Note: this post represents my personal opinions as a Debian maintainer of a single package (Meson). It is not my intention to throw anyone involved in the service under a bus, but some things about it are not good and need to be spoken aloud (in my opinion anyway, other people may disagree and that is fine).

There was a post called Configuring a mail transfert [sic] agent to interact with the Debian bug tracker on Planet Debian. It contained the following statement:

using an email client to create or modify bug reports is not a bad idea per se

Indeed it is not. However, using an email client as the only way of modifying bugs (which is how the Debian bug tracker works) is not only a bad idea, it is terrible idea . To me managing bugs is so awful that it is actively pushing me away from contributing to Debian . The bug statuses on Meson are not kept up to date because I prefer that to having to deal with the bug tracker. I suspect I am not alone in this. In any case it is a major hurdle for new developers and might even cause some people to drop out entirely [1].

Why is it like this?

The Debian bug tracker was originally implemented in 1993 or thereabouts. Pretty much everything IT related was different back then. Manipulating things via email actually made sense at the time. Sadly, the world changed completely but volunteers working on the bug tracker did not have the resources to update it [2]. The end result is a classical legacy system: one that works and does the thing it needs to  do but which no new developer wants to touch.

Notable updates to the system would require major resources, which the project does not have.

FWICT there have been attempts to migrate the tracker to e.g. Bugzilla or Gitlab, but none of those has come even close to succeeding.

Why is the UX bad?

The main problem here is not the format as such, it is the fact that the user has to do the work of the computer :

• Every time you need to manipulate bugs, you need to open the documentation page to remind yourself what the actual syntax is. A program would get it right automatically every time.
• Get it wrong? Sucks to be you. A program would get it right automatically every time.
• Send it to the wrong email address? Sucks to be you. And the person whose bug you just altered. A computer program would get it right automatically every time.
• And so on.

I suspect most Debian developers who spend a lot of time on this have written their own custom scripts for their use cases. But having hundreds of ersatz tools for common tasks seems suboptimal.

As an extra cherry on the cake, the bug tracker will send you an email every! single! time! you edit or comment on any bug. Not only does the service waste your time by forcing you to write syntactically correct batch processing commands by hand, it also wastes it by forcing you to keep deleting spam [3].

How does security on the system work?

It doesn't. The email interface is 100% open. Anyone can edit any bug in any way just by sending a suitably crafted email to the control address [3]. If a 4chan script kiddie would want to screw up the entire Debian bug repository, they could do so fairly easily.

There is an actual term for this approach: security through obscurity . The fact that the main bug tracker of the OS that runs the world does not have strict authentication in place does not fill me with warm fuzzies.

What would be a way forward?

A one-shot conversion to a different bug tracker is out of the question. Instead the situation could be improved incrementally, for example:

1. Create a new web service that parses the existing bug data and displays it in a "rich" format.
2. Update the UI so that registered users can change the state of the bug (close, duplicate, etc).
3. Make the UI send a suitably formatted control email to the backend.
4. Bless the new web service as an official way of editing bugs (hosted under debian.org and all that)
5. Edit the backend service so it only accepts emails from the web UI and registered Debian developers and maintainers
6. Change the backend to something else or improve it for the new UI [optional].

Steps 1 to 3 can be done by a single person or a small team. Since you (probably) don't have access to the backend service, you need to parse the bug state from the current tracker's status page ( example here ). That is a bit gnarly, but should be doable. If someone is looking for a personal project for the holiday season, this is something to consider.

Steps 4 to 6 would take months or years of full time work. Given that this approach was first suggested almost exactly 25 years ago , it is unlikely that resources for it would materialize out of thin air any time soon.

[1] My speculation.

[2] Also my speculation.

[3] You could use email filtering rules but that is again extra work for every user. A better option is not spamming (one thank-you email for new contributors is fine, more than that is not).

[4] Last time I checked at least. I have personally manipulated all sorts of bugs via email even before I was a Debian maintainer. No registration. No checks. Not even GPG signing.

It's that time of year again in (Norther Hemisphere) winter when year's drawing to an end. Which means it's time for the traditional Christmas Maps blogpost.

Sometimes you hear claims about Santa Claus living at the North Pole (though in Rovaniemi, Finland, I bet they would disagree…). Turns out there's a North Pole near Fairbanks, Alaska as well:

😄

OK, enough smalltalk… now on to what's happened since the last update (for the GNOME 49 release in September).

Sidebar Redesign

Our old design when it comes to showing information about places has revolved around the trusted old “popover” menu design which has served us pretty well. But it also had it's drawbacks.

