides." – lamby, Debian Project Leader

Debian logo, copyright 1999 Software in the Public Interest, Inc. used under the Attribution-ShareAlike 3.0 Unported License.
Images on "The '90s" and "Walnut Creek GIFs Galore CDROM" slides were obtained from The Internet Archive and included under their Terms of Use. It is believed the inclusion of these images, for illustration of the history of computing and file distribution, constitutes fair use under US copyright law.
Dynamic Duo: the Gnu and the Penguin in flight in colour, used under the GNU Free Documentation License, v1.3.
Yggdrasil Computing Plug and Play Linux was obtained from Wikipedia. It is believed the inclusion of this image, for illustration of the history of early Linux distributions, constitutes fair use under US copyright law.
Debian family tree, authors Andreas Lundqvist, Donjan Rodic, modified by Michaeldsuarez, used under the GNU Free Documentation License, v1.3.

Stop streaming music from YouTube with this one weird trick

2018-03-07T00:00:00-05:00

Having grown up on the internet long before the average connection speed made music streaming services viable, streaming has always struck me as wasteful. And I know that doesn't make much sense—it's not like there's a limited amount of bandwidth to go around! But if I'm going to listen to the same audio file five times, why not just download it once and listen to it forever? Particularly if I want to listen to it while airborne and avoid the horrors of plane wifi. Or if I want to remove NSFW graphics that seem to frequently accompany mixes I enjoy.

`youtube-dl` to the rescue

Luckily, at least as far as YouTube audio is concerned, there is plenty of free software available to help with this! I like to fetch and process music from YouTube using youtube-dl and ffmpeg. Both are packaged and available in Debian if you like to apt install things:

Saving audio files from YouTube

Well, let's suppose you want to download some eurobeat. youtube-dl can help. The -x flag tells youtube-dl to skip downloading video and to only fetch audio.

$ youtube-dl -x https://www.youtube.com/watch?v=8B4guKLlbVU
[youtube] 8B4guKLlbVU: Downloading webpage
[youtube] 8B4guKLlbVU: Downloading video info webpage
[youtube] 8B4guKLlbVU: Extracting video information
[youtube] 8B4guKLlbVU: Downloading js player vflGUPF-i
[download] Destination: SUPER EUROBEAT MIX-8B4guKLlbVU.webm
[download] 100% of 60.68MiB in 20:57
Deleting original file SUPER EUROBEAT MIX-8B4guKLlbVU.webm (pass -k to keep)

YouTube sometimes throttles connections to approximate real-time buffer rates, so the download could take a while. If you need to interrupt the download for some reason, you can use SIGINT (Ctrl+C) to stop it. If you run youtube-dl again, it's smart enough to resume the download where you left off.

Once the download is complete, there's not much more to do. It will be saved with the appropriate file extension so you can determine what audio codec it uses. You might want to rename the file:

$ mv SUPER\ EUROBEAT\ MIX-8B4guKLlbVU.ogg super_eurobeat_mix.ogg

Now we can enjoy many plays of our super_eurobeat_mix.ogg file! 🚗🎶

Re-encoding audio to another format

Suppose that I have a really old MP3 player I'd like to put this file on, and it doesn't support the OGG Vorbis format. That's not a problem; we can use ffmpeg to re-encode the audio.

The -i flag to ffmpeg specifies an input file. -acodec mp3 says that we want to use the mp3 codec to re-encode our audio. The last positional argument, super_eurobeat_mix.mp3, is the name of the file we want to output.

