almet/blog.notmyidea.org
1
0
Fork 0
mirror of https://github.com/almet/notmyidea.git synced 2025-04-28 11:32:39 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

update

Browse source
This commit is contained in:
Alexis Métaireau 2025-01-15 15:56:09 +01:00
parent 9979ee9003
commit 63461206d7
No known key found for this signature in database
GPG key ID: 1C21B876828E5FF2
23 changed files with 1426 additions and 139 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

107
content/Journal/2024-12-07-bilan.md Normal file
View file

@ -0,0 +1,107 @@
---
status: draft
title: 2024
---
Après quelques années passées à [faire de la bière](https://vieuxsinge.com), 2024 aura signé mon retour vers le développement logiciel au niveau pro.
J'ai bossé sur les projets suivants:
- [Argos Monitoring](https://argos-monitoring.framasoft.org/), un système de supervision de services HTTP, fait pour et avec l'association [Framasoft](https://framasoft.org/)
- L'ajout de collaboration temps réel dans l'outil de cartographie Web [uMap](https://umap-project.org/). L'occasion de bosser avec Yohan et David.
- La maintenance de [Dangerzone](https://dangerzone.rocks/) un outil qui transforme des documents potentiellement dangereux en documents *safe*, pour le compte de [Freedom of the Press Foundation](https://freedom.press)
### Argos
Un des besoins derrière ce projet était de faire un outil qui corresponde vraiment aux usages de Luc, l'administrateur système de chez Framasoft. Il existe d'autres systèmes de supervision, mais aucun ne répondait à ses besoins, et je pense qu'il y avait aussi une envie de pouvoir modifier facilement le projet pour le faire aller là où il voulait sur le moyen terme.
C'était pour moi un vrai plaisir que de bosser sur ce projet, parce je partage assez fortement certaines des valeurs défendues par l'association, et que j'avais l'impression de répondre à un vrai besoin de leur côté, tout en étant en plein dans mon domaine de compétences.
L'occasion pour moi de découvrir certains outils (le framework [fastapi](https://fastapi.tiangolo.com/), de remettre le pied à l'étrier et de prendre du plaisir.
C'était une mission assez courte (10 jours de travail), mais je suis très satisfait du résultat et de la manière dont on a pu travailler sur le projet.
### uMap
J'ai ensuite bossé sur le projet uMap, qui est un outil pour réaliser et partager ses propres cartes sur le Web, ma mission étant de faire en sorte qu'il soit possible d'être plusieurs à collaborer sur une carte en même temps.
C'était en fait un challenge de taille parce qu'il fallait réussir à comprendre le code actuel, écrit en partie il y a quasiment une dizaine d'années, le faire évoluer pour intégrer des changements qui rendent possible le travail à plusieurs, tout en gérant un niveau de confiance en moi assez faible.
Des challenges humains aussi, parce que passer d'un projet écrit et maintenu pendant une dizaine d'années à un projet écrit à plusieurs mains ne se fait pas *d'un coup d'un seul*. Quelques discussions difficiles, parfois frustrantes, mais le mouvement général aura été très intéressant à accompagner, et je suis content de la dynamique que semble prendre l'équipe en fin de parcours (pour moi). Pour preuve, je pense continuer de contribuer à titre bénévole sur certains aspects.
J'ai tenté de [documenter une partie du parcours](https://blog.notmyidea.org/tag/umap.html), et le travail n'est pas encore tout à fait terminé. Bientôt, bientôt.
J'ai réduit la voilure sur la fin du projet parce que *Dangerzone* + *uMap*, c'était trop. Content d'avoir réussi à le voir et de m'être adapté. Content aussi que l'équipe ait rendu ça possible.
### Dangerzone
Dangerzone est un outil qui permet de transformer des documents potentiellement dangereux en documents *safe*.
Le périmètre fonctionnel est réduit, mais tout ça reste assez en dehors des compétences spécifiques que j'ai pu avoir autour des technologies Web. C'est l'occasion pour moi de continuer de travailler sur des questions de vie privée, tout en faisant le pont avec des technologies quasiment inconnues pour moi.
J'en ai donc profité pour me former autour des enjeux de sécurité et de comment ceux-cis peuvent êtres apportés par des conteneurs Docker, et le noyau Linux.
Un peu difficile au départ, mais passionnant :-)
## Apprentissages
J'ai peu faire quelques apprentissages cette année:
### Conflits et collectifs
En parallèle, je me forme en autodidacte à la *gestion de conflits* dans les collectifs, motivé entre autres par des expériences « riches mais douloureuses » en la matière. A travers quelques lectures sur le sujet, mais aussi des rencontres humaines. J'aimerai que 2025 me laisse un peu plus de temps pour continuer cette exploration.
### Estime de soi
Une des choses qui m'aura pris le plus de temps, et qui aura été le plus difficile à accepter et à surmonter c'est mon manque d'estime de moi. Par moments, cela passe par avoir besoin de validation extérieure, et par le fait de faire le travail d'accepter et d'affirmer ses points de vues.
Je ne renterais pas trop dans les détails, mais ça à été un de mes apprentissages majeurs de l'année. Il fallait à la fois défaire plusieurs années de critiques et de dévalorisation, et démêler la part de vérité dans ma peur de ne pas être à la hauteur.
Parce que... de fait, après quelques années à faire « autre chose », j'étais parfois un peu rouillé.
### L'accueil
Ça a été criant pour moi sur le dernier projet en date, « Dangerzone » puisque
j'y travaille sur des technologies auxquelles je n'ai quasiment jamais été
exposé jusqu'ici (docker, le noyau Linux et Qt).
Finalement, je me rends compte que les compétences techniques ne sont qu'une partie de l'équation, et pas la plus importante. La manière dont nous interagissons ensemble, dont l'accueil est pensé, dont finalement nous faisons équipe me semble plus importante pour le développement du projet sur le long court.
Je repense [aux étapes du faire équipe](https://blog.notmyidea.org/oser-la-confiance.html#faire-equipe), qui nous montrent qu'il est indispensable de sortir de « la logique des territoires » (qu'on pourrait nommer compétition) pour aller vers une vraie collaboration.
> Dans léquipe performante, troisième étape, **les personnes ont suffisamment conscience de leur identité et de leur complémentarité pour pouvoir la dépasser et se centrer sur le sens et la vision commune**. Chacun se sent porteur du tout et vit une approche de type holomorphique; chaque fonction est porteuse du tout et chacun se sent responsable de la pérennité [du groupe].
Je retrouve dans mon journal, des notes publiées pour un point d'étape après
deux ans et demi chez Mozilla :
> Dire que l'on comprends pour éviter de passer pour un idiot est un biais qui
> se prends assez rapidement, et qu'il faut éviter à tout prix.
>
> Connaître ses limites techniques est un bon début pour pouvoir les
> surpasser. Chercher à les rencontrer est un processus actif.
>
> — Notes perso de 2014 (il y a 10 ans)
## Poser un cadre
Une des choses qui m'a énormément aidé à été de me poser un cadre de travail et de m'y tenir.
Travailler sur des horaires spécifiques, rester concentré uniquement sur des tâches liées au travail m'est un peu étrange : parfois j'ai envie de penser à autre chose, parfois j'ai envie de travailler le soir, et de faire autre chose en journée. C'est l'un des avantages de travailler en tant qu'indépendant, mais c'est aussi, bien-sur, un piège. Pour le moment, j'ai décidé de cadrer fortement, en allant travailler
dans un lieu autre que chez moi, et je suis assez content de ce que cette séparation m'apporte.
Aussi, je me retrouve à vouloir poser un cadre **relationnel** dans mon travail. Comment faire la séparation entre la relation professionnelle et la relation personnelle ? Est-ce souhaitable ?
Il y a quelques années, c'est une question que je n'avais pas considérée, mais les les moments de désaccords et leur impact sur ma vie personnelle me donnent envie de poser une séparation. Séparation d'ailleurs questionnée par bell hooks [dans son livre "La volonté de changer"](https://blog.notmyidea.org/la-volonte-de-changer.html).
J'ai envie maintenant de clarifier ce genre de situations avant même de
commencer à travailler: je me connais mieux, et je sais ce dont j'ai besoin, et ce que ces limites peuvent apporter dans les moments de difficulté pro.
Je me rends compte de la qualité de travail et de relation que cela amène. Je veux de la clarté, et je sais la demander quand elle me semble utile.
## Du soin dans nos collectifs
Aussi, une des envies pour cette *saison* 2024-2025 est de me donner de l'espace pour me former sur la gestion des conflits.
Mon expérience m'a montré que parfois, des collectifs qui souhaitent travailler en auto-gestion créent en fait de la souffrance dans leurs structures, vécue durement par les personnes qui composent ces collectifs.
Le sujet me passionne à la fois parce que cette souffrance fait perdre beaucoup d'élan personnel, et peut mener à des situations de détresse psychologique ; mais aussi parce que je souhaite sincèrement trouver des outils qui permettent à nos collectifs de tenir la route sur le moyen terme.

2
content/Journal/2025-01-05-38c3.md Normal file
View file

@ -0,0 +1,2 @@
https://media.ccc.de/v/38c3-reticulum-unstoppable-networks-for-the-people

14
content/Lectures/2024-07-vivantes-et-dignes.md
View file

@ -1,14 +0,0 @@
---
title: Vivant·es et dignes
author: Victoria Berni-André
headline: Des petits gestes à l'écologie politique
tags: ecologie, politique, radicalité
isbn: 97823825716821
status: draft
---
> Nous exprimons des rêves assez flous, avec des mots fourre-tout dans lesquels chacun·e peut voir ce qu'iel souhaite : « Célébrer, vivant, créatif, joyeux, utopie, bienveillance, inspirer, partage, désirable ». Rien n'est vraiment explicité, ni traduit concrètement en pratiques de vie. C'est bien là que cela va coincer, mais je ne vois pas les signaux d'alerte.
> Dans cette écologie positive, toute une série de pratiques monopolisent les préoccupations. Un exemple-phare est la communication non-violente (CNV). ll fait partie d'une palette d'outils comme la facilitation et la gouvernance partagée qui constitue une cadre d'interactions 't d'organisation largement diffusé dan les milieux alternatifs et écologistes. Si cette palette est précieuse, elle est parfois surestimée. Or ces prets-à-penser peuvent aiguiller mais aussi inhiber : ils peuvent laisser croire que sans eux, on ne peut rien faire; éroder la capacité à trouver par soi même des façons de faire et de penser. On les ingurgite et on les recrache comme des automates sans les incarner en profondeur, puisqu'ils ne correspondent pas à nos vécus, nos émotions, nos conditions d'existence. Tout simplement, ils ne viennent pas de nous.
> Si, heureusement, certain·es s'attachent à politiser ces outils, je les ai si surtout vus transmis, conceptualisés et pratiqués en mettant sous silence, encore une fois les oppressions systématiques et les enjeux poilitiques. Je l'ai vu utilisée de manière à imposer un cadre d'expression méprisant les contextes et les trajectoires psycho-sociales. Dans une

