Against my better judgment, I let my staff start using Basecamp about 8 years ago, and now I want to ditch it for something open source and self-hosted.

Several people suggested Nextcloud. After much pain, I got that installed, and finally convinced my general manager to take a look at it. Here is his review:

I spent more time poking at this today, and on several occasions it took it 20-30 seconds to respond to link clicks.

I've also spent some time reading the manual, and... I hate these people so much. it's all about how to access your data with various protocols, and nothing about how to use the actual software or WTF the software is expected to do or how you might use it.

It looks like the "todo lists" is all those "cards". They even have an example set that implies each card has more details, but opening them, it just says DESCRIPTION and you can't edit it.

I cannot make any sense out of this. Is it mostly hosting infrasrtucture that is used by other, more sane front-ends? it alludes to a bunch of features, but it seems like those are "apps" that you have to add. on it's own, it's about as friendly as teaching a Boomer to set up a linux desktop so they can check emails.

On a scale of 1 to 10, I'd rate this "I'd rather have my gums planed".

A few other people suggested Openproject.

It seems that the only method of installation that Openproject documents is "install an entire VM" or "install these RPMs" and of course they don't have a package for the OS that I use ("Amazon Linux 2023"). There's not a single mention of how one might go about installing from source, so I don't even know where to begin trying to test it out.

Also they say "whatever you do, don't install our software on a server that has anything else running on it, because we might completely scorch anything that isn't ours." Confidence-inspiring!

Even more confidence-inspiring: "A user you've blocked has previously contributed to this repository: Claude". So it's slopware, too.

I am now soliciting suggestions. Please give me non-terrible suggestions.

What I am seeking:

• Create and organize sets of documents.
• Create tasks and assign them to people.
• Sometimes with due dates.
• In both of these things, edit text, with basic styling and inlined images, WYSIWYG, including from a phone.
• Attach things like PDFs.
• 100% locally hosted.
• Not paying a monthly fee to an unhinged fascist to keep my files on their computer.

What I don't care about: Anything not on that list, including but not limited to:

• git;
• Markdown;
• AWS buckets;
• Dropbox;
• Learning what business-brain buzzwords like "Gantt" or "Scrum" mean.

Things that should not need to be said but do:

• Do not suggest software that you do not use.
• Do not just Google it for me.

Previously, previously.]]> https://cdn.jwz.org/blog/2026/04/still-seeking-basecamp-alternative/feed/ 39 https://www.jwz.org/blog/2026/04/popup-video-2/ https://www.jwz.org/blog/2026/04/popup-video-2/#comments Fri, 10 Apr 2026 22:30:45 +0000 https://jwz.org/b/yk6C Last year I wrote popup-video.js, a Google-surveillance-defeating YouTube player. You may have noticed it in action on the DNA Lounge calendar pages and galleries but I've made some improvements recently.

• The web page contains only a locally-hosted thumbnail. Nothing from YouTube is loaded until someone clicks play. This means no surveillance trackers on every one of your pages that has a video, and also the pages load dozens fewer megabytes.

• When you click play, a fake-window pops up inside the page with a YouTube player.

• Clicking anywhere makes it go away.

• There's a "minimize" button that makes it drop back down into the place where the thumbnail was and continue playing.

• If the inline thumb is nearly as wide as the page, it plays inline instead of doing the popup thing (this is often the case on mobile).

• It works on playlists as well as single videos.

• For single videos, it generates an ad-hoc playlist of all of the other YouTube videos linked on the current page, so the "previous" and "next" buttons show those.

• It works on portrait videos and videos with weird aspect ratios.

Dear Lazyweb,

If you understand the ever-changing rules about auto-play, perhaps you can offer some guidance.

On desktop Safari, you have to click twice to get the first video to play: the YouTube player pops up but does not then auto-play, unless you have done "Website settings / Allow all auto-play" for jwz.org. This is -- what's the word -- fucked up, because the creation of the IFRAME and the sending of the "play" event all happen underneath the user's "click" event, so this should be considered interactive.

And on mobile Safari you always have to click twice.

(I don't remember what the situation is on Chrome or Firefox on account of not caring.)

Anyway, if you know how to make it play with one click instead of two, I would like to know how to do that. Your suggestion should take the form of, "Here's a modified version of your JS file that works". Your speculation is acknowledged and ignored.

Previously, previously, previously.]]> https://cdn.jwz.org/blog/2026/04/popup-video-2/feed/ 10 https://www.jwz.org/blog/2026/04/i-just-like-saying-dicks-rewards/ https://www.jwz.org/blog/2026/04/i-just-like-saying-dicks-rewards/#comments Fri, 10 Apr 2026 18:25:39 +0000 https://jwz.org/b/yk58 So what is with all of this amateurish phishing spam that has been sliding right past SpamAssassin like shit through a goose for the past few months? Has someone recently discovered a new technique for finding open relays that will SPF-sign anything?