$ ffmpeg -i super_eurobeat_mix.ogg -acodec mp3 super_eurobeat_mix.mp3
ffmpeg version 3.4.2-1+b1 Copyright (c) 2000-2018 the FFmpeg developers
  built with gcc 7 (Debian 7.3.0-4)
  configuration: --prefix=/usr --extra-version=1+b1 --toolchain=hardened
 --libdir=/usr/lib/x86_64-linux-gnu --incdir=/usr/include/x86_64-linux-gnu
 --enable-gpl --disable-stripping --enable-avresample --enable-avisynth
 --enable-gnutls --enable-ladspa --enable-libass --enable-libbluray
 --enable-libbs2b --enable-libcaca --enable-libcdio --enable-libflite
 --enable-libfontconfig --enable-libfreetype --enable-libfribidi --enable-libgme
 --enable-libgsm --enable-libmp3lame --enable-libmysofa --enable-libopenjpeg
 --enable-libopenmpt --enable-libopus --enable-libpulse --enable-librubberband
 --enable-librsvg --enable-libshine --enable-libsnappy --enable-libsoxr
 --enable-libspeex --enable-libssh --enable-libtheora --enable-libtwolame
 --enable-libvorbis --enable-libvpx --enable-libwavpack --enable-libwebp
 --enable-libx265 --enable-libxml2 --enable-libxvid --enable-libzmq
 --enable-libzvbi --enable-omx --enable-openal --enable-opengl --enable-sdl2
 --enable-libdc1394 --enable-libdrm --enable-libiec61883 --enable-chromaprint
 --enable-frei0r --enable-libopencv --enable-libx264 --enable-shared
  libavutil      55. 78.100 / 55. 78.100
  libavcodec     57.107.100 / 57.107.100
  libavformat    57. 83.100 / 57. 83.100
  libavdevice    57. 10.100 / 57. 10.100
  libavfilter     6.107.100 /  6.107.100
  libavresample   3.  7.  0 /  3.  7.  0
  libswscale      4.  8.100 /  4.  8.100
  libswresample   2.  9.100 /  2.  9.100
  libpostproc    54.  7.100 / 54.  7.100
Input #0, ogg, from 'super_eurobeat_mix.ogg':
  Duration: 01:06:35.57, start: 0.000000, bitrate: 124 kb/s
    Stream #0:0(eng): Audio: vorbis, 44100 Hz, stereo, fltp, 128 kb/s
    Metadata:
      LANGUAGE        : eng
      ENCODER         : Lavf57.83.100
Stream mapping:
  Stream #0:0 -> #0:0 (vorbis (native) -> mp3 (libmp3lame))
Press [q] to stop, [?] for help
Output #0, mp3, to 'super_eurobeat_mix.mp3':
  Metadata:
    TSSE            : Lavf57.83.100
    Stream #0:0(eng): Audio: mp3 (libmp3lame), 44100 Hz, stereo, fltp
    Metadata:
      LANGUAGE        : eng
      encoder         : Lavc57.107.100 libmp3lame
size=   62432kB time=01:06:35.58 bitrate= 128.0kbits/s speed=22.4x    
video:0kB audio:62431kB subtitle:0kB other streams:0kB global headers:0kB
muxing overhead: 0.000396%

Voila! We now have a super_eurobeat_mix.mp3 file we can copy to our janky old MP3 player.

Extracting audio from an existing video file

Sometimes I accidentally forget to pass the -x flag to youtube-dl, and get a video file instead of an audio track. Oops.

But that's okay! Extracting the audio track from the video file with ffmpeg is just a couple of commands away.

First, we should determine the encoding of the audio track. The combined video file is a .webm file, but we can peek inside using ffmpeg.