For one it was never a good fit on small screen sizes (such as on phones). Therefore we had our own “home-made” place bar design with a separate dialog opening up when clicking the bar to reveal full details.

After some discussions and thinking about this, I decided to try out a new approach utilizing the MultiLayout component from libadwaita which gives the option to get an adaptive “auxillary view” widget which works as a sidebar on desktop, and a bottom sheet on mobile.

Now the routeplanner and place information views have both been consolidated to both reside in this new widget.

Clicking the route button will now open the sidebar showing the routeplanner, or the bottom sheet depending on the mode.

And clicking a place icon on the map, or selecting a search result will open the place information, also showing in the sidebar, or bottom sheet.

Route planner showing in sidebar in desktop mode

Routeplanner showing in bottom sheet in mobile/narrow mode

Routeplanner showing public transit itineraries in bottom sheet

Showing place information in sidebar in desktop mode

Showing place information in bottom sheet in mobile mode

Redesigning Public Transit Itinerary Rendering

The displaying of public transit itineraries has also seen some overhaul.

First I did a bit of redesign of the rows representing journey legs, taking some queues from the Adwaita ExpanderRow style. Improving a bit compared to the old style which had been carried over from GTK 3.

List of journey legs, with the arrow indicating possibilty to expand to reveal more information

List of journey legs, with one leg “expanded” to show intermediate stops made by a train

Improving further on this Jalen Ng contributed a merge request implementing an improvement to the overview list utilizing Adwaita WrapBoxes to show more complete information the different steps of each presented itinerary option in the overview when searching for travel options with public transit.

Showing list of transit itineraries each consisting of multiple journey legs

Jalen also started a redesign of rendering of itineraries (this merge request is still being worked on).

Redesign of transit itinerary display. Showing each leg as a “track segment“ using the line's color

Hide Your Location

We also added the option to hide the marker showing your own location. One use for this e.g. if you want to make screenshots without revealing your exact location.

Menu to toggle showing your location marker

And that's not All…

On top of this some other things. James Westman added support global-state expressions to libshumate's vector tile implementation. This should allow us to e.g. refactor the implementation of light and dark styles and language support in our map style without “recompiling”  the stylesheet at runtime.

James also fixed a bug sometimes causing the application to freeze when dragging the window between screens when a route is being displayed.

This fix has been backported to the 49.3 and 48.8 releases which has been tagged today as an early holiday gift.

And that's all for now, merry holidays, and  happy new year!

Introducing Open Forms!

The problem

Ever been to a conference where you set up a booth or attempt to get quick feedback by running around the ground and felt the awesome feeling of -

• Captive portal logout
• Timeouts
• Flaky Wi-Fi drivers on Linux devices
• Poor bandwidth or dead zones
• Do I need to continue?

While setting up the Ubuntu booth, we saw an issue: The Wifi on the Linux tablet was not working.

After lots of effort, it started to work, but as soon as we log into the captive portal, the chip fails, and no Wi-Fi is detected. And the solution? A trusty old restart, just for the cycle to repeat. (Just to be clear, the wifi was great, but it didn't like that device)

We eventually fixed that by providing a hotspot from mobile, but that locked the phone to the booth, or else it would disconnect.

Now, it may seem a one-off inconvenience, but at any conference, summit, or event, this pattern can be seen where one of the issues listed listed above occurs repeatedly.

So, I thought, there might be something to fix this. But no project existed without being reliant on Web :(

The solution

So, I built one, a native, local first, open source and non-answer-peeking form application.

With Open Forms, your data stays on your device, works without a network, and never depends on external services. This makes it reliable in chaotic, un-reliable, or privacy first environments.

Just provide it a JSON config (Yes, I know, trying to provide a GUI for it instead), select the CSV location and start collecting form inputs.

No waiting for WiFi, no unnecessary battery drains, no timeouts, just simple open forms.

The application is pretty new (built over the weekend) and supports -

• Taking input via Entry, Checkbox, Radio, Date, Spinner (Int range)
• Outputs submissions to a CSV
• Can mark fields to be required before submissions
• Add images, headings, and CSS styling
• Multi-tabbed to open more than one form at a time.

Planned features

• Creating form configs directly from the GUI
• A11y improvements (Yes, Federico, I swear I will improve that)
• Hosting on Flathub (would love guidance regarding it)

But, any software can be guided properly only by its users! So, If you’ve ever run into Wi-Fi issues while collecting data at events, I’d love for you to try Open Forms and share feedback, feature requests, bug reports, or even complaints.

The repository is at - Open Forms GitHub The latest release is packaged as a flatpak.