Received: from mail.vividdreamqb.name (milestone.clevervistakb.com [170.130.167.11])
From: Dicks Rewards Team <dicksp0@vividdreamqb.name>
Subject: Final notice: YETI Beach Lounge Wagon unlocked by your gear score
Message-ID: <RUxA2tTL-gy3-hDiWXM33jfhjh3zp@vividdreamqb.name>
X-Request-ID: d36d3311-8a4b-4ac9-91b0-4afeee106923
Feedback-ID: jhkmk:vividdreamqb.name:mail
X-Spam-Report:
    * 0.0 HTML_MESSAGE BODY: HTML included in message
    * 0.4 KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS

I can't even tell who has been popped here. "clevervistakb.com" and "vividdreamqb.name" have the same IPs but different registrars (maybe that's a TLD thing?) It's also not clear to me which of those domains sender_access matches on.

I have, however, come to the conclusion that that there are simply too many web sites.

Previously, previously, previously, previously, previously, previously, previously, previously, previously, previously.]]> https://cdn.jwz.org/blog/2026/04/i-just-like-saying-dicks-rewards/feed/ 9 https://www.jwz.org/blog/2026/03/gles-1-x-transparency/ https://www.jwz.org/blog/2026/03/gles-1-x-transparency/#comments Sat, 28 Mar 2026 05:48:50 +0000 https://jwz.org/b/yk5Y glColor but not with glMaterial.

GL_VERSION in the Android simulator is "OpenGL ES-CM 1.1 (4.1 Metal - 88.1)".

This works fine on iOS and Cocoa, so it's not strictly a GLES thing, just Android. GLSL is not involved.

Test case:

Bool lights_p = time(0) & 1; glClear (GL_COLOR_BUFFER_BIT | GL_DEPTH_BUFFER_BIT); glEnable (GL_BLEND); glDisable (GL_COLOR_MATERIAL); glBlendFunc (GL_SRC_ALPHA, GL_ONE_MINUS_SRC_ALPHA); #define glColor4fv(v) glColor4f (v[0], v[1], v[2], v[3]) GLfloat c1[] = { 1, 0, 0, 0.5 }; GLfloat c2[] = { 0, 1, 0, 0.5 }; GLfloat v[] = { 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, }; glVertexPointer (3, GL_FLOAT, 0, v); glEnableClientState (GL_VERTEX_ARRAY); if (lights_p) { GLfloat amb[] = {0.5, 0.5, 0.5, 1}; glLightfv (GL_LIGHT0, GL_AMBIENT, amb); glEnable (GL_LIGHTING); glEnable (GL_LIGHT0); glColor3f (0, 0, 0); } else { glDisable (GL_LIGHTING); glDisable (GL_LIGHT0); } if (lights_p) glMaterialfv (GL_FRONT_AND_BACK, GL_AMBIENT_AND_DIFFUSE, c1); else glColor4fv (c1); glDrawArrays (GL_TRIANGLES, 0, 6); glPushMatrix(); glTranslatef (0.5, 0.25, 0); if (lights_p) glMaterialfv (GL_FRONT_AND_BACK, GL_AMBIENT_AND_DIFFUSE, c2); else glColor4fv (c2); glDrawArrays (GL_TRIANGLES, 0, 6); glPopMatrix(); glDisableClientState (GL_VERTEX_ARRAY); glVertexPointer (3, GL_FLOAT, 0, 0);

Four years ago I asked whether "Google Pass" was a thing that I needed to give a shit about and consensus was, "no, nobody uses that." But I have heard anecdotally, recently, that this might no longer be true. Thoughts?

The goal here is, "reduce the amount of time it takes for someone standing in front of my nightclub to wave their QR code at the door staff." On iOS, Apple Wallet supports that goal very well.

Note: I don't use Android and know as little about its ecosystem as possible, so please use small words.

Previously, previously, previously, previously, previously, previously, previously, previously, previously.]]> https://cdn.jwz.org/blog/2026/03/google-pass-redux/feed/ 125 https://www.jwz.org/blog/2026/03/macos-26-guest-user/ https://www.jwz.org/blog/2026/03/macos-26-guest-user/#comments Sun, 15 Mar 2026 10:33:55 +0000 https://jwz.org/b/yk4f Back in the heady days of macOS 14, you could customize the default reset-to environment of the "guest" user (Safari bookmarks, items on Dock, etc.) by copying stuff into "/System/Library/User Template/English.lproj/". And of course macOS 26 seems to have completely fucked this. How do you accomplish this now?