89
content/Notes/2024-12-27-breaking-nato-radio-encryption.md Normal file
View file

@ -0,0 +1,89 @@
---
title: Breaking NATO Radio Encryption
speaker: Lukas Stennes
link: https://events.ccc.de/congress/2024/hub/en/event/breaking-nato-radio-encryption/
date: 2024-12-27
type: talk
tags: 38c3, radio
---
<iframe width="1024" height="576" src="https://media.ccc.de/v/38c3-breaking-nato-radio-encryption/oembed" frameborder="0" allowfullscreen></iframe>
This was a fairly technical talk, in which the speaker explained how the cypher scheme used for NATO radion encryption works, why it was weak, and how he broke it.
## Intro to symmetric cryptography
Alice, Benjamin and Chalie are used as a replacement for Alice and Bob.
AES is Advanced Encryption Standard, it's one of the most used crypto out there, and it works well.
It takes an input and generate ciphertext from a key. It's the US standard since the 2000. [There is a lecture by Chirstof Paar if you want to understand how it works in depth: [Lecture 8: advanced Encryption Standard (AES)](https://www.youtube.com/watch?v=NHuibtoL_qk)
## High frequency radio
Frequencies between 3MHz and 30MHz. These signals can cover large distances, because the signals are reflected by upper atmosphere, and they don't need external infrastructure.
For radio, SoDark / HALFLOOP is used for encrypting some of the material.
### Automatic Link Establishement / HALFLOOP
Here is how it works:
1. 3-way handshake in the beginning (authenticated with SoDark or HALFLOOP)
2. Voice or Data (unauthenticated ?)
3. Finish (authenticated)
SoDark was used more in the past, now it's more HALFLOOP.
It's encrypted:
- Authentication (be sure that who claims an id is the right one)
- Nobody can read else from the recipient.
### HALFLOOP24
<fig1>
<fig2>
HALFLOOP used a *tweakable* block cypher. SoDark cipher used 56-bits keys, which was easy to bruteforce.
- In addition to the key, it is ussing a "tweak" as another input: the current time a word counter and the used frequency.
- It's using the same S-box as AES
- It's using the same key schedule
- State is represented as 3x1 matrix.
- 10 rounds are used
### ECB is broken ?
It's a block cipher, and because it's possible to see the whole picture if you just use it (because it's applied on a block by block basis), except if you add a tweak.
- Split the input in 3 (8 bits each)
- On the two last ones we bit shift 6 and 4
### Presentation of how it works in detail.
He then went onto how this works and how he broke it. I didn't took note in there because it was already hard to follow along :-)
### Papers
Interestingly, one of the researchers is coming from Rennes: Patrick Derbrez (@IRISA, Rennes)
### Attacks
When trying to find attackers, they are often given extra power. In our exemple, Alice can answer to Charlie (the attacker), to encrypt, decrypt some stuff.
It's security in depth, because in practice the attackers might not have these "superpowers".
### Takeaways
It would have been possible to just use AES. The size of the block size is not a real reason for not using it.
The attack is basically using the tweak and knowing it to get back the key used to do the cypher.
### QA
Is there closer collaboration now between military and researchers in the public now than before? No real answer, as they asked NATO about this but never got an answer.
There is [an actual implementation of this](https://github.com/rub-hgi/destroying-HALFLOOP-24/blob/main/halfloop.c)

73
content/Notes/2024-12-27-police-2.0.md Normal file
View file

@ -0,0 +1,73 @@
---
title: Police 2.0
subtitle: Peaceful activism is terrorism & fakenews are facts
date: 2024-12-27
speakers: Datarights, Frank van der Linde.
tags: 38c3, datarights, fakenews
---
*These are notes taken during and after the 38C3 conference in Hambourg. Notes might be a bit sketchy at times*
<iframe width="100%" height="576" src="https://media.ccc.de/v/38c3-police-2-0-peaceful-activism-is-terrorism-and-fakenews-are-facts/oembed" frameborder="0" allowfullscreen></iframe>
[Datarights](https://www.datarights.ngo/) is a new NGO in Europe, coming from LQDN in France. It's goal is to have a broader look at what's going on in Europe. See the [Defend the defenders](https://www.datarights.ngo/targeted-communities) section on their website.
The talk was greatly about and by [Frank van der Linde](https://www.frankvanderlinde.net/blog), a Netherlands activist, telling us his story.
At some point, his personal address has been leaked, and he has been put away from his home because it was "threatening for the neighbors".
After which the dutch police started to write fake news about him. He asked for rectifications to the police but didn't ended up being accepted. He ended up as a CTER 04 subject, which is what they use for terrorism.
SIENA system is how europol is organised. At some point he got a digital forensic IT expert to look for his files, that have been removed from the police hard drive, but of course the Police refused to cooperate.
## What the police does
- Infrared camera is used by Bellingham police (in the US, I think)
- The presumption of innocence is not really used in some cases
- Populism is used to legitimise brutality (e.g. opponents are tagged as "ecoterrorists", we have also seen this in France with the so called "Water wars")
- Fake data is sometimes used, and amplification of anecdotal facts
- There is a disproportion of resources, and criminal charges are used against people to do investigation on them.
- There have been reported cases of undercover officers infiltrating groups of activists (having children with them, even)
See the ["police have crossed the line" campaign by Privacy international](https://privacyinternational.org/campaigns/unmasking-policing-inc)
## The united nations
A rapporteur of the united nation, [in a 2024 report on the state repression](https://web.archive.org/web/20240804193748/https://unece.org/sites/default/files/2024-02/UNSR_EnvDefenders_Aarhus_Position_Paper_Civil_Disobedience_EN.pdf) mentioned:
> State response to peaceful environmental protest is increasingly to repress rather than to enable and protect.
States started to include env activism in the terrorism report (or is it in Europe all together?).
Civil disobetience is:
1. Deliberate law-breaking
2. Public interest topic
3. Non violence
EU rapporteur says that symoblic violence should be accepted (!!)
## Questions
Q: What should we do?
R:
- Organise.
- Never end up in a database of the police.
- Protect yourself.
- Know your rights.
Q: Why governments are doing this?
R: Framing you as an extermist allows them to do some stuff. They don't care if they're doing something illegal. At some point they tried to recruit somebody in his friends, and that wouldn't be possible if he wasn't marked as a "terrorist"
Q: How much of your life is impacted?
R: It became his life now. 60h/week.
Q: What's the name of the case in the french criminal court
Q: Is it possible to go against individuals in the organisations rather than organisations? Would that work?
R: Good point, they're worried about this and want to give a lot of money in exchange of withdrawing charges. (So, yes it works)
Q: With our world turning more chaotic, do you see
R: Putting themselves as reports; Having people documenting in reports is really useful.

138
content/Notes/2024-12-27-security-5g-roaming.md Normal file
View file

@ -0,0 +1,138 @@
---
title: How roaming agreements enable 5G MitM Attacks
link: https://events.ccc.de/congress/2024/hub/en/event/how-roaming-agreements-enable-5g-mitm-attacks/---
date: 2024-12-27
tags: 38c3, telecoms
---
*These are notes taken during and after the 38C3 conference in Hambourg. Notes might be a bit sketchy at times*
<iframe width="1024" height="576" src="https://media.ccc.de/v/38c3-how-roaming-agreements-enable-5g-mitm-attacks/oembed" frameborder="0" allowfullscreen></iframe>
High value targets (politicians, journalists, activisits) can hardly hide right now.
## TL; DR
5G Roaming is done to avoid/prevent billing fraud, not to enhance security.
- It is difficult for a trusted operator to decide if an authentication request is legitimate or not
- Smartphones are unable to verify roaming decisions and trust assumptions
- Visited networks can arbitrarily choose the network name displayed on the screen
## Introduction of protocols
- 2G has been used with rogue-based attacks. Turning off 2G saves us from these.
- 3G adds network authentication, and so limits the attack sruface to pre-authentication messages. But it's possible to use roaming for attacks. Past talks on this (but I didn't found which ones).
- 4G added crypto session keys, which are bound the one network. But you can bind session keys to roaming networks as well. Session keys only valid for one roaming network.
- 5G: Adds a concpet of "proof of presence" in roaming. It's more secure, but there are reports that law enforcement agencies use roaming to exploit the target phones. How can they do this?
## How roaming attacks work?
Legitimate roaming: when you travel, you can connect to the visited network, it then asks the home network to get the authentication. Between the two parts there is an agreement, and the home network can see the traffic only if it's routed there.
An attacker would: rogue base station a network looking like an extended network. The networks don't really check if the remote network is legitimate or not.
A state-sponsored attacker might force the operator to get access to the station.
Decrypted at the base station. So the good candidate for MiTM. It's encrypted by TLS. Basement exploits.
## From the user perspective
- There is a roaming operator. Like "F SFR | Telecom.de". There are local lists with the names and network IDs, but it can be out of sync (and it's expected that they'll be). You see an "R" indicating that the phone is roaming.
- The network ID is whatever the attacker want, so it's possible to impersonate legit networks.
- Roaming indicator disapears if the name is the proper one.
AV = Authtentication Network
Client cannot observe who requested AV, only if we're billed for it.
## Mitigations?
### Turning off roaming?
If the base station says it's your home network, it's sent before the Authentication. No proof required. The phone has to accept. The connection doesn't differentiate from the real legit connection.
### Firewalls?
There are firewalls, but they're not public, we don't know.
### End to end encryption
- Rogue based stations provide aacess to decrypted traffic of any connected phone. It could be prevented by E2EE. But they don't want this because of law enforcement.
### Visible trust chain
- Visible trust chain: trust decisions would be taken by core networks. Indicate information used to build trust to the user. Enable user to inspect network properties. The home networks checks identity of visited networks and roamning intermediaries.
### Indicators of Roamnig Abuse
1. Trace the routing path
2. Detect rogute base station
3. Measure the duration of authentication
Also rogue stations are very specialized. Measuring the time is not reliable, and not really possible to use right now.
### Disable 2G
Lockdown mode in apple, disables 2G. Lockdown mode will change a bit the behaviour of your apps.
## Turn off automatic network detection
Picking it yourself, but it means that you need to know what you're doing.
## CellGuard (beta test)
It's a tool to collect information, the idea being to being able to notify you when it's needed.
### Roaming intermediaries
It's not clear exactly how the contracts are defined between the oeprators.
## Q & A
### How much of it is by design?
Lawful interception is meant to be used. States and Law Enforcement agencies should be able to inspect the traffic in their countries.
### What do we know about the intermediaries
We don't really know. These companies have a big impact, they collaborate with a lot of operators and are in the middle of the system. They are everywhere. Companies sitting in the middle, and they have political agency.
### Did yoy look on using hardware to improve security?
We looked in the specification and looked for how the phones behave. CellGuard looks on a database where the base stations are supposed to be, and warns you if there is another one?
### Is diabling roaming okay?
As shown, you can impersonate the home network, so no.
### Have you looked at Starlink, as they might be able to do the same kind of stuff?
Nope, not looked.
### What is the real risk? Is it only SMS? Did you do threat modeling?
We didn't do this, but I can say that SMS is unencrypted so yeah. The more TLS, the more secure it gets. it's used to target a single person, so it's really for speicifc people, and not for groups.
This is an expensible attack.
### is this used in the wild?
In our reeasearch, we didn't look so much on compromise, Citizen Lab and Amnesty Tech are trying to document this.
### How does the connection work between base and
You need to connect to the base operator (different from the "plain" internet). You have to contect the core network, I want to add more notes here as to how it works.
### How can this be fixed without changing the infra?
You have to have E2EE? Is VPN fixing this? Right from the start of the connection.
Having such a VPN would be good, BUT phone calls and SMS are not gong trough internet.
## How much does it cost?
A rogue station is about 10k€ and then exploits are pretty costly.
---
@swantje@chaos.social