$ ffmpeg -i SUPER\ EUROBEAT\ MIX-8B4guKLlbVU.webm 
ffmpeg version 3.4.2-1+b1 Copyright (c) 2000-2018 the FFmpeg developers
  built with gcc 7 (Debian 7.3.0-4)
  configuration: --prefix=/usr --extra-version=1+b1 --toolchain=hardened
 --libdir=/usr/lib/x86_64-linux-gnu --incdir=/usr/include/x86_64-linux-gnu
 --enable-gpl --disable-stripping --enable-avresample --enable-avisynth
 --enable-gnutls --enable-ladspa --enable-libass --enable-libbluray
 --enable-libbs2b --enable-libcaca --enable-libcdio --enable-libflite
 --enable-libfontconfig --enable-libfreetype --enable-libfribidi --enable-libgme
 --enable-libgsm --enable-libmp3lame --enable-libmysofa --enable-libopenjpeg
 --enable-libopenmpt --enable-libopus --enable-libpulse --enable-librubberband
 --enable-librsvg --enable-libshine --enable-libsnappy --enable-libsoxr
 --enable-libspeex --enable-libssh --enable-libtheora --enable-libtwolame
 --enable-libvorbis --enable-libvpx --enable-libwavpack --enable-libwebp
 --enable-libx265 --enable-libxml2 --enable-libxvid --enable-libzmq
 --enable-libzvbi --enable-omx --enable-openal --enable-opengl --enable-sdl2
 --enable-libdc1394 --enable-libdrm --enable-libiec61883 --enable-chromaprint
 --enable-frei0r --enable-libopencv --enable-libx264 --enable-shared
  libavutil      55. 78.100 / 55. 78.100
  libavcodec     57.107.100 / 57.107.100
  libavformat    57. 83.100 / 57. 83.100
  libavdevice    57. 10.100 / 57. 10.100
  libavfilter     6.107.100 /  6.107.100
  libavresample   3.  7.  0 /  3.  7.  0
  libswscale      4.  8.100 /  4.  8.100
  libswresample   2.  9.100 /  2.  9.100
  libpostproc    54.  7.100 / 54.  7.100
Input #0, matroska,webm, from 'SUPER EUROBEAT MIX-8B4guKLlbVU.webm':
  Metadata:
    ENCODER         : Lavf57.83.100
  Duration: 01:06:35.57, start: 0.000000, bitrate: 490 kb/s
    Stream #0:0(eng): Video: vp9 (Profile 0), yuv420p(tv,
bt709/unknown/unknown), 1920x1080, SAR 1:1 DAR 16:9, 29.97 fps, 29.97 tbr, 1k
tbn, 1k tbc (default)
    Metadata:
      DURATION        : 01:06:35.558000000
    Stream #0:1(eng): Audio: vorbis, 44100 Hz, stereo, fltp (default)
    Metadata:
      DURATION        : 01:06:35.572000000
At least one output file must be specified

The important line is here:

Stream #0:1(eng): Audio: vorbis, 44100 Hz, stereo, fltp (default)

The audio uses the "vorbis" codec. Hence, we should probably use the .ogg extension for our output file, to ensure we specify a compatible audio container format. If it were mp3-encoded, we'd use .mp3, and so on.

Let's extract the audio track from our video file. We need a couple new flags for ffmpeg. The first is -vn, which tells ffmpeg to not include a video track. The second is -acodec copy, which says we want to copy the existing audio track, rather than re-encode it.