Previously, previously, previously, previously, previously, previously, previously.]]> https://cdn.jwz.org/blog/2026/03/macos-26-guest-user/feed/ 20 https://www.jwz.org/blog/2026/03/linux-xft-unicode-fonts/ https://www.jwz.org/blog/2026/03/linux-xft-unicode-fonts/#comments Mon, 02 Mar 2026 20:11:33 +0000 https://jwz.org/b/yk39 XftDrawStringUtf8 that succeeds in displaying Japanese characters? On Debian 13 with "fonts-noto" installed, "lxterminal" can do it but XScreenSaver still can't seem to display anything more complicated than Cyrillic.

E.g. "unicrud --block Katakana".

The actual XFT font I get from XftFontOpenXlfd("-*-sans serif-bold-r-*-*-*-180-*-*-*-*-*-*") is

Noto Sans-300 :familylang=en :style=Bold :stylelang=en :fullname=Noto Sans Bold :fullnamelang=en :slant=0 :weight=200 :width=100 :pixelsize=401.899 :foundry=GOOG :antialias=True :hintstyle=1 :hinting=True :verticallayout=False :autohint=False :globaladvance=True :file=/usr/share/fonts/truetype/noto/NotoSans-Bold.ttf :index=0 :outline=True :scalable=True :dpi=96.4557 :rgba=5 :scale=1 :minspace=False :fontversion=131334 :capability=otlayout\:DFLT otlayout\:cyrl otlayout\:grek otlayout\:latn :fontformat=TrueType :embolden=False :embeddedbitmap=True :decorative=False :lcdfilter=1 :namelang=en :prgname=unicrud :postscriptname=NotoSans-Bold :color=False :symbol=False :variable=False :fonthashint=True :order=0 :namedinstance=False :fontwrapper=SFNT

Previously, previously, previously.]]> https://cdn.jwz.org/blog/2026/03/linux-xft-unicode-fonts/feed/ 42 https://www.jwz.org/blog/2026/02/let-friction-ring/ https://www.jwz.org/blog/2026/02/let-friction-ring/#comments Fri, 27 Feb 2026 18:55:15 +0000 https://jwz.org/b/yk33 Dear Lazyweb,

I have this pulley wheel, 50mm inside diameter, 4mm groove. I need a rubber traction ring to go inside it. I cannot find anyone who will sell this to me.

The ring must be flat or concave, not round like a typical gasket seal O-ring, or the string its pulling will just slide off the track.

Alternately, any similar-sized metal pulley wheel that comes with a friction surface pre-attached, 8mm axis hole with set screw.

I have tried coating it with sugru, but that is too soft and wears off after not-very-long.

Update: If you're going to say "why don't you just" or "have you searched for" without a purchase link to a product of the correct size, please know that you are not helping.

Previously.]]> https://cdn.jwz.org/blog/2026/02/let-friction-ring/feed/ 115 https://www.jwz.org/blog/2026/02/youtube-oauth-api-fuckery/ https://www.jwz.org/blog/2026/02/youtube-oauth-api-fuckery/#comments Tue, 24 Feb 2026 19:08:53 +0000 https://jwz.org/b/yk3r I have two YouTube accounts, jwz and dnalounge, and I'm using the oauth API with both of them to automate uploads and stuff. With the DNA account, I am getting a refresh_token that lasts forever. But with the jwz one, I am getting a refresh_token that can only refresh the access_token for a week, and then I have to log in again. Any ideas what fuckery is afoot?

The DNA token does this:

GET https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=DNA_ACCESS_TOKEN_1 => access_type	=> "offline", audience	=> "DNA_PROJECT_ID.apps.googleusercontent.com", expires_in	=> 3574, issued_to	=> "DNA_PROJECT_ID.apps.googleusercontent.com", scope 	=> "https://www.googleapis.com/auth/youtube" POST https://accounts.google.com/o/oauth2/token client_id	=> "DNA_PROJECT_ID.apps.googleusercontent.com", client_secret	=> "DNA_CLIENT_SECRET", grant_type	=> "refresh_token", refresh_token	=> "DNA_REFRESH_TOKEN" result: access_token	=> "DNA_ACCESS_TOKEN_2", expires_in	=> 3599, scope 	=> "https://www.googleapis.com/auth/youtube", token_type	=> "Bearer" token expiration 0:00:59:34 => 0:00:59:59

but the jwz token does this:

GET https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=JWZ_ACCESS_TOKEN_1 => access_type	=> "offline", audience	=> "JWZ_PROJECT_ID.apps.googleusercontent.com", expires_in	=> 3413, issued_to	=> "JWZ_PROJECT_ID.apps.googleusercontent.com" scope 	=> "https://www.googleapis.com/auth/youtube", POST https://accounts.google.com/o/oauth2/token client_id	=> "JWZ_CLIENT_ID", client_secret	=> "JWZ_CLIENT_SECRET", grant_type	=> "refresh_token", refresh_token	=> "JWZ_REFRESH_TOKEN" result: access_token	=> "JWZ_ACCESS_TOKEN_2", expires_in	=> 3599, refresh_token_expires_in	=> 201701 scope 	=> "https://www.googleapis.com/auth/youtube", token_type	=> "Bearer", token expiration 0:00:56:53 => 0:00:59:59 refresh expires in 2:00:01:41