35
content/Notes/2024-12-28-bgp.md Normal file
View file

@ -0,0 +1,35 @@
---
title: BGP-enabled hackerspaces
tags: 38c3, network, bgp
---
*These are notes taken during and after the 38C3 conference in Hambourg. Notes might be a bit sketchy at times*
I went to this session because I don't know anything about BGP and how it works. It was a bit hard to follow, but I got some knowledge out of it!
- The conversation on how to have BGP-enabled hackerspaces started a few years back at CCC
- Some people do this in Montreal, and in the Netherlands
- The more people do this, the easier it will be to reduce the friction.
- A `/32` block of IP adresses is worth 60k€ (!!)
In germany, there is Community AX which is here to connect non-profits together.
## Tools
- [bgp.tools](https://bgp.tools) where you can navigate the different AS. For instance [Labitat](https://bgp.tools/prefix/185.38.175.0/24#connectivity)
- Labitat, a hackerspace in Copenhagen is [documenting how they do it](https://labitat.dk/wiki/Labicolo)
- [bgp.wtf](bgp.wtf)
- [https://freetransit.ch/](https://freetransit.ch/)
- [https://coloclue.net/en/](https://coloclue.net/en/)
- [peeringdb.com](peeringdb.com)
## Ideas
If you want to do it, find some people and get an AS number. It is possible on a business address, and requires a phone number.
The cost is of 90€ immediatly + 60€/y to get an AS number. It's useful to connect with somebody directly.
Getting people working at ISPs helps a lot because they know how it works.
Connect with your local university, they might want to help you and sponsor the AS number.

87
content/Notes/2024-12-28-guardians-of-the-onion.md Normal file
View file

@ -0,0 +1,87 @@
---
title: Guardians of the onion
speakers: gus and hiro
tags: 38c3, Tor
---
*These are notes taken during and after the 38C3 conference in Hambourg. Notes might be a bit sketchy at times*
<iframe width="1024" height="576" src="https://media.ccc.de/v/38c3-guardians-of-the-onion-ensuring-the-health-and-resilience-of-the-tor-network/oembed" frameborder="0" allowfullscreen></iframe>
This was a talk to discuss what makes a "good" community, and a good Tor network. I liked how it was focused on politics mainly, rather than tech stuff.
So, is the Tor network healthy? And how do we assess it?
It should have:
- Strong community support
- Continuous improvements, protocol updates
- Wide adoption
Currently, relay diversity could be improved, the community is not necessarily sustainable, and there are adversaries.
## Is tor still safe to use?
First they wanted to adress the elephan in the room, as [attacks on Tor](https://blog.torproject.org/tor-is-still-safe/) have been advertized in the past few months. They believe that the attacks were conducted before they added some security measures to the Tor network, and that the affected sotware was using a now deprecated protocol.
They learned these lessons:
- Somebody used a retired version of Ricochet, that didn't use new security measures implemented in Tor now.
- [Vanguard measures](https://spec.torproject.org/vanguards-spec/index.html) are able to protect service operators running behind `.onion` services.
They added documentation on how to run hidden services. As part of this discussion, they've seen people stating things that don't really make a lot of sense:
- Traffic padding is already used in the protocol ;
- Some people said that mixnets is the solution, but because it adds traffic it is currently slow. They believe it will lead to people leaving the network because it is not usable.
## So, how to check the health of the network?
They are using some numbers to objectify this. 8 000 relays and 2500 exit nodes.
Performance has been better, and they see a concentration of the nodes, that needs to be adressed.
A lot of nodes are hosted in germany and in the US, this can be better.
[Shannon entropy](https://en.wikipedia.org/wiki/Entropy_(information_theory)) quantifies the diversity in the distribtion of network attributes.
Diversity is important for obvious reasons, but also for legal reasons. They compared this with some other data, and has seen that the distribution is the same.
They looked at Cloudfare data about [AS](https://en.wikipedia.org/wiki/Autonomous_system_(Internet)) and it seem that WHAT ?
They believe taht the Tor network is well distributed against AS and ISPs.
## What can we do about it?
They have [a tool named bandwisth scanner](https://blog.torproject.org/how-bandwidth-scanners-monitor-tor-network/) that picks a relay and look a its bandwidth. That allows to keep a list of running relays and influence how circuits are built.
Location bias is a thing when measuring performance, because of how we measure (and from where we measure).
Congestion control eleminates the speed limit of current C-Tor., it reduces the latency by minimizing queue lenghts at relays.
So it results in signifcant perfomance improvements, and increase the overall network capacity.
They say that the concentration they see in the Tor network is the concentration of the infrastructure.
## Community
It's important to have a diverse community that is able to trust each other.
To combat bad relays, and because it's very common to have false negatives, [they now have a policy](https://gitlab.torproject.org/tpo/community/policies/-/issues/25) explaining how to operate relays.
The relay operator community governance is also important. They have a documentation with ["expectations" for relay operators](https://community.torproject.org/policies/relays/expectations-for-relay-operators/). Excerpt:
> not run more than 20% of the total exist capacity or more than 10% of consensus weight.
## Outreach with the global south
They have a micro-grant to support the Tor community in the global south and to add geographical diversity to the network.
Snowflake outreach in the GS seem a better approach for their current capacity and resources.
## Impact on the environment
Partnership between SEEKCommons and Tor project. They want to measure the Tor network carbon footprint.
## Call to action
They need more bridges. This can be a Snowflake proxy or a WebTunnel bridge. They launched a campaign [and you can get Tshirts ](https://blog.torproject.org/call-for-webtunnel-bridges/)
;)

113
content/Notes/2024-12-28-pegasus-to-predator.md Normal file
View file

@ -0,0 +1,113 @@
---
title: From Pegasus to Predator
speaker: Matthias Frielingsdorf
tags: 38c3, iOS, spyware
---
*These are notes taken during and after the 38C3 conference in Hambourg. Notes might be a bit sketchy at times*
Subtitle: the evolution of Commercial Spyware on iOS
<iframe width="1024" height="576" src="https://media.ccc.de/v/38c3-from-pegasus-to-predator-the-evolution-of-commercial-spyware-on-ios/oembed" frameborder="0" allowfullscreen></iframe>
A talk by a researcher on how exploits are being used on iOS devices over time. He is the VP of research at [iVerify](https://iverify.io/).
He is offering an overview of the evolution on the field of malwares for iOS in the past years.
## History of commercial spyware
It's covering offensive capabilities provided by companies for nation states to infect individuals.
It's clear by now that this use is not for terrorism detection, because we've seen it being used against journalists and activists.
Unfortunately, their detection is non trivial on iOS. There are cases of jounalists that were killed after such infections
### Pegasus
2016: Pegasus. It was detected after a jounalist sent the SMS to Citizen Lab, and they were able to analyse and reveal it. It was pretty amateurish. Pretty easy to detect.
2021: Pegasus was a lot more advanced. The exploit is pretty famous. Google project Zero blogpost. Zero click attack. With iCloud account or phone number. There is nothing the user can stop. It was very public, a lot of organisations talked about it. Amnesty research on the topic is very good.
The main change is the move to zero click attack, because it is invisible. 1-click attacks need to use persistence to continue, 0-click attacks leaves a lot less traces, because a reboot removes the attack, but it can be applied again.
In 2021 they were hiding (launch from a specific `/private/var/db/com.apple.xpc.roleaccountd.staging`), and they were disguising as normal system processes.
So it looks like pegasus is a normal process, so it's harder to find.
2023 Pegasus Blastpass exploit
2019: A campagin against Uyghures (Ouïghours) / I-SOON. 14 individual exploits. The target was in Nepal, they were transmitting the details in plain text (so anybody looking at the network could see it)
2022, Hermit: Google TAG unveiled this, It was targeting Kazakhstan and Italy, This was using a side-loaded App as a vector.
2023: Last year, by Kasperky ([see talk at 37C3](https://media.ccc.de/v/37c3-11859-operation_triangulation_what_you_get_when_attack_iphones_of_researchers)). The infection vector was iMessage. The interesting case here is that it started with malicious domains. Backup Agent is not used in recent versions of iOS, so it's possible to detect.
In terms of cleanup, they were taking a lot of steps to avoid being found.
2021 Predator, infection vector by Webkit. uncovered by Citizen Lab, Google Tag and Cisco Talos.
2023: Predator v2: Webkit via O-click. Targets the EU commission, the former MP of egypt. Here in this version they were checking for additional root certificates authorities and check if developer mode is enabled, to hide even more. They were also checking for log monitoring, and checked running processes from `/private/var/tmp` to not do anything if specific processes were running.
2024: NoClip. Unveiled by Google TAG. Using Webkit as an infection vector. There is even a function named `pwnCitizenLab` in there. It's deleting all crashlogs, delete unified logs, delete aggregates and clean the application state.
[!Comparison table](comparison-table.png)
## How to detect commercial spyware
It's possible to run a Desktop Application, and if you trust the app you can get crash logs, get a list of apps, get transport traffic intercetion.
- [MVT](mvt.re) is a tool to analyze backups, a project done by Citizen Lab.
- Sysdiagnose is a diagnosing tool from Apple, it's running on the backups, it's in fot585.com/sysdiagnose. There are guides on this.
With sysdiagnose you can get a lot of info. Things to note:
- It takes 10-15mn
- iTunes backups may take hours depending on the size and USB.
- It needs user interaction. They require some knowledge of IT (python, etc). So it's a challenge for end users to do it themselves. It's actually better to ship the phone in some areas.
It's great to check for old malware, IOCs are not publicly available, because they don't want to expose it to attackers.
## BlastPass
Vuln disclosed, and used directly by NSO, in about the same day (!!).
They found 25x crashes of `homed` which was a bit suspicious. The crashes from homed looked normal, the `messagesBlastDoorServices` crashes looked weird.
He used the backup to see `IMTransferAgent` was using `sample.pkpass` files. It was containing files that were a bit weird (image not using the proper image format).
The image contained an `NSExpression`; It's been used in the past in Pegasus and operation triangluation. It's a way to execute code on iOS.
The NSExpression has different payloads, but it was a bit scrumbled together.
After trying to debug what were the NSExpressions, he found [`dlsym`](https://linux.die.net/man/3/dlsym) was used. He got a number back that was `-2`, so that looked like a way to access a place it wasn't supposed to access.
They were using Imsg to receive the messages, not sure exaclty what it does and why it matters. It seems a nice to way to hide.
## Current state and outlook
iOS added a bunch of mitigations, but it doesn't make it easier to detect malware. There are a bunch of orgs that publish research on these: RSF, Amnesty International,.
In 2024:
- we don't have ways to share data between the different organisations.
- The security higiene is not great, people aren't keeping their systems updated properly.
- Apple doesn't provide specific devices to people that would like to work on this.
## Security VS privacy VS visibility
- Too less visibility harms security
- Too less security harms privacy
- Too much visibility harms privacy
## Lockdown mode
Unfortunately, doesn't prevent all attacks, but it reduces the attack surface. It's not a silver bullet. Attackers are going to find ways around it.
## What will happen in the future?
The attack surface might change, and also target directly the applications (Signal, WhatsApp).
## Wishlish
- It could be great to avoid duplication of work.
- Apple could start a programme for people doing forensics
- Research could also discuss who is being targeted, and scientific study on this could be done to objectify.
- Forensics on Apple Vision, and other hardware that's getting used nowadays.

