I am privileged to work for a non-profit organization, the Freedom of the Press Foundation, which allows me to work full-time on free and open-source software, namely SecureDrop. It also pays the bills and lets me spend me free time doing other stuff that's good for humanity, like contributing to wikis, running a Mastodon server and riding bikes.
FPF accomplished a lot of important things this year, but like every other non-profit, we're currently doing our end of the year fundraising drive, hence this blog post.
If you like my work, whether on SecureDrop or just in general, and have the means to do so, I'd appreciate you donating to FPF: https://freedom.press/donate/ (if you live in the US, this donation is tax deductible). Click the checkbox that says "This donation is in tribute of someone", and then say the gift is in honor of me, "Kunal". (You're also welcome to type other stuff, like "legos" or "boba tea".)
Hate my work? That's fine too, just pick the option that says "This gift is in opposition to" and mention my name. You could also type other stuff here, like "the Kragle" or "boba tea haters".
Now that you've read this far, I'll also mention that we have a merch store with FPF and SecureDrop swag, including stickers! If you use the coupon code "FPF2023" you'll get a 15% discount (only on Nov. 27 aka Cyber Monday).
I haven't been very good with writing about what I've been working on in SecureDrop-land, but here is: Migrating SecureDrop’s PGP backend from GnuPG to Sequoia
over on the SecureDrop website. You should read it, and then come back to read the rest of this.
We had been discussing Sequoia internally for a while, but I officially filed an issue titled "Use Sequoia-PGP instead of gpg/pretty_bad_protocol" in April 2022. I pushed
a first WIP of the Rust code to a branch named
oxidize on July 8, 2022 and had it working in the development environment by the 14th. TBH that was the easy part, migrating existing sources from GPG to Sequoia was going to be
the hard part.
Small tangent, I was very fortunate to grow up around a lot of Sequoia trees, and I have very fond memories of visiting Muir Woods National Monument as a kid. So when I had
to pick a name for the Rust crate, I tried to stay with the theme, and went to the Wikipedia disambiguation page for Sequoia, clicked on the first link, Sequoioideae,
read "...commonly referred to as redwoods", and then immediately ran
cargo new redwood --lib. I anticipated we'd switch to a generic, boring, name like
rust but that didn't end up happening :-).
Exporting public keys is pretty easy, but GPG stores secret keys in its own custom s-expression thing (documented as "...easier to read and edit by human beings", okay.), which we would have to write something
custom to read. I flailed around trying to do so but never really got anywhere. Sequoia opened a ticket on their end for supporting GPG's format, but as of this writing, it hasn't seen any real progress (which is fine and understandable!).
Also I got busy with other SecureDrop things (e.g. "Reorganize Debian packaging, have debhelper do most of the work", which deserves its own blog post).
At the end of December 2022, Sequoia announced their chameleon project to replace the
gpg CLI. In January 2023 (this year!) I discussed whether using that was an
option in the Sequoia IRC channel, and Neal (who is fantastic), suggested just using GPG directly. Great idea!
Now that we had a real migration plan, February and March had some internal discussions on whether to move forward with this, and I started working on it for real in May. The first PR
was up by the end of May and landed the first week of June.
The second major PR was posted mid-July and merged at the beginning of October! There were a number of smaller
PRs in the middle, but that was "step 2" in my high-level roadmap.
There was a lot of good back and forth during review from SecureDrop team members, Sequoia developers and other volunteer contributors. And related PRs from other SecureDrop team members.
Everything else landed in October, and then this week I finished running some benchmarking, which, surprise surprise, showed that calling the Sequoia Rust code was faster than
shelling out to GPG.
SecureDrop 2.7.0 powered by Sequoia should be (knocks on wood) released in a few days, which will be the largest milestone to date of this multi-year project. And as the blog post pointed out, there's still a lot of work to do.
This is the first Rust project that I've worked on that is being shipped to production users (all the wiki bots I've written really don't count), and it's been a blast. It certainly won't be the last ;-)
I tend to spend a lot of time reading. When I was a kid it was as many books I could carry home from the library; later it would become newspapers, blogs and online things.
I never bothered to track what I was reading, because there was so much of it and re-reading something you enjoyed isn't that bad. It also felt invasive (in a privacy sense), but that was mostly because everyone was using the
Amazon-owned Goodreads. For a while I used the perfectly named "Badreads" app, but I never felt comfortable with it.
Anyways, this is all to say that I now have an account on bookrastinating.com (also perfectly named!!), which runs the ActivityPub-enabled BookWyrm software.
You can follow me as: @email@example.com.
I've been posting everything as followers-only, and I'm planning to only approve people I know well (my current vague criteria is that we've met in real life).
The actual federation from Mastodon is pretty meh, you can see when I add books to my "to read"
list and when I start and finish books, but can't read the actual reviews I've been writing. I'm curious to see if it's better for people who are federating from other BookWyrm instances.
If I end up writing something brilliant that I want public I'll probably publish it on my blog.