Maybe I'm logging in wrong? I log in with user/pass/TOTP "jwz@jwz.org" which takes me to the channel "@yesthatjwz" then I load:

https://accounts.google.com/o/oauth2/auth?client_id=JWZ_PROJECT_ID.apps.googleusercontent.com&redirect_uri=https://localhost&response_type=code&scope=https://www.googleapis.com/auth/youtube&access_type=offline

and it asks me to choose my "brand" account. There are three listed: "DNA Lounge", "yesthatjwz", and another "jwz" account. The selection that works is the "yestthatjwz" one. The mystery account is @alsojwz1853 and I don't know why it exists but I'm afraid to delete it in case that breaks something.

When I sign in with "jwz@jwz.org", it takes me directly to my real channel, @yesthatjwz.

When I sign in with: "yesthatjwz" or "youtube@jwz.org" or "yesthatjwz@jwz.org", it asks me to select a channel: @yesthatjwz or "also jwz" @alsojwz1853.

Trying to sign in with "alsojwz1853" says "could not find your account".

Another clue: both the "DNA Lounge" and "yesthatjwz" accounts work with or without at-signs, /dnalounge, /@dnalounge, /yesthatjwz and /@yesthatjwz, but the other one only works as /@alsojwz1853, not as /alsojwz1853. Maybe because they are old accounts that pre-date YouTube being purchased by Google? Another difference is that the thing in console.cloud.google.com/auth/clients/*_PROJECT_ID for DNA is an "iOS client" created in 2014, but for "jwz" is a "Desktop client" created in 2024. There don't seem to be any settings.

But I still don't understand why the DNA and jwz accounts have different behavior.

Previously, previously, previously, previously.]]> https://cdn.jwz.org/blog/2026/02/youtube-oauth-api-fuckery/feed/ 32 https://www.jwz.org/blog/2026/02/remote/ https://www.jwz.org/blog/2026/02/remote/#comments Tue, 17 Feb 2026 08:29:26 +0000 https://jwz.org/b/yk3k https://cdn.jwz.org/blog/2026/02/remote/feed/ 49 https://www.jwz.org/blog/2026/02/svg-triangulation/ https://www.jwz.org/blog/2026/02/svg-triangulation/#comments Wed, 04 Feb 2026 02:04:01 +0000 https://jwz.org/b/yk25 I need this SVG as a DXF, DWG or SKP with all of the polylines converted to triangular meshes. Can someone show me how, or just do it for me?

The conversion must preserve group names so that I can tell which ones are which.

Bonus level: can you find a similar source map that also has US states? Must be equirectangular.

Previously, previously, previously.]]> https://cdn.jwz.org/blog/2026/02/svg-triangulation/feed/ 27 https://www.jwz.org/blog/2026/01/zipbomb-json/ https://www.jwz.org/blog/2026/01/zipbomb-json/#comments Sun, 01 Feb 2026 06:25:50 +0000 https://jwz.org/b/yk2x Update: Ok fine, since you have all failed me, I wrote a JSON bomb generator. With a 10GB file, "jq" 1.8.1 takes a full minute to produce no output.

Previously, previously, previously.]]> https://cdn.jwz.org/blog/2026/01/zipbomb-json/feed/ 34 https://www.jwz.org/blog/2026/01/re-implementing-patreon/ https://www.jwz.org/blog/2026/01/re-implementing-patreon/#comments Thu, 29 Jan 2026 18:36:37 +0000 https://jwz.org/b/yk2l Do you have experience implementing recurring payments using authorize.net? Specifically, I'm interested in gotchas with replaying CIM tokens; best practices for retrying declines; dealing with expired cards, changed addresses, etc. Email me.

IMPORTANT: If you have never created a "createCustomerProfileFromTransactionRequest" XML node, this question is not for you.

I am not soliciting advice about what third party intermediary company I should pay rent to, and I don't ever want to hear the word Stripe.