We are happy to announce that GUADEC 2026 will take place in A Coruña, Spain, from July 16th to 21st, 2026 .
As in recent years, the conference will be organized as a hybrid event, giving participants the opportunity to join either in person or online.

The first three days, July 16th–18th, will be dedicated to talks, followed by BoF and workshop sessions on July 19th and 20th. The final day, July 21st, will be a self-organized free exploration day.

While the GUADEC team will share ideas and suggestions for this day, there will be no officially organized activities . The c all for proposals and registration will open soon, and further updates will be shared on guadec.org in the coming weeks.

Organizations interested in sponsoring GUADEC 2026 are welcome to contact us at guadec@gnome.org .

About the city:
Hosted on Spain’s Atlantic coast, A Coruña offers a memorable setting for the conference, from the iconic Tower of Hercules , the world’s oldest Roman lighthouse still in use, to one of Europe’s longest seaside promenades and the city’s famous glass-fronted balconies that give it the nickname “City of Glass.”

Welcome to this, the final GNOME Foundation update of 2025! This is an especially large update – there’s been a huge amount happening recently, and it’s also been three weeks since the last update. I hope you’ll agree that, with this final update of the year, there’s plenty to celebrate, as well as look forward to in the year ahead.

GNOME.Asia 2025!

Last week we had a very successful GNOME.Asia 2025 conference in Tokyo, Japan. Having been busy providing organizational support in the run up to the event, Kristi flew out to help the local team on the ground. The Foundation also provided travel sponsorship for 11 attendees, with help from the Travel Committee. I’ve heard that it was a great event with good attendance. For those who didn’t attend I’m hoping that we’ll have a more detailed report soon.

GNOME.Asia is an amazing success story. It’s incredible to think that this event has been running for 17 years now, reaching out to communities and new audiences all over Asia. Huge thanks to the local organizing team for making this year’s edition a success.

Also, thanks to our donors! GNOME.Asia receives funding from the Foundation in order to continue operating, and this event is therefore only possible due to the financial support that the GNOME Foundation receives.

Fundraiser

The GNOME Foundation had its first fundraising campaign in a long time this month. You can read the announcement here , and Cassidy wrote a great followup post . The campaign was relatively small in scope and was intended as a trial balloon for bigger efforts in the future, but it still did some good and resulted in an increase in donations. Huge thanks to the newly formed fundraising committee for working on this.

Those of us at the GNOME Foundation are deeply appreciative of each and every donation we receive, and are working hard to ensure that every dollar is put to good use. The funds we’re receiving are making a real difference, allowing us to do things like increase the community travel budget for the current financial year, and plan new support programs that we would like to launch in the coming year.

Audit preparation

The GNOME Foundation is scheduled to have its first audit in early 2026. This is a routine event triggered by our relatively high income in the previous financial year, and there is currently a lot of activity happening in preparation. This includes new and revised policies that are currently in draft, a lot of work to improve the organization of our records, plus filling in a lot of forms that have been sent to us by the auditors. The written submissions for the auditors is due by mid-February so this is going to be a high priority for us until then.

I’m personally looking on the audit as a great opportunity to improve our processes and documentation, and the audit process is already feeding into other internal improvements that are underway.

Digital Wellbeing

The parental controls work that Philip, Ignacy and Sam have been working on is in the very very final stages now. I’m pleased to report that some of the last few elements of the screen time limits feature have been merged in the past few weeks, and the final remaining changes are currently in the merge queue. This is a vital feature for children and their carers, so it’s excellent to see it being added to GNOME. Congratulations to the team on completing this project on time and on budget!

FOSDEM 2026 preparations

FOSDEM will happen in Brussels at the end of January, and the Foundation has a number of activities scheduled to happen around it. There will be a booth, which director Maria Majadas is in the process of organizing. There will also be one of our biannual Advisory Board meetings, for which we’ve booked the room and confirmed attendance. The Board is also planning to have a short hackfest prior to the conference, giving us an opportunity to meet face-to-face.

More things!