47
content/Notes/2024-12-28-security-lab-surveillance.md Normal file
View file

@ -0,0 +1,47 @@
---
title: State of Surveillance, A year of digital threats to civil society
speaker: Jurre van Bergen
link: https://events.ccc.de/congress/2024/hub/en/event/state-of-surveillance-a-year-of-digital-threats-to-civil-society/---
tags: 38c3, spyware
---
*These are notes taken during and after the 38C3 conference in Hambourg. Notes might be a bit sketchy at times*
19 countries have been impacted by attacks on journalists and the civil society.
Spyware systems are sold for millions of euros. Each successful attack may cost 10-20+ thousand euros, according to intellexa quotes.
## Landscape is ever evolving - spyware
Modern iOs and android full chains are hard. Some states have moved to using tools like Cellebrite.
**Not a single victim has won a lawsuit aainst a spyware company.**
WhatsApp VS NSO Group, in 2019, they won (will be public in 2025), they violated the CFAA (hacking laws in the US) and the Californian equivalent.
Wintego. Found malicious domains targeting indonesia and two companies in Singapore.
Two spywares: WINT, used by singapore police. Helios is another one.
## NSO Group
They seem to be in 5 countries, known for Pegasus.
## Naraphorn "Bie" Onnkhaow
She was found 14 times infected with Pegasus, A student in Thailand. For democracy protest movements, that began in 2020.
They are connecting together the fact that activists with different genders can be at higher risk, because they fear that what's private goes public, as a pressure against them.
Thai court case against NSO: Human right defender from Thailand (Jatupat Boonpattararaksa), but he lost the case because he cannot connect the spyware with NSO itself.
## Novispy
A new spyware named "novispy", coming from Serbian Intelligence Agency.
- In Serbian, Krokodil (an NGO organising lecture festival) was targeted, they exported contacts while being interviewed.
- It was installing packages. They managed to recover screenshots they took.
IP range was the same than previous IP in FinFisher (a previous malware)
## Notable
There are IP ranges that were used for predator. Could be just blacklist them ?

87
content/Notes/2024-12-29-hello-quitx.md Normal file
View file

@ -0,0 +1,87 @@
---
title: Hello Quit X
speakers: grrr, Vinci and somebody else
tags: 38c3, musk, X
---
*These are notes taken during and after the 38C3 conference in Hambourg. Notes might be a bit sketchy at times*
I met with a collective of people behind the "Hello, Quit X" project. They are trying to help folks to get out of X / Twitter, and prepared a presentation about why they are doing it.
TLDR is: Fachism is coming, and Musk is really helping in that regard, controling twitter and changing its algorithm.
One of the questions they are trying to answer is how to assess if a social media is "good" or not.
They believe that these are the questions to ask yourself:
- Portability: do you own your data?
- How the contents are selected / editorialized? How the protocol makes you see the environment?
- Can it be bought by somenone?
Note how this last bullet point gets BlueSky out of the picture, as it's possible for it to be bought (it's even what they want it to happen).
## So, what did Musk do to Twitter?
When Musk bought and destroyed Twitter, it was something foreseable. (I personally can relate to this, we very much knew that having a social media this centered would become a problem at some point)
They displayed [one tweet from Musk](https://x.com/elonmusk/status/1625368108461613057) that I wasn't aware of, where you can see an image of a guy putting milk in the mouth of a women. They expained how milk is a symbol of nazism, and stated that "the message is clear here".
I found [an interesting article](https://knowyourmeme.com/editorials/guides/what-is-the-forced-to-drink-milk-meme-heres-the-explanation-behind-that-image-elon-musk-tweeted) about this, explaining where the "forced to drink milk" meme is coming from, and [another one from the NYT](https://www.nytimes.com/2018/10/17/us/white-supremacists-science-dna.html) explaining how white supremacists thought that white people are more common to get a gene to digest milk. I also found out an article explaning [how milk is a symbol of the neo-nazis](https://theconversation.com/milk-a-symbol-of-neo-nazi-hate-83292). As they put it:
> Milk as a symbol of white supremacy has also entered the Twitterverse. In early 2017, it replaced Pepe the Frog as the newest emoji symbolizing white superiority.
---
Here is a list of what happend to Twitter since Musk bought it:
- Abandonned moderation. People doing moderation were fired. On this subject, they mentioned that even before Musk, Twitter weren't really moderating far-right.
- Suspension of accounts / journalists / activists (see [the Wikipedia article about it](https://en.wikipedia.org/wiki/December_2022_Twitter_suspensions))
- Threatened of cybersquatting to get back the handles.
- Blackmailing of advertisement companies, framing it like they were doing it on purpose to destroy twitter. Musk threats have big impact.
- Algorithmic censorship.
- He took for instance @america and gave it to the Trump presidency (not with the followers)
### Polarisation
[David Chavalarias](https://iscpif.fr/chavalarias/), a CNRS researcher, pointed that Twitter contained 49% more toxic content after Musk joined ([link to the research](https://www.nature.com/articles/s41598-023-43980-4)).
People at standford university found that when you see toxic content, you stay longer on the platforms. So it's a way to hack attention.
There is [a book](https://editions.flammarion.com/toxic-data/9782080274946) (in French) about it.
It has been measured that there is a political polarisation going on, for instance two separae groups with pro climate and denialists.
Musk promotes white-supremacist contents, and he is "very close" to the Kremlin, and relays Kremlin propaganda and attacks against the media. One of the way he does it is by telling people they don't need the media anyore, saying to them that "the people is the media now". I'm just reproducing their claims here, and I've not searched for sources yet.
In mastodon, we see that people participate more and more in different topics. You see people from different point of views, because there is no algorithm that filters everything.
![The picture, description below](/images/38c3/chavalarias-twitter-evolution.png)
A picture comparing 2016 VS 2022 with Left and Right wing in Twitter. We see that the connections between people shifted and do not exist a lot now.
### Hello Quit X
Okay, so what are they proposing?
They built [a tool](https://www.helloquitx.com/) to help peolpe get away from Twitter / X. It's currently in beta, and the goal is to help people migrate. The way they intend to do that is by fixing the biggest problem if the way: the network effect.
They have a public database where they make connecitons between accounts on X and accounts on Mastodon and Bluesky. They bootstrapped their database partially manually and you can help this go further by registering yourself and letting them know the connection between your different accounts.
As a symbol, the goal is to flee away from Twitter on the 20th of january, the day Trump will access the presidency.
They want to also help you request the data out of Twitter, by using the RGPD (the law in France for data protection) to retrieve your tweets as a `.zip` archive.
It's a pretty fresh project, and they need help. If you know how to translate in your language, please pop up :-)
### Some technical stuff
As part of the OAuth authorisation, the process might request some specific permissions. They are only using OAuth to prove the identities.
This has been coded by Fanny (from CNRS), who lead the thing. It's based on SPIP, but I couldn't find where the actual codebase is.
### On mastodon and engagement
Mediapart (a French media) is on Mastodon and Twitter. They have (had?) millions of followers on twitter, but actually very few interaction, compared to mastodon, where they have less followers but a lot more replies, retoots, etc. The engagement ratio is really better.
A lot of accounts on Twitter were inactive for years, and also a lot of bots.