Previously, previously, previously, previously, previously.]]> https://cdn.jwz.org/blog/2026/01/re-implementing-patreon/feed/ 9 https://www.jwz.org/blog/2026/01/ipad/ https://www.jwz.org/blog/2026/01/ipad/#comments Sat, 24 Jan 2026 22:33:02 +0000 https://jwz.org/b/yk2S https://cdn.jwz.org/blog/2026/01/ipad/feed/ 69 https://www.jwz.org/blog/2026/01/wp-remember-me/ https://www.jwz.org/blog/2026/01/wp-remember-me/#comments Mon, 19 Jan 2026 20:30:13 +0000 https://jwz.org/b/yk2J Previously, previously, previously.]]> https://cdn.jwz.org/blog/2026/01/wp-remember-me/feed/ 8 https://www.jwz.org/blog/2026/01/gpio-madness/ https://www.jwz.org/blog/2026/01/gpio-madness/#comments Sun, 18 Jan 2026 19:24:49 +0000 https://jwz.org/b/yk2F

1. Boot Pi with HDMI monitor attached: works fine.
2. Boot without monitor: all GPIO inputs "flap" about once a second.
3. Plug in monitor: 10 seconds later, inputs start behaving normally.
4. Unplug monitor: remains good. Until reboot.

WTF?

Raspberry Pi 4 Model B Rev 1.5, Debian GNU/Linux 12 (bookworm) 12.11. Two different Pis, same behavior.

I guess I don't care why it wants a monitor so badly, so I tried to fake it out and convince it that one is there. Are are all of my config.txt changes:

#dtoverlay=vc4-kms-v3d dtoverlay=vc4-kms-v3d,noaudio max_framebuffers=2 [all] dtoverlay=disable-wifi dtoverlay=disable-bt framebuffer_width=1280 framebuffer_height=720 hdmi_force_hotplug=1 hdmi_drive=2 core_freq_min=500 core_freq=500

I tried adding this to commandline.txt, didn't help: video=HDMI-A-1:1920x1080M@60

Previously.]]> https://cdn.jwz.org/blog/2026/01/gpio-madness/feed/ 76 https://www.jwz.org/blog/2026/01/fail2ban-gc/ https://www.jwz.org/blog/2026/01/fail2ban-gc/#comments Thu, 08 Jan 2026 08:30:44 +0000 https://jwz.org/b/yk1e Previously, previously, previously.]]> https://cdn.jwz.org/blog/2026/01/fail2ban-gc/feed/ 35 https://www.jwz.org/blog/2026/01/what-the-fib/ https://www.jwz.org/blog/2026/01/what-the-fib/#comments Tue, 06 Jan 2026 21:49:53 +0000 https://jwz.org/b/yk1X

Why, why would you do that!

A square tiling makes sense. A triangular or hexagonal tiling makes more sense. A Fibonacci spiral makes the most sense. But what the absolute clustering-fuck is this shit? This layout gets more cursed the more you look at it.

Apparently Google is dropping support for Gmail accounts being able to fetch mail from outside accounts. At all. And they announced this change less than 60 days ago. (The announcement was in the basement, stairs, leopard, etc.)

What I want to accomplish is simple:

1. When email arrives for employee@dnalounge.com, have it delivered to the inbox of dna_employee@gmail.com.
2. When that employee is logged into that gmail account, have them able to send email with employee@dnalounge.com in the From: header.

This cannot be accomplished by simply having mail.dnalounge.com forward messages for employee@dnalounge.com to dna_employee@gmail.com because SPF destroyed email forwarding. Specifically:

1. customer@example.com sends mail to employee@dnalounge.com.
2. The SPF record of example.com includes "-all" (strict) as is now common.
3. mail.dnalounge.com forwards that messages to dna_employee@gmail.com.
4. Gmail says, "example.com does not permit dnalounge.com to send email on their behalf" and rejects it with "550 SPF hard fail".

My current email flow is this:

1. Inbound mail:
   1. Email for employee@dnalounge.com arrives at my server.
   2. Message is stored in my server's Dovecot/Maildir.
   3. dna_employee@gmail.com has "Import emails from my other account (POP3)" selected, and Gmail has a saved plaintext copy of their mail.dnalounge.com email password to accomplish this.
   4. Gmail polls and downloads their email over POP3 every 30-90 minutes, sometimes longer. ← This is the thing that is going away.
   5. Gmail runs their aggressive spam filtering on that, and puts some subset of it into their Gmail inbox.

2. Outbound mail:
   6. dna_employee@gmail.com has its outgoing From address configured as employee@dnalounge.com (via "Add another email address").
   7. When they use Gmail to send mail from their employee@dnalounge.com address, Gmail delivers it to mail.dnalounge.com, authenticating with the saved plaintext copy of the employee's mail.dnalounge.com password.
   8. mail.dnalounge.com delivers it to customer@example.com, so the SPF record matches mail.dnalounge.com as the origin (and I don't have to have my SPF record say "any spammer on gmail.com is allowed to send mail pretending to be any dnalounge.com address.").