$ ffmpeg -i SUPER\ EUROBEAT\ MIX-8B4guKLlbVU.webm -vn -acodec copy super_eurobeat_mix.ogg
ffmpeg version 3.4.2-1+b1 Copyright (c) 2000-2018 the FFmpeg developers
  built with gcc 7 (Debian 7.3.0-4)
  configuration: --prefix=/usr --extra-version=1+b1 --toolchain=hardened
 --libdir=/usr/lib/x86_64-linux-gnu --incdir=/usr/include/x86_64-linux-gnu
 --enable-gpl --disable-stripping --enable-avresample --enable-avisynth
 --enable-gnutls --enable-ladspa --enable-libass --enable-libbluray
 --enable-libbs2b --enable-libcaca --enable-libcdio --enable-libflite
 --enable-libfontconfig --enable-libfreetype --enable-libfribidi --enable-libgme
 --enable-libgsm --enable-libmp3lame --enable-libmysofa --enable-libopenjpeg
 --enable-libopenmpt --enable-libopus --enable-libpulse --enable-librubberband
 --enable-librsvg --enable-libshine --enable-libsnappy --enable-libsoxr
 --enable-libspeex --enable-libssh --enable-libtheora --enable-libtwolame
 --enable-libvorbis --enable-libvpx --enable-libwavpack --enable-libwebp
 --enable-libx265 --enable-libxml2 --enable-libxvid --enable-libzmq
 --enable-libzvbi --enable-omx --enable-openal --enable-opengl --enable-sdl2
 --enable-libdc1394 --enable-libdrm --enable-libiec61883 --enable-chromaprint
 --enable-frei0r --enable-libopencv --enable-libx264 --enable-shared
  libavutil      55. 78.100 / 55. 78.100
  libavcodec     57.107.100 / 57.107.100
  libavformat    57. 83.100 / 57. 83.100
  libavdevice    57. 10.100 / 57. 10.100
  libavfilter     6.107.100 /  6.107.100
  libavresample   3.  7.  0 /  3.  7.  0
  libswscale      4.  8.100 /  4.  8.100
  libswresample   2.  9.100 /  2.  9.100
  libpostproc    54.  7.100 / 54.  7.100
Input #0, matroska,webm, from 'SUPER EUROBEAT MIX-8B4guKLlbVU.webm':
  Metadata:
    ENCODER         : Lavf57.83.100
  Duration: 01:06:35.57, start: 0.000000, bitrate: 490 kb/s
    Stream #0:0(eng): Video: vp9 (Profile 0), yuv420p(tv,
bt709/unknown/unknown), 1920x1080, SAR 1:1 DAR 16:9, 29.97 fps, 29.97 tbr, 1k
tbn, 1k tbc (default)
    Metadata:
      DURATION        : 01:06:35.558000000
    Stream #0:1(eng): Audio: vorbis, 44100 Hz, stereo, fltp (default)
    Metadata:
      DURATION        : 01:06:35.572000000
Output #0, ogg, to 'super_eurobeat_mix.ogg':
  Metadata:
    encoder         : Lavf57.83.100
    Stream #0:0(eng): Audio: vorbis, 44100 Hz, stereo, fltp (default)
    Metadata:
      DURATION        : 01:06:35.572000000
      encoder         : Lavf57.83.100
Stream mapping:
  Stream #0:1 -> #0:0 (copy)
Press [q] to stop, [?] for help
size=   60863kB time=01:06:35.54 bitrate= 124.8kbits/s speed=1.03e+03x    
video:0kB audio:60330kB subtitle:0kB other streams:0kB global headers:4kB
muxing overhead: 0.884396%

We've successfully extracted super_eurobeat_mix.ogg from our video file! Go us!

Happy listening, and drive safely while you eurobeat. 🎵

Brooklyn.js' Fourth Birthday! November 2017

2017-11-16T00:00:00-05:00

This year, after being saddened about the state of the Javascript ecosystem in Debian, I decided to propose a talk to Brooklyn.js to help raise awareness of some of the problems and solutions, and encourage people to volunteer.

First, @ehashdn is teaching us about the wonders of Debian & answering some questions about the peculiarities of node & JavaScript in it 🐧🌀 pic.twitter.com/M9KTmxW3aT
— BrooklynJS (@brooklyn_js) November 17, 2017

"Why can't we just use /usr/bin/node?!" An introduction to Javascript in Debian

Image licensing info

"There's no NEW queue for talk slides." – lamby, Debian Project Leader

Debian logo, copyright 1999 Software in the Public Interest, Inc. used under the Attribution-ShareAlike 3.0 Unported License.
The image of Tux is attributed to Larry Ewing and The GIMP.
Debian family tree, authors Andreas Lundqvist, Donjan Rodic, modified by Michaeldsuarez, used under the GNU Free Documentation License, v1.3.

Fun Facts About Email

2017-10-23T00:00:00-04:00

About a month ago, I put together a "1 like = 1 bad fact about email" thread on Twitter. This got pretty popular and I'm too lazy to turn it into a real blog post, so here's a link to the thread:

Okay let's do this

1 like = 1 bad fact about email
— e. hashman (@ehashdn) September 20, 2017

AnsibleFest 2017 Talk Resources

2017-09-07T00:00:00-04:00

At AnsibleFest 2017, I gave a talk called "Infrastructure Testing with Molecule". I also presented this talk at our annual Rackspace tech conference, RAX.IO 2017. Here's some links and resources related to my talk, for your reference.