129
content/Notes/2024-12-29-websec.md Normal file
View file

@ -0,0 +1,129 @@
---
title: Attack Mining
subtitle: How to use distributed sensors to identify and take down adversaries
link: https://events.ccc.de/congress/2024/hub/en/event/attack-mining-how-to-use-distributed-sensors-to-identify-and-take-down-adversaries/
speaker: Lars König
tags: 38c3, security
---
*These are notes taken during and after the 38C3 conference in Hambourg. Notes might be a bit sketchy at times*
<iframe width="1024" height="576" src="https://media.ccc.de/v/38c3-attack-mining-how-to-use-distributed-sensors-to-identify-and-take-down-adversaries/oembed" frameborder="0" allowfullscreen></iframe>
## A honeypot
This was a pretty cool talk from somebody who found out that a lot of
connections to openssh server were going on, and wanted to know more. So he made
some changes in the openssh server to deny and log all the attempts, did some
more investigation based on it and was able to take control of a botnet.
On the system, replace the openssh system with an Attack pot
It's putting the data in a database.
Because it's a docker container, it's possible to scale.
He deployed 250 sensors in 25 different countries, and found something like 12,5/million attacks/day.
## Analysing the data
The users tried are:
- Admin accounts ("root", or admin or ubuntu)
- the domain as username.
- Default applications acounts (ftp, accounts that are usually used for applications)
The passwords that were tried are really common,
- 123456, 123, password.
Probably these are real passwords, used in the wild, which is always a bit frustrating.
## Fingerprinting the users
He used IP, username, password as a fingerprint. Filtered-off all the common
username/password combination, and then did some feature extraction using TF-IDF
vectorization, and stored the data in a vector DB.
Then, he clusterizes everything, and then created a visualisation.
450 million attacks (40 days), removed the common ones (320 milion attacks). And out of it he got 530 clusters.
## Analysing a cluster
Each IP used 169 username and password combinations. Looking at the geo info, it's actually coming from everywhere, so it's hard to make assumptions based on the geo info.
Most of the IPs are used by residential ISPs.
He also did some OS fingerprinting, and found raspbian, ubuntu, Linux, ASUWRT
He found some specific information in the password/username combination (in this case, some words in spanish).
Some passwords were used.
## Access to one machine used for attacks
He managed to get access to the device, by just asking to one operator who put
his contact info on a website that was running on the default HTTP port.
From there:
`netstat -apn` to see all the internet connections open.
`pstree -a` shows all the process running on the system.
He found hundreds of `apcid` processes. He found that the processes were started by root.
By looking in the `/root/.bash_history`, found that some commands were used.
One of them was `su pi`, to connect as the `pi` user, which is kind of strange
as usually you connect as `pi` and then elevate privilege. He then used `stat`
to know when the file was last used, which got him an approximate date of
connection.
Looking in the `/var/log/authlog`, he found the login and IP adress of the
attacker. They added a ssh public key.
Because he was able to time when this was done, found out it was very fast, and
assumed it's probably automated.
## IP of the attacker
Virus Total was saying that the IP adress was a Tor exit node.
## What's the malware used?
Apparently the hash of the binary that was used there wasn't already reported (they usually hash the binaries to report them, in order to not leak the fact that they uncovered something).
He then found 6 "dead drops" systems, to which multiple "nodes" were reporting to. Every time a new device is infected, they write a line in there.
To authenticate to the deadrops, it was using private keys that were direclty encoded in the binaries. And these keys were also the keys of the root account there (!!)
He found 8654 infected systems in the end, all reporting to deaddrops.
## How to stop the attacker?
With the IP adresses, he turned to the ISPs, and some of them were actually responding to emails. Because it was a lot of emails to send, he wanted to automate it.
He found all the atacks from the same IP, then identifies the ISP and send abuse, monitores the answers and automates the answer with LLMS (LLAMA3)
[XARF](https://github.com/abusix/xarf) is a format to handle the reports. (eXtensible Abuse Reporting Format).
After looking as the AS:
- China Telecom doesn't answer to the mails at all
- Digital Ocean: supports XARF and takedown requests
- Tencent answers but say they don't process them.
## Data
The data is public and available at https://github.com/NetWatch-team
Contact them at data@netwatch.team
## QA
Q: Do the ISP want to join the network?
Yes, a really big one in the US.
Q: Do you know what happened by the ISP?
it depends. They send an email / mail, etc; or, if the ISP are hosting themselves, they take the VSP offline. They do verification to ensure it's legit.
Q: Lowering of the attacks ?
Overall we see an increase in attacks because we have more sensors.

BIN
content/images/38c3/chavalarias-twitter-evolution.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 1.4 MiB

41
content/pages/resume.md
View file

@ -4,10 +4,6 @@ slug: resume
title: Alexis Métaireau
---
Here is a resume.
---
| **Email** | [alexis@notmyidea.org](mailto:alexis@notmyidea.org) |
| ----------- | ------------------------------------------------------------------------------------------------------------- |
| **Code** | [https://github.com/almet](https://github.com/almet) and [https://gitlab.com/almet](https://gitlab.com/almet) |
@ -24,39 +20,54 @@ Here is a resume.
## Projects
- #### 🗺️ [uMap](https://umap-project.org) (2023-2024)
#### ⚠ [Dangerzone](https://dangerzone.rocks) (2024-2025)
A tool to convert potentially unsafe documents into safe ones. For the [Freedom of the Press Foundation](https://freedom.press)
#### 🗺️ [uMap](https://umap-project.org) (2023-2024)
Collaborative web-based map creation tool. Working on real-time collaborative features.
- #### 🚨 [Argos](https://framasoft.frama.io/framaspace/argos/) (2023-2024)
#### 🚨 [Argos](https://framasoft.frama.io/framaspace/argos/) (2023-2024)
Web supervision software and status board created for the [Framasoft Association](https://framasoft.org).
- #### 🧶 [Jacquard Pattern Generator](https://bekeko.notmyidea.org/) (2022)
#### 🧶 [Jacquard Pattern Generator](https://bekeko.notmyidea.org/) (2022)
Tool for designing knitting patterns. Simplifies color and pattern choices for hand-crafted projects. ([Coded in Elm](https://github.com/almet/bekeko))
- #### 🙌 [Copanier](https://github.com/spiral-project/copanier) (2019-2024)
#### 🙌 [Copanier](https://github.com/spiral-project/copanier) (2019-2024)
Web software to facilitate group purchases, modified for a co-op. ([Coded in Python](https://github.com/almet/copanier))
- #### 💸 [I Hate Money](http://ihatemoney.org) (2011-2023)
#### 💸 [I Hate Money](http://ihatemoney.org) (2011-2023)
Expense management web service for groups. Maintains an open instance at [ihatemoney.org](https://ihatemoney.org). ([Coded in Python+Flask](https://github.com/spiral-project/ihatemoney))
- #### 🔄 [Kinto](https://github.com/kinto/kinto) (2012-2015)
#### 🔄 [Kinto](https://github.com/kinto/kinto) (2012-2015)
Generic backend for web applications, initiated at Mozilla. Used for data synchronization in Firefox. ([Coded in Python+Pyramid](https://github.com/Kinto/kinto))
- #### ✍️ [Pelican](http://getpelican.com) (2010-2017)
#### ✍️ [Pelican](http://getpelican.com) (2010-2017)
Written a static site generator for transforming Markdown files into easily hosted websites. Used by projects like the [Linux Kernel](https://www.kernel.org/pelican.html) and [Debian](https://bits.debian.org/pages/about.html). ([Coded in Python](https://github.com/getpelican/pelican))
## Professional Experience
- #### Independent Developer (Since 2023)
#### Independent Developer (Since 2023)
Contractor for different projects. [Blog](https://blog.notmyidea.org)
- #### Co-founder, [Brasserie du Vieux Singe](https://www.vieuxsinge.com/) (2017 - 2023)
#### Co-founder, [Brasserie du Vieux Singe](https://www.vieuxsinge.com/) (2017 - 2023)
Established an organic craft brewery promoting cooperation. Transitioned out in the summer of 2023 to return to development.
- #### Engineer, [Mozilla](https://mozilla.org) (2011 - 2016)
#### Engineer, [Mozilla](https://mozilla.org) (2011 - 2016)
Part of the "Services" team working on user data, encryption, scaling sites like addons.mozilla.com, and data synchronization.
- #### [Le Grappe](https://www.reseaugrappe.org/) (2007 - 2012)
#### [Le Grappe](https://www.reseaugrappe.org/) (2007 - 2012)
Co-created and engaged in managing a network of environmental project organizations during student years, fostering collectivist values.
## Technical Skills

