
apt, SHA-1 keys + 2026-02-01

1 Comment

You might have seen "Policy will reject signature within a year" warnings in apt(-get) update runs like this:

root@424812bd4556:/# apt update
Get:1 http://foo.example.org/debian demo InRelease [4229 B]
Hit:2 http://deb.debian.org/debian trixie InRelease
Hit:3 http://deb.debian.org/debian trixie-updates InRelease
Hit:4 http://deb.debian.org/debian-security trixie-security InRelease
Get:5 http://foo.example.org/debian demo/main amd64 Packages [1097 B]
Fetched 5326 B in 0s (43.2 kB/s)
All packages are up to date.
Warning: http://foo.example.org/debian/dists/demo/InRelease: Policy will reject signature within a year, see --audit for details

root@424812bd4556:/# apt --audit update
Hit:1 http://foo.example.org/debian demo InRelease
Hit:2 http://deb.debian.org/debian trixie InRelease
Hit:3 http://deb.debian.org/debian trixie-updates InRelease
Hit:4 http://deb.debian.org/debian-security trixie-security InRelease
All packages are up to date.    
Warning:  http://foo.example.org/debian/dists/demo/InRelease: Policy will reject signature within a year, see --audit for details
Audit:  http://foo.example.org/debian/dists/demo/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on 54321ABCD6789ABCD0123ABCD124567ABCD89123 is not bound:
              No binding signature at time 2024-06-19T10:33:47Z
     because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Audit: The sources.list(5) entry for 'http://foo.example.org/debian' should be upgraded to deb822 .sources
Audit: Missing Signed-By in the sources.list(5) entry for 'http://foo.example.org/debian'
Audit: Consider migrating all sources.list(5) entries to the deb822 .sources format
Audit: The deb822 .sources format supports both embedded as well as external OpenPGP keys
Audit: See apt-secure(8) for best practices in configuring repository signing.
Audit: Some sources can be modernized. Run 'apt modernize-sources' to do so.

If you ignored this for the last year, I would like to tell you that 2026-02-01 is not that far away (hello from the past if you’re reading this because you’re already affected).

Let’s simulate the future:

root@424812bd4556:/# apt --update -y install faketime
[...]
root@424812bd4556:/# export LD_PRELOAD=/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1 FAKETIME="2026-08-29 23:42:11" 
root@424812bd4556:/# date
Sat Aug 29 23:42:11 UTC 2026

root@424812bd4556:/# apt update
Get:1 http://foo.example.org/debian demo InRelease [4229 B]
Hit:2 http://deb.debian.org/debian trixie InRelease                                 
Err:1 http://foo.example.org/debian demo InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 54321ABCD6789ABCD0123ABCD124567ABCD89123 is not bound:            No binding signature at time 2024-06-19T10:33:47Z   because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance   because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
[...]
Warning: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. OpenPGP signature verification failed: http://foo.example.org/debian demo InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 54321ABCD6789ABCD0123ABCD124567ABCD89123 is not bound:            No binding signature at time 2024-06-19T10:33:47Z   because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance   because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
[...]
root@424812bd4556:/# echo $?
100

Now, the proper solution would have been to fix the signing key underneath (via e.g. sq cert lint --fix --cert-file $PRIVAT_KEY_FILE > $PRIVAT_KEY_FILE-fixed).

If you don’t have access to the corresponding private key (e.g. when using an upstream repository that has been ignoring this issue), you’re out of luck for a proper fix.

But there’s a workaround for the apt situation (for related background, see apt commit 0989275c2f7afb7a5f7698a096664a1035118ebf):

root@424812bd4556:/# cat /usr/share/apt/default-sequoia.config
# Default APT Sequoia configuration. To overwrite, consider copying this
# to /etc/crypto-policies/back-ends/apt-sequoia.config and modify the
# desired values.
[asymmetric_algorithms]
dsa2048 = 2024-02-01
dsa3072 = 2024-02-01
dsa4096 = 2024-02-01
brainpoolp256 = 2028-02-01
brainpoolp384 = 2028-02-01
brainpoolp512 = 2028-02-01
rsa2048  = 2030-02-01

[hash_algorithms]
sha1.second_preimage_resistance = 2026-02-01    # Extend the expiry for legacy repositories
sha224 = 2026-02-01

[packets]
signature.v3 = 2026-02-01   # Extend the expiry

Adjust this according to your needs:

root@424812bd4556:/# mkdir -p /etc/crypto-policies/back-ends/

root@424812bd4556:/# cp /usr/share/apt/default-sequoia.config /etc/crypto-policies/back-ends/apt-sequoia.config

root@424812bd4556:/# $EDITOR /etc/crypto-policies/back-ends/apt-sequoia.config

root@424812bd4556:/# cat /etc/crypto-policies/back-ends/apt-sequoia.config
# APT Sequoia override configuration
[asymmetric_algorithms]
dsa2048 = 2024-02-01
dsa3072 = 2024-02-01
dsa4096 = 2024-02-01
brainpoolp256 = 2028-02-01
brainpoolp384 = 2028-02-01
brainpoolp512 = 2028-02-01
rsa2048  = 2030-02-01

[hash_algorithms]
sha1.second_preimage_resistance = 2026-09-01    # Extend the expiry for legacy repositories
sha224 = 2026-09-01

[packets]
signature.v3 = 2026-02-01   # Extend the expiry

Then we’re back to the original situation, with a warning instead of an error:

root@424812bd4556:/# apt update
Hit:1 http://deb.debian.org/debian trixie InRelease
Get:2 http://foo.example.org/debian demo InRelease [4229 B]
Hit:3 http://deb.debian.org/debian trixie-updates InRelease
Hit:4 http://deb.debian.org/debian-security trixie-security InRelease
Warning: http://foo.example.org/debian/dists/demo/InRelease: Policy will reject signature within a year, see --audit for details
[..]

Please note that this is a workaround, and not a proper solution.
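
As an added example (not part of the original post and not apt's own code), the following Python check reads a policy file in the format shown above and reports, for a given date, which cutoffs have already passed and which fall within the next year, mirroring the error and warning stages in the apt output. The sample file is constructed from the override above; the function names and the way the one-year horizon is computed are assumptions of this sketch.

```python
from datetime import date

# Constructed sample: a shortened copy of the override file shown above.
OVERRIDE = """\
# APT Sequoia override configuration
[asymmetric_algorithms]
dsa2048 = 2024-02-01
rsa2048  = 2030-02-01

[hash_algorithms]
sha1.second_preimage_resistance = 2026-09-01    # Extend the expiry for legacy repositories
sha224 = 2026-09-01

[packets]
signature.v3 = 2026-02-01   # Extend the expiry
"""

def parse_cutoffs(text):
    """Return {(section, key): date} for every 'key = YYYY-MM-DD' line."""
    cutoffs, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            try:
                cutoffs[(section, key)] = date.fromisoformat(value)
            except ValueError:
                continue                           # non-date values are out of scope here
    return cutoffs

def classify(cutoffs, today):
    """Map each entry to 'rejected', 'warning' (cutoff within a year) or 'ok'."""
    try:
        horizon = today.replace(year=today.year + 1)
    except ValueError:                             # today is 29 February
        horizon = today.replace(year=today.year + 1, day=28)
    return {entry: "rejected" if today >= cutoff
                   else "warning" if horizon >= cutoff else "ok"
            for entry, cutoff in cutoffs.items()}

if __name__ == "__main__":
    # Same date as the FAKETIME simulation above.
    report = classify(parse_cutoffs(OVERRIDE), date(2026, 8, 29))
    for (section, key), state in report.items():
        print(f"{state:8} [{section}] {key}")
```

The check reads the policy only, not the repository keys, so an entry marked rejected matters only for repositories whose signatures still depend on that algorithm.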

jepler
6 hours ago
yup I see this error from `download.opensuse.org` apparently where I get lutris from(?). I wonder why opensuse hasn't fixed this on their end.. but at least I can put the problem off by following these instructions...
Earth, Sol system, Western spiral arm

Xfwl4: the roadmap for a Xfce Wayland compositor

1 Comment

The Xfce team has announced that it will be providing funding to Brian Tarricone to work on xfwl4, a Wayland compositor for Xfce:

Xfwl4 will not be based on the existing xfwm4 code. Instead, it will be written from scratch in rust, using smithay building blocks.

The first attempt at creating an Xfce Wayland compositor involved modifying the existing xfwm4 code to support both X11 and Wayland in parallel. However, this approach turned out to be the wrong path forward for several reasons:

  • Xfwm4 is architected in a way that makes it very difficult to put the window management behavior behind generic interfaces that don't include X11 specifics.
  • Refactoring Xfwm4 is risky, since it might introduce new bugs to X11. Having two parallel code bases will allow for rapid development and experimentation with the Wayland compositor, with zero risk to break xfwm4.
  • Some X11 window management concepts just aren't available or supported by Wayland protocols at this time, and dealing with those differences can be difficult in an X11-first code base.
  • Using the existing codebase would require us to use C and wlroots, even if a better alternative is available.

Work has already commenced on the project, and the project hopes to share a development release in mid-2026.

jepler
2 days ago
I guess I'd like to not be stuck on X11 against my will and this is a prerequisite so I'm happy to see it. However, I'll probably stubbornly remain on X11 as long as it's tenable...
Earth, Sol system, Western spiral arm

Gasoline Out of Thin Air? It's a Reality!

1 Comment
Can Aircela's machine "create gasoline using little more than electricity and the air that we breathe"? Jalopnik reports... The Aircela machine works through a three-step process. It captures carbon dioxide directly from the air... The machine also traps water vapor, and uses electrolysis to break water down into hydrogen and oxygen... The oxygen is released, leaving hydrogen and carbon dioxide, the building blocks of hydrocarbons. This mixture then undergoes a process known as direct hydrogenation of carbon dioxide to methanol, as documented in scientific papers.

Methanol is a useful, though dangerous, racing fuel, but the engine under your hood won't run on it, so it must be converted to gasoline. ExxonMobil has been studying the process of doing exactly that since at least the 1970s. It's another well-established process, and the final step the Aircela machine performs before dispensing it through a built-in ordinary gas pump. So while creating gasoline out of thin air sounds like something only a wizard alchemist in Dungeons & Dragons can do, each step of this process is grounded in science, and combining the steps in this manner means it can, and does, really work.

Aircela does not, however, promise free gasoline for all. There are some limitations to this process. A machine the size of Aircela's produces just one gallon of gas per day... The machine can store up to 17 gallons, according to Popular Science, so if you don't drive very much, you can fill up your tank, eventually... While the Aircela website does not list a price for the machine, The Autopian reports it's targeting a price between $15,000 and $20,000, with hopes of dropping the price once mass production begins. While certainly less expensive than a traditional gas station, it's still a bit of an investment to begin producing your own fuel. If you live or work out in the middle of nowhere, however, it could be close to or less than the cost of bringing gas to you, or driving all your vehicles into a distant town to fill up. You're also not limited to buying just one machine, as the system is designed to scale up to produce as much fuel as you need.

The main reason why this process isn't "something for nothing" is that it takes twice as much electrical energy to produce energy in the form of gasoline. As Aircela told The Autopian "Aircela is targeting >50% end to end power efficiency. Since there is about 37kWh of energy in a gallon of gasoline we will require about 75kWh to make it. When we power our machines with standalone, off-grid, photovoltaic panels this will correspond to less than $1.50/gallon in energy cost."

Thanks to long-time Slashdot reader Quasar1999 for sharing the news.
jepler
6 days ago
ugh just make electric cars happen finally. this is terrible.
Earth, Sol system, Western spiral arm
denubis
6 days ago
Terraform's take on this is far more sensible. https://terraformindustries.com/ They at least have considered logistics.

US Insurer 'Lemonade' Cuts Rates 50% for Drivers Using Tesla's 'Full Self-Driving' Software

1 Comment
An anonymous reader shared this report from Reuters: U.S. insurer Lemonade said on Wednesday it would offer a 50% rate cut for drivers of Tesla electric vehicles when the automaker's Full Self-Driving (FSD) driver assistance software is steering because it had data showing it reduced accidents. Lemonade's move is an endorsement of Tesla CEO Elon Musk's claims that the company's vehicle technology is safer than human drivers, despite concerns flagged by regulators and safety experts.

As part of a collaboration, Tesla is giving Lemonade access to vehicle telemetry data that will be used to distinguish between miles driven by FSD — which requires a human driver's supervision — and human driving, the New York-based insurer said. The price cut is for Lemonade's pay-per-mile insurance. "We're looking at this in extremely high resolution, where we see every minute, every second that you drive your car, your Tesla," Lemonade co-founder Shai Wininger told Reuters. "We get millions of signals emitted by that car into our systems. And based on that, we're pricing your rate."

Wininger said data provided by Tesla combined with Lemonade's own insurance data showed that the use of FSD made driving about two times safer for the average driver. He did not provide details on the data Tesla shared but said no payments were involved in the deal between Lemonade and the EV maker for the data and the new offering... Wininger said the company would reduce rates further as Tesla releases FSD software updates that improve safety. "Traditional insurers treat a Tesla like any other car, and AI like any other driver," Wininger said. "But a driver who can see 360 degrees, never gets drowsy, and reacts in milliseconds isn't like any other driver."

jepler
6 days ago
Selling your fine grained information is worth so much to this insurance company ... !
Earth, Sol system, Western spiral arm

The Gold Plating of American Water

1 Comment
The price of water and sewer services for American households has more than doubled since the early 1980s after adjusting for inflation, even though per-capita water use has actually decreased over that period. Households in large cities now spend about $1,300 a year on water and sewer charges, approaching the roughly $1,600 they spend on electricity. The main driver is federal regulation.

Since the Clean Water Act of 1972 and the Safe Drinking Water Act of 1974, the U.S. has spent approximately $5 trillion in contemporary dollars fighting water pollution -- about 0.8% of annual GDP across that period. The EPA itself admits that surface water regulations are the one category of environmental rules where estimated costs exceed estimated benefits.

New York City was required to build a filtration plant to address two minor parasites in water from its Croton aqueduct. The project took a decade longer than expected and cost $3.2 billion, more than double the original estimate. After the plant opened in 2015, the city's Commissioner of Environmental Protection noted that the water would basically be "the same" to the public. Jefferson County, Alabama, meanwhile, descended into what was then the largest municipal bankruptcy in U.S. history in 2011 after EPA-mandated sewer upgrades pushed its debt from $300 million to over $3 billion.
jepler
10 days ago
"The EPA itself admits" <-- a very suspect sentence in 2026
Earth, Sol system, Western spiral arm

Catching the last train in Tokyo, an interactive visualization

1 Comment

Ever missed Tokyo’s last train? Dive into this interactive visualization of the city’s sprawling rail network!

Slide from 11PM to 1:30AM and watch routes vanish as trains depart.

It covers 100+ stations, station-specific views, and mobile magic.

See the interactive map at tokyo-last-train-map.pages.dev. Via X.

jepler
10 days ago
25:30? Yeah that's just standard notation in Japan for 1:30AM when it's more logically associated with the previous day than the next day. You see this e.g., for bar opening hours, e.g., 16:00-26:00
Earth, Sol system, Western spiral arm