SDF Chatter


Support for this instance is greatly appreciated at https://sdf.org/support

1
2
glangela_slamsbury (self.sudonyms)
submitted 37 minutes ago by wesker to c/sudonyms
2
3
0
submitted 50 minutes ago* (last edited 49 minutes ago) by wesker to c/modabuse
 
 

They are also requiring all moderators to retroactively remove offending posts and comments that are surfaced via reports.

Long live the fediverse queen.

4
 
 
5
 
 

I had never heard of Lucas Deeco until working on these terminals. These two terminals are fascinating IP65 touch screen terminals for use in hostile environments. (Hostile to computers) Let's dig into what makes these tick and see if I can figure out why one of them is not working.

6
 
 

We're working on completing GrapheneOS support for the Pixel 9a. If you have a Pixel 9a and are interested in testing experimental GrapheneOS builds later today, please join our testing chat room on either Discord or Matrix which are bridged together.

https://grapheneos.org/contact#community-chat

7
 
 

Our 2025040700 release was an early April 2025 security update release based on the Android Security Bulletin backports.

April 2025 monthly release of Android 15 QPR2 is in the process of being published today and we'll make a new release after the tags are all pushed to AOSP.

Today is also the launch day for the Pixel 9a. The tags for the Pixel 9a should get pushed to AOSP after the monthly update is fully pushed.

Once that's pushed and we've released the April update of Android 15 QPR2, we can start working on adding Pixel 9a support to GrapheneOS.

We have a Pixel 9a ordered for our main device farm which has been marked as ready for pickup by the delivery company. It will hopefully be delivered tomorrow. We've generated signing keys and added preliminary support to Auditor and AttestationServer which will need testing.

April 2025 update for the Pixel 9a stock OS is still based on Android 15 QPR1 rather than Android 15 QPR2. They updated the device branch to the April 2025 security patch level via backports from Android 15 QPR2. Our initial port will be from our final Android 15 QPR1 release.

Our final Android 15 QPR1 release was 2025030300 which was the first Monday of March, which was the day the Android Security Bulletin was published so we made a similar early security update release based on it. Android 15 QPR2 was released the next day (March 4th).

Pixel 8a launched in a similar way based on Android 14 QPR1 instead of Android 14 QPR2. It was the first time it happened that way, and now they've repeated it with the Pixel 9a. It's strange to launch a new device on the previous major OS release with security backports instead.

Android 14 QPR3 was released less than a month after the Pixel 8a and it was merged into the mainline releases. It's not clear if the Pixel 9a will get an update to Android 15 QPR2 or move straight to Android 16 in June. Either way, it will have a device branch until Android 16.

Pixel 9a device branch tags are currently being pushed to AOSP. Kernel tags are going to be pushed after the non-kernel tags are pushed. That means it will be a while longer before the monthly update is fully published. Going to make adding Pixel 9a support take a bit longer.

8
 
 

Tags:

  • 2025041100 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2025040700 release:

  • full 2025-04-05 security patch level
  • rebased onto BP1A.250405.007.D1 Android Open Source Project release
  • remove code for Qualcomm XTRA (PSDS) privacy improvements since we no longer have any devices with Qualcomm GNSS and we can add it back in the future if we need it again rather than porting it forward under the assumption we'll be using it
  • fix upstream RecoverySystem.verifyPackage(...) vulnerability (this was not directly exploitable due to there being 2 layers of update package signature verification and downgrade protection, but the first layer of protection should work properly to avoid a vulnerability in the 2nd layer being exploited)
  • Android Debug Bridge: more complete fix for upstream use-after-free bug for network-based connections which is being caught by our always enabled hardware memory tagging support for the base OS in hardened_malloc
  • kernel (6.1): update to latest GKI LTS branch revision
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.83
  • Seedvault: update to 15-5.5 (will be replaced with a better backup implementation in the future)
  • Vanadium: update to version 135.0.7049.79.0
  • Auditor: update to version 88
  • PDF Viewer: update to version 27
  • PDF Viewer: update to version 28
9
 
 

Porting GrapheneOS to the Pixel 9a is now well under way. Pixel 9a is still using Android 15 QPR1 rather than Android 15 QPR2. We had to create a special branch for it based on taking our final Android 15 QPR1 release (2025030300) and rebasing it onto the Pixel 9a release tags.