253
content/pages/worklog/dangerzone.md
View file

@ -5,18 +5,243 @@ template: worklog-en
---
## Jeudi 17 Octobre 2024 (8h, 5/5)
## Mardi 24 Décembre 2024 (6h, 3/5)
Merge-day today :-)
The release
- We finally merged the on-host conversion PR! Good work by A_pyrgio on this one. Happy to have it incorporated in time for the 0.8.0 release in the next few weeks: https://github.com/freedomofpress/dangerzone/pull/748
- Automating the closing of stale issues with the `needs info` tag after some inactivity: https://github.com/freedomofpress/dangerzone/pull/955
## Lundi 23 Décembre 2024 (4h, 3/5)
Found a security issue in Dangerzone via our security scans, we published a new
0.8.1 release. At the wrong time, but we've managed to keep things fast, and
release in one day where in the past we had to take way longer for this.
## Jeudi 19 Décembre 2024 (7h, 5/5)
- Moving our packages pyproject.toml to the new PEP 508 format, and use `uv` on it. Not completely there yet, but it's able to install and build, I'm expecting to hit some issues with packaging on macOS, windows and Linux, so that's the missing step right now.
- Discussing with Alex on ICU, trying to understand some of the missing pieces. It's not completely clear clear, but it's better than before. Bundles everywhere!
- Meeting with A_lex, A_da and G_iulio on ICU, it was very interesting to have their point of view and general "approval"
- Quick 1:1 with Alex, wrapping up for the year.
## Mercredi 18 Décembre 2024 (7h, 4/5)
- Quick sync with a_pyrgio
- Quick pairing session on blocked tests and blocked io for stderr
- Two PRs about these two, one for a `--debug` flag that can get debug information from gVisor, and the other one about checking Docker Desktop version.
## Mardi 17 Décembre 2024 (6h, 5/5)
- Opened issues about Independent Container Updates in our repository, summarizing where we are at, proposed a meeting with A_da and G_iulio about it. [Here is the main issue, if you want to follow along](https://github.com/freedomofpress/dangerzone/issues/1006)
- 1:1 with Harris
- Tour of the open PRs, merging what could be. (We now have ruff support!)
## Lundi 16 Décembre 2024 (8h, 5/5)
- Sync point with Alex this morning, where we discussed the overall state of ICU (Idependent Container Updates)
- Some more discussions about sigstore. Agreed upon the signing and attestation story about Sigstore
- Started porting our packaging to the PEP 508, as a first step to replace `poetry` with `uv`. Will continue tomorrow.
## Jeudi 12 Décembre 2024 (6h, 3/5)
Continued looking at the documentation for sigstore in order to have a better understanding of how it works, with the goal in mind to be able to generate Sigstore's bundles attached to container registries myself, without having to use GH Actions (that will prove useful when building the images on our own infra).
We synced with Alex, as we're getting both pieces of the overall context that's needed to understand how it works. I've been able to create attestations locally and add them to a container registry, but cosign follows its own signing scheme (when attaching the info to the container registries), rather than following sigstore's bundles. It's about the same place as yesterday, but with better understanding of how things work.
Updated the ruff PR, waiting for the CI to be green before merging.
## Mercredi 11 Décembre 2024 (9h, 4/5)
Trying to have image verification working for both GHA attestations and signature done via the cosign client.
It turns out that there are differences between signing / verifying container images and doing the same with attestations.Mainly, this means reading documentation around sigstore, the different specs and trying to get the whole picture. Not there yet, but making progress !
## Mardi 10 Décembre 2024 (4h, 5/5)
- Had a quick look at how python-sigstore is organised, to see if it would be possible to use our own certificate to verify sigstore bundles.
- Documented the HTTP requests and Accept headers needed to interact with the container registry in order to get the attestations / bundles to verify.
- Final review of the work by Alex on image references and using pydoit to paralellize the generation of the release assets.
- 1:1 with Harris
- Started using cosign (rather than a Github Action) to create attestations
## Lundi 09 Décembre 2024 (9h, 4/5)
- We synced this morning with Alex, focusing on what's next for the Independent container update effort.
- We discussed quickly about [an exploit](https://github.com/ultralytics/ultralytics/issues/18027) that was used to poison the Github actions cache. Interesting because we're on the verge of trusting Github at some point for our build process, so this gives us some more weight to wait on this until we reach reproducibility.
- I did another round of reviews (ruff integration from an external contributor, the change of how we refer to our images, integration of pydoit to help the release process)
- Integrated a few comments from H_arris in the blog platform, which is now able to detect the last published version from the posts metadata.
- Consolidated our findings from last week in [a script able to get the attestation from the container registry](https://gist.github.com/almet/de10e2b258df5a666c94fbb91be7e315#file-registry_client-py-L8) with python and requests.
## Jeudi 05 Décembre 2024 (7h, 4/5)
Discussions and implementation around Independent Container Updates with Alex, find a way to do the HTTP calls ourselves rather than relying on an external tool to interact with the container registry.
Team meeting, with E_than around :slightly_smiling_face:
## Mercredi 04 Décembre 2024 (7h, 4/5)
No notes taken
## Mardi 03 Décembre 2024 (8h, 4/5)
- Finally understood why Podman Desktop wasn't working as a drop-in replacement for Docker Desktop on macOS, as it was not mounting the volumes properly.
- Reviewed Alex's work where image IDs are changing from IDs to tags.
- 1:1 discussion with Harris
- Some discussion with Giulio about Webcat, to get some more understanding around the project
- Continuation of the work checking the Podman Desktop version and displaying a warning to the users when that happens.
## Lundi 02 Décembre 2024 (7h, 4/5)
- Sync with Alex
- Some more research on ICU (Indep. Container Updates)
- Progress on checking the version of Docker Desktop and mentionning it to the user
- Review of ruff format / lint as a replacement to black / isort
## Jeudi 28 Novembre 2024 (7h, 5/5)
- [An exploration](https://freedomofpress.slack.com/archives/C03FVBEFA86/p1732807630508179?thread_ts=1732525206.464909&cid=C03FVBEFA86) on signing container images and verifying them
- The beginning of adding checks for minimum Docker Desktop version on macOS and Windows
- Some discussion with Tails devs to see if they would like to give us a hand on Debian integration
- Listening to [Bonobo's Animal Magic album](https://www.youtube.com/watch?v=clsczmHXf9U). It's still magic.
## Mercredi 27 Novembre 2024 (7h, 4/5)
- Looking at the needed changes to bump our runners to `ubuntu-24`
- Finish a PR for the Dangerzone.rocks website, making it find the latest released version automatically and generate links for the releases automatically
- Started playing with independent container updates: created a GH action to release container images, generate, sign with cosign and upload to the ghcr. Currently the digests generated on the runner differ from the ones of the container registry, and that's where I left it.
- Took some time to organize the project issues and fit them in the next `0.9.0` release
## Mardi 26 Novembre 2024 (7h, 4/5)
- Checked the situation of the VFS driver on Debian, to see if we are missing something.
- Updated the release instructions so they're clearer and easier to reproduce
- Updated `apt-tools-prod` to use podman rather than docker, since that's what we're now using
- Proposed a change to the issue templates so the docker/podman info is included more often
- Update all the PRs that were pending and getting a bit out of date
- Applied changes to the "check changelog entry" PR, which should make it easier to populate changelog with each PR.
- Merged the "drop fedora 39 support" PR
- Removed the container scan on mac silicon for now, since it's not working well
- Investigated a bit on this subject to understand why colima isn't able to run on our silicon mac runners.
Mainly tidying and some post 0.8.0 stuff. Tomorrow I want to change the way we generate the release notes on the blog (it's still missing one small thing).
## Lundi 25 Novembre 2024 (5h, 4/5)
- Refining a bit the proposal about independent container updates;
- Meeting with Alex, synchronizing, talking about general directions for the project, redefining a bit how we organize during our syncs
- Had a look at the FOSDEM devrooms to see where it would make more sense to answer an RFP
- Organizing myself for the rest of the week, the goal being to finish post 0.8.0 pending tasks
- Debug macOS runners not doing parameter expansion the same way as other shells, and also trying to install docker on the macOS runners to do some more CI there.
## Jeudi 21 Novembre 2024 (7h, 2/5)
- Merged a few more post-release fixes
- Discussed with Alexis about independent container updates, how we can use Sigstore. Probably we will reach to our security experts within FPF with more questions.
- Dangerzone biweekly meeting, where we met Leila!
## Mercredi 20 Novembre 2024 (7h, 3/5)
- Rebased and merged a few PR that were waiting for me: [https://github.com/freedomofpress/dangerzone/pull/975](https://github.com/freedomofpress/dangerzone/pull/975), [https://github.com/freedomofpress/dangerzone/pull/961](https://github.com/freedomofpress/dangerzone/pull/961) [https://github.com/freedomofpress/dangerzone/pull/994](https://github.com/freedomofpress/dangerzone/pull/994) [https://github.com/freedomofpress/dangerzone/pull/959](https://github.com/freedomofpress/dangerzone/pull/959)
- Reviewed some work by Alex, his document on GH merge queues
- We had a meeting on this. It looks promising, and we need to decide on our trust model on GH
## Mardi 19 Novembre 2024 (7h, 3/5)
- Sync up with Alex on what happened last week while I was out
- Reviewing all notifications and acting on them.
- Updated PRs, reviewed some that were pending, and trying to get everything that's in the pipes closer to the exit side.
- All-staff meeting, with a dropping connection just when I needed it ![:wink:](https://a.slack-edge.com/production-standard-emoji-assets/14.0/google-medium/1f609@2x.png)
## Lundi 11 Novembre 2024 (3h, 5/5)
Created a stats dashboard for dangerzone.
# Jeudi 07 Novembre 2024 (7h, 4/5)
Post release stuff.
## Mercredi 06 Novembre 2024 (7h, 4/5)
We released DZ 0.8.0, after fixing some issues with it, rebuilt the container image and the .deb files, signed and published everything.
I've started doing some post-release tasks, which should help us in the long run.
## Mardi 05 Novembre 2024 (7h, 4/5)
- We really close to releasing Dangerzone 0.8.0. We have built and pushed all the required artifacts, and sent a PR for our website.
- .... but we are investigating a last minute issue with old Podman versions
- 1:1 with Harris
- 1:1 with Erik
It was a bit hard to continue facing problems when we wanted to "just release", and that really build a motivation for me to streamline the whole process.
## Lundi 04 Novembre 2024 (7h, 3/5)
Today was mostly release-related: Sync with Alex + Preparation of the release, hit again some "out of space" issues, but we're almost there.
## Jeudi 31 Octobre 2024 (8h, 4/5)
Today was mainly some QA on different platforms, testing that the next 0.8.0 release works on Ubuntu, Silicon macOS. I've hit a few issues down the road, the mac mini was full and I didn't figured why it wasn't working out directly.
My general feeling is that it takes too much time on repetitive tasks. I would like to find ways to streamline the whole process.
Then, the DZ Biweekly meeting. I have a feeling that things aren't really smooth between Alex and I, and I would like to ensure that
## Mercredi 30 Octobre 2024 (4h, 3/5)
- Prepared the CHANGELOG
- Reviewed some PRs by a_pyrgio
- Started QA on Debian and derivatives
## Mardi 29 Octobre 2024 (9h, 5/5)
- Sync with Alex about the upcoming 0.8.0 release
- Updated the deprecation warning message for ubuntu focal users
- Wrote release notes + a small script to gather them.
- Found out via user feedback that our CI isn't actually running the produced .exe files on windows. Trying to update the CI accordingly.
- Started to have a look at how to "attest" our artifacts on Github, using sigstore.
## Lundi 28 Octobre 2024 (11h, 5/5)
- Catchup on last week work
- Adding a deprecation warning for Ubuntu Focal users, asking them to upgrade their system to continue using Dangerzone
- Continue research on independent container updates.
- Removed the duplication of the action runs on the Github CI. We now only run on PRs
- Publish artifacts built in the CI (.msi, .app, .deb and .rpms). Not signed for now.
## Jeudi 17 Octobre 2024 (9h, 4/5)
Merge-day :-)
- We finally merged the on-host conversion PR! Nice work by A_pyrgio. Happy to have it incorporated in time for the 0.8.0 release in the next few weeks: https://github.com/freedomofpress/dangerzone/pull/748
- Automating the closing of stale issues with the needs info tag after some inactivity: https://github.com/freedomofpress/dangerzone/pull/955
- Rebased and merged a PR catching installation errors (and other podman/docker errors) and displaying them in the UI to help gather feedback from users when things go wrong: https://github.com/freedomofpress/dangerzone/pull/952
- Small reviews: https://github.com/freedomofpress/dangerzone/pull/958.
- Rebased the PR adding a `--debug` flag to `dangerzone-cli`. Running with gVisor in debug mode seem to block, not sure if it's related to the on-host conversion or some work I did in there. Will investigate later on.
- Investigated the signing situation on Windows
- Did some more investigation on the relationship between App Armor and flags passed to the container runtime. Commented about that on https://github.com/freedomofpress/dangerzone/issues/865
- Biweekly meeting, planning for 0.8.0 release and discussions on indep. container updates / container signing.
- Rebased the PR adding a --debug flag to dangerzone-cli. Running with gVisor in debug mode seem to block, not sure if it's related to the on-host conversion or some work I did in there. Will investigate later on.
## Mercredi 16 Octobre 2024 (6h, 4/5)
- Sync with Alex
- Published the Ubuntu 24.10 package
- Continued exploring the possibilities for signing container images. The fact we're using podman and/or docker on different platforms doesn't make it easy, as the two have different ways to sign / verify.
## Mardi 15 Octobre 2024 (6h, 5/5)
- Reviewed PRs for F41 and Ubuntu 24.10 support
- Changed the approach to testing the container installation failures. It's more reliable now and easier to think about. Submitted a PR for it.
- Proposed a change to close automatically stale issues with a specific `need-info` tag
## Lundi 14 Octobre 2024 (9h, 3/5)
We've started with a sync point with Alex, where we discussed the next items on the table. We found out that there are new releases out for Fedora 41 and Ubuntu 24.10, and they will need to be supported on the next 0.8.0 release.
As spinoffs of this discussion, I've had a look at how distrowatch could provide us RSS feeds for when new beta/RC releases are out, but the feeds doesn't seem to be that customisable, unfortunately.
I also created an issue about moving from argparse to click and from urllib to requests, as it seem it will allow for more uniformisation.
I've had a look at all the open issues. I wanted to do it for quite some time but never manage to find the time. It's good to now see what are a few blind spots, and seeing that the whole project can fit in my head.
Also built the package for ubuntu 24.10, and updated our CI to reflect this. Unfortunately it's not currently working (that's expected).
Summary:
- Sync with Alex on the tasks on the table + a few discussion points.
- Built a .deb file for ubuntu 24.10, to find out it's not working out of the box.
- Started having a look at why it's failing, and updating our CI to test for this platform.
- Had a look at all the issues in the repo. I wanted to do this since quite some time. Happy to see it fits in my head nicely, made a few comments on my way.
- Pushed a PR for #193 (Error detection and display)
## Jeudi 10 Octobre 2024 (9h, 5/5)
@ -29,6 +254,7 @@ We continued discussing a bit with Alex on different matters, and one of them wa
I also attended Giulio "braindump" session, where he explained how TUF and Sigstore work. My takeaway is that TUF can be seen as a kind of framework to decide how to validate new certs, and how to make it possible for the end users to have some sort of canary: if there are no updates, there is a problem somehow.
Sigstore is basically a way to a) have a proof that you are the owner of a {Google, Github} account, issuing certificates for this and b) sign and publish information related to artifacts you want to publish. There is an observatory inside it, to publish what's going on, following the same principles as Google CT for TLS certificates.
## Mercredi 09 Octobre 2024 (8h, 5/5)
I've reviewed the work done by Alex on the on host conversion, which spawned some interesting discussions about how to deal with our scripts generally speaking, covered by [#946](https://github.com/freedomofpress/dangerzone/issues/946) . I tested the branch locally on a M1 mac and it works well 🎉
@ -94,7 +320,13 @@ Started reviewing the onhost conversion PR Alex proposed. Will resume tomorrow o
- Did some reviewing on the preparation of the on host conversion PR
- Team meeting !
## Lundi 30 Septembre 2024 (7h, 4/5)
## Mardi 01 Octobre 2024 (7h, 4/5)
- Release of the DZ 0.7.1 hotfix release, announcements etc. with Alex!
- Attended Trevor's brownbag presentation on the history of FPF
- Updated the "move to GHA" branch
## Lundi 30 Septembre 2024 (8h, 4/5)
- Sync with @a_pyrgio about last week
- Review the 0.7.1 hotfix, updated commits, and created assets via our mac minis (.dmg for silicon, .deb and fedora 39,40 rpms). Tested the hotfix on an Apple M1 machine, it works.
@ -110,8 +342,6 @@ Started reviewing the onhost conversion PR Alex proposed. Will resume tomorrow o
- Had a quick look at the CSS for the DZ blogpost
- 1:1 with Harris
- DZ team meeting
## Mercredi 18 Septembre 2024 (8h, 4/5)
- Merged #906 - Fix wrong container runtime detection on Linux
@ -417,4 +647,3 @@ What I did today (a lot of reading, some meetings):
- I'm discovering how everything is structured. I find out about [yum-tools-prod](https://github.com/freedomofpress/yum-tools-prod) and [apt-tools-prod](https://github.com/freedomofpress/apt-tools-prod)
- I'm reading the [Code of Conduct](https://github.com/freedomofpress/.github/blob/main/CODE_OF_CONDUCT.md). It's nice to see this is though of, and well phrased.
- I'm reading the [meeting notes](https://github.com/freedomofpress/dangerzone/wiki/Meeting-Notes) and clicked on some issues to see what's worked-on at the moment ([Explore how to Simplify Save Options · Issue #427 · freedomofpress/dangerzone · GitHub](https://github.com/freedomofpress/dangerzone/issues/427))
-