In any case, I'm fine with those limitations for now, this is largely an exercise in tracking what I read rather than trying to be uh, social about what I read. I appreciate that BookWyrm seems to have some actual privacy controls in place instead
of Mastodon's "everything is public".
Last week The New Republic published an article by Melissa Gira Grant titled, "The Mysterious Case of the Fake Gay Marriage Website, the Real Straight Man, and the Supreme Court" about how the request for a gay wedding website underpinning the 303 Creative LLC v. Elenis case was supposedly fake.
TNR followed it up with "The Supreme Court Doesn’t Care That the Gay Wedding Website Case Is Based on Fiction", which really
gets to the heart of the matter in the opening line: "If the Supreme Court persists in making rulings based on fiction, how can we take any ruling seriously?"
But this is far from a new issue. We can look at the landmark 2003 Lawrence v. Texas decision for another example of a ruling based on incredibly questionable "facts". In that case, Lawrence, Garner and Eubanks (all gay),
were at Lawrence's apartment. Eubanks, who had supposedly been drinking, became jealous that Lawrence and Garner were flirting. Eubanks left the apartment to go to a vending machine and called the police, falsely reporting
that there was a black man with a gun at Lawrence's apartment.
Four officers respond, one claimed they saw Lawrence and Garner having anal sex, another said they were having oral sex and the other two didn't make any mention of it in their reports.
They were arrested and charged with having "deviate sex", specifically anal sex. They would eventually be represented by Lambda Legal and win in a 6-3 United States Supreme Court ruling
that struck down all remaining sodomy laws and reaffirmed the unenumerated right to privacy.
Except...the facts of this case were also a lie. Lawrence and Garner weren't having sex, they weren't even in the same room when the police entered!
This would be first revealed in the 2012 book Flagrant Conduct: The Story of Lawrence v. Texas by law professor Dale Carpenter.
Dahlia Lithwick wrote a good summary of the book for The New Yorker, explaining that Lambda Legal needed to find actual plaintiffs who had been charged under a sodomy law
to challenge their constitutionality. But being convicted of such a charge had significant consequences, so attorneys wanted clients with "with little to lose". Enter Lawrence and Garner.
Here's how Lithwick described it:
The legal opportunity depended, however, upon persuading the defendants to go along with an unusual strategy. High-powered lawyers would represent Lawrence and Garner, as long as they agreed to stop saying they weren’t guilty and instead entered a “no contest” plea. By doing so, the two were promised relative personal privacy, and given a chance to become a part of gay-civil-rights history. The cause was greater than the facts themselves. Lawrence and Garner understood that they were being asked to keep the dirty secret that there was no dirty secret.
That’s the punch line: the case that affirmed the right of gay couples to have consensual sex in private spaces seems to have involved two men who were neither a couple nor having sex. In order to appeal to the conservative Justices on the high court, the story of a booze-soaked quarrel was repackaged as a love story. Nobody had to know that the gay-rights case of the century was actually about three or four men getting drunk in front of a television in a Harris County apartment decorated with bad James Dean erotica.
They pled no contest to the charges and largely stayed out of the limelight while their attorneys took the lead and won a landmark victory. (Lithwick has a parenthetical stating, "Carpenter is careful throughout to show that
none of the civil-rights lawyers lied or misrepresented the facts.")
You could presumably write a similar article titled, "The Supreme Court Doesn't Care That the Anal Sex Case Is Based on Fiction" (consider this to be the alternative title for this blog post). It is entirely believable that a cop in
Texas in 1998 would falsely accuse two gay men of having sex so they could be arrested for something after responding to a false report.
It's not hard to find other cases where the Court relied on faulty facts, take a look at the dissent in last year's Kennedy v. Bremerton School District
It's certainly worth asking whether this even matters. Dareh Gregorian wrote a piece for NBC News this week titled, "'Sham' website customer likely didn't affect Supreme Court ruling on same-sex weddings, experts say".
Good to know, but this doesn't address the opening question: "If the Supreme Court persists in making rulings based on fiction, how can we take any ruling seriously?"
To put it another way, in Lithwick's New Yorker piece, she pointed out, "Since the days of Brown v. Board of Education, and right up to District of Columbia v. Heller, the 2008 handgun-ban case, major test cases, [attorneys] knew, have turned as much on selecting the perfect plaintiffs as on the law being challenged."
And if you can't find them, just make them up.
I had a wonderful time at the 2023 Wikimedia Hackthon in Athens, Greece, earlier this month. The best part was easily seeing old friends that I haven't met in person since
probably 2018 and getting to hack and chat together. I also met a ton of new friends for the first time, even though we've been working together for multiple years at this point! I very much enjoy the remote, distributed nature
of working in Wikimedia Tech, but it's also really nice to meet people in person.
This post is very scattered because that was my experience at the hackathon itself, just constantly running around, bumping into people.