Android 15 QPR2, 2nd quarterly release of Android 15, was released March 2025. Since Android 14 QPR2, quarterly releases are based off the development branch with as many changes as yearly releases. Many changes are behind feature flags and yearly releases enable far more flags.

Pixel 8a launched in mid May 2024 still using Android 14 QPR1 instead of Android 14 QPR2 released in March 2024. The device branch for the Pixel 8a went away the next month when Android 14 QPR3 was released. This year's June release is Android 16 rather than Android 15 QPR3.

We've backported a subset of the changes since 2025030300 to our Pixel 9a device branch including an import sandboxed Google Play compatibility layer, a recent fix for an upstream update security issue and all of our changes to our Network Location and System Updater projects.

Strangely, Android delayed the April 2025 monthly update until Pixel 9a launch day (April 10th) despite the Pixel 9a not receiving it. The monthly update is for Android 15 QPR2. Pixel 9a has April 2025 and earlier security patches backported to an Android 15 QPR1 device branch.

Since the Android 15 QPR2 monthly update and Android 15 QPR1 release for the Pixel 9a were released together, the kernel tags for the monthly update were delayed all the way until today in the past hour since the Pixel 9a tags took so long to push. We're dealing with that now.

To work around the monthly update for Android 15 QPR2 being delayed until Pixel 9a launch, we made a release based on April 2025 Android Security Bulletin backports on the day it came out (https://grapheneos.org/releases#2025040700). Android Security Bulletins are partial backports to old versions.

Android Security Bulletins are most of the High and Critical severity patches backported to older releases of Android including Android 15 without the monthly/quarterly updates. They're not the full Android security patches, just the subset required for OEMs to set a patch level.

Android Security Bulletins often contain backports of patches already shipped in earlier months. Various patches in the April 2025 Android security bulletin were already shipped by Android 15 QPR2 in March. The new Android release each month is a separate thing from the bulletin.

10
 
 

OpenSSL 3.5.0 was recently released with support for Post Quantum Cryptography (PQC). The package update is now deployed across our servers. Our web services now use hybrid PQC key exchange with clients supporting it. Easy to confirm X25519MLKEM768 gets used in Chromium browsers.

11
 
 

Notable changes in version 27:

  • update pdf.js library to 5.1.91
  • raise minimum Chromium WebView version to 133 and use it as the build target
  • add redundant setBlockNetworkLoads(true) for the WebView (this is already the default due to not having the INTERNET permission, but being more explicit about this is a good thing)
  • update esbuild to 0.25.2
  • update dependencies of npm dependencies
  • update AndroidX Core KTX library to 1.16.0
  • update Android Gradle plugin to 8.9.1
  • update Kotlin to 2.1.20
  • update Gradle to 8.13

A full list of changes from the previous release (version 26) is available through the Git commit log between the releases.

Simple Android PDF viewer based on pdf.js and content providers. The app doesn't require any permissions. The PDF stream is fed into the sandboxed WebView without giving it access to the network, files, content providers or any other data.

Content-Security-Policy is used to enforce that the JavaScript and styling properties within the WebView are entirely static content from the APK assets along with blocking custom fonts since pdf.js handles rendering those itself.

It reuses the hardened Chromium rendering stack while only exposing a tiny subset of the attack surface compared to actual web content. The PDF rendering code itself is memory safe with dynamic code evaluation disabled, and even if an attacker did gain code execution by exploiting the underlying web rendering engine, they're within the Chromium renderer sandbox with less access than it would have within the browser.

This app is available through the Play Store with the app.grapheneos.pdfviewer.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.pdfviewer id are published in the GrapheneOS App Store which provides fully automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel. These releases are also bundled as part of GrapheneOS and published on GitHub.