.@ehashdn just pulled off a live demo of Molecule complete w/ writing expected cowsay output and got it right on the first try. #AnsibleFest pic.twitter.com/2GFftwei6Y
— Lisa Danz (@LisaDanz) September , 2017

Infrastructure Testing with Molecule

Talk video
Talk slides (pdf download)
Live demo code
Official Molecule documentation, version 1.25.0
Official Ansible documentation on testing
ansible-test by Nylas
Test Kitchen documentation
Testing Windows Ansible Roles with Test Kitchen, by Matthew Hodgkins

Protect Yo'Self! Jan. 2017 Encryption Workshop Resources

2017-01-28T00:00:00-05:00

Saron Yitbarek of CodeNewbie hosted a friendly cryptoparty for beginners called "Protect Yo'Self! A day of workshops on security and online privacy" that I was thrilled to be able to lead a workshop at. I wrote a lecture, activities, and curriculum for a section on encryption, which I led four times in a row from noon to 4PM. Phew!

Candid shot of my lecture, with messaging and network diagrams

An Encryption Workshop for Beginners

If there's enough popular demand, I may work to turn my lecture notes into a series of blog posts.

Brooklyn.js' Third Birthday! November 2016

2016-11-17T00:00:00-05:00

Brian of Brooklyn.js had been bugging me to submit this talk ever since I gave a rather weak pitch for it in May? of 2016. Eventually, I got around to writing up a proposal and was accepted for the momentous third birthday of Brooklyn.js! No one warned me that Brendan Eich would be in attendance...

Audience member's photo of a fun QSL card slide

AMATEUR RADIO: or, the original world wide indie web

Eventually, I will upload the slides and my notes (since the slides are all pictures and mostly meaningless without context). For now, enjoy the yam.

UWaterloo Steam Tunnels

2016-10-29T00:00:00-04:00

A couple years ago I took my camera down with me for a tour of the UWaterloo steam tunnels.

The only photos I've ever been able to find online are Matt Wandel's, but they long predate DSLR technology. While things haven't changed much since the 1990s, I wondered if people wouldn't appreciate a fresh perspective.

I am both an amateur photographer and a weird free software zealot who doesn't understand how to use a Mac or proprietary software in general, so these were all processed using software called darktable, an Adobe Lightroom clone.

I assert my copyright on all these photos, but I'm pleased to distribute them in unwatermarked format for the viewer's enjoyment. If you'd like to request copies of the higher resolution originals for some reason, please get in touch.

Open Source Bridge 2016 Talk Resources

2016-06-21T00:00:00-04:00

At Open Source Bridge 2016, I gave a talk called Bringing OOP Best Practices to the World of Functional Programming. Then I gave a modified version of this talk for the University of Waterloo Computer Science Club and for the Lambda Ladies DC chapter. Here's some links and resources related to my talk, for your reference.

Candid shot of my presentation at Open Source Bridge 2016

Bringing OOP Best Practices to the World of Functional Programming

"Meta" UML diagram, Adapter Pattern UML Diagram, Strategy Pattern UML diagram are all public domain images.

The following images were used under the Attribution-ShareAlike 3.0 Unported License:

UML diagram of composition over inheritance by Sae1962
Template Method: UML Class Diagram by Giacomo Ritucci
Facade Design Pattern in UML by Fuhrmanator

PyCon 2016 Talk Resources

2016-05-29T00:00:00-04:00

At PyCon 2016, I gave a talk called Teaching Python: The Hard Parts. Here's some links and resources related to my talk, for your reference.

Teaching Python: The Hard Parts

CDSW Photo in talk slides is by Benjamin Mako Hill and is used under the Attribution-Share Alike 3.0 Unported License.