The linked article says "Gmail will continue to support IMAP" which sounds like: "Gmail can still poll your server to download email, you just have to switch from POP to IMAP". That would be fine if it were true, but it is not. Gmail does not and has never supported importing email via IMAP into the Gmail MDA/MTA. It only supports adding an IMAP server as a second account in the MUA, which is not the same thing at all.

Now that Google is removing the ability to have Gmail poll my server to download messages, what are my options?

Here are some things that people will suggest that are unacceptable:

1. Have the dnalounge.com MX record point to some Google thing and let them take over 100% of my company's email. Fuck no. Also it wouldn't integrate with our internal systems, store, transactional emails, bounce processing, etc.

2. Have my employees' official business email addresses end in @gmail.com. Obviously no. (Maybe @aol.com though.)

3. Use "Sender Rewriting Scheme" to have dnalounge.com rewrite customer@example.com to customer%example.com@dnalounge.com before forwarding it to dna_employee@gmail.com, which is insane, but also will cause any forwarded spam to be tallied against dnalounge.com and Google will just stop delivering them. At some point, Google's "best practices for forwarding" document specifically dis-recommended SRS.

4. Find some other third-party email provider that still offers the POP3-download service that Gmail used to, and tell my staff, "Great news everybody! You have to switch from Gmail to Hotmail now."

So the only options that I think I have left are:

5. Self-host IMAP.
   1. Every employee gets their own IMAP account, hosted on my own server.
   2. They can add that account to the Gmail mobile app or whatever, as a second IMAP account that is not Gmail. Which is apparently still supported. For now.
   3. My server is now responsible for storing all of their messages, including all of their spam. It is a vast amount of data. I will have to implement quotas.
   4. My employees will be wasting a bunch of time trying to find and delete emails with the same giant attachment in each of the 30 messages in the same thread, and if they don't, mail to them will bounce.
   5. "I can't find that old email any more" is a conversation that we will be having all the time.
   6. My employees will be receiving way more spam, since Gmail's spam filtering is (presumably?) still more effective than what I can accomplish with some stock set of spamassassin rules.

6. Walk North until I reach the nearest fjord, board an ice floe, lie down, and wait for my bones to turn to dust. The ocean will sequester my carbon. I hope this email does not find you.

Do I have other options?

In summary, everything is terrible.

Previously, previously, previously, previously, previously, previously, previously.]]> https://cdn.jwz.org/blog/2025/12/today-in-google-broke-email-2/feed/ 196 https://www.jwz.org/blog/2025/12/xquartz-egl-2/ https://www.jwz.org/blog/2025/12/xquartz-egl-2/#comments Mon, 15 Dec 2025 01:58:39 +0000 https://jwz.org/b/yk0d Some time in the last ~6 months, eglCreatePlatformWindowSurface vanished from the libraries provided by MacPorts "mesa". Where do I find it? It is not in libGL and there is no libEGL.

macOS 14.7.7, mesa 25.3.1, xorg-libX11 1.8.12.

Previously.]]> https://cdn.jwz.org/blog/2025/12/xquartz-egl-2/feed/ 6 https://www.jwz.org/blog/2025/12/under-attack-please-stand-by-2/ https://www.jwz.org/blog/2025/12/under-attack-please-stand-by-2/#comments Fri, 12 Dec 2025 15:26:16 +0000 https://jwz.org/b/yk0T Since yesterday my server has again been getting absolutely obliterated by AI scrapers. This time, though, load is below 1, but I'm getting up to 10 requests a second and all of my Apache workers are in state "R". "apachectl restart" fixes it... for a while. And fail2ban is banning IPs full-tilt.

What levers do I have to pull on this? E.g. maybe it would be sensible to drop connections if they stay in "R" for more than a couple seconds?

This 12 year old post suggests some sysctl.conf changes, but I have no idea whether those suggestions are sensible today. My current settings for those are the defaults:

net.ipv4.tcp_fin_timeout = 60 net.ipv4.ip_local_port_range = 32768 60999 net.core.somaxconn = 4096 net.core.netdev_max_backlog = 1000

In httpd.conf, some vhosts have "Timeout 240" because I really do have some CGIs that take that long to run, and you can't make exceptions on a per-URL basis.

I have reqtimeout_module loaded, with the default settings, which I believe are:

handshake=0 header=20-40,MinRate=500 body=20,MinRate=500

Previously, previously.]]> https://cdn.jwz.org/blog/2025/12/under-attack-please-stand-by-2/feed/ 96 https://www.jwz.org/blog/2025/12/video-text-remover/ https://www.jwz.org/blog/2025/12/video-text-remover/#comments Sat, 06 Dec 2025 04:42:20 +0000 https://jwz.org/b/ykyK adequate but has some annoyances so I would like to try anything else.

Only use case I care about is: scrub thru video; select a series of rectangles and start/end times; run ffmpeg with a series of "delogo" filters.

Auto-detection or anything "AI" is an explicit non-goal.

