
v1.6.7 - Master-User Impersonation, vCard 4.0 Contact Support, and Multi-Account Push

By: rathlinus
17 May 2026 at 18:29

1.6.7 (2026-05-17)

Features

  • Contacts: vCard 4.0 parsing and generation support
  • Admin: Master-user impersonation route with app-top-banner plugin slot rendered on every authenticated page
  • Admin: Allow admin password overwrite during setup recovery
  • Setup: HTTPS requirement warning in the setup wizard
  • Mobile: Show details toggle and expandable panel for sender info

Performance

  • Calendar: Speed up calendar invitation banner load

Security

  • Mail: Sandbox thread email HTML in srcDoc iframe with a CSP <meta> tag
  • Admin: Redact sensitive config secrets from the admin API response
  • Admin: Make impersonation cookies session-only

Fixes

  • Auth: Read OAUTH_SCOPES at runtime instead of build time
  • Auth: Use a relative Location header in redirects
  • Auth: Adopt orphan session cookie on first SPA load
  • Mail: Per-account push subscriptions so multi-account notifications work (#298)
  • Mail: Close attachment preview when clicking outside the content area
  • Mail: Pin quick reply to the bottom for short emails
  • Mail: Show "no body content" instead of an infinite skeleton for bodyless emails
  • Mail: Show contact popup when clicking the sender name in the email header
  • Mail: Prevent long addresses from overflowing email details columns (#297)
  • Mobile: Align quick reply with the mobile bottom toolbar
  • Mobile: Respect safe-area insets on mobile bottom bars
  • Mobile: Pad safe-area-inset-top
  • UI: Apply dark background to the email content wrapper in dark mode
  • UI: Improve dark mode background colors in the email viewer
  • UI: Add viewport export with initialScale: 1
  • UI: Strip the Stalwart master-user % suffix from the displayed account
  • Plugins: Warn and block install when the app version is below the plugin's minAppVersion
  • Plugins: Register app-top-banner in plugin-store SLOT_NAMES
  • Plugins: Carry configSchema + settingsSchema through marketplace install
  • Build: Add outputFileTracingExcludes to reduce Turbopack memory tracing

i18n

  • Add missing translation keys across 16 locales


v0.5.1 - “Swamp Castle”

17 May 2026 at 12:30

0.5.1 (2026-05-17)

  • Feature: [#24242] [Plugin] Add ride-breakdown hooktype.
  • Feature: [#24879] [Plugin] Add methods for showing and hiding gridlines.
  • Feature: [#26327] Add ‘guests entertained’ statistic to entertainers.
  • Improved: [#26374] Add higher resolution app icons for Android.
  • Improved: [#26386] Initial window scale and toolbar options on fresh Android installations.
  • Change: [#26476] Limit creation of new station styles to prepare for more flexibility with ride stations and entrances.
  • Fix: [#25581] Chart drawing issue on some platforms due to compiler optimisation.
  • Fix: [#26019] Inverted and Inverted Flying Roller Coaster large half loops glitch with the train and don’t draw in tunnels at some angles (original bug).
  • Fix: [#26183] The ride stat graph placeholder text is not drawn in the expected position.
  • Fix: [#26287] Game crashes upon connect/disconnect of physical keyboard.
  • Fix: [#26299] Single Rail S-Bend sprites don’t fully connect to the next track piece at certain angles.
  • Fix: [#26352] Large scenery items are incorrectly labelled as ‘banners’ in the tile inspector.
  • Fix: [#26352] The label for path additions is using the wrong text colour in the tile inspector.
  • Fix: [#26360] Inverted Lay-down Roller Coaster helices are invisible when loading old saves.
  • Fix: [#26396] [Plugin] Socket interfaces were not closing properly and firing up correctly in parallel.
  • Fix: [#26410] Tiles with water can draw incorrectly when there is something underwater and nothing above water.
  • Fix: [#26418] Game crashes when a stack overflow occurs in plugin code.
  • Fix: [#26419] Drop count & negative g’s stat requirements for Flying Roller Coaster don’t get nullified by having an inversion.
  • Fix: [#26421] Wrong scenery tab highlighted when more than 64 scenery groups are selected.
  • Fix: [#26425] Benches don’t reduce watching spots from 4 to 2 while other path additions do (should be reversed).
  • Fix: [#26432] Guests choose to head for rides they have already ridden if they don’t have a map.
  • Fix: [#26492] Drag tool shows per-tile error instead of total cost when running out of money midway through placement.
  • Fix: [#26510] Displayed air time overflows after 655.35 seconds instead of the internal maximum of 1966.05 seconds.

Release created in https://github.com/OpenRCT2/OpenRCT2/actions/runs/25987971355

SHA256 checksums:



Otto Kekäläinen: Balancing persistence vs pivoting – is grit a virtue or wasteful?

17 May 2026 at 02:00

Being persistent, sticking to a plan and showing up to work every day is generally valued highly across all cultures as virtuous behavior. It is obvious that anything of value and worth achieving is also not easy, but requires significant and recurring effort. Learning a new language, winning a sports competition or building a successful business are all typical scenarios where grit plays a central role above everything else. However, sometimes the virtue of tenacity can result in just a waste of energy.

The question is then: how does one recognize that true progress is being blocked by stubbornness and a pivot would be the correct decision, as opposed to being close to breakthrough where doing more of the same would actually be the right choice?

What is persistence actually?

To think clearly about this topic, one must first grasp the concept of “grit” and what it looks like in practice. Research by psychologist Angela Duckworth on “grit” shows that sustained effort in the face of setbacks separates high achievers from those who quit too soon. Entrepreneurs who iterated through dozens of failed prototypes or writers who revised manuscripts for years understand this truth. Persistence builds resilience, deep expertise, and the kind of compounding results that shortcuts cannot deliver. It also protects against the distraction of shiny new ideas that pull focus from what actually works.

Persistence is about:

  1. Believing in an outcome and working towards it despite people around you not sharing the belief, and despite your own work and experiments not being successful.
  2. Continuing to hold the belief and sticking to the decision despite other ideas, solutions and competing alternatives surfacing.
  3. The more time passes, the firmer the conviction becomes. Time, money, and emotional energy invested in a failing direction create psychological pressure to continue (sunk-cost fallacy).

Simply following through on a plan or upholding a contract is not true persistence. Grit is a personal trait one can cultivate to actually become more energized to do something precisely because it turns out to be harder than expected.

Pivoting: a calculated choice

The opposite of being persistent is giving up. Pivoting is not about giving up, but about redirecting the energy and momentum towards a new goal. Pivoting requires coming to the realization that you were wrong, and going through the painful process of discovering a new truth.

Ideas tend to be abundant, and doing something new isn’t hard as such. The hard part is to abandon a previously held belief and adopt a new one with equal conviction. To have that conviction you need to have data and metrics. This is also the key to how to decide between persisting vs pivoting at any moment in time.

Key metrics of success

Any decision is only as good as the information available at the time it was made. To be set up for success one needs to start by deciding on what the actual goal is, what one values and how progress is measured.

Key metrics are usually easiest to discover by working backwards from the goal. If you want to build an electric car, you might decide that the goal is to have a car that costs 30,000 euros and can drive 300 km on one charge. From that goal you can break down what the cost structure should be, what volume of production is needed to break even, what raw materials are needed and what the battery chemistry needs to achieve to meet the goal. That can further be broken down into a rate of progress. Suppose the plan requires battery energy density to reach 150 Wh/kg to be viable. If the state of the art starts at 100 Wh/kg and funding lasts a maximum of five years, the team needs at least an 8% improvement every year (1.08^5 × 100 Wh/kg ≈ 150 Wh/kg). This can then be used as a guideline. Sometimes progress is not steady, but happens in jumps. Even in those cases there should be a trajectory to benchmark the jumps against.

In an online business, the key metric could, for example, be one of these:

  • 7- or 30-day retention rate: Do new users who try the service actually like it?
  • Weekly or monthly active users: Is usage trending up?
  • Feature adoption rate: In an existing service, how many users are using the new feature?
  • Product-Market Fit Score (from Sean Ellis test): Percentage of users who say they would be “very disappointed” if the product disappeared. Above 40% is a strong early indicator. A number below that (after multiple iterations) is a good data point to pivot.
  • Revenue run rate or burn rate: The most generic metric everything eventually boils down to. Healthy markets reward good products.

Weekly metrics are better than monthly, as they make the feedback loop faster and allow you to get validation quickly and do minor course corrections along the way. A complete pivot should, however, be based on long-term data, driven by the key metric and supported by additional data points.

Metrics are also needed because they can’t be bribed or convinced to be anything other than what they are. Listening to other people is good, but just relying on the opinion of others is extremely dangerous because people are biased—either for you or against you—depending on whether they see you as a trusted leader or an outcast.

Key metrics are of course domain-specific and everyone needs to come up with their own. However, you must have some key metric. You can’t have the excuse that what you are doing can’t be measured. If you are part of a larger organization and you need to advocate for a difficult decision—for example, to “kill your darlings” when facing a pivot—you need to have the metrics to back up your views, and those metrics need to have been established way before as something the organization values, and not cherry-picked just for this one decision.

It does not matter if you are on a personal improvement journey, running a political campaign, inventing a new product, or growing a business – you need to have some metric you can check at any given time to see if things are improving fast enough to predict success. Metrics can and should also be used in daily work to validate that you are on the correct path, and to optimize execution.

Famous examples of persistence and pivoting that led to breakthroughs

In all of the cases below it is of course in hindsight easy to say they made the right decision. However, take a minute to try to imagine yourself in their shoes at the time of the decision. What metrics might they have had available to support their decision? What would you have wanted to measure or find out if you were in the same situation?

  • Frustrated that his vacuum lost suction, James Dyson spent five years and built thousands of failed prototypes in a backyard shed. He remortgaged his home, lived on savings, and faced rejection from every major manufacturer who wanted to protect their bag-replacement business. The 5,127th prototype based on an idea from a sawmill with a cyclone finally worked. Launched in 1993, the Dyson DC01 became Britain’s best-selling vacuum within two years.
  • As a single mother on welfare in the mid-1990s, J.K. Rowling finished her manuscript for Harry Potter and the Philosopher’s Stone while battling depression and poverty. She hand-typed copies and mailed them to publishers. Twelve rejected it outright, with comments like “children’s books about magic don’t sell.” She nearly quit multiple times but kept revising and submitting. Bloomsbury finally accepted it after the CEO’s eight-year-old daughter read the first chapter and demanded the rest. The series has since sold hundreds of millions of copies worldwide.
  • Founded in 1997 as a mail-order DVD rental service, Netflix added unlimited subscriptions in 1999 to compete with Blockbuster. By 2007, broadband growth and declining DVD sales signaled a shift. CEO Reed Hastings pivoted aggressively toward streaming, investing in bandwidth deals and original content while de-emphasizing physical media. The move faced skepticism, but eventually changed the whole culture of how entertainment is consumed.
  • YouTube launched in 2005 as a video-dating site. Founders offered money to women who uploaded dating videos, but almost no one did. Meanwhile, users uploaded random clips. The team recognized the mismatch and pivoted within months to a general-purpose video-sharing platform with easy uploading. Google bought it just 18 months later.
  • Instagram began in 2010 as Burbn, a location-based check-in app that let users post plans, earn points, and share photos. Co-founders Kevin Systrom and Mike Krieger quickly noticed users ignored most features and mainly used it for photo-sharing. They made the tough call: scrap everything else. Within weeks, they rebuilt the app around clean, simple photography with filters. The pivot launched as Instagram in October 2010. It gained 1 million users in two months and was acquired by Facebook just 18 months later.

Insanity or conviction?

English has several proverbs that warn against excessive persistence, such as “banging your head against the wall”. Insanity is commonly defined as “Doing the same thing over and over again and expecting different results.”

In Finland, the national identity is practically built on the concept of “sisu”. It means much more than just “grit”. The word is derived from the word for “inside” or “guts” and represents an unexplained, almost superhuman force that makes one stoically take action despite seemingly impossible odds and somehow succeed anyway. It became a defining national mythos during the Winter War (1939–1940), where a force 10 times larger than the Finnish army tried to invade the country but was stopped and Finland just barely managed to keep its independence. The word “sisu” transitioned from a character trait to a pillar of national survival.

I think Finns survived because the more you believe in persistence, the more likely you are to persist. I view persistence as a religion that requires faith, while pivoting is a science where you derive the truth from the numbers.

When in doubt, I would always choose persistence over pivoting. Perhaps it is because of my genetic tendency towards having “sisu”, but I would also rather keep on going a bit more and try one more time before giving up and pivoting in order to get more data, so that when I pivot, I know it is absolutely the right thing to do at that point.

Depending on the situation, the costs of postponing the pivot vary. Of course, if the main metric is the burn rate and a company is running out of money, a pivot must be done early enough that the remaining runway is enough to execute the pivot, and then some more.

In some situations a business idea might simply be ahead of its time. If that is the conviction and the key metrics support it, the best way to navigate the situation is to cut down on costs and wait for competitors to appear, help build general awareness, and then ramp up again to ride the wave. Remember that success does not come from grit alone – there is always an element of timing and luck as well. But if you are not persistent and stop showing up every day, you won’t be able to seize the opportunities if and when they arise.

Failure is the likely outcome – you have to avoid it at any cost

One must also realize that most attempts end in failure. Failure is the baseline, and success is the exception. To reach a breakthrough, one must be stubbornly persistent. In particular, if you are a leader, you need to be so high in conviction that it almost becomes an aura that radiates to those around you.

Postponing the decision to pivot allows you to get a bit more data for the decision, so that once you pivot, you have full belief in the new direction. Once you pivot, there is no looking back, otherwise you will undermine morale and most certainly fail with the new thing as people will execute it with hesitation.

Failure is statistically always the more likely outcome. Most things end in failure and we never hear about them. If someone on your team does not believe in what you are doing, it is very easy for them to “prove” that something is a failure by spreading negativity, putting in less effort (perhaps unconsciously due to lack of conviction) and thus actually contributing to a self-fulfilling failure.

In most areas of life, ideas are cheap and the only thing that matters is execution. To be good at executing, you need to be good at making decisions. When drafting plans it is good to have alternatives and a lot of consideration. However, when execution starts, there is no room for doubt, otherwise the chances of success decrease.

Therefore, the best way of balancing persistence vs pivoting is to

  1. plan well ahead,
  2. establish the key metrics,
  3. have thresholds established for what would trigger a pivot, and
  4. do everything you can to move the metrics in the direction you want them to go.

Finally, if you decide to pivot, you must do so only with very high conviction, as you can’t undo a pivot, and you should not be doing multiple pivots in a row either. If you are fully convinced yourself about the pivot, you will also be able to convince others about it, and carry the momentum.


v1.19.2

By: kmendell
17 May 2026 at 07:13

Bug fixes

Performance improvements

Dependencies

  • bump to go 1.26.3 (8e819fe by @kmendell)
  • bump all go deps (6817e70 by @kmendell)
  • bump the npm_and_yarn group across 1 directory with 2 updates (#2600 by @dependabot[bot])
  • bump svelte from 5.55.5 to 5.55.7 in the npm_and_yarn group across 1 directory (#2601 by @dependabot[bot])
  • bump github.com/danielgtaylor/huma/v2 from 2.37.3 to 2.38.0 in /backend (#2612 by @dependabot[bot])
  • bump github.com/docker/cli from 29.4.3+incompatible to 29.5.0+incompatible in /backend (#2613 by @dependabot[bot])
  • bump google.golang.org/grpc from 1.81.0 to 1.81.1 in /backend (#2610 by @dependabot[bot])
  • bump prettier-plugin-svelte from 3.5.1 to 3.5.2 (#2618 by @dependabot[bot])

Other

Full Changelog: v1.19.1...v1.19.2


Russ Allbery: Review: Unwinding Anxiety

17 May 2026 at 04:52

Review: Unwinding Anxiety, by Judson Brewer

Publisher: Avery
Copyright: 2021
ISBN: 0-593-33045-5
Format: Kindle
Pages: 268

Unwinding Anxiety is a non-fiction self-help book about how to reduce anxiety. The author is a board-certified psychiatrist specializing in addiction and substance abuse, who has subsequently done clinical and research (and commercial, more on that later) work in anxiety. His previous book, The Craving Mind, was a pop science treatment of addiction research. This book is more deliberately structured as a self-help guide.

(The cover will assure you that he has an M.D. and a Ph.D. I don't include honorifics and degrees in author listings as a small protest against the weird social rules about which degrees count and which don't.)

There are a lot of self-help books out there about anxiety. There are a lot fewer that say something relatively original. I think this is one of the latter, but I certainly have not done a survey of the subgenre, and it's possible the ideas here are only new to me. Brewer makes three basic claims in this book, all of which I found personally useful:

  1. Anxiety can be usefully analyzed as a habit. The rumination loop and other related anxiety behaviors such as excessive analysis, reassurance-seeking, and negative anticipation take the form of deeply ingrained habits triggered by stimuli.

  2. Raw willpower is not a useful way to break habits in general and anxiety habits in particular. In order to displace the habit, you have to retrain the part of your brain that runs habits on autopilot. Attempting to override it with willful effort is exhausting and likely to fail.

  3. Habit loops in general, and anxiety loops in particular, can be defused and replaced using mindfulness techniques.

This is not the way Brewer lays out the book. He goes to some effort to lead the reader slowly through three techniques for handling anxiety (for which he uses the metaphor of "gears," like for a bicycle or car) by introducing them one at a time and encouraging the reader to become thoroughly familiar with each one before moving on to the next. Since this is a book review, I'm going to give you the whole argument at once so that you know where this book is going. This may be less helpful in practice; if you're trying to use this technique on your own anxiety, you may want to read the book instead and not jump ahead.

Brewer's three gears are:

  1. Identify your habit loops and recognize when they're happening. (This part felt the most similar to traditional cognitive behavioral therapy to me.)

  2. Focus on how those habit loops make you feel. Rather than trying to force the habit loop to stop, let it happen but pay very close attention to the outcome and its effects on you.

  3. Find and focus on a different reaction that provides better rewards than the anxiety habit loop. Brewer suggests curiosity.

For me, the point where I thought "okay, you have my attention" is when Brewer described the way many people, particularly people without anxiety, tell people with anxiety to "just stop thinking about it" or "just do the thing you're anxious about anyway and you'll see it will be fine" and then described in detail why he believes that doesn't work. This is one of the few discussions of anxiety I've read where the author goes out of his way to stress that you cannot simply think your way out of anxiety and that repeatedly trying to do so and failing is exhausting and demoralizing.

Everyone is different and I know some people find cognitive behavioral therapy very helpful, but I find the constant effort to challenge cognitive distortions more draining and demoralizing than useful. His second gear, of not directly confronting the habit loop but instead watching its effect and thinking about its outcome, feels so much more approachable to me. Assuming, of course, it works.

Brewer's approach is essentially just mindfulness, although he mostly avoids the (to me at least) somewhat off-putting typical introduction to mindfulness via religious practice or general well-being and instead ties it to a theorized model of how habits work in the human brain. His contention is that habits, including anxiety, exist because at some point they provided a reward that was sufficiently compelling to make the habit-following part of your brain seek that reward. You were getting some benefit (a sense of control, a sense of being prepared, temporary reassurance, etc.) out of the anxiety reaction, which is why the anxiety habit formed in the first place. Once that habit is in place, it can continue without the reward. (Although in my experience there is probably still some short-term reward.)

Rather than trying to force yourself to stop following the habit, Brewer instead suggests letting the habit happen but then focusing (via mindfulness) on how following the habit makes you feel, whether it improves your sense of well-being or worsens it, and whether other actions produce different feelings. The goal, in other words, is to undermine the assumption of reward and to challenge any short-term reward with the long-term discomfort that made you want to stop being anxious.

This avoids using your conscious brain to exert direct willpower, which is exhausting and usually unsuccessful since the habit-following part of your brain is stronger (for various evolutionary psychology reasons he explains and that I found at least partly credible). Instead, you are using its strengths of observation and classification. You pay close attention to the ways in which the habit loop makes you feel bad, which in theory provides feedback to the habit-following part of your brain that can dislodge the habit. If the habit is recognized as no longer rewarding, it will weaken.

Brewer's background is in addiction treatment, so he is predisposed to see addiction in everything and one should probably be a bit cautious about his enthusiasm. He claims a great deal of success with this approach in clinical settings, mostly with addiction but also with anxiety, but this is always hard to verify. (Few doctors who write self-help books rigorously document their failures.) He apparently also has a company that produces various phone apps that assist with this technique. I'm rather cynical about anyone who talks about products their company has produced in self-help books of this type, and I'm also rather cynical about anyone who calls himself "Dr. Jud," but the book doesn't seem to be a sales pitch and there's no direct information in it about how to get the apps.

For me, the first two parts of the book were the most useful and the conception of anxiety reactions as habits made a surprising amount of intuitive sense. I thought the third part of the book, where he tries to describe a better in-the-moment reaction that you can try to build into a more beneficial habit, to be the weakest. It's mostly stock mindfulness advice that I've seen in other places, and you will be entirely unsurprised to learn that Brewer meditates and has studied meditation. I think it's clear that, for him, a feeling of curiosity works as an anxiety replacement; I'm not sure that's universal and I'm not sure it works for me.

That core idea that anxiety reactions are a type of addictive habit that have outlived their useful rewards but continue because habits are hard to change felt both useful and at least a little bit true, though. Your mileage may, of course, vary, but I've been trying out various ideas from this book since I first started reading it, and I think it's helping. If any of this clicks with you and you're also prone to anxiety, it might be worth a read.

One warning, though: Brewer's previous work on addiction includes binge eating, and while it's not a primary focus, he uses several weight loss and disordered eating examples and has a very traditional medical attitude towards weight. I'm somewhat dubious of the addiction model of weight gain in general, but more to the point, it's rather off-putting in a book supposedly about anxiety. It's something I was able to skim over, but be aware going in if you're likely to find this obnoxious.

I do think this book is a case of an addiction researcher seeing everything through the lens of addiction, and I'm a little dubious this is the right model for everyone's anxiety. But this is one of the good reasons why there are a lot of books about anxiety: Different approaches suit different people. This one made more sense to me than most; maybe you are similar.

I can't really recommend or not recommend a book like this, since I think so much will depend on whether you are one of the people for whom this specific explanation will click, but I'm glad that I read it and I think it's good to know that this model of anxiety exists.

Rating: 8 out of 10


Antoine Beaupré: The Four Horsemen of the LLM Apocalypse

15 May 2026 at 23:25

I have been battling Large Language Models (LLM[1]) for the past couple of weeks and have struggled to think about what it means and how to deal with its fallout.

Because the fight has come from many fronts, I've come to articulate this in terms of the Four Horsemen of the Apocalypse.

Sound track: Metallica's The Four Horsemen, preferably downloaded from Napster around 2000, but now I guess you get it on YouTube.

War: bot armies

Let's start with War. We've been battling bot armies for control of our GitLab server for a while. Bots crawl virtually infinite endpoints on our Git repositories (as opposed to downloading an archive or shallow clone), including our fork of Firefox, Tor Browser, a massive repository.

At first, we tried various methods: robots.txt, blocking user agents, and finally blocking entire networks. I wrote asncounter. It worked for a while.

But now, blocking entire networks doesn't work: they come back some other way, typically through shady proxy networks, which is kind of ironic considering we're essentially running the largest proxy network of the world.
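To make the failure mode above concrete, here is an added example (not code from this post, and not asncounter itself) that counts access-log hits per network and measures how much of the load a "block the heavy networks" rule would actually stop. It assumes Combined Log Format, GitLab-style `/-/commit/` URLs, and fixed /24 and /48 prefixes as a stand-in for an ASN lookup; all log lines are constructed from documentation address ranges.

```python
import ipaddress
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Assumption: GitLab-style per-object URLs (one page per commit, blame, blob...).
PER_OBJECT_RE = re.compile(r"/-/(?:commit|blame|blob|tree|raw)/")


def parse(lines):
    """Yield (ip, path) per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        yield ip, m.group(3)


def network_of(ip, v4_prefix=24, v6_prefix=48):
    """Map an address to its enclosing prefix (stand-in for an ASN lookup)."""
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def hits_per_network(lines):
    """Count requests per source network."""
    counts = Counter()
    for ip, _path in parse(lines):
        counts[network_of(ip)] += 1
    return counts


def heavy_networks(lines, threshold):
    """Networks with at least `threshold` requests: the blocklist candidates."""
    counts = hits_per_network(lines)
    return sorted(str(net) for net, n in counts.items() if n >= threshold)


def blocked_share(lines, threshold):
    """Fraction of all requests that blocking the heavy networks would stop."""
    counts = hits_per_network(lines)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(n for n in counts.values() if n >= threshold) / total


def per_object_requests(lines):
    """Requests for per-object repository pages, regardless of their source."""
    return sum(1 for _ip, path in parse(lines) if PER_OBJECT_RE.search(path))


def sample_line(ip, path):
    """Build one constructed log line (not real traffic)."""
    return (f'{ip} - - [15/May/2026:12:00:00 +0000] "GET {path} HTTP/1.1" '
            f'200 512 "-" "Mozilla/5.0"')


# Constructed sample 1: one /24 fetches 200 commit pages; two ordinary visitors.
CONCENTRATED = [
    sample_line(f"192.0.2.{i % 50 + 1}", f"/group/project/-/commit/{i:040x}")
    for i in range(200)
] + [
    sample_line("198.51.100.7", "/group/project"),
    sample_line("203.0.113.9", "/group/project/-/issues"),
]

# Constructed sample 2: the same 200 commit pages, one request per /48,
# which is what traffic relayed through a large proxy pool looks like.
DISTRIBUTED = [
    sample_line(f"2001:db8:{i + 1:x}::1", f"/group/project/-/commit/{i:040x}")
    for i in range(200)
]

if __name__ == "__main__":
    for name, sample in (("concentrated", CONCENTRATED), ("distributed", DISTRIBUTED)):
        print(name, heavy_networks(sample, 100),
              round(blocked_share(sample, 100), 3), per_object_requests(sample))
```

Both samples put the same 200 per-commit page loads on the server, but only the first has a source network that stands out; in the second, no per-network threshold above 1 selects anything to block.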

Out of desperation, we've forced users to use cookies when visiting our site. We haven't deployed Anubis yet, as we worry that bots have broken Anubis anyways and that it does not really defend against a well-funded attacker, something which Pretix warned against in 2025 already.

(We have a whole discussion regarding those tools here.)

But even that, predictably, has failed. I suspect what we consider bots are now really agents. They run full web browsers, JavaScript included, so a feeble cookie is no match for the massive bot armies.

Side note on LLM "order of battle"

We often underestimate the size of that army. The cloud was huge even before LLMs, serving about two thirds of the web. Even larger swaths of clients like government and corporate databases have all moved to the cloud, in shared, but private infrastructure with massive spare capacity that is readily available to anyone who pays.

LLMs have made the problem worse by dramatically expanding the capacity of the "cloud". We now have data centers that defy imagination with millions of cores, petabytes of memory, exabytes of storage.

I thought that 25 gigabit residential internet in Switzerland could bring balance, but this is nothing compared to the scale of those data centers.

Those companies can launch thousands, if not millions of fully functional web browsers at our servers. Computing power or bandwidth are not a limitation for them, our primitive infrastructure is. No one but hyperscalers can deal with this kind of load, and I suspect that they are also struggling, as even Google is deploying extreme mechanisms in reCAPTCHA.

This is the largest attack on the internet since the Morris worm but while Robert Tappan Morris went to jail on a felony, LLM companies are celebrated as innovators and will soon be too big to fail.[2]

Which brings us to the second horseman, famine.

Famine: shortages

All that computing power doesn't come out of thin air: it needs massive amounts of hardware, power, and cooling.

Earlier this year, I've heard from a colleague that their Dell supplier refused to even provide a quote before August. Dell!

In February, Western Digital's hard drive production for 2026 was already sold out. Hard drives essentially doubled in price within a year, and some have now tripled. A server quote we had in November has now quadrupled, going from 10 thousand to FORTY thousand dollars for a single server.

But regular folks are facing real-life shortages as well, as city-size data centers are being built at breakneck speed, stealing fresh water and energy from human beings to feed the war machine.

We've been scared of losing our jobs, but it seems that Apocalypse has yet to fully materialize. Regardless, for engineers, the market feels tighter than it was a couple years ago, and everyone feels on edge that they will just have to learn to operate LLMs to keep their jobs.

Update: it turns out I was clearly too optimistic. Cisco is laying off 4,000 or 5% of its staff in a jolly announcement celebrating a record $15.8 billion revenue, and Meta will lay off 8,000 or 10% of its workforce, in horrifying conditions. See also the jobloss.ai tracker which counts 125,000 jobs lost since January 2025, as of May 2026.

Which brings us, of course, to Death.

Death: security and copyright

Our third horseman is one I did not expect a couple of months ago. Back at FOSDEM, curl's maintainer Daniel Stenberg famously complained about the poor quality of LLM-generated reports but then, a few months later, everyone is scrambling to deal with floods of good reports.

In the past two weeks, this culminated in a significant number of critical security issues across multiple projects. Chained together, remote code execution vulnerabilities in Nginx and Apache and two local privilege escalations in the Linux kernel (dirtyfrag and fragnesia) essentially gave anyone root access to any unpatched server on the web.

As I write this, another vulnerability dropped, which gives read access to any file to a local user, compromising TLS and SSH private keys.

All those vulnerabilities were released without any significant coordination while people scrambled to mitigate.

Many people including Linus Torvalds are now considering issues discovered through LLMs to be essentially public. This puts some debates about disclosure processes in perspective, to say the least.

But this is not merely the death of the traditional coordinated disclosure process, the C programming language, or the Linux kernel: remember that those bots are trained on a large corpus of copyrighted material. Facebook has trained their models on pirated books and Nvidia has done deals with Anna's Archive to secure access to large swaths of copyrighted material. The US Congress seems to think LLM outputs are not copyrightable, like any other machine outputs.

With many people now vibe coding their way out of learning or remembering how computers work, is this the Death of Copyright?

And that, of course, brings us to the final horseman: Pestilence.

Pestilence: slop

There is a growing meme that programming is essentially over as we know it. That you can simply vibe-code applications from scratch and it's pretty good.

Maybe that's true.

So far, most of my attempts at resolving any complex problem with an LLM have often failed with bizarre failures. Some worked surprisingly well. Maybe, of course, I am holding it wrong.

I personally don't believe LLMs will ever be good enough to produce and maintain software at scale. They're surprisingly good at finding security flaws right now. But what I see is also a lot of Bullshit, with a capital B. It's not lying: it does not "know" anything, so it can't lie. It's misleadingly cohesive and deliberate, but it lacks meaning, intent, will.

I have not been confronted with much slop, apart from the lobster Jesus or the yellow man atrocities, and particularly not in my work. But I see what it is doing to my profession: beyond vibe-coding, people are now token-maxxing, and land-grabbing their colleagues.

I don't like what LLMs do to our communities, or the fabric of software we live with.

Software does not evolve in a void. It is a team effort, be it free software or a corporate product. Generations of humans have carefully built the scaffolding of technology required for modern networks and software to operate, in a convoluted contraption that no single human fully understands anymore.

The idea of simply giving up on that understanding entirely and delegating it to an unproven model is not only chilling, it feels just plain stupid. Not stupid as in Skynet, stupid as in "I can't get inside the data center because the authentication system is down". Except we're in a "the power plant doesn't reboot" or "their LLM found an 0day in our slop" kind of stupid.

The fifth horseman

Researching for this article, I looked up the four horsemen and found out they originally seem to have been:

  • Famine
  • War
  • Death
  • Conquest (??)

I was surprised. I grew up thinking about the horsemen being Famine, War, Pestilence, and Death. So I went back to my original source which actually claims the horsemen are:

Time has taken its toll on you, the lines that crack your face.
Famine, your body, it has torn through, withered in every place.
Pestilence for what you've had to endure, and what you have put others through
Death, deliverance for you, for sure, now there's nothing you can do

So I guess that makes no sense either, which, fair enough, I shouldn't rely on Metallica for theological references. Especially since that song was originally called Mechanix and was "about having sex at a gas station".

Anyways.

The point is, there are actually five horsemen, and the fifth one is, in my opinion, Conquest.

Those companies (and not "AI", mind you) are taking over the world. I sense a strong connection with the "post-truth" world imposed on us by fascists like Trump and Putin. It's not an accident, it's a power grab part of the Californian Ideology.[3] Just like Airbnb broke housing, Uber destroyed the transportation and Amazon is taking over retail and server hosting, LLM companies are essentially trying to take over if not everything, at least Cognition as a whole.

But the capitalization of those companies (OpenAI and Nvidia in particular) is so far beyond reason that their inevitable collapse will likely lead to a global financial collapse of biblical proportions.

Because they will inevitably fail like previous bubbles they are built on. And when they fail, I hope it zips all the way back through the blockchain scam, the ad surveillance system, and the dot com then git me back my internet.

The Tower of Babel

While I'm off in the woods hallucinating (ha!) on biblical allegories, I feel there's another sign that the apocalypse is coming.

The Tower of Babel myth says that humans tried to create a big tower up to heaven and become god. God confounds their speech and scatters the human race. End of utopia.

This is what is happening to our human translators now. LLMs being, after all, Language Models, they are excellent at translation work. So much that the only translators not replaced by LLMs right now are interpreters, who translate vocally in real time. But interpreters are worried about their jobs as well.

This concretely means we will lose the human capacity, as a civilization, to translate between each other. It is still an open question whether the remaining revision work will be enough for translators to avoid deskilling, but other research has shown that LLM use leads to cognitive decline, impacts critical thinking, and generally, that deskilling is a common outcome.

Ultimately, I think this is where LLMs bring us. Towards collapse.

So this is a call to arms. Fight back!

Poison bots. Build local real-world communities.

Go low tech. Moore's law is dead, make use of it.

Patch your shit. Go weird.

Refuse slop. Train your brain. Refuse distillation.

The horsemen will collapse, but let's not go down with them.

Butlerian Jihad!

This article was written without the use of a large language model and should not be used to train one.

Updates

  • A paragraph was added about the job apocalypse, which was of course an under-estimate.

  • Why Timnit Gebru was fired is extremely important and interesting. The co-lead of the Ethical AI team at Google was fired because they blew the whistle on "stochastic parrots" essentially destroying the world as we know it:

    The fifth warning was the one Google cared about most. [...]

    The internet would become a place where the dominant voice was a statistical average of dominant voices, presented as a neutral assistant.

    The warnings from the paper are eerily similar to my horsemen:

    1. predicted the hallucination (pestilence)
    2. bias amplification (war?)
    3. environmental cost (famine)
    4. un-auditable training corpus (death?)
    5. "centralize linguistic and cultural power in the hands of the small number of companies" (conquest)
  • See also Tim Wu's "The Master Switch" which says:

    The industry learned how to secure the enactment of seemingly innocuous and sensible regulations that nonetheless spelled doom for any rival.

    People claim the same about Anthropic.


  1. I prefer "LLM" to Artificial Intelligence, as I don't consider models to have "Intelligence" which goes far beyond the analytical traits we train models for. Intelligence requires embodiment and social interaction; machines lack the innate human skills of empathy, feeling and care, which explains a lot of the evils behind the current trends.
  2. It should be noted that Morris also happened to be one of the founders of Y Combinator where he is in good company with other techno-fascists like Peter Thiel, Sam Altman, and so on. Crime, after all, pays.
  3. Probably a good time to watch All Watched Over by Machines of Loving Grace.

Distribution Release: Rescuezilla 2.6.2

17 May 2026 at 03:01
Shasheen Ediriweera has announced the release of Rescuezilla 2.6.2, the latest version of the project's Ubuntu-based specialist distribution with tools for system recovery. This version is based on Ubuntu 26.04. From the changelog: "Adds release based on Ubuntu 26.04 LTS 'Resolute' for best support of new hardware; the....

Updated Debian 12: 12.14 released

16 May 2026 at 02:00
The Debian project is pleased to announce the fourteenth update of its oldstable distribution Debian 12 (codename bookworm). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Updated Debian 13: 13.5 released

16 May 2026 at 02:00
The Debian project is pleased to announce the fifth update of its stable distribution Debian 13 (codename trixie). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Distribution Release: RakuOS 2026.05.16

16 May 2026 at 23:42
RakuOS is an immutable Linux distribution based on Fedora, with a choice of KDE Plasma, GNOME and COSMIC desktops. The project's latest release is based on Fedora 44 and introduces some key changes. "The old behavior (RakuOS Linux 43): On every image update, your overlay was wiped. The....

UK Rework: Stonehenge

By: Alex
16 May 2026 at 17:00

Today, we’re happy to share a closer look at Stonehenge, one of Britain’s most iconic and mysterious landmarks, which will be featured in our UK Rework for Euro Truck Simulator 2. This prehistoric circular megalithic stone structure has stood watch over the rolling countryside for thousands of years, and continues to captivate visitors from around the world with its scale, history, and mystery.


Believed to date back over 5000 years, Stonehenge remains one of the greatest mysteries of the ancient world. Was it a ceremonial site or perhaps even an astronomical calendar aligned with the movements of the sun? While historians continue to debate its true purpose, one thing is certain, it has become a symbol of Britain’s history. 


This landmark has been carefully recreated by our talented teams as part of our UK Rework project, and drivers passing by in the future will be able to catch a memorable glimpse of these ancient standing stones. However, if you wish to take a quick break and perhaps enjoy the view a little longer, you can! 


Nearby, you’ll also find the modern visitor centre, which welcomes thousands of tourists each year. Built in 2013, this visitor centre houses permanent and temporary exhibitions, including nearly 300 archaeological treasures found buried at the site, from jewellery to pottery to human remains. Complete with a dedicated parking area for buses, there is plenty of room for visitors to stop and learn more! 


Set within the heart of the Wiltshire countryside, the area surrounding Stonehenge offers a peaceful glimpse into rural southern England. As you drive through this area, you may notice smaller mounds dotted across the landscape. These are not simply natural features, but Neolithic burial mounds, constructed thousands of years ago. They serve as subtle reminders of the deep history that has shaped this region over time.


We're excited to share more previews and features from the UK Rework, which will arrive as a free update for all owners of Euro Truck Simulator 2 in the future. Be sure to let us know in the comments what UK landmarks you'd love to see! Keep on truckin', cheerio! 


Postfix stable release 3.11.3 and legacy releases 3.10.10, 3.9.11, 3.8.17

17 May 2026 at 01:00

[An on-line version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.11.3.html]

Fixed in Postfix 3.8-3.11:

  • Bitrot: builds with musl libc broke, because they were using an obsolete NO_SNPRINTF code path that had not been updated for Claude Code findings.

  • Two fixes for a signed integer overshift condition (a left shift into the sign bit). This "works" on contemporary CPUs, but may break in the future. One reported by Kamil Frankowicz, and one by Robert Sayre.

  • Viktor Dukhovni fixed an 'uninitialized value' error in the 'collate.pl' script.

Fixed in Postfix 3.11:

  • Test code fixes by Viktor Dukhovni for a deprecation warning with OpenSSL 4.0, and for a race condition that caused a test script to fail.

You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/.


v1.18.2

15 May 2026 at 19:30

Fixes and improvements

RTSP

RTMP

HLS

  • fix error 500 caused by in-stream params (bluenviron/gohlslib#355) (#5728) (#5745) PR bluenviron/gohlslib#344 caused a regression. Many codecs (AV1, H264, H265, VP9) use in-stream parameters, that were not taken into consideration anymore when generating init.mp4 and playlists. This has been solved.

WebRTC

RPI Camera

  • support changing text overlay dynamically (#5270) (#5748)

Dependencies

  • code.cloudfoundry.org/bytefmt updated from v0.70.0 to v0.72.0
  • github.com/Masterminds/semver/v3 updated from v3.4.0 to v3.5.0
  • github.com/bluenviron/gohlslib/v2 updated from v2.3.1 to v2.3.2
  • github.com/bluenviron/gortmplib updated from v0.3.1 to v0.3.2
  • github.com/bluenviron/gortsplib/v5 updated from v5.5.2 to v5.5.3
  • github.com/datarhei/gosrt updated from v0.10.0 to v0.11.0
  • github.com/fsnotify/fsnotify updated from v1.10.0 to v1.10.1
  • github.com/go-git/go-billy/v5 updated from v5.8.0 to v5.9.0
  • github.com/go-git/go-git/v5 updated from v5.18.0 to v5.19.0
  • github.com/gookit/color updated from v1.6.0 to v1.6.1
  • github.com/matthewhartstonge/argon2 updated from v1.5.2 to v1.5.3
  • github.com/pion/rtp updated from v1.10.1 to v1.10.2
  • golang.org/x/crypto updated from v0.50.0 to v0.51.0
  • golang.org/x/net updated from v0.53.0 to v0.54.0
  • golang.org/x/sys updated from v0.43.0 to v0.44.0
  • golang.org/x/term updated from v0.42.0 to v0.43.0
  • github.com/cyphar/filepath-securejoin updated from v0.4.1 to v0.6.1
  • github.com/pjbgf/sha1cd updated from v0.3.2 to v0.6.0
  • golang.org/x/text updated from v0.36.0 to v0.37.0
  • github.com/bluenviron/mediamtx-rpicamera updated from v2.5.6 to v2.5.7

Security

Binaries are compiled from source code by the Release workflow, which is a fully-visible process that prevents any change or external interference in produced artifacts.

Checksums of binaries are also published in a public blockchain by using GitHub Attestations, and they can be verified by running:

ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx

You can verify checksums of binaries by downloading checksums.sha256 and running:

cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check


Isle of Ireland: Guess Where We Are

By: Alex
15 May 2026 at 17:00

How well do you know Éire? Our team is hard at work creating the Isle of Ireland for Euro Truck Simulator 2, and we’ve got some early work in progress screenshots to share with you!


We know our community has a sharp eye, so we’re putting you to the test to guess where in Ireland these screenshots were taken. They are based on real life locations being recreated in detail for this DLC, so if you know the area, or have some geo-guessing skills, you might just recognise where each one is from.


We’d love to hear your guesses, so be sure to share them in the blog comments below, on our social media channels, or even on our official forum. 


Development on the Isle of Ireland DLC is still ongoing, but we hope this glimpse gives you a sense of the beauty and history that awaits you. We’ll be sure to keep you updated on the latest development news and previews, and if you like what you’ve seen here today, be sure to add it to your Steam Wishlist to be notified of its release. Until next time, keep on truckin'! 


Bits from Debian: New Debian Developers and Maintainers (March and April 2026)

15 May 2026 at 16:00

The following contributors got their Debian Developer accounts in the last two months:

  • Filip Strömbäck (fstromback)
  • Arthur Diniz (arthurbd)
  • Manuel Traut (manut)
  • Xiyue Deng (manphiz)
  • kpcyrd (kpcyrd)

The following contributors were added as Debian Maintainers in the last two months:

  • Chris Talbot
  • Gabriel Filion
  • Mate Kukri

Congratulations!


v1.6.6 - Cross-Device Onboarding Sync, Distinct Folder Icons, and Richer HTML Signatures

By: rathlinus
15 May 2026 at 15:23

1.6.6 (2026-05-15)

Features

  • Mail: Sync onboarding completion state across devices so the welcome flow only runs once per account (#285)
  • Mail: Distinct icons for Shared, Important, Memos, Scheduled, and Snoozed folders (#288)
  • Compose: Raise HTML identity signature length cap to 50,000 characters
  • Compose: Allow <img> tags in HTML identity signatures for inline logos and banners

Fixes

  • Files: Hide Files settings entry and sidebar nav when the filesEnabled policy is off (#291)
  • Admin: Honor the cookieSameSite admin config override instead of always defaulting (#284)
  • UI: Standardize punctuation in tooltips and inline comments across locales

i18n

  • Add Danish localization
  • Clean up Danish locale wiring and sort the language picker alphabetically (#286)


Russell Coker: Debian SE Linux and ssh-keysign-pwn

15 May 2026 at 10:48

I just tested out the ssh-keysign-pwn exploit [1] on Debian kernel 6.12.74+deb13+1-amd64 which was released before these exploits.

When sshkeysign_pwn is run as user_t the following is logged in the audit log and it fails to exploit anything:

type=SYSCALL msg=audit(1778831599.951:22353257): arch=c000003e syscall=438 success=no exit=-1 a0=3 a1=c a2=0 a3=1b8020 items=0 ppid=5632 pid=6654 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=144 comm="sshkeysign_pwn" exe="/home/test/a/ssh-keysign-pwn/sshkeysign_pwn" subj=user_u:user_r:user_t:s0 key=(null)ARCH=x86_64 SYSCALL=pidfd_getfd AUID="test" UID="test" GID="test" EUID="test" SUID="test" FSUID="test" EGID="test" SGID="test" FSGID="test"
type=PROCTITLE msg=audit(1778831599.951:22353257): proctitle="./sshkeysign_pwn"
type=AVC msg=audit(1778831599.951:22353258): avc:  denied  { ptrace } for  pid=6654 comm="sshkeysign_pwn" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=process permissive=0

When it is run as unconfined_t the contents of the /etc/ssh/ssh_host_ecdsa_key file are correctly displayed on standard out in about 10ms. The file in question is only readable by root, and a non-root user can use this exploit to read it.

It wouldn’t be uncommon to have a system configured to allow users to trace their own processes. The following policy addition grants access for the user to trace their own processes:

allow user_t self:process ptrace;

With that in place the sshkeysign_pwn exploit still doesn’t work and there are logs like the following:

type=AVC msg=audit(1778833455.726:57355191): avc:  denied  { read } for  pid=6941 comm="ssh-keysign" name="ssh_host_rsa_key" dev="vda" ino=15492 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1778833455.726:57355191): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=55eadec43061 a2=0 a3=0 items=0 ppid=6933 pid=6941 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=144 comm="ssh-keysign" exe="/usr/lib/openssh/ssh-keysign" subj=user_u:user_r:user_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID="test" UID="test" GID="test" EUID="root" SUID="root" FSUID="root" EGID="test" SGID="test" FSGID="test"

So if you could find some secret data in a file that’s only restricted by Unix permissions and user_t is granted ptrace access then a variant of that exploit could work.

When user_t is allowed ptrace access the chage_pwn exploit fails with the following log entries, so any binary that runs in a different domain can’t be used in that situation.

type=AVC msg=audit(1778833908.020:57434896): avc:  denied  { ptrace } for  pid=7037 comm="chage_pwn" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:passwd_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1778833908.020:57434896): arch=c000003e syscall=438 success=no exit=-1 a0=3 a1=5 a2=0 a3=1b7e00000000 items=0 ppid=5632 pid=7037 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=144 comm="chage_pwn" exe="/home/test/a/ssh-keysign-pwn/chage_pwn" subj=user_u:user_r:user_t:s0 key=(null)ARCH=x86_64 SYSCALL=pidfd_getfd AUID="test" UID="test" GID="test" EUID="test" SUID="test" FSUID="test" EGID="test" SGID="test" FSGID="test"

Conclusion

In a “strict” configuration with users having the user_t domain a Debian system is not vulnerable to these exploits unless there is some configuration error or some unusual configuration choices. Users with the unconfined_t domain can successfully run the exploits.

Related posts:

  1. Copy Fail on Debian and SE Linux I have just learned of the Copy Fail kernel vulnerability...
  2. Dirty Frag on Debian and SE Linux Hot on the heels of the Copy Fail vulnerability [1]...
  3. Google Chrome and SE Linux [107108.433300] chrome[12262]: segfault at bbadbeef ip 0000000000fbea18 sp 00007fffcf348100 error...
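
The audit records quoted in Russell Coker's post above can be triaged mechanically. The following Python sketch is an added example, not code from the post: the function names and finding labels are assumptions made here, and the sample lines are abridged copies of the log lines the post quotes.

```python
import re

# Abridged copies of the audit records quoted in the post: only fields the
# parser does not use (a0..a3, ppid, auid, gid, tty, ...) were dropped.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1778831599.951:22353257): arch=c000003e syscall=438 success=no exit=-1 pid=6654 uid=1000 euid=1000 comm="sshkeysign_pwn" exe="/home/test/a/ssh-keysign-pwn/sshkeysign_pwn" subj=user_u:user_r:user_t:s0 key=(null)ARCH=x86_64 SYSCALL=pidfd_getfd
type=AVC msg=audit(1778831599.951:22353258): avc:  denied  { ptrace } for  pid=6654 comm="sshkeysign_pwn" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=process permissive=0
type=AVC msg=audit(1778833455.726:57355191): avc:  denied  { read } for  pid=6941 comm="ssh-keysign" name="ssh_host_rsa_key" dev="vda" ino=15492 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1778833455.726:57355191): arch=c000003e syscall=257 success=no exit=-13 pid=6941 uid=1000 euid=0 comm="ssh-keysign" exe="/usr/lib/openssh/ssh-keysign" subj=user_u:user_r:user_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat
type=AVC msg=audit(1778833908.020:57434896): avc:  denied  { ptrace } for  pid=7037 comm="chage_pwn" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:passwd_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1778833908.020:57434896): arch=c000003e syscall=438 success=no exit=-1 pid=7037 uid=1000 euid=1000 comm="chage_pwn" exe="/home/test/a/ssh-keysign-pwn/chage_pwn" subj=user_u:user_r:user_t:s0 key=(null)ARCH=x86_64 SYSCALL=pidfd_getfd
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*")
AVC = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one audit line into a dict, or None if it is not an audit record."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "time": m.group(2), "serial": m.group(3)}
    body = line[m.end():]
    if rec["type"] == "AVC":
        avc = AVC.search(body)
        rec["denied"] = bool(avc) and avc.group(1) == "denied"
        rec["perms"] = avc.group(2).split() if avc else []
    for key, value in FIELD.findall(body):
        rec.setdefault(key, value.strip('"'))
    return rec


def ctx_type(context):
    """Return the type field of an SELinux context (user:role:type:level)."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def is_pidfd_getfd(sc):
    # Prefer the enriched name; fall back to the x86_64 number seen in the post.
    if sc.get("SYSCALL"):
        return sc["SYSCALL"] == "pidfd_getfd"
    return sc.get("arch") == "c000003e" and sc.get("syscall") == "438"


def analyse(log_text):
    """Classify AVC denials and pair each with the syscall that triggered it."""
    records = [r for r in map(parse_record, log_text.splitlines()) if r]
    # Join on (timestamp, pid), not on the serial: in the first pair quoted in
    # the post the AVC and SYSCALL records carry different serial numbers.
    syscalls = {(r["time"], r.get("pid")): r
                for r in records if r["type"] == "SYSCALL"}
    findings = []
    for r in records:
        if r["type"] != "AVC" or not r["denied"]:
            continue
        sc = syscalls.get((r["time"], r.get("pid")), {})
        src = ctx_type(r.get("scontext", ""))
        tgt = ctx_type(r.get("tcontext", ""))
        perms = set(r["perms"])
        if "ptrace" in perms and r.get("tclass") == "process" and is_pidfd_getfd(sc):
            scope = "same" if src == tgt else "cross"
            kind = "pidfd_getfd-blocked-%s-domain" % scope
        elif r.get("tclass") == "file" and tgt == "sshd_key_t" and perms & {"read", "open"}:
            kind = "host-key-read-blocked"
        else:
            kind = "other-denial"
        findings.append({
            "kind": kind,
            "comm": r.get("comm"),
            "pid": r.get("pid"),
            "source": src,
            "target": tgt,
            "enforced": r.get("permissive") == "0",
            # True when a set-uid helper was running with another effective uid.
            "euid_differs": sc.get("euid") != sc.get("uid"),
        })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

The `euid_differs` flag on the `ssh-keysign` finding shows the point the post makes: the helper ran with euid 0 yet stayed in `user_t`, so the SELinux domain, not the effective uid, decided the outcome.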

Freexian Collaborators: Debian Contributions: Detecting undeclared file conflicts, contributors.debian.org mini-sprint, security-tracker performance and more! (by Anupa Ann Joseph)

15 May 2026 at 02:00

Debian Contributions: 2026-04

Contributing to Debian is part of Freexian’s mission. This article covers the latest achievements of Freexian and their collaborators. All of this is made possible by organizations subscribing to our Long Term Support contracts and consulting services.

Undeclared file conflicts, by Helmut Grohne

The duplication checker, the Multi-Arch hinter, and the /usr-move analyzer share significant parts of their code. While the /usr-move transition is complete, the other tools needed a bit of love. Helmut added Python type annotations, slightly improved the performance of the duplication website and shared more code between these tools.

Building upon this Helmut looked into file conflicts of various kinds such as unrelated packages installing overlapping files, file type conflicts, mismatching directory metadata and shared files of Multi-Arch: same packages with varying content. Implementing reliable detection proved to be difficult due to the amount of corner cases. So Helmut semi-manually filed bugs. In that process, it became apparent that binNMUs do not reproduce SOURCE_DATE_EPOCH across architectures and therefore some shared files embedding the build date would vary in content. Additionally, a significant number of reports required further correspondence.

contributors.debian.org mini-sprint, by Enrico Zini

Enrico Zini met with Mattia Rizzolo to continue the work started at DebConf 25 on crediting contributions done via salsa, and to catch up with accumulated site issues.

Building on the same kind of infrastructure used to notify tag2upload, salsa.debian.org triggers a webping on pushes and merge request activity, which causes a small JSON payload to be queued in a private directory on contributors.debian.org.

We worked on processing, filtering and aggregating the files in the queue into a private, staging database table. When configuring a data source on the site, it is now possible to configure automated submission of contributions from information in the staging table. This makes it significantly simpler to credit contributors for all teams that use Salsa as their code repository and coordination tool, as the site can take care of the data mining for you.

See more details in the sprint report posted to debian-devel-announce.

MiniDebConf Campinas, by Lucas Kanashiro, Santiago Ruano Rincón and Antonio Terceiro

MiniDebConf Campinas was held between April 23rd and 25th, at the State University of Campinas, and was preceded by a MiniDebcamp between April 20th and 22nd. Freexian was Gold sponsor for the event, and Freexian collaborators were active contributors to the conference's success.

Lucas and Santiago delivered a talk about Debian LTS during MiniDebConf Campinas 2026, where they described how the LTS project benefits Debian users and developers, while strengthening Debian itself.

Lucas and Antonio delivered a talk about internship programs in Debian during MiniDebConf Campinas 2026, with the goal of getting students interested in working in and with Debian.

Lucas took part in the MiniDebConf Campinas content team, reviewing/accepting talks and building the schedule.

Antonio led a session where he invited the audience to weigh in on current controversies in Debian. The session presented playful elements as colored signs to denote agree/disagree, and was not recorded, to help people feel more comfortable about speaking up. He might be convinced to lead a similar session at the next DebConf.

Antonio also organized a debate to discuss the consequences of new Brazilian regulation for the protection of children and adolescents in digital spaces for Debian and other free operating systems, but also for the free software community in general. This session was very fruitful and will lead into further actions, as one of the main outcomes was the realization that the free software community must follow the discussion leading up to similar regulations more closely to avoid being caught by surprise when they come into effect.

security-tracker performance, by Helmut Grohne and Emilio Pozuelo Monfort

Prompted by a spontaneous influx of web requests on Freexian’s security-tracker back in February, we considered the options for managing that demand. One of our mitigations was making it faster. To that end, Helmut sent two MRs towards improving the situation. There are four notable improvements. The use of Python’s str.translate generally speeds up rendering of larger templates. Indexing the CVE names avoids a costly sequential table scan. Avoiding FFI calls while sorting and reducing the queryset speeds up the source package view. Emilio reviewed and deployed the changes on to the Debian instance. Together these changes provide a twofold speedup on both Freexian’s and Debian’s instance on average.

dput-ng data loss bug, by Colin Watson

Ian Jackson (not affiliated with Freexian) reported that dput-ng could lose data when using the local install method, which could cause misleading results in tests of other packages; they also filed an initial merge request to fix it. Colin improved this to isolate its tests properly, and uploaded it.

Miscellaneous contributions

  • Lucas coordinated the src:valkey update to version 9 in unstable with a potential co-maintainer.
  • Lucas provided a security update for src:valkey targeting “trixie”.
  • Thorsten did two uploads of foo2zjs, one to fix a bug and one to improve packaging. As there have been several CVEs published for cups he also did an upload of a new upstream version. Unfortunately this introduces a regression and another upload was needed to take care of a crash. The patch for one CVE also broke a test script, which is used by lots of printing packages in Debian. As a result some autopkgtest runs failed. This could be fixed as well and the only remaining issue that needs some more investigation is related to cups-pdf. It is also worth mentioning that some issues related to the apparmor configuration of cups could be resolved.
  • Helmut sent patches for 11 cross build failures.
  • Helmut sent a MR for enabling the new mainline YT6801 ethernet Linux driver and it is now working fine with Debian’s 7.x kernels.
  • Helmut upgraded a crossqa.debian.net autobuilder to “trixie”.
  • Carles, using po-debconf-manager, improved Catalan translations: reviewed 2 packages, submitted 3 packages, deleted 5 packages.
  • Carles did further code developments for check-relations: steps towards making it production ready when the initial round of reports are analyzed. New “show-package” (information) command, improvements for “report_missing” cases, added support for ignoring packages for specific reasons, added unit tests, added CI. Used it to open 39 new bugs. Also followed up different open bugs.
  • Raphaël completed the French translation of Zulip for the release of version 12.0. Zulip is a nice 100% free software threaded communication platform for distributed teams.
  • Stefano did routine uploads of python-pipx, python-mitogen, platformdirs, python-authlib, python-discovery, distro-info-data, python-virtualenv, python-certifi, python-wheel, pypy3.
  • Stefano uploaded distro-info-data updates to stable and oldstable proposed updates, with the latest Ubuntu release.
  • Stefano took part in DebConf 26 preparation meetings.
  • Stefano prepared DebConf’s online video streaming infrastructure for MiniDebConf Campinas, and configured the Debian reimbursement system to handle their travel bursary claims.
  • Stefano helped MiniDebConf Hamburg prepare their website for 2027.
  • Stefano did some sysadmin work on debian.social infrastructure.
  • Stefano reviewed Matthias’ python3.15 packaging and rebased his work on top of it.
  • Antonio implemented several improvements to the Debian CI platform, including but not limited to adding support for dark mode, dropping compatibility with ActiveRecord < 7 which is no longer shipped in Debian stable, and generating content-based links to static assets, in two parts.
  • Antonio debugged a general slowness in Salsa, caused by loss of IPv6 connectivity between the Salsa host and the remote object storage in “the cloud”, which is a problem due to an open upstream bug in GitLab.
  • Santiago reviewed different changes to the Salsa CI pipeline, including the new uscan test job, prepared by Thaís Rebouças Araujo, and the final review to introduce faketime testing, made by Áquila Macedo.
  • Santiago continued helping the DebConf 26 local team to prepare the conference.
  • Emilio updated libxpm to address a security issue.
  • Colin finished upgrading groff to 1.24.1; 1.24.0 and 1.24.1 were the first upstream releases since 2023 and had extensive changes, so this took some time to get right.
  • Colin released “bookworm” and “trixie” fixes for CVE-2026-3497 in openssh, and issued the corresponding BSA-130 for trixie-backports.
  • Colin upgraded openssh to 10.3p1.
  • Anupa worked on the accounting tasks for MiniDebConf Kanpur and prepared and submitted a report to the fiscal host.

Daniel Baumann: Debian: Linux Vulnerability Mitigation (ssh-keysign-pwn)

15 May 2026 at 02:14

After the Linux local root privilege escalations of the last two weeks, the bug of today is ssh-keysign-pwn [CVE-2026-46333], which allows reading root-owned files as an unprivileged user.

Exploiting the vulnerability doesn’t require loading any specific modules, as the bugs from the last weeks did; this one needs to be fixed by rebooting the system into an updated kernel.

I’ve cherry-picked the upstream commit to fix it in trixie-fastforward-backports (linux 7 backports for trixie), confirmed that the exploits don’t work anymore, and submitted a merge request for sid.

Updates:


Counter-Strike 2 Update

15 May 2026 at 00:23

[ MAPS ]

Cache
  • Fixed various holes in map
  • Fixed surfacetypes for various materials.
  • Added grating to some windows to make them block bullets.
  • Tweaks to player and grenade clipping.

[ MISC ]
  • Fixed a case where it was possible to cancel a grenade throw after the throw was started near the end of the pin pull animation.
  • Miscellaneous stability improvements.

[ TOOLS ]
  • Fixed bug that prevented the asset in use from being selected when model browser was opened.
  • Fixed bug with layered materials with same surface property on all layers.

[ MUSIC KITS ]
  • Added roundmvpanthem_02 for all NIGHTMODE II music kits which plays at 1:5 ratio.

5.3.5

14 May 2026 at 23:07

Note

UpSnap is, and always will be, free and open source software.

If someone is asking you to pay money for access to UpSnap binaries, source code, or licenses, you are being scammed.

The official and only trusted source for UpSnap is this repository (and its linked releases).
Do not pay third parties for something that is provided here for free.

Changelog

Bug fixes


NVIDIA Driver 596.49

12 May 2026 at 00:00
Release Highlights:
Although GeForce Game Ready Drivers and NVIDIA Studio Drivers can be installed on supported notebook GPUs, the original equipment manufacturer (OEM) provides certified drivers for your specific notebook on their website. NVIDIA recommends that you check with your notebook OEM for recommended software updates for your notebook.

Game Ready for Forza Horizon 6

This new Game Ready Driver provides the best gaming experience for the latest new games supporting DLSS and RTX technologies including Forza Horizon 6, Directive 8020, and Subnautica 2.

Fixed Gaming Bugs
  • Enhanced smoothness when DLSS Frame Generation is used with V-SYNC. [5999586]

Fixed General Bugs
  • Foundry Mari 7.0v2 viewport displays flickering [6102981]

Learn more in our Game Ready Driver article here.

Game Ready Driver