I wrote that I wanted to work on: "mwbot-rs and Rust things, technical governance (open to nerd sniping)". I definitely did my fair share of Rust evangelism and had good discussions regarding technical governance (more on that another
time). And some Mastodon evangelism and a bunch of sticker trading.
But before I got into hacking things, I tabulated and published the results of the 2022 Commons Picture of the Year contest, which I think turned out
pretty well this year. Of course, the list of things to improve for next year keeps getting longer and longer (again, more on that in a future post).
At some point during conversation, I/we realized that the GWToolset extension was still deployed on Wikimedia Commons despite being, well, basically dead. It hadn't been used in over a year and last rites were administered back in November (literally, you have to look at the photos).
With a thumbs-up from extension-undeploying expert Zabe (and others), I undeployed it! There was a "fun" moment when the venue WiFi dropped so the scap output
froze on my terminal, but I knew it sucessfully went through a few minutes later because of the IRC notification, phew. Anyways, RIP, end of an era.
And then Taavi deployed the RealMe extension, which allows wiki users to verify their Mastodon accounts and vice versa. But we went for dinner immediately after so Taavi wasn't even the
first one to announce it, Raymond beat him to it! :-)
I spent a while rebasing a patch to bring EventStreams output to parity with the IRC feed that was first posted in April 2020 and got it merged (you're welcome Faidon ;)).
One of the last things I did before leaving was an interview about MediaWiki in the context of spinning up a new MediaWiki platform team (guess which one I am). At one point the
question was "What is the single biggest pain point of working in MediaWiki?" Me: "can I have two?"
Reviewed a bunch of stuff:
Probably the most important patch I wrote at the hackathon was to add MaxSem, Amir (Ladsgroup), TheDJ and Petr Pchelko to the primary MediaWiki authors list on
Despite having a bunch of wonderful people being there, it was also very apparent who wasn't there. We need more regional hackathons and after a bit of reassurance from Siebrand and Maarten, it became clear that we have enough
Wikimedia Tech folks in New York City already, so uh, stay tuned for details about some future NYC-based hackathon and let me know if you're interested in helping!
Final thanks to the Wikimedia Foundation for giving me a scholarship to attend. I really can't wait until the next time I get to see everyone again.
I did a lot of new, crazy things in 2022, but by far, the most unplanned and unexpected was running a social media server for my friends.
Somehow it has been six months since Taavi and I launched Wikis World, dubbed "a Mastodon server for wiki enthusiasts".
Given that milestone, it's time for me to come clean: I do not like microblogging. I don't like tweets nor toots nor most forms of character-limited posting. I'm a print journalist by training and mentality (there's a reason
this blog has justified text!); I'd so much rather read your long-form blog posts and newsletters. I want all the nuance and detail that people leave out when microblogging.
But this seems to be the best option to beat corporate social media, so here I am, co-running a microblogging server. Not to mention that I'm attempting to co-run accounts for two projects I've basically dedicated the past decade
of my life to: @MediaWiki and @Wikipedia.
Anyways, here are some assorted thoughts about running a Mastodon server.
I feel like I have a good amount of "content moderation" experience from being a Wikipedia administrator and my conclusion is that I don't like it (what a trend, I promise there are actually things
I like about this) and more importantly, I'm not very good at it. For the first few months I read literally every post on the Wikis World local timeline, analyzing to see whether it was okay or problematic.
This was, unsurprisingly, incredibly unhealthy for me and once I realized how unhappy I was, I stopped doing it.
Especially once we added Lucas and now AntiComposite as additional moderators, I feel a lot more comfortable skimming the local timeline with the intent of actually seeing what people are posting, not pure moderation.
This is not to eschew proactive moderation (which is still important!), just that my approach was not working for me, and honestly, our members have demonstrated that they don't really need it. Which brings me to...
I've said in a few places that I wanted Wikis World to grow organically. I never really defined what un-organically was, but my rough idea was that we would build a community around/through Wikis World instead of just importing
one from elsewhere. I don't think that ended up happening, but it was a bad goal and was never going to happen. We have slightly under 100 accounts, but it's not like all of us are talking to and with each other. Instead,
I feel like I'm in a circle of ~5-15 people, largely Wikimedians active in tech areas, who regularly interact with each other, and half of those people host their account elsewhere. Plus the common thread bringing everyone
together is wikis, which is already an existing community!
So far I'm pretty happy with how Wikis World has grown. I have a few ideas on how to reduce signup friction and automatically hand out invites, hopefully in the next few months.
The rewarding part
It is incredibly empowering to exist in a social media space that is defined on my own terms (well, mostly). We are one of the few servers that defaults to a free Creative Commons license (hopefully not the only server). We have
a culture that promotes free and open content over proprietary stuff. And when I encourage people to join the Fediverse, I know I'm bringing them to a space that respects them as individual human beings and won't deploy unethical
dark patterns against them.
To me, that makes it all worth it. The fact that I'm also able to provide a service for my friends and other wiki folks is really just a bonus. Here's to six more months of Wikis World! :-)