Neil's blog, 26 June 2026

Pondering routing more of my traffic via nodes outside the UK because of the direction of UK online safety policy

Some of the UK government’s policy announcements around the Internet - and, in particular, social media and VPNs - are downright concerning me at the moment.

In the name of “online safety”, the fundamental rights of both freedom of expression and privacy appear to be under imminent threat.

I have concerns which go beyond our shores - mostly stemming from Google, frankly - but the UK legislative / policy issues are bothering me especially at the moment.

I value my ability to read, learn, and communicate almost without borders. I don’t like signing up to websites or newsletters (I prefer RSS), I don’t like storing my data on other people’s computers, and I’ve certainly no wish to prove my age or identity outside core government services.

The current proposal to ban people under 16 - who also have the rights to freedom of expression and privacy - from some (as yet not fully delineated) social media services is likely to result in widespread verification.

While I am unlikely to be affected directly - although it would depend on the definition of “social media” - I anticipate that more websites will simply choose to block traffic from UK IP addresses, especially if UK-originated traffic does not matter a huge amount to them.

I am already seeing this as a consequence of the Online Safety Act, and I expect any future UK laws in this area to exacerbate that.

I also anticipate that we will soon see the first court-ordered blocking injunctions under the Online Safety Act, when the fines issued by Ofcom against some website providers (so far, most quite niche porn sites, as far as I can tell, plus a “suicide discussion forum”) go unpaid and the “compliance issues” which Ofcom has identified go unresolved.

Some - many - UK ISPs have already implemented, and carry out, DNS blocking, both for mandatory and non-mandatory reasons. Mine - A&A - is probably one of the outliers, with no blocking save for the mandatory sanctions-related requirements.

In any case, so far, since I run my own recursive DNS infrastructure, I have not been affected.

I use Tor quite a lot, but I’ve seen an increase - sure, a small increase, but an increase nevertheless - of sites which are blocking Tor traffic.

And so, for the first time, I am considering locating something (perhaps a WireGuard node, or a SOCKS proxy, or a recursive DNS server / DNS proxy, or perhaps all of them) somewhere on the Internet outside the UK, so that I can route some traffic through that, as needed, to maintain my access to the web.

Honestly, it seems such a shame to me, that UK Internet censorship should reach such a place, but there we go.

I have not decided exactly what I might do, or exactly how, or where, I might do it, but it is far more attractive to me now than it has ever been before, in all the 30ish years that I’ve been online.

To me, the need to even contemplate this kind of thing is the stuff of dystopian sci-fi.

And yet here I find myself.

Dark Division's CQB (close quarters battle) training

A while ago, I heard that a friend of a friend was running a close quarters battle training course, at an Airsoft site not far from me (Ironsight, in Andover).

So I scheduled a rare mid-week day off, and signed up.

That day was today :)

Honestly, I was a bit nervous going into the day. Would I know anyone? Would everyone be fitter than I am? Or just better at it?

It turned out that I knew, or at least recognised, at least half of the attendees. That made it easier to chat to some of the others too - and they were all a friendly bunch.

Everyone was very supportive, cheering each other on and - especially - offering reassurance and kindness when people screwed up. And we all screwed up at some point, given how much there was to think about at any one time.

Since a lot of the day was about team work, and communicating effectively, that kind of camaraderie was great.

It also turned out that my fitness, while obviously something that I could improve, was more than good enough, and that I am a confident and accurate shot. So that was nice.

The training itself was superb.

We had two friendly, knowledgeable instructors, who were able to share their knowledge and experience effectively and with humour. If someone needed a bit of extra help, they got it, and it was all very positive.

It was very practical / hands-on, to get as much time as possible to turn basic theory into practice. Having never done this before, I would certainly benefit from some more practice, to reinforce what I learned today.

We covered a lot of stuff, focussing on how to clear rooms (which may or may not have hostile people in them) quickly and safely (well, safe-ish). Different techniques for different types of room, rooms with and without doors and doors opening in different directions, rooms with obstacles in them, and for corridors.

We also did various shooting drills, focussing on arcs of fire (to avoid hitting other team members) and on ensuring that we put enough rounds into the targets to count them as “down”.

We finished the day with explosives, and how to plant them to breach a closed door, and then follow up into the room. I am very glad that I had my ear protection with me for this, as they were incredibly loud at close range.

Overall, it was a superb day, and I would happily sign up to do another of them soon.

Whether I can count this training as part of my continuing professional development, I’m less convinced. “Conflict resolution”, perhaps.

Speeding up static site generation with BSSG

Three months ago, I moved from hugo to BSSG for this blog (and my work blog). You can get BSSG here.

I’ve been really happy with BSSG, and a couple of recent changes by Stefano have made it even better.

Less content, less to generate

I have a minimalist blog. A list of posts on the front page, and generally text-only posts. I like it to load fast even though it is running on a Raspberry Pi 4, along with a couple of other bits.

This means that there are some features of BSSG that I do not use, including descriptions of blogposts. I use the title for that, on the basis that this should be informative in itself. It suits me, anyway.

There are also some other UI elements that I do not need, such as reading time.

I bodged my way around these, using CSS rules to hide the unwanted content from display.

I could have changed the code to neither generate nor display them, but I didn’t really want to run, and need to maintain, my own branch.

With the recent changes, Stefano added some new config options:

SHOW_HEADER_MENU=false        # Set false to remove nav menu from header
SHOW_INDEX_DESCRIPTIONS=false # Set false to hide descriptions/excerpts on index
GENERATE_EXCERPT=false        # Set false to skip auto-generating excerpts
SHOW_READING_TIME=false       # Set false to hide reading time on posts

These are set to “true” by default - to preserve the experience for people who already use BSSG and expect these things, which makes sense to me - but now I can set them to “false”, and have an even slicker, faster experience.

Incremental updates

The second brilliant change is about the way the scripts handle incremental updates. The idea being that, rather than building every post, every time, it will just build the new posts.

I struggled to get this to work initially, as it was building all posts, every time.

This turned out to be entirely down to me: my build script, which I use to control building and deploying both the cleartext and .onion versions of the blogs, cleared the output directory each time.

I removed that, and bingo, incremental updates!

This combination of things meant that building each site went from ~10 minutes (which was a bit painful) to ~1 minute (which is fine!).

Happy days.

Why are there no good tablets at the moment?

A friend was looking for a new tablet, and they asked me for a recommendation.

And… I just don’t have one.

The only good tablet, because Android can be replaced with GrapheneOS, was the Google Pixel Tablet, and that is no longer available. Secondhand prices are sky high. That was my go-to recommendation for a while. But it looks like Google has abandoned this project too.

Amazon’s range of FireOS tablets are, IMHO, bloated with crapware which one cannot easily remove. Even the Fire-Tools scripts only get one so far. I can’t recommend one.

There are some fun-looking “tablet computers”, but they are all expensive.

A secondhand Surface Go, if one wants a Linux-based tablet, is readily available and pretty cheap, but honestly not what most people will want. And, while I like it as a cheap, touchscreen, Linux machine, it is not particularly powerful, which can be frustrating. And getting the camera working is a nuisance.

I guess that there are some iPads, if one is accepting of Apple / iOS. Again, that wouldn’t be my choice, but I can see why some people like them.

Why is there no good (non-Apple) tablet at the moment?

Fixing a proxying problem with my HomeAssistantOS installation by replacing nginx proxy manager

tl;dr: I removed the “nginx proxy manager” add-on, and replaced it with the Let’s Encrypt add-on and (second) the nginx add-on.

A couple of months ago, I moved my HomeAssistant installation to HAos.

I think that it is fair to say that I was not overly pleased with this. Honestly, I preferred the “Core” python-venv approach, but I also wanted a “supported” installation, and so I switched to HAos.

I got it up and running okay, and I thought that I had got proxying working too, using an add-on called “nginx proxy manager”.

This is not something that I had used before; I’d rather just configure nginx myself.

Well, either I got something wrong, or it just does not work very well, as I kept having problems using HomeAssistant, stuck on a “loading data” screen, or it simply not responding.

This bugged me for quite a while.

Annoyingly, the logs available to me within HAos were unhelpful. I couldn’t spot anything indicating a problem.

Using the console in my web browser, I noted that some files were not loading correctly, but why that was the case, I wasn’t sure.

I thought that I’d had a similar issue with my “Core” installation years ago, which I got down to the issue of the trusted_proxies in the configuration.yaml file, but that looked correct here (which I was able to check using the SSH add-on).

I tried various parameters in the nginx proxy manager add-on, but to no avail.

In the end, I tried removing the nginx proxy manager add-on, and replacing it with the Let’s Encrypt add-on (which I installed, configured, and ran first), and then the nginx add-on.

And it immediately started working correctly.

So I don’t know exactly why my original set-up was not working, but at least it is working better now.

Please consider publishing a full-text RSS feed for your website or blog

I have used RSS (“Really Simple Syndication”) as my default web browser (for some stuff) for ages now.

Ages as in “20+ years”.

It seems to be enjoying a bit of a resurgence, and I am delighted.

What is RSS

RSS is a way of publishing web content in a machine-readable format.

When you publish a blogpost, as well as the new blogpost showing on your site, it is also added to a file, often called index.xml or feed.xml or similar.

I publish RSS feeds for my personal blog and the decoded.legal blog.

Your loyal, eager readers “subscribe” to your RSS feed, which just means adding the link to that RSS file to their RSS reader or aggregator.

I use FreshRSS as my RSS aggregator (the thing which collects all the RSS feeds), and then Readrops on Android and newsboat (I wrote about newsboat) on Linux to read the feeds.

You can see a list of blogs that I follow via RSS.

A reader’s aggregator or reader periodically downloads the RSS .xml file from each of the sites, and, if there’s an update (because of a new blogpost, most commonly), shows the new blogpost(s) to the reader.

They might even have set up a tool like Calibre - an ebook management tool - to download your feed and convert it into a file that they can enjoy on their ereader.

It is a wonderful way for a reader to create their own personalised reading list of their favourite authors, making sure that they never miss a post.

For authors, it is an easy, free way of making their works available, under their own control, without the hassle or cost of running an email subscription service.

Full-text RSS ftw!

One can make available either (or both) an RSS feed containing snippets of posts (e.g. a headline, perhaps an initial paragraph or sentence, and a link to the website), or the full text of posts (as well as a link).

Please, consider making a full-text feed available!

This is probably as simple as adjusting a config setting in WordPress, or whatever else you use for your blog.

By doing so, you give your readers an easy way of enjoying what you write, without you incurring any extra cost, and lessening the risk of them missing one of your posts.

It is not the end of the world if you do not or cannot do it - I’ve written before about using CSS selectors in FreshRSS to get full-text content for a snippet-only feed - but, by giving them full text, they do not have to faff around with this.
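If you want to check what your own feed actually offers before pointing readers at it, here is an added example (not from the post, and not FreshRSS code) that classifies each entry of an RSS 2.0 or Atom feed as full-text or snippet-only; the SAMPLE_FEED document is constructed input.

```python
"""Added example (not from the post): check whether a feed carries full-text posts
or only snippets, so you can verify your own index.xml or feed.xml before asking
readers to subscribe. Handles RSS 2.0 (description / content:encoded) and Atom
(summary / content). SAMPLE_FEED is constructed input, not a real feed."""
import xml.etree.ElementTree as ET

NS = {
    "content": "http://purl.org/rss/1.0/modules/content/",
    "atom": "http://www.w3.org/2005/Atom",
}

# Constructed sample: one item with the whole post in content:encoded, one with a teaser only.
SAMPLE_FEED = """<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>Example blog</title>
    <link>https://blog.example/</link>
    <item>
      <title>Full-text post</title>
      <link>https://blog.example/full</link>
      <description>A short teaser for the post.</description>
      <content:encoded><![CDATA[<p>First paragraph.</p><p>The rest of the article, all of it, in the feed.</p>]]></content:encoded>
    </item>
    <item>
      <title>Snippet-only post</title>
      <link>https://blog.example/snippet</link>
      <description>Just the first sentence, then a link to the site.</description>
    </item>
  </channel>
</rss>
"""


def _text(el):
    """Text of an element, or '' when it is absent."""
    return (el.text or "").strip() if el is not None else ""


def _has_body(el):
    """True when a content element carries text or (Atom type="xhtml") child markup."""
    return el is not None and (bool(_text(el)) or len(el) > 0)


def _kind(has_body, summary, min_chars):
    if has_body or len(summary) >= min_chars:
        return "full-text"
    return "snippet" if summary else "empty"


def classify_feed(xml_text, full_text_min_chars=500):
    """Return [(title, kind)] per entry; kind is 'full-text', 'snippet' or 'empty'.

    An entry counts as full-text when it has content:encoded (RSS) or content
    (Atom), or when description/summary alone is at least full_text_min_chars
    long, a heuristic for feeds that put the whole post in description."""
    root = ET.fromstring(xml_text)
    results = []
    if root.tag == "rss":
        for item in root.iterfind("./channel/item"):
            results.append((
                _text(item.find("title")),
                _kind(_has_body(item.find("content:encoded", NS)),
                      _text(item.find("description")), full_text_min_chars),
            ))
    elif root.tag == f"{{{NS['atom']}}}feed":
        for entry in root.iterfind("atom:entry", NS):
            results.append((
                _text(entry.find("atom:title", NS)),
                _kind(_has_body(entry.find("atom:content", NS)),
                      _text(entry.find("atom:summary", NS)), full_text_min_chars),
            ))
    else:
        raise ValueError(f"not an RSS 2.0 or Atom document: {root.tag}")
    return results


def is_full_text_feed(xml_text):
    """True only when every entry in the feed is full-text."""
    kinds = [k for _, k in classify_feed(xml_text)]
    return bool(kinds) and all(k == "full-text" for k in kinds)


if __name__ == "__main__":
    for title, kind in classify_feed(SAMPLE_FEED):
        print(f"{kind:10} {title}")
    print("full-text feed:", is_full_text_feed(SAMPLE_FEED))
```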

It is also advantageous from an accessibility point of view, as your reader can set up their RSS reader however best works for them, be that a different font, or large font sizing, or just a distraction-free environment, and they still get to enjoy what you write.

If you care about analytics / readership (and I am not one of those people; I’ve no idea how many people read this), then offering an RSS feed might skew these. But if it is skewing it by a statistically significant amount, this just means that lots of people are enjoying what you write! (And I’d have thought that bots were already skewing your stats, but that’s another topic…)

Your own writing, on your own server, just made available to your own readers in a convenient, free of charge way.

What’s not to like!

Just let me compute in peace

Computing can be so noisy these days

No, I don’t want to sign up to your newsletter.

No, I don’t want to create an account to read your site. (Well, I will for paid subscriptions, I guess.)

No, I’m not going to create an account on your system to use my computer, or configure a router. I have a local account on the machine, and that’s just fine.

No, I don’t want your app. You have a website. And yes, if you pretend that I can only do something via your app because I’m on a mobile browser, of course I’ll switch to desktop mode.

No, I’m not installing your “app” to configure this hardware. It is a sodding kettle. I’ll press the button when I want hot water.

No, your tracking will not make my experience better. What would make my “experience” better is if you had not interrupted my “experience” in the first place with your weasel-y worded, bad faith compliance, annoyance of an overlay which probably does nothing anyway.

No, I am not going to “consent or pay”.

No, I don’t want to hear from your sponsor.

No, I don’t want to use your Discord “server”. That’s not documentation.

No, I don’t want to see “promoted” content. Just show me stuff in chronological order.

No, that’s not a “newsletter”, that’s marketing.

No, I don’t want your newsletter anyway.

No, I don’t want adverts. (Although, personally, I can absolutely live with FOSS developers including occasional prompts for support. So I’ve got double standards. Oh well.)

No, I am not going to disable my ad blocker.

No, I am not going to verify my identity or age.

No, I don’t want your chatbot. If I can’t find what I want on your website, you’ve screwed up.

No, I don’t care what “Dave (48), Alabama” had to say about this. (Thanks, “Shut Up” comments blocker extension!)

No, I am not giving you free labour to determine if that blurry image contains a car.

No, I don’t want the upsell.

No, I don’t want your survey.

No, I don’t want a reminder that there’s something left in a basket. I know. I put it there.

No, I don’t want to rate your product, let alone your choice of courier. You took my money, now sod off and leave me alone.

Computing can be so noisy these days, but it need not be so.

If you make Free software which I can install via apt or F-Droid and just use, thank you.

If you make a full-text RSS feed available for your site, thank you.

If you make your site a pleasure to read in a text-only browser, thank you.

Resources to aid understanding someone else's perimenopause / menopause

I asked for reading recommendations, for a partner of someone who is going through the perimenopause / menopause.

I got a lot of responses; thank you.

I have included below those which seemed most relevant, for me to follow up on them. Apologies if I didn’t include your particular suggestions.

I received quite a lot of advice too; thank you.

Reading suggestions

Books

  • “Burning Up, Frozen Out” by Joe Warner and Rob Kemp
  • “Menopause Manifesto” by Dr Jen Gunter (several recommendations for this)
  • “Perimenopause Power” by Maisie Hill
  • “Woman on Fire” by Sheila de Liz (multiple recommendations)
  • anything by Dr Louise Newsome

Blogs and microblogs

Thayer said:

I often help men understand their partners’ journeys as part of my therapy & coaching as it really affects men as well

Podcasts

Videos

Thoughts on increasing ssh security using a hardware security key

I have been using hardware security keys (including YubiKeys and Titan keys) for FIDO2 and TOTP for a while, but not for ssh.

At the moment, I harden the ssh config on my servers, lock down access by IP address, and use password-protected certificates for authentication, blocking password-based authentication.

So I think that I do at least reasonably well as it is.

But I was interested to see if I could introduce a further aspect of security for ssh, using a security key.

My security keys support the generation of both resident and non-resident keys. Resident keys are stored on a slot on the YubiKey, while non-resident keys are stored on the client computer, but require the YubiKey.

I picked non-resident.

I set a passphrase as part of the ssh-keygen process, so, when it comes to using that key, I need to enter that passphrase and insert and touch the security key.

So now someone would need:

  • to be connected to the correct network
  • to have a copy of my private key
  • to know the passphrase for that private key
  • to have one of my security keys (my main security key, and my backup security key)
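To confirm the server side actually enforces this, here is an added example (not from the post, and not OpenSSH code) that audits an authorized_keys file for non-security-key entries and checks that sshd_config disables password authentication; the two sample files are constructed strings with placeholder key blobs.

```python
"""Added example (not from the post): audit the server side of the set-up above.

It checks that every key in authorized_keys is a FIDO security-key type
(sk-ssh-ed25519@openssh.com or sk-ecdsa-sha2-nistp256@openssh.com, the types
ssh-keygen -t ed25519-sk / -t ecdsa-sk produce) and that sshd_config disables
password authentication. Input is plain text, so the samples below are
constructed strings rather than real files or real keys."""
import re

SK_KEY_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}
KEY_TYPE_RE = re.compile(r"^(sk-|ssh-|ecdsa-)")
# "Keyword value" or "Keyword=value", as sshd_config(5) allows.
CONFIG_LINE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")

SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample; the key blobs are placeholders, not real keys
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAA main-yubikey
from="192.0.2.0/24 198.51.100.7",touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNh backup-key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA old-laptop-key
"""

SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes   # ignored: sshd keeps the first value it sees
Match User guest
    PasswordAuthentication yes
"""


def split_fields(line):
    """Split on whitespace that is not inside double quotes, so an options field
    such as from="192.0.2.0/24 198.51.100.7" stays in one piece."""
    return re.split(r'\s+(?=(?:[^"]*"[^"]*")*[^"]*$)', line.strip())


def key_type(line):
    """Key type token of an authorized_keys line, or None if none is found."""
    for token in split_fields(line):
        if KEY_TYPE_RE.match(token):
            return token
    return None


def non_sk_keys(authorized_keys_text):
    """[(line number, key type)] for every key line that is not a -sk key."""
    bad = []
    for n, line in enumerate(authorized_keys_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        t = key_type(line)
        if t not in SK_KEY_TYPES:
            bad.append((n, t))
    return bad


def effective_option(sshd_config_text, keyword):
    """Global value of a keyword: sshd uses the first value it sees, keywords are
    case-insensitive, and anything after the first Match line applies only to
    matching connections, so the scan stops there (Match blocks are not evaluated)."""
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = CONFIG_LINE_RE.match(line) if line else None
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key == keyword.lower():
            return value
    return None


def password_auth_disabled(sshd_config_text):
    """True when the global PasswordAuthentication setting is explicitly 'no'.
    A missing keyword is reported as not disabled, because the default is 'yes'."""
    value = effective_option(sshd_config_text, "PasswordAuthentication")
    return value is not None and value.lower() == "no"


if __name__ == "__main__":
    for n, t in non_sk_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"authorized_keys line {n}: {t or '<unrecognised>'} is not a security-key type")
    print("password authentication disabled:", password_auth_disabled(SAMPLE_SSHD_CONFIG))
```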

I can, I think, add a PIN to the YubiKey but, to date, I have not done this. Perhaps I should.

Honestly, I was probably fine without this, but, well, I had the security keys, so why not.

But, while this works fine from my laptop, I can’t get it to work on my phone (GrapheneOS).

At the moment, I use Termux, and from there, I can ssh in to my servers. But I can’t get Termux to use my *-sk keypair.

There is a six year old issue in the Termux GitHub repo which indicates that it might, at some point, be coming, and that would be welcome.

Apparently it can be done using a closed source tool, but since I’m only looking to use FOSS, that’s not on the cards for me.

So that is a bit of a pain, as it is convenient to be able to log in from my phone from time to time.

Sex and the Fedi

Over the weekend, Girl on the Net - an esteemed sex blogger who, incidentally, happens to be one of the smartest, strongest, and downright loveliest people that I know - tooted:

If you ever get sick of me banging on about my life and think ‘ugh I wish she would stick to the porn’ then please know: hardly anyone ever boosts the … porn.

And this made me think.

I had an engaging conversation with numerous people about it, and I still don’t have good answers, but I enjoyed the discussion and wanted to keep a note of it. This is that note.

More sex, fewer boosts

I follow and chat with quite a lot of sex positive / sex work-related people in the fediverse, and many have expressed similar sentiments. They create, they share, they get “likes” - and, of course, ample criticism - but very few boosts / shares.

It must be incredibly demoralising.

(I am in a different position in that I neither know nor care how many views my blogposts get.)

It made me ponder why people do not share sex-related content, when sex is clearly part of life for many (but not all) people.

Why?

My thoughts were:

  • stigma about sex as pleasure. It’s fine to have sex, but not to talk about it. One of Girl on the Net’s regular themes is about communication, and simply asking questions (not just about sex, but also including about sex and one’s preferences and horizons). But I imagine that, for some, talking about sex is uncomfortable, including sharing other people talking about sex.

  • concerns relating to professional expectations and obligations. I fall into this category. I am sex positive, but I do not know where the Solicitors Regulation Authority would draw the line, and I don’t wish to be even close to where that line might be. So I play it safe, even though there is stuff that I would like to post or share. But, oh well, self-censorship ftw. Sometimes, I would love not to be “me” online.

  • being embarrassed about what others here might think. Similar, but different, to the points above. This is about other fedizens, who might be co-workers, employers, family members, or whatever.

  • sex as being in the sphere of one’s private life.

  • older people, perhaps especially men, being self-aware of engaging with younger adults posting sex-related stuff, and coming across as creepy. I completely get this, and I am somewhat paranoid about it myself. Several people responded to say that, yes, they felt like this. They might want to engage with public content (and I’m not talking about responding lasciviously, or sending dick pics), but do not want to be perceived as being inappropriate.

I received some thought-provoking feedback too:

  • women and non-binary people said that they felt unsafe boosting or posting sex-related content, because of reactions from men hitting on them. That, by posting about sex, some men took it as an unwelcome opportunity to solicit sex with them.

  • some people not wanting to boost as they feel that they don’t have enough followers to make it worthwhile. And, in terms of increasing the distribution of a toot, yes, that makes sense. It probably still sends a nice endorphin boost to the poster though, that someone likes their work enough to want to boost it :) Where someone has a popular “main” account, and a less popular “alt” account, but would only be willing/able to post sex-related stuff via that alt, this perhaps comes into play.

  • just not liking the stuff enough to boost it. Fair enough!

  • concerns over whether their server rules allow boosting of this kind of content, and not wanting to get blocked / banned.

I can understand each of these, and why they might lead to a “like” rather than a “boost”.

None of them inhibit paying or tipping someone, as a thank you for their work though, which is another way of being supportive.

An increasingly difficult climate for sex workers and sex-related creators

But this also comes against a backdrop of increasing difficulties for sex workers and other people posting sex-related stuff.

Payment processors denying income streams.

Platform operators enforcing their ever more restrictive morality rules, making working harder, and requiring more admin just to keep going.

If people take, take, take, without giving back in some meaningful way, then that is challenging even for those who create and share for fun (for appreciation, perhaps, rather than tooting into the void), let alone those for whom this is their livelihood.

I wish that I had better answers than I do.

Three months of not reading the news

Three months ago, I stopped reading the news.

I made a note to force myself to reflect on it, after three months, and this is that reflection.

This is about general news / news sites

I still read lots of RSS feeds of people’s blogs. I love this.

I still read industry-specific news sites (mainly law-related stuff), and other sources of information which are often the basis of news coverage (e.g. government or regulator press releases and updates).

I still read local news, but wow is that a rubbish experience. I get that local news needs funding to survive, but making the product so unappetising makes selling me a subscription a very hard sell indeed. Frankly, I could probably just not read the local news and keep an eye on the local council’s roadworks website instead.

I still have my 404Media subscription although, to be honest, I am a bit on the fence about it. I am not sure if I will renew it or not at this point. No slight to the quality of their journalism.

What I have basically stopped doing is reading the BBC, the FT, the Guardian etc.

It took a while for me to adjust

I had not appreciated just how conditioned I was to reading the news when I had a spare moment.

It took me quite a while to get used to the idea of not opening the BBC website, in particular.

I did not go to the extent of blocking news sites, so this was just based on self-control / choosing not to do it.

Curiously, what I found hard was that almost instinctive “fingers move to open a news site” behaviour, rather than actually missing reading the news.

I had to train myself out of it, and now, it doesn’t cross my mind.

I still see some general news, just less of it

I have not managed to avoid general news entirely, nor did I really intend to do so. This was about lessening my exposure, rather than doing all that I can to avoid it.

I still see people posting news-related stories in the fediverse, and I just scroll on by. In some cases, I can filter by keywords, and so no

If someone posts news too much (or, in particular, posts party political stuff), I either unfollow them or mute them. I’ve no temptation to click the links.

Am I less informed?

Yes, and that is by design!

Before, I was informed about a whole load of things, in a way, and to an extent, that I didn’t find helpful or healthy.

Now, I am aware, in broad terms, of major stuff going on around the world, but I am far less familiar with the minutiae, or the endless “up to the minute” reporting. That feels like a good level of awareness for me.

I am also far less exposed to stuff that I never cared about in the first place, especially “celebrity” news, of which I remain blissfully ignorant, sport, and so on. To each, their own.

I don’t miss reading the news at all

For now, anyway, I don’t miss reading the news.

At all.

I’ve overcome that reflex of opening a news site.

I have not - as far as I know, anyway, which I appreciate is quite a caveat - missed anything which, had I known about it, would have made a significant difference to anything important.

I read far more books (and buying the tiny, pocketable, X4 ereader was an attempt to distract me from my phone more often, letting me read even more).

So I am going to carry on with this experiment for now, and see how I get on.

I can’t prove that this experiment has been good for my mental health, but it certainly feels that way.

Perhaps a monthly summary of “important” stories would be nice?

Even though I do not want to read the news, I wonder if a monthly, edited, one-or-two page kind of approach, of key / important news stories, might be welcome.

Of course, there would be complexity in determining what is “key” or “important”, as that is subjective.

Implementing the somewhat whimsical human.json protocol on my website

Terence blogged about adding a human.json file to his website.

I wanted to do the same.

The specification for human.json describes itself as

a lightweight protocol for humans to assert authorship of their site content and vouch for the humanity of others. It uses URL ownership as identity, and trust propagates through a crawlable web of vouches between sites.

A bit like signing each other’s PGP keys, really.

There are a few steps:

  • add a json file to your webserver, with some basic information
  • update that file when you “vouch” for someone else’s site, as being created by a human and free of AI
  • add some header material to your website, to reference the source of your human.json file
  • set a couple of web server headers (below)
  • use a browser extension to surface that file on other people’s websites if they have implemented human.json

bash to update the list

I made a simple bash script to simplify the process of creating the json to vouch for someone:

#!/bin/bash

set -euxo pipefail

# Usage: vouch.sh https://example.org/
FILE=/home/neil/neilzone_bssg/static/human/human.json

if [ "$#" -ne 1 ]; then
    echo "usage: $0 URL" >&2
    exit 1
fi

URL="$1"
VOUCHEDDATE="$(date -I)"

# Pass the values in with --arg rather than interpolating them into the jq
# program text, so a URL containing quotes or backslashes cannot break
# (or alter) the filter; jq also does the JSON escaping itself.
jq --arg url "$URL" --arg date "$VOUCHEDDATE" \
    '.vouches += [{url: $url, vouched_at: $date}]' \
    "$FILE" > "$FILE.tmp" && mv "$FILE.tmp" "$FILE"

cp -r /home/neil/neilzone_bssg/static/human /var/www/neilzone.co.uk/public_html/

I am sure that there are better ways of doing this, but it works for me.

Headers

I am using a separate directory for this json file, as it wants specific headers. I am using apache, so in the .htaccess file in human, I have:

header set Access-Control-Allow-Origin "*"
header set Content-Type "application/json"

Browser extension

Using the Firefox browser extension (which is probably available for other browsers too), I can see if a site offers a human.json file, or is vouched for by another person whose own human.json file I already trust.
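The lookup just described, written out as an added example (not the extension's or the human.json project's code, and not the author's): starting from the sites whose human.json you already trust, follow vouches hop by hop until the site you are visiting is reached, with a depth cap and cycle handling because every vouch is self-asserted by whoever publishes the file. It assumes the file is served at /human/human.json (the layout used on this site) and the vouches / url / vouched_at fields from the bash script above; the corpus is constructed and held in memory so it runs offline.

```python
"""Added example (not part of the post or of the human.json project): resolve the
"web of vouches" for a target site, starting from sites whose human.json you
already trust.

Assumptions (not taken from the spec): the file is served at /human/human.json,
as on the author's site, and each document has a top-level "vouches" list whose
entries carry "url" and "vouched_at" keys, as in the author's bash script.
Network access is replaced by a constructed in-memory corpus."""
from collections import deque
from urllib.parse import urlparse

HUMAN_JSON_PATH = "/human/human.json"  # assumed location, see above

# Constructed sample corpus: site origin -> parsed human.json document.
SAMPLE_CORPUS = {
    "https://alice.example": {
        "vouches": [
            {"url": "https://bob.example", "vouched_at": "2026-06-01"},
            {"url": "https://carol.example", "vouched_at": "2026-06-02"},
        ]
    },
    "https://bob.example": {
        "vouches": [
            {"url": "https://alice.example", "vouched_at": "2026-06-03"},  # cycle back
            {"url": "https://dave.example", "vouched_at": "2026-06-04"},
            {"url": "not a url", "vouched_at": "2026-06-04"},  # malformed, skipped
        ]
    },
    "https://carol.example": {"vouches": []},
    "https://dave.example": {
        "vouches": [{"url": "https://erin.example", "vouched_at": "2026-06-05"}]
    },
    # erin.example is vouched for but publishes no human.json of its own
}


def origin(url):
    """Normalise a URL to its scheme://host origin; identity in this protocol is URL ownership."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.netloc:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return f"{p.scheme}://{p.netloc.lower()}"


def fetch_human_json(site, corpus=SAMPLE_CORPUS):
    """Stand-in for GET {site}{HUMAN_JSON_PATH}; None when the site has no file."""
    return corpus.get(site)


def vouched_sites(doc):
    """Yield the origins a document vouches for, skipping malformed entries."""
    vouches = doc.get("vouches", []) if isinstance(doc, dict) else []
    for entry in vouches:
        if isinstance(entry, dict) and isinstance(entry.get("url"), str):
            try:
                yield origin(entry["url"])
            except ValueError:
                continue


def vouch_path(target, trusted_roots, max_depth=3, corpus=SAMPLE_CORPUS):
    """Breadth-first search from your trusted roots along vouches.

    Returns the chain of origins from a root to the target, or None if the target
    is not reachable within max_depth hops. Each site is fetched once, so cycles
    (alice -> bob -> alice) terminate, and the depth cap keeps a long chain of
    strangers vouching for strangers from counting as your trust."""
    target = origin(target)
    queue = deque((origin(r), [origin(r)]) for r in trusted_roots)
    seen = {site for site, _ in queue}
    while queue:
        site, path = queue.popleft()
        if site == target:
            return path
        if len(path) > max_depth:
            continue
        doc = fetch_human_json(site, corpus)
        if doc is None:
            continue  # a vouched site with no human.json is a dead end for further hops
        for nxt in vouched_sites(doc):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None


if __name__ == "__main__":
    roots = ["https://alice.example"]
    for site in ("https://dave.example", "https://erin.example/post/1", "https://mallory.example"):
        print(site, "->", vouch_path(site, roots))
```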

Thoughts

Will it catch on? I doubt it. It is a bit of whimsy, and that is no bad thing.

I have only included URLs where the site owner has consented for me to do so. If you are such a person and wish me to remove the “vouch” from my site, then please do just let me know. Consent is sexy.

Because I am low-key “vouching” for people, I’ve only vouched for people that I know, even for a relatively limited definition of “know”. Not strangers, but not limited to the most intimate of relationships either. Mostly fedi friends, which is nice.

Is it bad? I don’t think so. I have seen a couple of comments about it being a useful thing for AI scrapers to follow, but frankly they seem to be doing just fine anyway. If signalling to fellow humans also attracts unwanted traffic, well, in this case, so be it.

I am a cis man

A friend asked:

Have you thought about your gender? What it would be like to not be your current gender?

Until 2017, no

Until 2017, no, I had not thought about my gender.

This might not be quite the turn of words that I want here, but I had no reason to think about my gender.

I grew up as a boy, and I never disliked, or doubted, that I was a boy.

As I turned into a man, it never crossed my mind that I was not a man.

I never had any reason or motivation - internal or otherwise - to think about it.

I have had no sense of gender dysphoria, or not feeling comfortable in my own body shape / appearance, and such like.

So what changed in 2017?

“Queer Privacy”

What changed was a book.

Sarah Jamie Lewis’s edited book, “Queer Privacy”, was eye opening for me.

Not only was it thoroughly fascinating, from the perspective of privacy, it showed my ignorance: I did not know what some of the terms meant.

So I think that it was 2017 when I learned that I was “cis”, in the sense of learning that there is a term which described what I was: someone whose gender identity matches their assigned sex at birth.

When I joined the fediverse, and started spending more time there from 2018 onwards, I got to rub virtual shoulders with a whole load of amazing people, with all sorts of gender identities and no gender identities.

This was a new experience for me. I’d grown up with gay friends, but not, as far as I know (appreciating that gender identity is about what someone is, rather than how someone looks etc.) any trans, non-binary, or agender friends.

Thinking about my own gender identity

Over the last few years, yes, I do occasionally think about my own gender identity, generally stimulated by conversations on the fediverse with others.

And, so far at least, the conclusion has always been the same: I am a cis man.

It might be interesting to experience being something other than a cis man, but I have no longing to be so, or a feeling that, actually, that is me.

Initial thoughts on the tiny XTEINK X4 ereader

What fits nicely in my hand and gives me hours of pleasure? A tiny ereader!

I - like, it seems, quite a lot of people - bought an XTEINK X4 ereader.

I bought an X4 because I love reading, and I was drawn to the idea of having a tiny ereader in my pocket.

Instead of reaching for my phone, I hope that I will instead reach for the ereader, and enjoy some more reading.

I am in the very privileged position of having the X4 as an extra / secondary ereader, which perhaps colours my view of the device, in the sense of being willing to put up with more of its quirks than if it were my only ereader.

(Since someone asked me about it, perhaps because of some of the marketing photos: this is a standalone ereader. Yes, one needs to transfer books to it (see below), but it is not tied to a phone / does not require a phone to function. One can attach it, magnetically, to the back of a phone, for reasons which are not entirely obvious to me.)

Installing CrossPoint, a Free alternative firmware

I had no plans to use the stock firmware, and used it only so far as to change the language to English before flashing the Free software alternative firmware, CrossPoint. (There are other firmwares for the device; I chose CrossPoint.)

I did, however, note that the stock firmware does not require a user account / registration or anything like that, which I appreciated.

I flashed CrossPoint using the tool at [https://xteink.dve.al].

When I tried to back up the existing firmware, I got an error of “Failed to execute 'open' on 'SerialPort': Failed to open serial port.”

I ran setfacl -m u:neil:rw /dev/ttyACM0, to give my user the right permissions.

With that done, I could dump the existing flash (which did indeed take about 25 minutes).

I had the same error when flashing the CrossPoint firmware, so I ran setfacl -m u:neil:rw /dev/ttyACM0 again, and it worked again.

Once I had reset the device - hold the small button at the bottom on the right edge of the X4 for a second, then press-and-hold-for-a-few-seconds the power button at the top on the right edge of the X4 - it booted into CrossPoint very quickly.

Installing the screen protector

The device comes with a screen protector. This is an excellent idea. It would have been even better if this had been installed in the factory, but never mind.

Case

I bought a cheap (£4) clear plastic shell, to protect the back of it.

It adds a bit of bulk to the device, but I’d like to protect it.

Swapping the supplied microSD card

I replaced the included 16GB (the manual says that it comes with a 32GB card…) XTEINK-branded microSD card as soon as I received the device, with a 128GB SanDisk card.

This was mostly down to force of habit, as it would not be a particular problem for me if the microSD card in the device died. Annoying, for sure, but I could just pop in a new card and reload all my books from Calibre.

The card slot is recessed, so pressing it to remove it, and to get it back in place, was quite tricky with short fingernails.

This, it turns out, is a bit of a pain.

Loading books via Calibre

I use Calibre for managing my ebook library.

For my other ereaders, I load books via a cable.

Somewhat annoyingly, the X4 and its microSD card do not mount as a USB-writable device.

The options are Wi-Fi-based, or else remove the microSD card.

I have gone with the microSD card approach, despite it being a bit of a pain.

In Calibre, I used the “Save to disk” / “Save only the EPUB format to disk in a single folder” option.

This did - as expected - dump 500+ ebooks into a single directory, which is not ideal on the X4 with CrossPoint, given that they appear as a list, with no way to search. Press-and-hold on the side buttons does jump between full screens though (a bit like Page Up / Page Down), so it is not terrible.

Perhaps I need to treat the X4 less like a portable library, and just move onto it a small number of books that I want to have so readily available.

CrossPoint seems to struggle with books with a special character (e.g. “$”) in the title; I have yet to dig into this though.

Wi-Fi

I have not tried to connect it to Wi-Fi; I have no need for this.

I have not found a way to turn off Wi-Fi, which is a bit annoying, as I don’t need it to be on all the time, both in terms of battery life and privacy.

The reading experience

The reading experience is… good. Neither terrible nor amazing.

What makes it good is that it is pocketable and there when I want it.

The 4.3” screen is, apparently, 220 PPI. It is not as crisp/sharp as the screen on my Kobo or Tolino.

A backlight would be wonderful, but I knew that it did not have one when I bought it.

CrossPoint does not (currently, anyway) support dark mode - light text on a black background. I prefer dark mode when reading, but I can easily live without it on this device. There is a pull request to add dark mode to CrossPoint, but I note:

Did you use AI tools to help write this code? YES

sigh

The X4 can fit a surprisingly large amount of text on the small screen. But, nevertheless, it means pressing the “next page” button a lot.

The buttons on the front are a bit “clicky”, but fortunately the buttons on the side are much quieter / softer. I imagine that, if I was using the front buttons to turn the page, and I was sitting next to my wife at the time, she would find it very annoying. I would.

Note that the two buttons on the front are, in fact, four buttons; each button is a bit like a rocker switch, I guess, with different actions for the left and right sides. I should have worked that out sooner (or read the manual)…

I am quite content with the lack of a touch screen; I much prefer pressing a button to turn a page than mimicking a “swipe” action, as I don’t have to move my hand or hold the device awkwardly.

It has 128 megabytes of RAM, which both feels like loads, and not much at all, at the same time. Books load more than fast enough, and page turns are rapid.

Battery life / charging

It has a 650mAh battery, and although my initial experience has been fine, I wonder just how long this is going to last with Wi-Fi on the whole time (needlessly).

But the X4 charges via USB-C, which is excellent, as it means that I don’t need to carry yet another cable.

Moving (for now?) from HomeAssistant in Python venvs to HomeAssistantOS

I have used HomeAssistant for years.

So many years, that I do not remember how many.

Nothing I do with it is particularly fancy, but things like having my office lights turn on when I open the door if the light is below a certain luminosity, or turning off my Brompton bike charger once it has finished charging, are fun and convenient.

We also have solar panels and a battery now, so I will be interested to see if I use HomeAssistant more for that.

But anyway. I have been using HomeAssistant, on a Raspberry Pi 4, using Python venvs for years.

It has worked absolutely fine for me, and I have (or, at least, had) no compelling reason to change.

For me, this was the ideal setup, in that I could set the Pi up how I wanted, in terms of security and monitoring, and just run HomeAssistant on it.

Updating HomeAssistant was as easy as running a simple bash script.

I liked it.

But… that approach is no longer supported, and, where possible, I prefer to use supported means of running software.

That means either running HomeAssistantOS, or else using a containerised instance of HomeAssistant.

While I could probably find my way through setting up a HomeAssistant container via podman, it would not be my preference, so I decided to give HomeAssistantOS a go, albeit with some trepidation.

Installing HAOS was easy enough

As expected, it was easy to install HAOS: write the image to a microSD card, and pop it into the Pi.

I already had the switch port set up to the right VLAN, so I plugged in the Pi and waited a few minutes.

I had anticipated that it would offer https, via a self-signed certificate, so I was a bit baffled to get a TLS error when I connected to it.

“Never mind”, I thought. “I’ll just ssh into it and sort it out.”

But no, no ssh either.

Fortunately, I discovered quite quickly that, out of the box, it does not offer TLS, and I was able to access the web interface.

Restoring from my HA Core backup worked

I had taken a backup from my existing HomeAssistant installation, and I used the web interface on the new installation to restore it.

It took a few minutes, but restored absolutely everything. I was impressed.

TLS and reverse proxying via Add-ons

I was anticipating - indeed, hoping - to set up TLS and reverse proxying using certbot and nginx. But that is not possible.

Instead, I achieved it (reasonably easily, but not as easily as using a command line) via Add-ons from within the HomeAssistant UI.

I’d have preferred to have done it the normal way, via ssh, but oh well.

But no firewall or security scanning, or restic for backups?

Annoyingly, I’d also like to have configured a firewall on the machine, but that is not an option either. I’ve yet to determine if that is going to be a dealbreaker for me, or whether relying on the network-level firewall, controlling access to and from that VLAN, and that machine, will be sufficient.

I have also not been able to set up a separate ssh account for my greenbone scanning software, or to configure Wazuh to get the machine talking to my SIEM. Again, I will need to consider the impact of this, but intuitively it does not sit comfortably with me.

Nor can I find a way to use restic to back up the configuration and other bits, incrementally and automatically, onto another machine, like I am used to doing. I will have a poke around with the backup tooling offered but again, this does not enthral me. I want to know that, if there’s a problem, I have a backup on my restic server.

Initial impressions

Since I have used HomeAssistant for so long, and since I just restored a backup, the most I can say really is that it is all still working.

It doesn’t seem faster or slower.

The limitations of the appliance-based approach are annoying me, and may be sufficient to drive me towards a container-based approach instead (although that does not appeal to me either).

Ultimately, I accept that I am but one user, and perhaps many users do not want the things that I want.

Importantly, I am not the developer, and so what I want may simply not be things that they wish to provide. And that is their choice.

I guess - personal opinion - that I would prefer a computer and not an appliance.

Musings on 'digital sovereignty'

I’ve heard a lot about “digital sovereignty” recently.

I’ve heard it mostly in connection with USA-based tech companies, big ones in particular.

I am not aware of a clear, agreed, definition, but it seems to boil down to wanting control over (all? some of?) one’s digital systems. Or, at least, not depending on technologies which are controlled by people/organisations in other countries.

But I wonder how far the notion of “digital sovereignty” goes.

Am I “digitally sovereign”? Can I be “digitally sovereign”?

Take me, for instance.

I use almost exclusively Free software, which I run locally on my own hardware.

No-one can - short of hacking my systems - remove or limit the software that I use. No-one can lock me out, or delete my data.

Does that make me “digitally sovereign”?

If it does, that seems like a very shallow concept of sovereignty.

Sure, it is better than being subject to the whims of a SaaS provider. But I am still dependent on a whole range of other people, whose software I benefit from using. And the people who maintain that software. And the people who package that software. And the people who distribute that software. And so on.

I, personally, could not expect to have control over anything but a tiny, tiny part of that.

Perhaps I can never, realistically, be “digitally sovereign”?

Reliance on others is reality (for me, anyway)

These wonderful, generous people could be anywhere in the world. They are - most likely - all over the world.

So while I might have control over the software that I have already installed, I have no (realistic) control over updates, security patches, and the like.

And while I might host everything myself, I have to get that software from somewhere.

Sometimes - often - it is from Debian’s repositories.

Sometimes, that is from people’s own code forges.

And sometimes it is from Github. My Mastodon (glitch-soc) instance, for example. Were Github to stop hosting that code, or to stop me from accessing it, I’d either need to find another way to obtain it (to maintain patching/updates), or cease to run it.

Let’s Encrypt is a USA-based organisation, so perhaps I should find another ACME TLS certificate provider…

Perhaps viewing this from the perspective of me - just one person - is fundamentally flawed? Because of course I am dependent on others - if I chose not to be so, I, and the vast majority of the population, would not be “digitally sovereign”, but rather digitally neutered.

But individuals are indeed vulnerable to the whims of third parties, just as much as governments or big businesses. In fact, perhaps more so, based on the number of software providers that I’ve seen switch from on-machine software to SaaS, and then proceed to screw over their customers with increasingly expensive subscriptions and lock-ins.

Is “digital sovereignty” about geographic borders?

I wonder, to what extent geographic borders are relevant.

Does “digital sovereignty” require that a nation (or company? Or individual? not sure…) can support all its own software, hardware, routing, hosting requirements etc. solely by or with people and companies from within its own geographic borders?

Does it extend beyond supporting software, into only running software which is created within its regions?

If it does, then that sounds incredibly inefficient, with each country needing to develop its own operating system, its own applications etc. What a waste of effort, competing rather than collaborating.

From an individual point of view, sure, placing my trust in a company in another country may not be a great idea, but is placing my trust in a company within my own country’s borders significantly better? I self-host for a reason.

I could have the rug pulled out from under my feet by a domestic provider, with just as great an impact as a foreign provider.

I question if I can be “sovereign” at all, if I am reliant on someone else.

If this is true, is geography-based “digital sovereignty” little more than digital xenophobia?

Perhaps the principle of “digital sovereignty” only relates to governments, and others who have significant bargaining power.

Greater control, at greater cost?

I’ve yet to see a good, solid indication of how “digital sovereignty” is to be funded.

Yes, sure, an organisation might be spending a small fortune on Microsoft’s services. They could indeed channel that money into a Free software alternative, and associated training.

But are they going to do so?

I’ve seen press releases about “savings”, which suggests money not being spent, rather than that money being spent elsewhere.

I imagine that, in reality, “digital sovereignty” would be a remarkably expensive undertaking. Perhaps more expensive than buying commodity services from overseas third parties.

Digital sovereignty may come at premium pricing, rather than being a cheaper alternative, and that money needs to come from somewhere.

Digital sovereignty beyond the tech

And, beyond money, and beyond tech, there might be issues of incentivising local development (boosting local employment), removing tax breaks available to behemoth organisations, making laws comprehensible and applicable for small organisations without a cadre of lawyers and lobbyists, and so on.

Digital sovereignty might be grounded in considerations of technology, but likely requires far, far broader thinking.

Moving my static site blog generator from hugo to BSSG

I enjoy blogging. I blog on my own personal site (this blog), and I also have a blog for my work site, decoded.legal.

In 2023, I moved my blog to a static site generated by hugo.

I’ve been reasonably pleased with hugo, and it does the job, but I find it complex.

In short, if an update broke my site, I am not 100% convinced that I would be able to fix it.

I don’t need much in the way of complexity; I have a simple, predominantly text, blog, and all I want is to be able to write posts in markdown, generate a static html site from it, and rsync it to a webserver, along with an RSS feed.

I am using a Raspberry Pi 4 as my webserver, and this works fine, given my lightweight, low complexity, sites.

Enter BSSG

On the fediverse, I saw Stefano Marinelli discussing his own static site generator - the Bash Static Site Generator, also called “BSSG” - and I was keen to give it a try.

I guess that I am simply more confident that, if there were a problem, I’d be able to fix something written in bash.

Installing BSSG

I am running hugo (and now BSSG) on my Raspberry Pi 4 webserver. I could install it on something beefier, like my laptop, and then just rsync the output files to the webserver, but, again for simplicity, it makes sense to me to run the static site generator on the webserver itself.

I don’t have anything particular to note about the basic installation.

Configuring BSSG

I wanted to make quite a few changes to the default configuration, so I decided that the simplest thing to do was to copy the whole config file from the BSSG installation directory into my site directory, and then amend it.

Here is my configuration file.

(I have a separate file, in the same directory, for my .onion site; this is much the same, but referencing the .onion URL instead, and with a separate output directory.)

Customising the theme

I was happy with how my old blog looked, and, for the work blog, I wanted it to remain consistent with the main website.

I started with the BSSG “minimal” theme, and then made the changes that I wanted to support “dark mode”, remove transitions/transformations, and to generally get to the look that I wanted.

Here is the resulting css.

Adding fediverse stuff to the header

One can also have site-specific templates, so I copied the templates directory from the BSSG directory into my site directory, and made changes there.

In particular, in the header template, I:

  • added an inline svg for the icon, in lieu of a favicon file
  • added a link for fediverse verification (<link rel="me" href="https://mastodon.neilzone.co.uk/@neil"/>)
  • added a link for “fediverse:creator”, so that post previews in Mastodon link to my Mastodon account (<meta name="fediverse:creator" content="@neil@mastodon.neilzone.co.uk" />)
  • adjusted some of the OpenGraph (fedi previews) stuff, to use a static image, since I do not use header images (or, really, any images at all)

Here is the header file.

Update 2026-03-17: Stefano has kindly added rel_me_url and fediverse_creator variables to the config, which can be pulled into the header automatically. Thank you!

In the footer, I amended the copyright information, and, on the work blog, added a short disclaimer. (My footer.)

Migrating content from my hugo blog

There is a significant (but not total) overlap between the header material of blogposts for hugo and blogposts for BSSG.

I’m not entirely sure that I needed to do anything at all, aside from copying the raw markdown files into BSSG’s src directory, but I used a few regexes to align the header material anyway:

# Change the date format
sed -r -i 's/(^date: ".*)(T)(.*)(\+)(.*)(:)(.*$)/\1 \3 +\5\7/g' *.md
# Change the date format in the "publishdate" field, and change the field name to "lastmod"
sed -r -i 's/(^publishdate: ".*)(T)(.*)(\+)(.*)(:)(.*$)/\1 \3 +\5\7/g' *.md
sed -r -i 's/publishdate/lastmod/g' *.md
# Remove the year and month lead-in to the slug, and change the name to "slug"
sed -r -i 's/(^url: )(.{8})(.*)/\1\3/g' *.md
sed -r -i 's/^url/slug/' *.md
# Remove the brackets from the tags, remove the quotation marks, and remove spaces
sed -r -i 's/(^tags: )(\[)(.*)(\]$)/\1\3/' *.md
sed -r -i '/^tags/ s/"//g' *.md
sed -r -i '/^tags/ s/, /,/g' *.md

(Yes, there might be shorter / cleaner / faster etc. ways of doing this. This worked for me.)

I also found - thanks to an error message when I first tried to build the BSSG content - that BSSG does not like src files with spaces in the names. I did not have many (although one was enough), so I fixed that:

rename 's/ /-/g' *.md
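As an added example (not Neil’s own script), here are the same rewrites bundled into shell functions and run over a constructed sample post, so the effect of each expression can be checked on a throwaway copy before running them over a real src directory. It assumes GNU sed (for -r and -i) and replaces the perl rename step with a plain mv loop.

```shell
#!/bin/sh
# Added example, not part of the post: the hugo-to-BSSG front-matter rewrites
# from above, wrapped in functions and run over a constructed sample file.
# Assumes GNU sed (-r, -i); the perl "rename" step is replaced by a mv loop.
set -eu

# Rewrite one hugo markdown file in place, using the post's sed expressions.
convert_post() {
    f="$1"
    # date: "2023-05-10T10:00:00+01:00" -> date: "2023-05-10 10:00:00 +0100"
    sed -r -i 's/(^date: ".*)(T)(.*)(\+)(.*)(:)(.*$)/\1 \3 +\5\7/g' "$f"
    # same rewrite for publishdate, which is then renamed to lastmod
    sed -r -i 's/(^publishdate: ".*)(T)(.*)(\+)(.*)(:)(.*$)/\1 \3 +\5\7/g' "$f"
    sed -r -i 's/publishdate/lastmod/g' "$f"
    # url: /2023/05/my-first-post/ -> slug: /my-first-post/ (drops the 8-char /YYYY/MM prefix)
    sed -r -i 's/(^url: )(.{8})(.*)/\1\3/g' "$f"
    sed -r -i 's/^url/slug/' "$f"
    # tags: ["privacy", "tor"] -> tags: privacy,tor
    sed -r -i 's/(^tags: )(\[)(.*)(\]$)/\1\3/' "$f"
    sed -r -i '/^tags/ s/"//g' "$f"
    sed -r -i '/^tags/ s/, /,/g' "$f"
}

# BSSG rejects src files with spaces in their names: rename them with "-".
fix_filenames() {
    dir="$1"
    for f in "$dir"/*\ *.md; do
        [ -e "$f" ] || continue   # no match: sh hands back the pattern itself
        base=$(basename "$f")
        mv -- "$f" "$dir/$(printf '%s' "$base" | tr ' ' '-')"
    done
}

# Migrate every .md file in a directory: fix names first, then front matter.
migrate_dir() {
    dir="$1"
    fix_filenames "$dir"
    for f in "$dir"/*.md; do
        convert_post "$f"
    done
}

# Create a temporary directory holding one constructed hugo post; print its path.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/my first post.md" <<'EOF'
---
title: "My first post"
date: "2023-05-10T10:00:00+01:00"
publishdate: "2023-05-11T09:30:00+01:00"
url: /2023/05/my-first-post/
tags: ["privacy", "tor"]
---

Body text.
EOF
    printf '%s\n' "$dir"
}

# Stand-alone demo: migrate the sample and show the resulting front matter.
demo() {
    d=$(make_sample)
    migrate_dir "$d"
    cat "$d"/*.md
    rm -r "$d"
}

demo
```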

One thing that I did not do with hugo is have descriptions for my posts.

I think that I’d prefer not to have descriptions displayed at all, but I’ve yet to find a way to suppress them in BSSG without editing the underlying scripts, which (for ease of updating), I am loath to do.

Adding new content and building the blog

I am not using BSSG’s editing tool, or its command line tools for adding new posts (although I might need to use it for deleting posts).

Instead, I prefer to write markdown in vim, and then upload that to the webserver and then build the site.

I have a small shell script on my laptop and phone, which generates a text file (with a .md extension) with the correct header material, and it pre-populates the date and time in the correct format.

I then have a separate script which I use to push the new blogpost to the webserver, and then, via ssh, runs a script in the relevant BSSG site directory to build the site and rsync it into place.

Here is that build script. (Although “build script” makes it sound fancier than it is.)

Initial thoughts

It is early days, so these are little more than my immediate notes.

I’d like to find a way to remove the descriptions from the index page.

But, other than that, I am very happy with BSSG, and I am very grateful to Stefano for making it available.

Building this blog on a Raspberry Pi 4, even using the (newly-fixed; thanks, Stefano!) “ram” mode, is not exactly rapid, but that is not a particular concern for me.

I am very pleased.

And, if you can read this - my first new blogpost since adopting BSSG - then everything is going well :)

decoded.legal's .onion site no longer has TLS / https

23 February 2026 at 08:09

tl;dr: As of 2026-02-23, http://dlegal66uj5u2dvcbrev7vv6fjtwnd4moqu7j6jnd42rmbypv3coigyd.onion no longer offers TLS. It just has Tor’s own transport encryption.


I have run .onion sites for a long time. I like the idea of people being able to access resources within the Tor network, without needing to access the clearweb.

These .onion services benefit from Tor’s transport encryption.

For the last four years, the decoded.legal onion site (http://dlegal66uj5u2dvcbrev7vv6fjtwnd4moqu7j6jnd42rmbypv3coigyd.onion) also had a “normal” TLS certificate. Setting this up was relatively straightforward.

However, renewing it is a manual operation and a bit of a faff, which suggests that I am spoiled by Let’s Encrypt.

When the certificate came up for renewal this year, I decided to remove it.

Why? Because I’m just not persuaded that the incremental benefits of having TLS over Tor justify the faff, or the (low) cost.

The site still has Tor’s transport encryption.

And, if I’m wrong, and I get loads of complaints (of which I am not really expecting a single one), I can also put it back.

I did it this way:

  • A few weeks ago, I turned off auto-redirection within my apache2 configuration. This meant that requests to the http onion site would not redirect automatically to the https onion site. I also changed the Alt-Svc and Onion-Location headers, sent when someone visits the clearweb site (https://decoded.legal), in favour of the http, rather than https, URL for the .onion site.

  • In /etc/tor/torrc/, I commented out the HiddenServicePort line which I had put in place for port 443. I restarted Tor (systemctl restart tor).

  • For apache2, I removed the config file symlink, for the https config file, from /etc/apache/sites-enabled/. I restarted apache2 (systemctl restart apache2).