Web search for this topic has been utterly poisoned by grifters.

Previously.]]> https://cdn.jwz.org/blog/2025/12/video-text-remover/feed/ 16 https://www.jwz.org/blog/2025/12/xscreensaver-and-pam/ https://www.jwz.org/blog/2025/12/xscreensaver-and-pam/#comments Thu, 04 Dec 2025 04:14:55 +0000 https://jwz.org/b/ykx_ Lazyweb, I have PAM questions.

I added support for PAM to XScreenSaver in 1998, when PAM itself was a little two-year-old baby. Your keyboard was still PS2 and HDMI hadn't been invented yet. For lo these many decades, nobody could agree on what went in /etc/pam.conf or /etc/pam.d/login and it was all a giant mess.

Things that used to sometimes be true:

• If /etc/pam.d/xscreensaver didn't exist you couldn't unlock the screen at all.
• "cp /etc/pam.d/login /etc/pam.d/xscreensaver" was insufficient, some lines had to be omitted.
• You have to call pam_chauthtok() or an unauthorized user might be able to unlock.
• No, if you call pam_chauthtok() it will always fail so don't do that.
• No wait, actually you have to call pam_chauthtok() because it has side effects but you have to ignore its failure.
• You have to PAM_REFRESH_CRED every time.
• No wait, that doesn't work, you have to PAM_REINITIALIZE_CRED every time instead. But not on Solaris.

I could not even hazard a guess as to which of these things are still true, or how many decades ago they stopped being true, or which of them are influenced by Linux versus BSD versus Solaris versus HPUX versus AIX versus Kerberos or other things that nobody cares about any more.

So I am considering making the following changes:

• Always call pam_chauthtok() and respect its result status. I think sshd does this.
• Remove the configure option --enable-pam-check-account-type (which probably should always have been a runtime option, not a compile-time option, but here we are).
• At installation time, create /etc/pam.d/xscreensaver as a file containing the single line "@include login"

What I would like to know is: will this break things on your system? Particular emphasis for this question on people running weird-assed obscure systems.]]> https://cdn.jwz.org/blog/2025/12/xscreensaver-and-pam/feed/ 23 https://www.jwz.org/blog/2025/12/xattr/ https://www.jwz.org/blog/2025/12/xattr/#comments Tue, 02 Dec 2025 09:18:05 +0000 https://jwz.org/b/ykx2 Debian 12.11:

extern ssize_t getxattr (const char *__path, const char *__name, void *__value, size_t __size) __THROW __attr_access ((__write_only__, 3, 4));

macOS 14.7.7:

ssize_t getxattr(const char *path, const char *name, void *value, size_t size, u_int32_t position, int options);]]> https://cdn.jwz.org/blog/2025/12/xattr/feed/ 11 https://www.jwz.org/blog/2025/11/today-in-hoffman-lenses-4/ https://www.jwz.org/blog/2025/11/today-in-hoffman-lenses-4/#comments Tue, 18 Nov 2025 20:58:37 +0000 https://jwz.org/b/ykxj

I have been asking for access to this important technology for years but have not found it. Here is some circumstantial evidence that one such filter exists. I guess this is a Snapchat thing? How can I download and run this without using Snapchat? I assume the answer is "no". Ok, how else can I press button receive candy?

Previously, previously, previously.]]> https://cdn.jwz.org/blog/2025/11/today-in-hoffman-lenses-4/feed/ 12 https://www.jwz.org/blog/2025/11/wtf-ssh/ https://www.jwz.org/blog/2025/11/wtf-ssh/#comments Sat, 15 Nov 2025 20:48:35 +0000 https://jwz.org/b/ykxZ interactively ssh in to my home Mac. "ssh host whoami" works but if I try to get a shell, it hangs forever. ^C, ^Z and ~. don't work. The socket is in ESTABLISHED, and after about 2 1/2 minutes it dies with "client_loop: send disconnect: Broken pipe". The -v log looks exactly like it does for successful connections to other hosts up to that point. WTF?

macOS 14.7.7 running openssh @10.2p1.

Update: The fix was to put "IPQoS none" in sshd_config. It used to be sufficient for that to be in .ssh/config on the client side, but it seems that changed recently.]]> https://cdn.jwz.org/blog/2025/11/wtf-ssh/feed/ 48 https://www.jwz.org/blog/2025/11/pi-4-spi-lossage/ https://www.jwz.org/blog/2025/11/pi-4-spi-lossage/#comments Wed, 05 Nov 2025 07:47:01 +0000 https://jwz.org/b/ykxE behaves properly. Same CF card, so no software differences.

