Blog

Occasional updates about Divested projects and other fun from Tavi.
The text on this page is licensed CC BY-SA 4.0 unless stated otherwise.

Resigning ucode to mitigate security issues (2025-07-14)

Today's real-ucode update now includes an optional subpackage `amd-ucode-firmware-resigned`, which contains new microcodes re-signed in the old format so that they can be loaded on pre-2025-01 BIOSes. This is necessary to mitigate security issues such as the recent TSA vulnerability on systems without vendor updates.

  • First remove the exclusion from /etc/dnf/dnf.conf, if you had one
  • Update package list: sudo dnf install https://divested.dev/rpm/fedora/divested-release-20250714-1.noarch.rpm
  • Update real-ucode: sudo dnf update --refresh
  • Swap them: sudo dnf swap amd-ucode-firmware amd-ucode-firmware-resigned
  • Update initramfs: sudo dracut -f
  • Disable hash verification: sudo grubby --update-kernel=ALL --args="microcode.amd_sha_check=off"
  • sudo dmesg | grep microcode >> before
  • lscpu >> before
  • Reboot to apply new microcode
  • sudo dmesg | grep microcode >> after
  • lscpu >> after
  • Compare: meld before after
  • Enjoy!
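
The before/after comparison from the steps above can also be read without meld. The script below is an added example, not part of the original post or of real-ucode: it pulls the loaded microcode revision and the lscpu vulnerability rows out of both captures. The dmesg line formats it matches are assumptions, and the sample captures are constructed.

```shell
# Assumed kernel log formats: "Current revision: 0x..." (newer kernels) or
# "patch_level=0x..." (older AMD loader). Adjust the pattern if yours differs.

# Last microcode revision in a capture, as hex digits without the 0x prefix.
ucode_rev() {
    grep -Eo '(Current revision: |patch_level=)0x[0-9a-fA-F]+' "$1" |
        tail -n 1 | sed 's/.*0x//'
}

# Exit 0 if AFTER has a higher revision than BEFORE, 1 if not, 2 if unknown.
ucode_updated() {
    b=$(ucode_rev "$1"); a=$(ucode_rev "$2")
    [ -n "$b" ] && [ -n "$a" ] || return 2
    [ "$((0x$a))" -gt "$((0x$b))" ]
}

# Vulnerability rows from lscpu in either layout: "Vulnerability X: ..." or
# rows indented under a "Vulnerabilities:" header.
vuln_lines() {
    awk '/^Vulnerability /   { sub(/^Vulnerability /, ""); print; next }
         /^Vulnerabilities:/ { v = 1; next }
         v && /^ /           { sub(/^ +/, ""); print; next }
                             { v = 0 }' "$1" | sed 's/:  */: /' | sort
}

# Rows whose status differs between the captures ("<" before, ">" after).
vuln_changes() {
    vuln_lines "$1" > "$1.vuln"; vuln_lines "$2" > "$2.vuln"
    diff "$1.vuln" "$2.vuln" | grep '^[<>]' || true
    rm -f "$1.vuln" "$2.vuln"
}

# Constructed sample captures (revisions and statuses are made up).
tmp=$(mktemp -d)
cat > "$tmp/before" <<'EOF'
[    0.512345] microcode: Current revision: 0x0a000010
Vulnerabilities:
  Spectre v1:  Mitigation; usercopy/swapgs barriers
  Tsa:         Vulnerable; No microcode
EOF
cat > "$tmp/after" <<'EOF'
[    0.498765] microcode: Current revision: 0x0a000020
[    0.498770] microcode: Updated early from: 0x0a000010
Vulnerabilities:
  Spectre v1:  Mitigation; usercopy/swapgs barriers
  Tsa:         Mitigation; Clear CPU buffers
EOF

if ucode_updated "$tmp/before" "$tmp/after"; then
    echo "microcode: 0x$(ucode_rev "$tmp/before") -> 0x$(ucode_rev "$tmp/after")"
fi
vuln_changes "$tmp/before" "$tmp/after"
```

To use it on a real system, call `ucode_updated before after` and `vuln_changes before after` in the directory holding the two capture files.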

Comment on this: Fediverse

Sundry Updates (2025-07-13)

  • 12th: Brace had a fix to the fapolicyd enablement script thanks to @lucasmz.
  • 11th: I removed the bear from the website. I replaced it with a fun slogan, but I'm not too sure about it yet.
  • 10th: real-ucode has been synced with latest CPUMicrocodes, adding two new ucodes.
  • 9th & 11th: Firejail in Divested-RPM has been synced to latest master.
  • 9th: Five other older repositories were also made available again.
  • 8th & 9th: Two new repositories were published: ech-tester and mini-divested.css.
  • 8th: Udderance is now available on F-Droid.
  • 7th: Divested-WRT had its usual twice-monthly update.

ECH rollout stats (2025-07-08)

Fresh results of ECH availability on the top 10k domains (as ranked by Open PageRank) are available here. I've updated the script to also discern whether a domain is hosted on Cloudflare or not.

Comment on this: Fediverse

Packaging Udderance (2025-06-26)

Today I spent a few hours packaging Udderance as an Android app for true/reliable offline usage with all assets bundled. I encountered some small issues during the process and noted them below.

  • My assets directory was getting clobbered in the URI to load. This was annoying but easy to work around by intercepting and rewriting it.
  • The Android WebView does not support using the speechSynthesis API for TTS. Fine, whatever. I'll just strictly enable Sherpa.
  • Sherpa wasn't loading, but then I remembered I had the JIT disabled by default for apps on GrapheneOS. Toggling that and Sherpa works.
  • When Udderance detects it is running as a PWA, it hides the header & footer. I adjusted that to handle running from Android app assets to match. But strangely then the page was getting cropped off by the status and nav bar. I worked around this by replacing them with line breaks instead.
  • I then remembered that I'd have to compile Sherpa from source to meet the F-Droid inclusion criteria. So I did. However the fdroidserver instance fails to compile it with the Emscripten toolchain available in Debian repositories and generated a corrupted binary when using Emscripten from git. So I instead dropped Sherpa for this and manually proxy the TTS requests from the page to the system.
  • Then fdroidserver was failing to run the scripts to assemble everything. Turns out Debian's default dash shell does not support arrays or &> redirection and bash doesn't run aliases by default when non-interactive.

I've submitted it to F-Droid for inclusion, and it should hopefully land soon!

Comment on this: Fediverse

Security Sliders (2025-06-25)

Long ago in August of 2021 I disabled the JIT for Firefox in Brace. During testing I realized that the browser needed to be restarted for this to take effect.

Back in October of 2024 I was made aware of how the Tor Browser security slider changes these settings without a restart, preventing them from having effect and also creating a fingerprinting mess. For months after this, every time I used the slider myself I was reminded of this. The issue was made public in March, but was still unfixed. It concerned me a bit, so at the end of April I noted this issue to Jonah of Privacy Guides so they could publish a writeup and put impetus on Tor Project to fix it. Yesterday's Tor Browser update, version 14.5.4, finally fixes this years-long issue on both desktop and Android platforms.

Tor Project had this issue explicitly documented since at least May of 2024 and it was likely known offhandedly for years longer. I won't use this against them, but more so as a call to the community to get more involved. If you have the time and skills please consider contributing to the Tor Project, their mission is critical and everyone can benefit from it.

Comment on this: Fediverse

Moving Against GenAI (2025-06-23)

I've a new zebra profile picture, crudely hand drawn by me. It took quite a few steps with GIMP to clean up/convert from photo to lineart; I may make a short tutorial on that in the future. I've also removed the quick overviews from Kairoscope in favor of proper sources.

Sundry Updates (2025-06-22)

  • dnsrm had ~1,800 domain additions.
  • real-ucode has been synced with latest CPUMicrocodes, adding one new ucode.
  • Firejail in Divested-RPM has been synced to latest master.

Archiving YouTube Channels (2025-06-21)

Over the past few years YouTube has been putting more and more restrictions in place on watching videos, ranging from fake buffering to adding DRM to completely blocking playback. I've used Tor Browser for years to watch my favorite content creators, but that has been impacted by these changes, which made even short videos a tedious chore. So I started instead just bulk archiving my favorite channels, both as a way to watch them normally and as a way to preserve their content in the event YouTube decides to more aggressively enforce their restrictions (eg. mandatory account requirement). If you're reading this you've probably heard of yt-dlp (or its predecessor youtube-dl); however, the defaults will miss quite a bit of necessary extras, so below I document strongly recommended options as well as some tips. I will get straight to the point with the whole command.

yt-dlp --format 'bestvideo+bestaudio/best' --merge-output-format=mkv --embed-chapters --embed-metadata --embed-thumbnail --convert-thumbnails jpg --write-subs --write-auto-subs --sub-langs=en --write-description --download-archive 0COMPLETED --batch-file 0SOURCES

OK so how to use this command?

First have your top level directory which you will do the processing in. Save that command in a file eg. archive.sh, then create a folder for each given channel you want to save. In each channel folder you will want to create the 0SOURCES file containing the link to their channel (eg. https://www.youtube.com/@CHANNEL_HERE). Then simply invoke the script: sh ../archive.sh.

What do the options do?

  • --format 'bestvideo+bestaudio/best': Prefer the best quality video and best quality audio by merging two distinct streams, or falling back to best singular stream if unavailable.
  • --merge-output-format=mkv: Put everything into an MKV container.
  • --embed-chapters: Adds chapter markers to the MKV.
  • --embed-metadata: Adds the video description, release date, and ID to the MKV.
  • --embed-thumbnail: Adds the thumbnail to the MKV.
  • --convert-thumbnails jpg: Convert the thumbnail from Google's default WebP to JPG, which is better supported by media players.
  • --write-subs --write-auto-subs: Write subtitles, prefer real ones with fallback to automatically generated ones.
  • --sub-langs=en: Specify the language you want for subtitles. List of codes here.
  • --write-description: Write the video description to a .description file.
  • --download-archive 0COMPLETED: This keeps a list of every video that has been downloaded to prevent rechecking/redownloading them each run.
  • --batch-file 0SOURCES: This specifies what links to download.

Any tips?

  • Always update yt-dlp first! Some distros fall behind, so best to just use their GitHub release and run yt-dlp --update before continuing.
  • With the external .description and .vtt (subtitles) files, you can grep through them as a rough method of full text search of a channel!
  • Set up a Jellyfin instance and add your top-level archive directory as a 'Home Videos and Photos' collection, and it will put each channel into its own sub-folder. This lets you correctly sort them by release date and track your watch progress/history.
  • If you're downloading over Tor using torsocks you must use the standard yt-dlp binary, as their yt-dlp_linux binary is statically linked which is incompatible and will bypass torsocks.
  • Sometimes you can download videos but not their subtitles depending on your IP, so watch out for that.
  • Sometimes if a video was recently added, the highest quality format is unavailable, even if it shows up on the website.
  • You can sometimes find unlisted videos by downloading their playlists, duplicate the channel link in 0SOURCES and append /playlists. Be sure to comment it after, as playlist processing can easily get you rate-limited.
  • If yt-dlp outputs that a video is age-restricted or private you can see if archive.org has a copy, add https://web.archive.org/web/https://www.youtube.com/watch?v=VIDEO_ID_HERE to your 0SOURCES file. Be sure to comment it after.
  • If you have a slow Internet connection you might want to rate limit the process so as to not make your Internet unusable, add the --limit-rate 4M option, changing it to however fast/slow you want it.

Comment on this: Fediverse

Converting HTML to Markdown (2025-06-20)

I needed to do this earlier and pulled pandoc out, except the output was not great. Turns out you need to specify markdown_strict instead. If you have tables you may also want to append +pipe_tables to the output format.

pandoc --wrap=none --from html --to markdown_strict page.html --output page.md

Kairoscope Updates (2025-06-20)

I've prioritized and added more reading sources, as well as tidied up the pages.

Welcome (2025-06-19)

I figured it was about time I started a blog. I've backfilled it a little from my recent toots, along with some extras sprinkled in there.
I've also made a handful of updates to the website the past few days, especially the homepage. And I've added a 'GenAI usage disclosure' section, which I encourage others to do as well.

Comment on this: Fediverse

Dark Mode (2025-06-19)

I've added dark mode to my current websites. I still use mini.css which was last updated in 2018 and it predates prefers-color-scheme. So I manually merged the colors from mini-dark.css into mini-default.css and minified it again. My last attempt years ago was just loading both style sheets and setting them using the @media rule but that wasted bandwidth.

Comment on this: Fediverse

Udderance Updates (2025-06-18)

  • added 14 more phrase boards after implementing an Open Board Format converter
  • made sub menu navigation cleaner by collapsing others
  • added support for Escape key to close dialogs/submenus
  • generated the remaining 5647 translations, still to be imported

Comment on this: Fediverse

Freshly Picked Onions (2025-06-17)

Back in January when I tore down all of the DivestOS infrastructure, I also took down my onion services. Today they are back and with nice vanity addresses. I was reminded to do this after seeing someone with an awesome purple roots Tor t-shirt.

  • divested.dev: divestedqc3zjycupgdvmpzzlxtw6jkxsin2xo4g4nxzsu77jknygxqd.onion
  • kairoscope.org: screenerivy55uviqfvyqtx5sjwxbeuwairfusxedszywr5p6g7us6qd.onion
  • udderance.app: udderaacpou4mku6xptn7ebdzgzw63mtz6jnyafk6jd43xoiu6ymbbqd.onion

Brace Updates (2025-06-16)

Fedora just shipped chrony 4.7 today and Brace's previous override caused the service to be terminated by systemd due to the upstream service file switching from `forking` to `notify` type.

Comment on this: GitHub

Cables Fail - Part 2 (2025-06-15)

Recently my friend swapped out one of their 1Gb switches with a 10Gb switch, but it refused to link up with their other 10Gb switch. After some troubleshooting today, it turned out to be the cable linking them. Despite being CAT 6A, it could only successfully negotiate at 1Gb. I wouldn't be surprised if there were carrier errors at 1Gb too, but I didn't bother checking logs.

Udderance Updates (2025-06-15)

  • Boards are now machine translated into 35 languages
  • Pictograms now work in Safari
  • Phrase buttons are now in a dialog view instead of a collapse view for quicker navigation
  • Phrase board generation has been overhauled to allow for sub boards as a prerequisite for importing Open Board Format files
  • Many homepage improvements: features, compatibility matrix, explanations, etc.

More information on the choice of languages: These added 35 cover every TTS voice that Apple provides for different languages. So feel free to pick a matching board and voice and use it entirely in your native language!

Comment on this: Fediverse

Udderance Updates (2025-06-14)

Just added pictogram support for 700+ phrases to Udderance thanks to the Mulberry Symbols project. Was easier than I expected, although my server is having a difficult time serving them up quickly. I disabled compression of SVG files to help, but I will need to pre-compress them and adjust my Apache config to handle that.

Comment on this: Fediverse

Udderance Updates (2025-06-13)

  • Support for dynamic phrase board generation and presets
  • A board preset cloned from Cboard AAC
  • Improved voice list handling
  • Support for Sherpa TTS via WASM for more voices and as a fallback when WebSpeech is unavailable (many Linux distros don't seem to set up/enable Speech Dispatcher)
  • Tiny additions like a button to clear the history log
  • Various bug fixes

Comment on this: Fediverse

iPhone Review (2025-06-12)

Notes after daily driving an iPhone for six months after having spent a decade maintaining my own Android distro: ios-review.txt

Comment on this: Fediverse, Privacy Guides Forum

Launching Udderance (2025-06-10)

Happy Tuesday! 🛸🐮
Here is another small project I made yesterday.
Udderance is a text-to-speech (TTS) based augmentative and alternative communication (AAC) tool with a focus on simplicity and cross-platform usage.
It is meant to be installed as a PWA (via your browser) on your phone.

Comment on this: Fediverse, Privacy Guides Forum, Hacker News

Strange ZFS behavior (2025-06-07)

I recently added some drives to a ZFS pool. When I did an rsync to the dataset, it had seemingly recopied some directory metadata despite them not actually changing. I think I've observed this previously, but didn't document it last time.

Summarizing a YouTube video (2025-06-04, License: CC0)

Someone on a forum asked for a summary of a YouTube video so I figured I'd see how well Ollama/Gemma3 can do it. I used some bash fun to convert the subtitles, as I found existing tools overcomplicated. You'll also need to increase your Ollama context limit from the default 4k to 16k or higher if the video is particularly long.

videoID="[YOUTUBE VIDEO ID]";
# Download only the subtitles (real ones, falling back to auto-generated ones)
yt-dlp --write-subs --write-auto-subs --skip-download "https://www.youtube.com/watch?v=$videoID";
# Drop cue timing/tag lines, repeated lines and the header, then flatten to a single line
cat ./*"$videoID"*.vtt | grep -v "<>" | grep -v "\-\->" | grep -v "><" | awk '!seen[$0]++' | tail -n +4 | tr '\n' ' ' > "/tmp/transcript-$videoID";
# Ask the model to summarize the transcript
ollama run gemma3:12b-it-qat "Please write a breakdown and summary of the following, ignore any sponsorship segments: $(cat "/tmp/transcript-$videoID")" > "summary-$videoID";

Donations (2025-05-29)

I removed the donation options six months back when I shuttered DivestOS. Today they are available again for those of you who are interested in financially supporting my work.

Kairoscope Updates (2025-05-29)

There are now 21 tests and it now has a dedicated domain.

Comment on this: Fediverse

Launching Kairoscope (2025-05-27)

May is mental health awareness month, so to promote it I’ve implemented a handful of mental health screeners in the form of completely client side tests. Have fun!
Please let me know if you encounter any issues with them.

Comment on this: Fediverse, Privacy Guides Forum, Hacker News

Cables Fail - Part 1 (2025-05-20)

I've had many cables fail over the years, so I figured I'd start documenting them. I just swapped out all SATA cables on my NAS after one drive started spewing UDMA errors a few days ago. Said problematic cable was untouched and working for ~3 years and then decided to retire early.

Fedora iptables fun (2025-04-28)

Fedora pushed out an iptables update today which altered some paths. firewalld, Docker, and other tools broke. Chaos ensued.

CAA Record Clipping (2025-04-21)

I've started migrating to Porkbun since Gandi has yet to cease constantly hiking their prices. After I moved my first domain over I quickly hit an error where CAA records were being clipped off. Porkbun was quick to help here: It seems Cloudflare DNS (which Porkbun depends on) is quite strict in their parsing and it must not contain any spaces. I later made a script to bulk test/verify DNS records are set as expected, I'll be publishing it eventually.

Bounds checking in hmalloc (2025-03-21)

I've started working on a feature in the GrapheneOS hardened_malloc project that enables system wide buffer over/under-flow detection by overriding common block operation functions (eg. memcpy/memset) and performing size checks against the known sizes available in the malloc's metadata. It works quite well system wide in my testing, but still needs some extra work. @cgzones has been a kind help to me in making it comprehensive and accurate. This feature provides substantial security benefits to traditional (Intel/AMD) systems.

Comment on this: Privacy Guides Forum

SCFW3 Updates (2025-03-20)

trash.sh now blocks many known AI crawlers and the ancient versions list has been refreshed.

Comment on this: GitHub

Brace Updates (2025-02-18)

  • JavaScript JIT is now disabled for WebKitGTK and GJS thanks to @RKNF404
  • Tweaks to browser extension overrides

Comment on this: GitHub

Ending DivestOS and apps (2024-12-23)

Thank you everyone. Full announcement

Comment on this: Fediverse, Privacy Guides Forum, Hacker News, F-Droid Forum, Techlore Forum