"Questions?" kitten photo in talk slides is by latch.r and is used under the Attribution-ShareAlike 2.0 Generic License.

What is a speech without an audience?

2015-06-12T00:00:00-04:00

Having now officially convocated, I feel comfortable posting what I wrote for my valedictory nomination. I was not selected for the honour, but sometimes I like to indulge in a bit of ahistorical fantasy. What would today have been like if I had delivered some polished version of this piece?

Valedictory Address, Mathematics Class of 2015, First Draft

Mr. Chancellor, members of convocation, fellow graduates, and ladies and gentlemen... I must say I am ecstatic to be here, as this means I have seen my last contour integral, if I have any say in the matter.

I have the honour to stand before you today and reflect on your future. It is so energizing to welcome the threshold of your new and exciting life.

The University of Waterloo, is, of course, famous for "the spirit of 'Why not?'" We are the most innovative university in Canada, for God knows how many years in a row now. I suppose it wouldn't be particularly welcome to innovate on that trend, so I expect you graduates to keep up the good work. Now, don't worry; if you didn't live at Velocity for the past five years, I intend to give you a primer right now to ensure the long life of our fine reputation here at the University of Waterloo.

Let's begin with a brief discussion of the properties of the Riemann zeta function, despite your voiced objections—now, I hope you're all familiar with this beautiful enigma, and it does spark some interesting conversations. For instance, earlier in the term I was speaking with a post-doctorate student who was telling me that his calculus students were thoroughly convinced that the sum of all the positive integers is -1/12! Now, I'm not sure what branch of analysis you subscribe to, but surely you must agree that the sum of all positive integers diverges. I can see some of your heads spinning already... no matter, the flashback to first year calculus will end shortly. So this postdoc was telling me his students had told him that their physics professor had taught them this result, and if you're not familiar, an analytic continuation of the zeta function at the point -1 gives us this curious answer of -1/12. Beautiful result from complex analysis. This is useful in making string theory and quantum electrodynamics work, among other things.

So you tell me: which is it? Infinity or -1/12? [pause] I expected a good representation of the two answers: both are correct. We know that the zeta function evaluated at -1 gives us -1/12, but of course, we also know that the implication—that the sum of all positive integers converges, let alone to a negative number—is absurd. One of them must be wrong! Yet there is deep theory that we can use consistently to justify either answer. I can imagine those frosh thinking, "I didn't sign up for this!" Maybe you recall a similar experience.

One thing I've noticed in the time I've spent here is that many of us are attracted to mathematics for its elegance, its logic, its consistency. Sometimes—and perhaps I romanticize a bit—but sometimes I feel as though in mathematics lies the key to truth. And, then Dr. Kurt Gödel comes along, in strict postmodernist style, and softly explains that it is not possible for our mathematics to be consistent and complete. It seems that the further we advance in our studies of the field, the less certain we can be about any truth. We say that Choice is obvious, but then Banach-Tarski devours my enthusiasm. Sometimes it feels as though my refuge is a sanatorium.

You've spent four or five years now collecting knowledge, learning to think critically, perfecting your procrastination techniques, cooking on a shoestring budget, and kicking yourself over and over again for that STAT midterm. For the most part, change in our lives has been gradual, but every so often—and this is something I just adore about mathematics—there's this burst of inspiration, an epiphany, and the answer just clicks into place. Or sometimes, you see things so clearly that everything unravels and you realize that you can't tie the loose threads back together. Change is frightening.

These are moments in which danger lies: we may come tantalizingly close to the threshold of understanding, but then, out of fear and uncertainty, we back away. We lure ourselves into false comfort that mathematics is logical and complete and it holds all the answers: and then it strikes us back with emptiness and paradox. But this is not confined to math: when I see students on this campus faced with issues like discrimination and the challenges of mental health, too often do I see my peers justify injustice by arguing it must have been deserved. Too often do I watch "The Meritocracy" of STEM held up as tautological evidence of its own superiority, while simultaneously watching these pundits tear down another classmate's circular proof. How do you explain this contradiction?