GrapheneOS users must obtain GrapheneOS app updates through our App Store since verified boot metadata is required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

12
 
 

Notable changes in version 88:

  • add support for Pixel 9a with either the stock OS or GrapheneOS
  • require TLSv1.3 instead of either TLSv1.2 or TLSv1.3
  • drop legacy USE_FINGERPRINT permission since we dropped Android 9 support a while ago
  • update Bouncy Castle library to 1.80
  • update CameraX (AndroidX Camera) library to 1.4.2
  • update AndroidX Core library to 1.16.0
  • update Guava library to 33.4.7
  • update Android NDK to 28.0.13004108
  • update Android Gradle plugin to 8.9.1
  • update Kotlin to 2.1.20
  • update Gradle to 8.13
  • minor improvements to code quality
  • exclude unused OSGI manifests to avoid file conflicts

A full list of changes from the previous release (version 87) is available through the Git commit log between the releases.

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version.

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification. Trust is chained through the verified OS to the app to bootstrap software checks with results displayed in a separate section.

This app is available through the Play Store with the app.attestation.auditor.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.attestation.auditor app id are published in the GrapheneOS App Store which provides fully automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel. These releases are also bundled as part of GrapheneOS and published on GitHub.

GrapheneOS users must obtain GrapheneOS app updates through our App Store since verified boot metadata is required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

13
 
 

From National Fish and Wildlife Association

A resident of bottomland hardwood forests, the swamp rabbit has an unusual superpower. As the largest cottontail on the planet, their size and buoyancy make them excellent swimmers. When encountering danger, these clever floofs evade predators by hopping into water and swimming away. And they're just as speedy out of the water. Consider them the triathletes of the Mississippi Valley!

To thrive, the swamp rabbit needs large, contiguous forest patches and close proximity to wetlands. That's why we work to restore, enhance and conserve bottomland hardwood forest and wetland habitat to benefit wildlife in the Lower Mississippi Alluvial Valley.

Bonus little video from PBS supposedly capturing the first ever footage of one swimming.

14
22
snow is tough on solar (img.mousetrap.net)
submitted 23 hours ago by fratermus to c/houseless
 
 

Boondocking site at 7,500ft in the Sandia Mtns. Just east of Albuquerque.

Forecast called for some precip, but I wasn't expecting this much. I've swept 9" off the panels so far.

15
 
 

Notable changes in version 28:

  • add back JPEG 2000 image support unintentionally removed in PDF Viewer version 27 due to pdf.js splitting it out
  • add JavaScript fallback for JPEG 2000 image support for when the WebView JIT is disabled
  • improve CMYK to RGB conversion when the WebView JIT is enabled via ICC profile support provided by the pure Rust qcms library compiled to WebAssembly

A full list of changes from the previous release (version 27) is available through the Git commit log between the releases.

Simple Android PDF viewer based on pdf.js and content providers. The app doesn't require any permissions. The PDF stream is fed into the sandboxed WebView without giving it access to the network, files, content providers or any other data.

Content-Security-Policy is used to enforce that the JavaScript and styling properties within the WebView are entirely static content from the APK assets along with blocking custom fonts since pdf.js handles rendering those itself.

It reuses the hardened Chromium rendering stack while only exposing a tiny subset of the attack surface compared to actual web content. The PDF rendering code itself is memory safe with dynamic code evaluation disabled, and even if an attacker did gain code execution by exploiting the underlying web rendering engine, they're within the Chromium renderer sandbox with less access than it would have within the browser.

This app is available through the Play Store with the app.grapheneos.pdfviewer.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.pdfviewer id are published in the GrapheneOS App Store which provides fully automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel. These releases are also bundled as part of GrapheneOS and published on GitHub.

GrapheneOS users must obtain GrapheneOS app updates through our App Store since verified boot metadata is required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

16
9
submitted 21 hours ago by wesker to c/everyday_bingo
17
18
 
 
19
20
 
 

http://archive.today/2025.04.18-233234/https://www.nytimes.com/2025/04/18/us/politics/trump-rubio-putin-ukraine.html

“If it is not possible to end the war in Ukraine, we need to move on.”