In addition to those larger items, there’s good list of other notable events from the last three weeks:

• I have recently been working on the outstanding 2023-2024 GNOME Foundation annual report , which was finally completed today. The report covers the period from October 2023 to September 2024, so is somewhat historical in nature at this point. However, I’ve already started work on the next report, which is for 2024-2025, which I plan to have published on schedule in January.
• In case you missed the news earlier in the week, the Board was thrilled to welcome Deepa Venkatraman as a Director . Deepa has been doing a fantastic job as treasurer since June, and having her as a voting director will solidify her presence on the Board.
• Bart has been continuing his Flathub performance work. Additional caching servers have been deployed and according to initial testing a number of known performance issues have been resolved. Enjoy those faster download speeds, everyone!
• I’m pleased to share the news that the code for donate.gnome.org has now been open sourced . This was blocked on getting consent from contributors for the new license, but that is thankfully resolved now.
• Banking and finance system changes continue to roll on at a slow pace. The banking changes I previously announced as done are, it seems, not done, but are getting done. Additionally, we are currently on stage three of the approval process for our new finance system.
• It’s great to see our Outreachy intern for the December 2025 round getting to work . We are delighted to be able to provide funding for Outreachy interns. Please join me in giving Asman a warm welcome.

That’s it for another GNOME Foundation update, and also for 2025! I’m personally very happy with the Foundation’s recent progress and achievements, and I’m looking forward to this work bearing fruit in 2026. Thanks for reading and for your interest, and please feel free to ask questions in the comments.

I’ll be taking a break for a couple of weeks over Christmas and New Year, so the next update will likely be on January 9th.

Update on what happened across the GNOME project in the week from December 12 to December 19.

Third Party Projects

revisto reports

Drum Machine: Add Your Own Sounds!

Drum Machine 2.0.0 brought custom samples, you’re no longer limited to the default sounds. Drag and drop your own audio files and they show up as new drum parts. You can reorder them by dragging, and each one can be mapped to a specific MIDI note so when you export to MIDI, it’s clear which sound is which note.

The latest release adds a Reset to Defaults option that restores everything back to factory settings. The old Reset button is now called Clear and just clears the pattern while keeping your custom samples.

https://flathub.org/apps/io.github.revisto.drum-machine

https://github.com/Revisto/drum-machine

Gir.Core ↗

Gir.Core is a project which aims to provide C# bindings for different GObject based libraries.

Marcel Tiede says

The final version of GirCore 0.7.0 got released. There are more APIs generated, bugs got fixed, dotnet 10 support was added, GdkWin32 bindings were added and more. See the release for an overview of all changes.

Shell Extensions

Mahyar Darvishi reports

Yet Another Radio , the GNOME extension for streaming internet radio directly from your panel, has been updated with a range of QoL improvements, including:

• Search thousands of stations via the Radio Browser network API
• Favorites system for quick access to your preferred stations
• Song metadata display showing album art, artist, title, and bitrate
• Media key support for play/pause/stop controls from your keyboard
• Volume control integrated directly in the panel menu
• Import/Export functionality for sharing station lists across devices
• Custom station support for adding your own radio URLs manually

The extension also features localization support. If you are interested, you can checkout the Github Repo .

You can get it from GNOME Extensions website

GNOME Foundation

Allan Day announces

Another GNOME Foundation update is available , covering highlights from the last three weeks. It’s a particularly full update, covering the recent GNOME.Asia summit, audit preparation, digital wellbeing progress, and much more.

Digital Wellbeing Project ↗

Ignacy Kuchciński (ignapk) reports

As part of the Digital Wellbeing project, sponsored by the GNOME Foundation, there is an initiative to redesign the Parental Controls to bring it on par with modern GNOME apps and implement new features such as Screen Time monitoring, Bedtime Schedule and Web Filtering.

Recently the ‘time is almost up’ notification inside child session has been implemented and merged in GNOME Shell , while preventing children from unlocking after their bedtime and allowing parents to extend their screen time are being polished up. You can track the progress at their merge requests at !3980 and 3999 respectively.

That’s all for this week!

See you next week, and be sure to stop by #thisweek:gnome.org with updates on your own projects!

Welcome to mid-December! Where I am this month is a pretty cold affair… at night it’s 2 or 3 degrees above freezing. Maybe you’re in a tropical place and the nights are 30 degrees warmer. Or maybe you’re somewhere that drops down to 20 or 30 below freezing. The world is a big place! (Or maybe you’re in one of those 10 remaining countries that use fahrenheit to measure temperature.. if so, I’m sorry for you ; -)

I didn’t do much in the world of open source this month besides reviewing a few patches.

I am still using GNOME and Fedora every day for my work… at zero cost! If I’d paid for Microsoft Windows I’d be down almost 200€. So I made a few one off donations split between:

• GNOME Foundation
• Hari Rana
• Sophie Herold

Thanks to Hari’s blog post for reminding us how important it is to donate.

Who did I miss that is contributing to making excellent desktop software in difficult times?

(I know that regular donations are more helpful … I have a few dozen of those already, listed here . The list can always change : -).