My fellow graduates, I promised you a primer on how to innovate, how to enact change. And so I take this these few, precious minutes to focus on this simple, uncomfortable concept. Because as we all know, a mathematics degree alone is neither necessary nor sufficient for success, but we stand here together to tell the world that it matters, that we can think, that we can solve problems. I know you can solve problems. So let us tackle the hard ones. Let us embrace the cognitive dissonance.

For the last five years of my life, I have experienced contradiction after contradiction that struck me with discomfort, tore my eyes open, spurned me to change, spurned me to action. They tell me that Waterloo students are some of the most apathetic in the country, but when I watch you persist in your studies I know this cannot be further from the truth. You have the fundamentals mastered, but I suggest you consider cross-training. I challenge you: let us embrace the contradiction inherent in the pursuit of any complete and consistent system. The world is waiting for you, and someone is going to ask you to choose between infinity and -1/12. And I hope you pick one, and I hope you justify it to the fullest of your ability, and I hope that you hold in your heart that you are still wrong, and embrace it.

Thank you.

hashman.ca

A beginner's guide to improving your digital security

What can I do to improve my security right away?

Low effort (<15 minutes)

Upgrade your software to the latest versions

Use Signal

Set passwords and turn on device encryption

Install an ad blocker

Enable HTTPS-Only Mode

Medium to high effort (1+ hours)

Set up a password manager

Set up two-factor authentication (2FA) for your accounts

Remove your information from data brokers

"Recommended security measures" I think beginners should avoid

"Secure email"

PGP/GPG Encryption

Installing a "secure" operating system (OS) on your phone

Virtual Private Network (VPN) Services

Tor

I want to learn more!

I am very sick

I'm hosting a Bug Scrub for Kubernetes SIG Node

Details

I'm an existing contributor, what should I work on?

I'm a new contributor and want to join but I have no idea what I'm doing!

See you there!

Easy risotto

Mushroom risotto

Variations

Three talks at DebConf 2020

A panel a day keeps the FTP Team away?

My term at the Open Source Initiative thus far

Growing the OSI's membership

Defending the Open Source Definition

Chopping wood and carrying water

Defining the future of open source

Presenter mode in LibreOffice Impress without an external display

Virtual displays with xrandr

Well, actually...

Beef and broccoli

🥩 and 🥦

But I am a vegetarian???

Repack Zoom .debs to remove the `ibus` dependency

But wait, what version even is my package?

Chili

Beef Chili

Frequently Asked Questions

KubeCon NA 2019 Talk Resources

Weighing a Cloud: Measuring Your Kubernetes Clusters

Related readings

My favourite bash alias for git

Using GitHub's git references for pull requests

Using pull request references for CI

Writing the pull alias

Changeset references on other git platforms

GitLab

BitBucket

Gitea

Saved you a click?

How to grant (Tom Marble) Debian Maintainer access

The commands

References

PyCon 2019 Talk Resources

The Black Magic of Python Wheels

Follow-up readings

All the PEPs referenced in the talk

Image licensing info

I'm stepping down as maintainer of auditwheel

But why?

SREcon19 Americas Talk Resources

Operating within Normal Parameters: Monitoring Kubernetes

Additional Prometheus metrics sources

Related readings

I'm running for the Open Source Initiative Board of Directors

Why am I running?

Why vote for me?

This sounds great, sign me up!

get that (multigrain) bread 🍞

Whole wheat: the final frontier

My most successful multigrain loaf yet

Virtual displays with `xrandr`

Writing the `pull` alias

`git-buildpackage`: the workhorse

`sbuild`: the gating build

`pbuilder`: I need to upload binaries!

`git-buildpackage`

`sbuild`

`pbuilder`

`apt-get install leiningen`: Bootstrapping the Clojure Ecosystem for Debian

`youtube-dl` to the rescue