Whatever Mr. Rubio’s meaning, his words were the latest American gift to Mr. Putin’s cause. At every turn since Mr. Trump’s inauguration, he or his top national security aides have issued statements that played to Russia’s advantage: taking NATO membership for Ukraine off the table, repeatedly declaring that Ukraine would have to give up territory and even blaming Ukraine for the invasion itself.

On Friday, Mr. Trump himself suggested that the United States could walk away from the conflict, much as it did when frustrated in Vietnam, Iraq and Afghanistan.

Indeed, in an interview with The New York Times in the spring of 2016, when he was first running for president, Mr. Trump described Ukraine as Europe’s problem. “I’m all for Ukraine; I have friends that live in Ukraine,” he said.

But Mr. Trump added: “When the Ukrainian problem arose, you know, not so long ago, and we were, and Russia was getting very confrontational, it didn’t seem to me like anyone else cared other than us. And we are the least affected by what happens with Ukraine because we’re the farthest away.”

Defense Secretary Pete Hegseth struck a similar tone in February, when he declared on his first official trip to Europe that Ukraine would not enter NATO for the foreseeable future, that Russia would likely keep the 20 percent or so of Ukraine it had seized, and that any peacekeeping or “tripwire” force in Ukraine to monitor a cease-fire would not include Americans.

Mr. Trump’s distrust of Mr. Zelensky remains as strong as ever. “I’m not a fan,” he told Ms. Meloni in an Oval Office meeting on Thursday.

There is virtually no serious discussion underway at the White House or on Capitol Hill about the next package of arms for Ukraine when the current support, which was pushed through in the last months of the Biden administration, runs its course, according to congressional supporters of Ukraine.

European officials say they have not even received assurances that the United States will continue its extensive intelligence sharing for Ukraine, which has been key to its ability to target Russian troops and infrastructure.

In fact, when the White House talks about its relationship with Ukraine these days, it is usually in terms of what it is getting, not what it plans to give. Since the Oval Office blowup, the United States and Ukraine have been renegotiating a deal for American investment and access to Ukrainian minerals, rare earths and other mining projects.

It has taken the better part of six weeks to rewrite the deal that was left unsigned at the White House that day. But Mr. Trump and Treasury Secretary Scott Bessent said this week that they would sign a substitute agreement next Thursday.

The deal Mr. Trump really covets is one with Russia. But getting there requires getting past Ukraine — either by declaring a cease-fire, or just setting the problem aside.

Some experts argue that even if Mr. Trump makes that huge shift, it likely will not work. They doubt Mr. Putin is ready to limit his ties to China, Iran and North Korea — countries that fuel the war effort with technology, drones and, in North Korea’s case, troops.

In several interviews, including one with Tucker Carlson, Mr. Witkoff described the benefits of a broader relationship with Russia, one that would essentially normalize relations. When Mr. Carlson asked about Mr. Putin’s broader ambitions to take all of Ukraine and perhaps seek to reabsorb some of the former Soviet republics, Mr. Witkoff dismissed the idea. He said he was “100 percent” certain that Mr. Putin has no desire to overrun Europe, or even to control Ukraine.

“Why would they want to absorb Ukraine?” he asked. “That would be like occupying Gaza.”

21
22
 
 

I've been down the trackers rabbit hole lately, given my basic knowledge of music making. This is what I've managed to come up with recently. I know it doesn't sound all that good but at least it's something.

23
92
Missing: Arm (beehaw.org)
submitted 2 days ago* (last edited 2 days ago) by millie@beehaw.org to c/unix_surrealism
 
 

24
 
 

More content to come now that my precious collection is available to me day to day. Just have to find the boxes that contain my LD players.

25
19
My Doubles (lemmy.sdf.org)
submitted 2 days ago by qrstuv to c/funhole
 
 