73
content/pages/worklog/umap.md
View file

@ -2,9 +2,80 @@
title: uMap
save_as: umap/index.html
template: worklog
total_days: 90
total_days: 78
---
Total prévu sur uMap pour moi = 90 jours (y compris le mécénat de Scopyleft)
NLNet = 40 000€ = 62 jours
Fait = 87 jours.
MAIS: pas terminé le travail, il manque:
a. Scale things up:
- Throttling: frequency of sync: ability to send messages by batches
- Handle running multiple processes to handle more load, distribute the load on different WebSocket workers.
- Deal with maximum number of peers connected (what happens when the limit is met?)
b. Handle security:
- Find a mechanism to revoke permissions when the owner changes them
- Deal with an evil client sending messages to an elevated client.
- Process external security review
Ce qui représente 8000€ restant à payer de la part de NLNet pour:
8000€ = 12 jours (en moins)
- Actuellement: 61h de « non payé » = 5 664€ (à la fin de cette semaine) = 9j
Deux sujets:
- Comment est-ce qu'on termine ma « mission » ?
- Des sous ont été mis de côté (par Scopyleft ? Par David ?) plus tôt, qu'il n'a pas consommé, et il proposait de les utiliser ici.
## Mardi 12 Novembre 2024 (3h, 5/5)
## Mercredi 13 Novembre 2024 (8h, 5/5)
## Jeudi 14 Novembre 2024 (7h, 5/5)
## Vendredi 15 Novembre 2024 (7h, 5/5)
## Vendredi 25 Octobre 2024 (6h, 2/5)
Je continue le boulot sur la reconection des websockets, pour pouvoir afficher un dialogue quand on est déconnecté. Je teste et ça semble fonctionner, plutôt.
Je fais un test rapide sur le fait que le debounce peut fonctionner, c'est une première approche mais ça montre que déjà ce sera possible. J'aimerai bien cibler un peu plus pour que uniquement les modifications liées aux mêmes *properties* passent par debounce.
Le manque de motivation suite au sujet conflictuel de la veille (non réellement traité) et au fait que je me sens seul pour travailler sur ce projet de manière générale. Le stress aussi arrivant avec le fait que c'est bientôt la fin du temps prévu et disponible pour avancer.
## Jeudi 24 Octobre 2024 (6h, 1/5)
Dans la matinée, on discute avec Yohan, sur la manière de faire des reviews, et sur les interconnections avec la motivation de participer au projet. Je suis assez frustré par le questionnement de mes propositions et la forme que ça prends. On décide que Yohan prendra le lead sur les changements qu'il demande pour la gestion des layers.
L'après-midi, la motivation est à la baisse, je propose une manière de faire en sorte que les websockets se reconnectent automatiquement.
## Mercredi 23 Octobre 2024 (9h, 5/5)
Je change d'approche pour la gestion des layers, et j'utiliseune approche qui permet de stocker le futur UUID, avant qu'il soit envoyé sur le serveur, je passe du temps à débugger les tests pour finalement me rendre comptes des cas limites.
On discute de l'approche en commentaires interposés, et je commence en parallèle à travailler sur la reconnection des websockets.
## Mardi 22 Octobre 2024 (9h, 4/5)
Je commence par débugger des tests fonctionnels qui ne marchaient pas sur ma branche, parce que je ne vérifiais pas que `options.*` pouvait être envoyé dans le fonction qui vérifiait que le champ était bien dans le schema. Les tests passent. Je merge.
Jenchaîne sur la gestion des layers, et je change la manière dont ils sont enregistrés sur le serveur. Je fais un changement qui permet aux clients de specifier l'UUID lors de la sauvegarde. Certains tests ne passent pas, et c'est compréhensible, il manque encore un peu de travail. J'ai cru à un moment qu'il était normal que les layers ne soit pas demandés par requête spécifique, mais un appel avec Yohan me dit que c'est autre chose.
Biweekly de synchro, il faut que je prenne mes billets de train :-)
## Lundi 21 Octobre 2024 (6h, 5/5)
La reprise sur uMap. C'est l'avant dernière semaine. Je fais un tour des changements faits depuis la dernière fois, et je fait des modifications sur la PR qui permet d'afficher le nombre de pairs connectés.
On a une discussion avec Yohan sur la manière de rendre des données de titre et visibilité, qui est actuellement faite en dehors du `map.render()`. On se dit que ça peut être pas mal de passer par là si possible.
Je fais une revue du code qui permet d'ajouter le support de asgi. J'organise aussi un peu la semaine, en terme de tâches à faire. Demain, j'aimerai bien changer la manière dont la synchronisation des layers fonctionne, en proposant d'inverser l'assignation des UUIDs pour que ce soit le client qui s'en occupe, en tout cas qui puisse suggérer les modifications au serveur.
## Vendredi 27 Septembre 2024 (7h, 5/5)
Je trouve une manière de faire le déploiement avec uWsgi pour le serveur de websockets.

3
mnmlist/templates/article.html
View file

@ -9,6 +9,9 @@
<figure>
<h1 class="post-title">{{ article.title }}</h1>
<figcaption>
{% if article.subtitle %}
{{ article.subtitle }},
{% endif %}
{% if lectures %}
Lu en {{ article.date | strftime("%B %Y") }}
{% else %}

4
mnmlist/templates/category.html
View file

@ -1,8 +1,8 @@
{% extends "base.html" %} {% block content %}
<header class="{{ category }}">
<figure>
{% if category in CATEGORIES_DESCRIPTION.keys() %}
{% set cat = CATEGORIES_DESCRIPTION[category] %}
{% if category in CATEGORIES_DESCRIPTION.keys() %} {% set cat =
CATEGORIES_DESCRIPTION[category] %}
<h1 class="post-title">{{ cat[0] }}</h1>
<figcaption>
<a id="feed" href="{{ SITEURL }}/feeds/{{ category.slug }}.atom.xml">