Previously, previously, previously, previously.]]> https://cdn.jwz.org/blog/2025/11/pi-4-spi-lossage/feed/ 81 https://www.jwz.org/blog/2025/10/excluding-a-volume-from-overlayfs/ https://www.jwz.org/blog/2025/10/excluding-a-volume-from-overlayfs/#comments Sun, 26 Oct 2025 04:09:41 +0000 https://jwz.org/b/ykw5 I have enabled overlay via raspi-config, but I would like my second "/rw/" partition on the same drive to remain writable. How do I do that? Raspberry Pi, Debian 12.11.

Filesystem Size Used Avail Use% Mounted on /dev/mmcblk0p2 7.8G 6.5G 896M 89% /media/root-ro tmpfs-root 454M 28M 427M 6% /media/root-rw overlayroot 454M 28M 427M 6% / /dev/mmcblk0p3 7.7G 37M 7.2G 1% /media/root-ro/rw /media/root-ro/rw 454M 28M 427M 6% /rw /etc/fstab: LABEL=rw /media/root-ro/rw ext4 ro,defaults,noatime 0 2 /media/root-ro/rw /rw overlay lowerdir=/media/root-ro/rw,upperdir=/media/root-rw/overlay/rw,workdir=/media/root-rw/overlay-workdir/rw 0 2

Previously, previously, previously.]]> https://cdn.jwz.org/blog/2025/10/excluding-a-volume-from-overlayfs/feed/ 18 https://www.jwz.org/blog/2025/10/nextclown-sso-saml/ https://www.jwz.org/blog/2025/10/nextclown-sso-saml/#comments Fri, 10 Oct 2025 03:23:12 +0000 https://jwz.org/b/ykwT user_saml plugin might be the thing to mess with, since it uses the words "Authentication via Environment Variable" but I have no idea what it means by that.

Ideally I'd have it just run a shell command for authentication, the way Qmail / Dovecot "passdb driver = checkpassword" works, since I already have that working for IMAP... But if instead I have to write some stupid XML endpoint, that's not out of the question.

Any clue where to start? When I mess around on the /settings/admin/saml page it does not seem to be even attempting to load the URLs I entered.

Update: I got it working! It was... a lot.

1. First activate the "External user authentication" app.
2. Note that it seems to be unmaintained and does not work, and apply this patch.
3. Create a "run a shell command" plugin for it. There's this thing which showed me how to do it, but that one passes passwords on the command line which is a WTF level of nope. So I wrote one that uses the Qmail / Dovecot "passdb checkpassword" protocol. It looks like this:

    <?php declare(strict_types=1); namespace OCA\UserExternal; class Shell extends Base { public function __construct(private string $command) {} public function checkPassword(string $uid, string $password): false|string { $fd = 3; $desc = [ $fd => [ "pipe", "r" ]]; $env = [ 'SERVICE' => 'nextcloud', 'AUTH_SERVICE' => 'nextcloud', 'REMOTE_IP' => $_SERVER['REMOTE_ADDR'] ?? '', ]; $proc = proc_open ($this->command, $desc, $pipes, null, $env); if (is_resource ($proc)) { fwrite ($pipes[$fd], "$uid\000$password"); fclose ($pipes[$fd]); $ret = proc_close ($proc); if ($ret === 0) { $this->storeUser ($uid); return $uid; } } return false; } }

4. Then enable it by adding this to config/config.php:

    'user_backends' => [ [ 'class' => '\OCA\UserExternal\Shell', 'arguments' => [ '/where/it/is/checkpassword true' ]]], 

5. If you had a stock account with a NextCloud password, and then switch to logging in to that account with this mechanism, it will log you out every 5 minutes with "Session token credentials are invalid". The only solution I found was to delete the account and allow it to be re-created when logging in for the first time via user_external.

Previously.]]> https://cdn.jwz.org/blog/2025/10/nextclown-sso-saml/feed/ 37 https://www.jwz.org/blog/2025/10/basecamp-alternative/ https://www.jwz.org/blog/2025/10/basecamp-alternative/#comments Tue, 07 Oct 2025 18:00:09 +0000 https://jwz.org/b/ykwH Against my better judgment, I let my staff start using Basecamp about 7 years ago, and now, for reasons, I would prefer to just be self-hosting everything like we should have done from the start. Do you have experience making the transition from Basecamp to something open source and self-hosted?

To be clear, what we use Basecamp for is task management, document editing and file storage, and that's about it. I gather that Basecamp is buzzword-compatible with all kind of other business-brain crap that we have never used, but I don't know what "Gantt" or "Scrum" mean and don't care to.

I think what we need is just a bug tracker and a wiki, whose UI isn't terrible, and that also works well on mobile.

Suggestions?

Things that should not need to be said but do:

• Do not suggest software that you do not use.
• Do not just Google it for me.

Previously, previously.]]> https://cdn.jwz.org/blog/2025/10/basecamp-alternative/feed/ 93