I recently won a lawsuit against Roy and Rianne Schestowitz, the authors and publishers of the Techrights and Tuxmachines websites. The short version of events is that they were subject to an online harassment campaign, which they incorrectly blamed me for. They responded with a large number of defamatory online posts about me, which the judge described as unsubstantiated character assassination and consequently awarded me significant damages. That's not what this post is about, as such. It's about the sole meaningful claim made that tied me to the abuse.

In the defendants' defence and counterclaim [1], 15.27 asserts in part The facts linking the Claimant to the sock puppet accounts include, on the IRC network: simultaneous dropped connections to the mjg59_ and elusive_woman accounts. This is so unlikely to be coincidental that the natural inference is that the same person posted under both names . "elusive_woman" here is an account linked to the harassment, and "mjg59_" is me. This is actually a surprisingly interesting claim to make, and it's worth going into in some more detail.

The event in question occurred on the 28th of April, 2023 . You can see a line reading *elusive_woman has quit (Ping timeout: 2m30s) , followed by one reading *mjg59_ has quit (Ping timeout: 2m30s) . The timestamp listed for the first is 09:52, and for the second 09:53. Is that actually simultaneous? We can actually gain some more information - if you hover over the timestamp links on the right hand side you can see that the link is actually accurate to the second even if that's not displayed. The first event took place at 09:52:52, and the second at 09:53:03. That's 11 seconds apart, which is clearly not simultaneous, but maybe it's close enough. Figuring out more requires knowing what a "ping timeout" actually means here.

The IRC server in question is running Ergo (link to source code ), and the relevant function is handleIdleTimeout() . The logic here is fairly simple - track the time since activity was last seen from the client. If that time is longer than DefaultIdleTimeout (which defaults to 90 seconds) and a ping hasn't been sent yet, send a ping to the client. If a ping has been sent and the timeout is greater than DefaultTotalTimeout (which defaults to 150 seconds), disconnect the client with a "Ping timeout" message. There's no special logic for handling the ping reply - a pong simply counts as any other client activity and resets the "last activity" value and timeout.

What does this mean? Well, for a start, two clients running on the same system will only have simultaneous ping timeouts if their last activity was simultaneous. Let's imagine a machine with two clients, A and B. A sends a message at 02:22:59. B sends a message 2 seconds later, at 02:23:01. The idle timeout for A will fire at 02:24:29, and for B at 02:24:31. A ping is sent for A at 02:24:29 and is responded to immediately - the idle timeout for A is now reset to 02:25:59, 90 seconds later. The machine hosting A and B has its network cable pulled out at 02:24:30. The ping to B is sent at 02:24:31, but receives no reply. A minute later, at 02:25:31, B quits with a "Ping timeout" message. A ping is sent to A at 02:25:59, but receives no reply. A minute later, at 02:26:59, A quits with a "Ping timeout" message. Despite both clients having their network interrupted simultaneously, the ping timeouts occur 88 seconds apart.

So, two clients disconnecting with ping timeouts 11 seconds apart is not incompatible with the network connection being interrupted simultaneously - depending on activity, simultaneous network interruption may result in disconnections up to 90 seconds apart. But another way of looking at this is that network interruptions may occur up to 90 seconds apart and generate simultaneous disconnections[2]. Without additional information it's impossible to determine which is the case.

This already casts doubt over the assertion that the disconnection was simultaneous, but if this is unusual enough it's still potentially significant. Unfortunately for the Schestowitzes, even looking just at the elusive_woman account, there were several cases where elusive_woman and another user had a ping timeout within 90 seconds of each other - including one case where elusive_woman and schestowitz[TR] disconnect 40 seconds apart . By the Schestowitzes argument, it's also a natural inference that elusive_woman and schestowitz[TR] (one of Roy Schestowitz's accounts) are the same person.

We didn't actually need to make this argument, though. In England it's necessary to file a witness statement describing the evidence that you're going to present in advance of the actual court hearing. Despite being warned of the consequences on multiple occasions the Schestowitzes never provided any witness statements, and as a result weren't allowed to provide any evidence in court, which made for a fairly foregone conclusion.

[1] As well as defending themselves against my claim, the Schestowitzes made a counterclaim on the basis that I had engaged in a campaign of harassment against them. This counterclaim failed.

[2] Client A and client B both send messages at 02:22:59. A falls off the network at 02:23:00, has a ping sent at 02:24:29, and has a ping timeout at 02:25:29. B falls off the network at 02:24:28, has a ping sent at 02:24:29, and has a ping timeout at 02:25:29. Simultaneous disconnects despite over a minute of difference in the network interruption.

comments