113
mnmlist/templates/index.html
View file

@ -1,41 +1,74 @@
{% extends "base.html" %}
{% block content %}
<article>
<translated-text>
<div slot="fr">
<p>👋 <strong>Bienvenue par ici</strong>, je suis Alexis, un développeur intéressé par les
dynamiques collectives et les libertés numériques.</p>
<p>J'aime aussi explorer comment participer à des pratiques collectives, via la résolution de conflit et l'écoute.</p>
<p>Vous retrouverez sur ce site quelques
<a href="/journal" class="link-journal">billets de blog</a>, des <a href="/lectures" class="link-lectures">notes de lectures</a>, <a class="link-code" href="/code">des bouts
de code</a> et <a href="/ecriture" class="link-textes">des textes</a> que je veux garder quelque part. Bonne lecture !</p>
<p>Pour me contacter, envoyez-moi un email sur <code>alexis@</code> ce domaine (en enlevant <code>blog.</code>).</p>
</div>
<div slot="en">
<p>👋 <strong>Welcome here</strong>, I'm Alexis Métaireau, a software engineer interested by digital freedom and privacy.</p>
<p>I'm also a fellow human, exploring how to participate to healthy collectives via listening and conflict-resolution techniques.</p>
<p>I mostly publish here in French, but some stuff is in English. You can find here <a class="link-journal" href="/journal">journal entries (fr)</a>,
<a class="link-lectures" href="/lectures">reading notes (fr)</a> and some stuff related to <a class="link-code" href="/code">software engineering (en)</a>. Also, some <a class="link-ecriture" href="/ecriture">writing (fr)</a></p>
<p>To contact me, send me an email on <code>alexis@</code> this domain (without <code>blog.</code>).</p>
</div>
</translated-text>
</article>
{% if articles %}
<hr />
<div id="articles">
<filtered-articles>
{% set articles_in_categories = articles | rejectattr('category', 'in', HOMEPAGE_EXCLUDED_CATEGORIES) | list %}
{% set limited_articles = articles_in_categories[:20] %}
{% for article in articles_in_categories %}
<li class="item link-{{ article.category }}">
{% set category_description = CATEGORIES_DESCRIPTION.get(article.category)[0] or "" %}
<a href="{{ SITEURL }}/{{ article.url }}" class="page-title">
{{ category_icon }} {{ category_description }}: {{ article.title.replace(category_description, "") }}
</a>
<time datetime="{{ article.date.isoformat() }}">{{ article.date.strftime("%Y-%m-%d") }}</time>
</li>
{% endfor %}
</filtered-articles>
{% extends "base.html" %} {% block content %}
<article>
<translated-text>
<div slot="fr">
<p>
👋 <strong>Bienvenue par ici</strong>, je suis
<a href="/projets">Alexis</a>, un développeur intéressé par les
dynamiques collectives et les libertés numériques.
</p>
<p>
J'aime aussi explorer comment participer à des pratiques collectives,
via la résolution de conflit et l'écoute.
</p>
<p>
Vous retrouverez sur ce site quelques
<a href="/journal" class="link-journal">billets de blog</a>, des
<a href="/lectures" class="link-lectures">notes de lectures</a>,
<a class="link-code" href="/code">des bouts de code</a> et
<a href="/ecriture" class="link-textes">des textes</a> que je veux
garder quelque part. Bonne lecture !
</p>
<p>
Pour me contacter, envoyez-moi un email sur <code>alexis@</code> ce
domaine (en enlevant <code>blog.</code>).
</p>
</div>
{% endif %}
{% endblock content %}
<div slot="en">
<p>
👋 <strong>Welcome here</strong>, I'm
<a href="/resume">Alexis Métaireau</a>, a software engineer interested
by digital freedom and privacy.
</p>
<p>
I'm also a fellow human, exploring how to participate to healthy
collectives via listening and conflict-resolution techniques.
</p>
<p>
I mostly publish here in French, but some stuff is in English. You can
find here
<a class="link-journal" href="/journal">journal entries (fr)</a>,
<a class="link-lectures" href="/lectures">reading notes (fr)</a> and
some stuff related to
<a class="link-code" href="/code">software engineering (en)</a>. Also,
some <a class="link-ecriture" href="/ecriture">writing (fr)</a>
</p>
<p>
To contact me, send me an email on <code>alexis@</code> this domain
(without <code>blog.</code>).
</p>
</div>
</translated-text>
</article>
{% if articles %}
<hr />
<div id="articles">
<filtered-articles>
{% set articles_in_categories = articles | rejectattr('category', 'in',
HOMEPAGE_EXCLUDED_CATEGORIES) | list %} {% set limited_articles =
articles_in_categories[:20] %} {% for article in articles_in_categories %}
<li class="item link-{{ article.category }}">
{% set category_description =
CATEGORIES_DESCRIPTION.get(article.category)[0] or "" %}
<a href="{{ SITEURL }}/{{ article.url }}" class="page-title">
{{ category_icon }} {{ category_description }}: {{
article.title.replace(category_description, "") }}
</a>
<time datetime="{{ article.date.isoformat() }}"
>{{ article.date.strftime("%Y-%m-%d") }}</time
>
</li>
{% endfor %}
</filtered-articles>
</div>
{% endif %} {% endblock content %}

59
mnmlist/templates/worklog-en.html
View file

@ -44,32 +44,53 @@
"name": "table",
"values": [
{% for date, item in page.metadata.worklog.data.items() %}
{"date": "{{ date }}", "series": "Worked", "count": {{ item['payed_hours'] }}},
{"date": "{{ date }}", "series": "Worked", "count": {{ item['payed_hours'] }}, "happiness": {{ item['happiness'] }}},
{% endfor %}
]
}
,
"mark": "bar",
"encoding": {
"x": {
"timeUnit": {"unit": "", "utc": true},
"field": "date",
"axis": {"format": "%d/%m"},
"title": "Date"
"layer": [
{
"mark": "bar",
"encoding": {
"x": {
"timeUnit": {"unit": "", "utc": true},
"field": "date",
"axis": {"format": "%d/%m"},
"title": "Date"
},
"y": {
"aggregate": "sum",
"field": "count",
"title": "Hours"
},
"color": {
"field": "series",
"scale": {
"domain": ["Worked"],
"range": ["#1f77b4"]
}
}
}
},
"y": {
"aggregate": "sum",
"field": "count",
"title": "Hours",
},
"color": {
"field": "series",
"scale": {
"domain": ["Worked"],
"range": ["#1f77b4"]
{
"mark": "line",
"encoding": {
"x": {
"timeUnit": {"unit": "", "utc": true},
"field": "date"
},
"y": {
"field": "happiness",
"title": "Happiness",
"scale": {"reverse": true} // Reverse only the y-axis for happiness
},
"color": {
"value": "green"
}
}
}
}
]
};
vegaEmbed("#vis", spec)

63
mnmlist/templates/worklog.html
View file

@ -24,7 +24,7 @@
<summary>Stats</summary>
<ul>
<li>{{ page.metadata.worklog['total_hours'] }}h prévues</li>
<li>{{ page.metadata.worklog['payed_hours'] }}h rémunérées</li>
<li>{{ page.metadata.worklog['payed_hours'] }}h faites</li>
<li>{{ page.metadata.worklog['volunteer_hours'] }}h bénévoles</li>
</ul>
<table>
@ -61,33 +61,54 @@
"name": "table",
"values": [
{% for date, item in page.metadata.worklog.data.items() %}
{"date": "{{ date }}", "series": "Rémunéré", "count": {{ item['payed_hours'] }}},
{"date": "{{ date }}", "series": "Bénévole", "count": {{ item['volunteer_hours'] }}},
{"date": "{{ date }}", "series": "Rémunéré", "count": {{ item['payed_hours'] }}, "happiness": {{ item['happiness'] }}},
{"date": "{{ date }}", "series": "Bénévole", "count": {{ item['volunteer_hours'] }}, "happiness": {{ item['happiness'] }}},
{% endfor %}
]
}
,
"mark": "bar",
"encoding": {
"x": {
"timeUnit": {"unit": "", "utc": true},
"field": "date",
"axis": {"format": "%d/%m"},
"title": "Date"
"layer": [
{
"mark": "bar",
"encoding": {
"x": {
"timeUnit": {"unit": "", "utc": true},
"field": "date",
"axis": {"format": "%d/%m"},
"title": "Date"
},
"y": {
"aggregate": "sum",
"field": "count",
"title": "Heures"
},
"color": {
"field": "series",
"scale": {
"domain": ["Bénévole", "Rémunéré"],
"range": ["#e7ba52", "#1f77b4"]
}
}
}
},
"y": {
"aggregate": "sum",
"field": "count",
"title": "Heures",
},
"color": {
"field": "series",
"scale": {
"domain": ["Bénévole", "Rémunéré"],
"range": ["#e7ba52", "#1f77b4"]
{
"mark": "line",
"encoding": {
"x": {
"timeUnit": {"unit": "", "utc": true},
"field": "date"
},
"y": {
"field": "happiness",
"title": "Happiness",
"scale": {"reverse": true} // Reverse only the y-axis for happiness
},
"color": {
"value": "green"
}
}
}
}
]
};
vegaEmbed("#vis", spec)

7
pelicanconf.py
View file

@ -47,10 +47,10 @@ INDEX_SAVE_AS = "index.html"
CATEGORY_SAVE_AS = "{slug}/index.html"
CATEGORY_URL = "{slug}/"
ARTICLE_URL = '{slug}.html'
ARTICLE_URL = "{slug}.html"
ARTICLE_LANG_URL = '{slug}.html'
ARTICLE_LANG_SAVE_AS = '{slug}.html'
ARTICLE_LANG_URL = "{slug}.html"
ARTICLE_LANG_SAVE_AS = "{slug}.html"
MENU = [
# ("Journal", "/journal/index.html", "journal"),
@ -97,6 +97,7 @@ CATEGORIES_DESCRIPTION = {
"fr",
),
"ecriture": ("Écriture", "Textes rédigés lors d'ateliers d'écriture", "✍️", "fr"),
"recettes": ("Recettes", "Bah oui!", "", "fr"),
}
HOMEPAGE_EXCLUDED_CATEGORIES = [

28
plugins/simplereader.py
View file

@ -65,8 +65,7 @@ class WorklogPreprocessor(Preprocessor):
happiness,
) = match.groups()
volunteer_hours = int(
volunteer_hours) if volunteer_hours else 0
volunteer_hours = int(volunteer_hours) if volunteer_hours else 0
payed_hours = int(payed_hours)
happiness = int(happiness)
date = datetime.strptime(f"{day} {month} {year}", "%d %B %Y")
@ -93,8 +92,7 @@ class WorklogPreprocessor(Preprocessor):
This is run once, after everything has been parsed
"""
payed_hours = sum([item["payed_hours"] for item in self.data.values()])
volunteer_hours = sum([item["volunteer_hours"]
for item in self.data.values()])
volunteer_hours = sum([item["volunteer_hours"] for item in self.data.values()])
data = dict(
data=self.data,
@ -122,8 +120,7 @@ class SimpleReader(MarkdownReader):
def __init__(self, *args, **kwargs):
super(SimpleReader, self).__init__(*args, **kwargs)
self.settings["MARKDOWN"]["extensions"].append(
"markdown.extensions.toc")
self.settings["MARKDOWN"]["extensions"].append("markdown.extensions.toc")
self.settings["MARKDOWN"]["extensions"].append(
MarkdownInclude({"base_path": self.settings["PATH"]})
)
@ -171,17 +168,24 @@ class SimpleReader(MarkdownReader):
if len(parts) > 3:
metadata["date"] = get_date("-".join(parts[:3]))
if "slug" not in metadata:
metadata["slug"] = slugify(
metadata["title"], self.settings.get(
"SLUG_REGEX_SUBSTITUTIONS", [])
)
category = os.path.basename(
os.path.abspath(os.path.join(source_path, os.pardir))
)
if category in ("Desserts", "Lactofermentation", "recettes"):
category = "recettes"
if not metadata.get("date"):
metadata["date"] = get_date("2024-05-02")
metadata["title"] = Path(source_path).stem
metadata["category"] = self.process_metadata("category", category)
if "slug" not in metadata:
metadata["slug"] = slugify(
metadata["title"], self.settings.get("SLUG_REGEX_SUBSTITUTIONS", [])
)
try:
lang = self.settings["CATEGORIES_DESCRIPTION"].get(category)[3]
except Exception: