December 2025

01Jan26

Pupdate

It’s been quite dry over the Christmas break, which has encouraged some longer than usual walks that the boys have enjoyed.

Max and Milo wearing their blue fleece coats on a woodland path

After a scan at the start of the month Milo has now almost completed the first cycle of his 4th modified ‘CHOP’ chemotherapy protocol. As before, low neutrophils mean we’re a little behind the ideal schedule; but also he’s never made it through the early cycles without some delay.

Gigs

Steve Hogarth

This was our third time in as many years seeing ‘h natural’ at Trading Boundaries, and he really seems to have settled into enjoying the venue. He treated us to another selection of covers, solo material and Marillion tracks; and there was even more audience participation than before, including a performance of Talking Heads ‘Once in a Lifetime’ that had about half a dozen people joining Steve at his keyboard.

Steve Hogarth performing at Trading Boundaries

Wakeman and Wilson

On a trip with the kids to look at the Roger Dean gallery $wife was persuaded to get some tickets for the Christmas event featuring Adam Wakeman and Damian Wilson. It was a lot of fun, and seems likely to become a regular feature for future festive seasons.

Damian Wilson singing, accompanied by Adam Wakeman

Hackers in the House

I was aware of the first Hackers in the House, last year, but only after the fact. So when it popped up in my Mastodon feed this year I applied to participate.

It was weird to do an event where I didn’t know anybody else; though I did get to meet a couple of folk I knew from the Internet :)

Was it worth a day to learn how the policy sausage is made (and hopefully make future policy better for practitioners)? I think yes – the folk from government seemed very receptive to the input from the room.

My one big takeaway (my own analysis). During Brexit we talked about Britain as a ‘rule taker’ or ‘rule maker’. My read on what’s now happening is that we’re a ‘rule fudger’. The EU is pushing ahead with some pretty big legislation in the cyber security space, such as the Cyber Resilience Act (CRA). Meanwhile the UK government is publishing voluntary codes of practice. For a lot of the areas we talked about it felt like it doesn’t really matter what UK policy is, because the CRA will be shaping what most suppliers actually do.

Health & Fitness

A year of monthly challenges

I’ve had a couple of years where I’ve completed 11 monthly challenges, with one where I frustratingly missed December; but this is my first time getting the complete set.

A complete set of monthly challenge badges for 2025

NHS Healthcheck

“You might think you’re healthy, but you really have no idea, as you’ve not seen a doctor since before Covid”, was becoming a frequent refrain from $wife. I was also a little concerned that I seem to be getting more colds than usual in the past few years. Some sort of deficiency? It was time to find out.

My doctor’s surgery online booking system offered an NHS Health Check, which seemed to be what I needed (and without bothering an actual doctor for an appointment). I had to book two appointments – one for blood to be taken for tests, and another a couple of weeks later to go over the results.

I knew ahead of the second appointment that my blood tests were all normal, as the results appeared in the NHS app on my phone. The consultation was spent going through a lifestyle questionnaire, and that didn’t reveal any surprises or demand any changes. Hurray :) Except I still don’t know why I’m getting so many colds? Aging, more stuff going around post Covid, population wide immune problems post Covid – they’re all in the mix, with no clear answers.

Shingrix

The evidence is mounting that the Shingles vaccine provides protection against dementia, and I don’t want to wait another decade to qualify for it on the NHS. So that was quite an expensive trip to my local pharmacy :0

The pharmacist warned me that it would likely kick my ass, and she wasn’t wrong. I went to bed with a sore arm, and aches all over, and woke a few hours later to shivers. But, by the morning I was feeling OK. Apparently the second dose (due in 2 months) isn’t usually so bad.

Washing machine repair

Our 13 year old Bosch washing machine started leaving puddles on the floor. As the door seal was disgusting, I ordered a replacement, which took a couple of days to arrive. I did that despite not finding any obvious damage that would allow water out.

The (disgusting) old washing machine door seal

The new seal took about an hour to fit, following this excellent guide. Running a test wash afterwards seemed fine, but then there was another puddle :(

Somehow I’d failed to spot that the hose for the fabric conditioner had come off. So the machine was getting to quite late in a wash cycle then squirting water.

Hose not attached as it should be

Getting to the hose to reattach it meant repeating some steps from the seal replacement, but by then I knew what I was doing with my new hook pick and the other tools involved.

Although the replacement seal wasn’t strictly necessary, it’s nice that the machine is looking like new again :)

New IT bits

I didn’t really want a new printer and graphics card, but events forced my hand.

Printer

The Dell 1320CN that I got 15y ago started printing with coloured stripes that weren’t going away. Perhaps a victim of too little use now that $wife does most of her printing at work.

I considered not replacing it, but when a deal came up on a Brother HL-L3240CDW I went for it. It’s small, quiet, network connected, and does duplex colour printing; so everything I need. Consumables look reasonable, but only time will tell on that front…

Graphics card

I did a separate post on my Silent PC GPU upgrade, but it was a bunch of money and time just to avoid forced obsolescence because Nvidia doesn’t play nicely with Linux :(

Maybe one day I’ll do some gaming where I can marvel at how much smoother the pixels are :/

Solar diary

December is cold and dark, but this December was less dark than the past couple of years, with some bright sunny days.

76.1kWh generated during December

VR

Last month I felt that practice in Clay Hunt VR was throwing off my real world clays game. This month, not so much.


TL;DR

Nvidia have ended Linux support for my ‘Pascal’ GTX 1050 Ti GPU. I’ve been able to fit an RTX 5050 card in its place, though the process was problematic due to driver issues. And I’m still concerned that it can only be limited to 110W when my passive cooling is rated up to 75W.

Background

When I upgraded my silent PC earlier in the year I kept the original graphics card, with an Nvidia GTX 1050Ti. I couldn’t find anything better that fitted into the 75W power budget.

Then I saw Justin Garrison’s post linking to ‘NVIDIA Drops Pascal Support On Linux, Causing Chaos On Arch Linux’.

I replied:

Grrr. I was considering options to upgrade the 1050Ti in my silent desktop, but nothing was compelling (mostly as Nvidia don’t do a 75W card any more).

Forced obsolescence sucks 🙁

It was clear that I was now on an obsolete platform, and I’d need a new card sooner or later. I decided to get the trouble out of the way before the Christmas break ended.

New card

A quick look at Quiet PC suggested that the Palit GeForce RTX 5050 StormX 8GB Semi-fanless Graphics Card would be the way to go. Unfortunately they were closed for Christmas.

Luckily Scan also had the card, and they were offering next day delivery. I opted to save £8.99 by not going for Sunday delivery, but (hurrah) it came on Sunday anyway. Top marks to Scan (and DPD) :)

Although it’s a 130W card, I found these instructions showing how to limit power usage – ‘Set lower power limits (TDPs) for NVIDIA GPUs’.

I also ordered a 6pin to 8pin PCIe converter cable, as I knew my PSU didn’t have a newer GPU cable.

Cooling

Job 1 was to remove the heatsink and fan, which just needed a few screws to be taken out. I then set about swapping the DB4 GPU cooling kit from the old card to the new. Thankfully it was possible to do that without completely dismantling the PC. I was even able to leave everything apart from the display cables and power plugged in.

The mounting holes for the heat pipe cooler block were in the same spacing as before, and there was just enough space around the GPU. So no drama with this bit. I also had some heatsinks spare that I could attach to the RAM and other chips that were in contact with the OEM heatsink/fan arrangement.

Power

I’d bought the 6pin to 8pin converter knowing that I didn’t have an 8pin connector; but falsely thinking that the existing card used a 6pin.

It did not :( The old card just took power from the PCIe bus, which can supply the 75W it used.

There is a 6pin connector, but that goes to the motherboard.

So… I did this crime against cabling by sacrificing the SATA and Molex cables I don’t use and splicing their power to the adaptor cable I’d bought.

8pin PCIe power connector wired through choc block to cables that were for Molex and SATA

That got me to a system that would power up and show a screen, which is when the real fun began.

Drivers

As I already had an Nvidia card using their official drivers I expected the new card to ‘just work’. It did not.

I got a BIOS boot screen, and then the Kubuntu splash screen as it booted. But no login screen. Just a cursor blinking top left of an empty black screen.

Worse still, the keyboard driver was being disabled at some stage during boot, so I couldn’t just jump into a console and fix things from there.

When I tried unplugging the keyboard and plugging it back in again I got:

usbhid: couldn't find an interrupt endpoint

Disabling secure boot in the BIOS didn’t improve things.

Getting to grub

I needed to get to a console, which meant interrupting the regular boot.

According to many sources online all I needed to do was hold down (right) shift during boot. This accomplished nothing.

Next I tried hitting Esc. Unfortunately my repeated presses bounced me through the grub menu and into the grub command line. I needed to hit Esc, once, at precisely the right time.

On one of my failed attempts Esc got me the dmesg output during a regular boot, which revealed this gem:

dmesg showing that I need the NVIDIA open kernel modules

Eventually I hit Esc at just the right time, which let me boot into the console and uninstall the existing Nvidia drivers with:

apt purge '^nvidia-.*'

That got me a system that would properly boot. But only a single screen. I still needed the proper drivers:

sudo apt install nvidia-driver-580-open

Finally… I was back to a proper multi monitor setup. All that remained was to configure power limiting. Unfortunately it turns out I can’t set things to 75W, as the lowest limit is 110W. On the other hand it does seem that quiescent power consumption is about half what the old card used to consume, so maybe I’ll save some pennies on my electricity bill :/

nvidia-smi output showing power limit and usage

This could have gone much easier if…

  1. I’d known to uninstall the existing drivers first (and maybe even get the -open drivers in place)
  2. I’d reconfigured grub to make it easier to get into a console.

Performance (per watt)

I’ve not noticed any improvement in performance, but then I don’t generally use this PC for gaming.

According to GPU Monkey my old 1050 Ti scores 2mp or 0.0267mp/W.

The new 5050 scores 11mp, so 5.5x faster, but also consumes 130W to do that, so 1.73x more power. So only a 3.17x improvement in performance per Watt to give 0.0846mp/W.

Conclusion

This was an upgrade for necessity rather than something I really wanted. My daily use of the PC isn’t improved in any noticeable way.

I’m also a little concerned that I can’t limit the power to the rated capacity of the passive cooling, so if I ever do drive it hard with some gaming it’s likely to overheat and hit thermal throttling.


Milo’s had a fantastic long remission – it’s been almost nine months since his last chemo. Long enough that we started hoping for a miracle, and that he might not relapse again.

Milo on my lap as I type this post. The shaved area on his belly for his scan is visible – the only sign that there’s anything abnormal.

But… the good folk at North Downs Specialist Referrals (NDSR) were right to be concerned about his last scan, and get him back sooner than we’d originally planned. Although there are no signs of him being unwell, the lymph nodes are definitely growing :(

So… we’re back to weekly vet visits, for blood tests, and chemo if the bloods are looking OK. He’ll be doing the same modified CHOP protocol as last time – so Vincristine, Chlorambucil, Vincristine and Epirubicin over four cycles, along with some Prednisolone for the first few weeks.

Also… wow! I did not expect to still be adding entries to this diary (almost) three years later when I started in Jan ’23. Milo’s responded really well to past treatment, and we can only hope that keeps on going.

Past parts:

1. diagnosis and initial treatment

2. first setback

3. back on track

4. second setback

5. easing the pace

6. counting the cost

7. fat boy

8. done CHOPping for now

9. scans

10. relapse

11. remission

12. complications

13. more H

14. three

15. scans (again)

16. relapse redux

17. remission redux

18. OK but delays

19. four

20. extended remission


November 2025

01Dec25

Pupdate

It’s been pretty cold and wet, so the boys are needing to wear their coats outside.

Miniature Dachshunds Max and Milo on a park bench wearing their blue fleece coats

Milo had a scan at the start of the month. Initially things were looking good, and the plan was to stretch out the next visit to three months time :) But then the technician noticed some lymph node density changes, so we’ll be back next week…

Briana Corrigan

Another brilliant act at Trading Boundaries. She sang a fab mix of Beautiful South material, her own songs, and some covers.

RC2014 Picasso

Having ordered my kit back in the Easter holidays I’d been waiting for a wet (and quiet) weekend to put it together – not expecting it to be quite so many months :/

Annoyingly it didn’t work straight away, and the cause wasn’t obvious. After swapping components with my working RC2014 Mini, and checking all the obvious stuff with a meter and scope I paused.

My assembled RC2014 Picasso – ready to be hung on the wall

Jason Byrne

Another act that we would have usually seen at the Fringe, but also one of the kids’ favourites. So we caught his tour as it passed through London. Hilarious as always. I think he only got to about 10m of prepared material in almost 2h as there was a LOT of audience interaction.

Retro meetup

The Centre for Computing History in Cambridge held a retro gaming event that was a good excuse to get (some of) the meetup crowd together in person. It was also great to meet and chat with some of the exhibitors.

RC2014 Picasso cont.

I’d hoped to chat to RC2014 creator Spencer at the event, but sadly he was unwell and didn’t make the trip. So the debugging continued using the name badge card from RC2014 Assembly. Eventually I noticed a difference in how I held the system – a loose connection or dry joint I’d somehow missed. It was good to see it reliably booting :)

LUX

I’d not previously heard of Rosalía, but I noticed some raving about her new album on Bluesky. Then I saw the video for Berghain. Wow! Instant buy.

I’ve probably listened to it almost every day since the CD arrived, as it’s a masterpiece.

Of course I’ve now gone into the back catalogue and bought ‘El Mal Querer’ and ‘Motomami’.

It’s a little weird listening to stuff where I don’t understand most of the lyrics. But I realised years ago that it’s possible to enjoy singing without understanding it, when a friend gave me an album from the Icelandic band he was part of.

Boots

I got some Sorel Boots at Rei in Tysons Corner on one of my last DXC trips, so they’ve lasted me well considering I’ve worn them a LOT over the 6y or so. They were comfortable from day one, and so they’ve joined me on many adventures.

A pair of well loved Sorel boots

But… the soles were starting to wear through, and then when I checked them over before sending away for a resole I noticed splits between the upper and sole on both boots. I’m amazed that I hadn’t regularly got wet feet :/

Boots stamped ‘WATERPROOF’ that definitely aren’t any more :(

Finding some replacements wasn’t straightforward. I’ve settled for a pair of Panama Jack P03 Aviator C23. Early signs are promising (despite $wife saying the sheepskin lining looks ‘chavvy’), though I’m taking some care breaking them in.

Solar Diary

It’s been cold, and dark, so not a great time of the year for solar generation, but also not the worst November.

111.5kWh generated in November

VR

After practicing all month I’ve managed to get much better and more consistent at Clay Hunt VR. I can shoot perfect rounds of skeet and trap, and my scores on the various sporting rounds are edging upwards. Did this translate into a real world improvement at the clays ground? No :( If anything my score was worse than usual, and I found myself missing shots I’d usually expect to find easy.


TL;DR

Our online discourse is the victim of industrial scale pollution, and the incentives are being aligned in the wrong direction. Rather than polluters being penalised there’s now an entire industry that’s paid to pollute.

Filter Failure at the Outrage Factory is no longer just the work of ‘amateur’ fringe trolls and state sponsored propaganda; it’s become a profession.

Dumping of plastic waste in the forest. CC BY-SA 4.0 by Apetigah Immaculate
Pollution of our lived environment is perhaps more visceral than our information space.

We lost our best watchers

The Stanford Internet Observatory (and particularly Renée DiResta[1]) did sterling work tracking and educating about the spread of online misinformation. Sadly they fell victim to a concerted lawfare campaign. In many ways their shutdown tells us all we need to know about the present situation in terms of politics and incentives.

Yet sometimes the rot is too obvious to ignore

X recently added an account location feature that exposed numerous highly visible US political accounts as being located elsewhere. The BBC ran with ‘How X’s new location feature exposed big US politics accounts’, whilst 404 went with ‘America’s Polarization Has Become the World’s Side Hustle’, noting:

The ‘psyops’ revealed by X are entirely the fault of the perverse incentives created by social media monetization programs.

It turns out you can fund a reasonable lifestyle in a ‘low income’ country by shit stirring online; and (as Terry Pratchett might put it), “it’s indoor work with no heavy lifting”.

What’s to be done?

We’ve dealt with pollution before. Early industrialists poisoned their workers and the land around their factories. The costs were borne by society whilst they continued to rake in the profits – what economists call an ‘externality’.

We’re facing exactly the same problem again, only this time the pollution is to our information space rather than our lived environment. But that doesn’t make the toxic effects any less damaging. Our information space shapes our lived environment (and the policies that apply to it), so it’s vital to ensure that everything is kept clean.

Regulate away the poor incentives

We know how and why all this is happening. Outrage drives engagement, and engagement brings in advertising revenue. That flywheel has been amplified by taking a tiny fraction of the ad revenue to drive more outrage.

This is largely happening because social media companies have dodged the (reasonably effective) advertising regulation that applies to more traditional media. But there’s no reason to give them a pass.

Start with political will

This is the hard bit… regulation only happens when lawmakers feel a sense of urgency.

Kids dying from being poisoned gets an immediate response.

But the harms from the pollution of our information space aren’t so obvious. Worse they’re being actively obfuscated by… the pollution of our information space. It’s like the smog from the factory stopping anybody from noticing the kids choking to death.

In many cases one side of the political divide has persuaded itself that the outrage supports their case. Meanwhile their opponents are too in thrall to media power.

There are some glimmers of hope, that I’ll return to in another post; but right now it seems we’re a long way from solving this pollution problem.

Note

[1] Renée’s ‘Invisible Rulers: The People Who Turn Lies into Reality’ provides an excellent overview of this problem.


Background

We build a bunch of stuff for RISC-V using the Dart official Docker image, but the RISC-V images can often arrive some time (days) after the more mainstream images[1]. That means that if we merge a Dependabot PR for an updated image it might well be missing RISC-V, causing the Continuous Delivery (CD) pipeline to break when trying to do a release :(

More testing

The answer is to have an additional test e.g. check_riscv_image.yml. This is triggered by any PR that’s changing a Dockerfile that might go awry because of an incomplete manifest. It then uses docker buildx to inspect the manifest, along with some jq to pick the bits we need out of the json. If we find a riscv64 image in there then all is good; otherwise the test fails and we know not to merge the offending PR (and wait a while longer for a more complete manifest to show up).
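The check described above, as an added example in Python; it is not the contents of check_riscv_image.yml, which the post says uses docker buildx and jq. The function names, image tags and manifests are constructed for illustration, and the manifest fetch is injectable so the sample runs offline.

```python
import json
import re
import subprocess

REQUIRED_ARCH = "riscv64"

# FROM [--platform=...] image [AS stage]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<image>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)


def base_images(dockerfile_text):
    """External base images from FROM lines, skipping 'scratch' and earlier stages."""
    stages, images = set(), []
    for line in dockerfile_text.splitlines():
        match = FROM_RE.match(line)
        if not match:
            continue
        image = match.group("image")
        if image.lower() != "scratch" and image not in stages and image not in images:
            images.append(image)
        if match.group("stage"):
            stages.add(match.group("stage"))
    return images


def architectures(raw_manifest):
    """Architectures in an image index; empty set if it is a single-platform manifest."""
    doc = json.loads(raw_manifest)
    found = set()
    for entry in doc.get("manifests", []):
        arch = (entry.get("platform") or {}).get("architecture")
        # BuildKit attestation entries are listed as unknown/unknown: not a real platform.
        if arch and arch != "unknown":
            found.add(arch)
    return found


def inspect_with_buildx(image):
    """Raw manifest from the registry (needs Docker and network access)."""
    result = subprocess.run(
        ["docker", "buildx", "imagetools", "inspect", "--raw", image],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


def images_missing_arch(dockerfile_text, inspect=inspect_with_buildx, arch=REQUIRED_ARCH):
    """Base images whose manifest does not (yet) list the required architecture."""
    return [img for img in base_images(dockerfile_text)
            if arch not in architectures(inspect(img))]


def _index(*archs):
    """Build a constructed image index; digests are placeholders, not real."""
    return json.dumps({
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.index.v1+json",
        "manifests": [
            {"digest": "sha256:<placeholder>", "platform": {"architecture": a, "os": "linux"}}
            for a in archs
        ],
    })


# Constructed sample data: tags and manifests are invented for the demo.
SAMPLE_DOCKERFILE = """\
FROM dart:constructed-new AS build
RUN dart compile exe bin/app.dart -o /app
FROM --platform=$BUILDPLATFORM debian:constructed-slim AS tools
FROM scratch
COPY --from=build /app /app
"""
SAMPLE_REGISTRY = {
    "dart:constructed-new": _index("amd64", "arm64", "unknown"),  # riscv64 not pushed yet
    "debian:constructed-slim": _index("amd64", "arm64", "riscv64", "unknown"),
}

if __name__ == "__main__":
    missing = images_missing_arch(SAMPLE_DOCKERFILE, inspect=SAMPLE_REGISTRY.__getitem__)
    for image in missing:
        print(f"{image}: no {REQUIRED_ARCH} manifest yet, do not merge")
    raise SystemExit(1 if missing else 0)
```

A single-platform manifest yields an empty architecture set, so the check fails closed rather than assuming RISC-V is present.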

Note

[1] This isn’t just a problem for Dart, it happens for all of the official images that include RISC-V (and other less popular architectures). The underlying problem is the Docker folk just don’t have sufficient build infrastructure, and it’s particularly acute when lots of images are being (re)built at once (e.g. because of a new Debian stable release).


TL;DR

Agentic systems are the latest thing being used to solve IT integration issues, becoming the glue squirted into the gaps between systems. But the use of natural language means that the distinction between ‘data’ and ‘code’ is almost impossible to make, which causes a whole raft of security concerns. This new glue may be powerful, but it gives off fumes that can cause a bunch of problems. Handle with care!

Agents are being used as space filling glue

AI agents are being put to use filling the gaps between systems in order to get them to integrate. Zack Akil has a post about this “AI Agents are the new 3D Printers”, which I might boil down to the observation that it’s fine to make a disposable prototype out of hot glue, but maybe consider other things if you want a load bearing structure.

Zack’s post inspired me to comment on LinkedIn:

This reminds me of some of the conversations around serverless a few years back.

The analogy I used was ‘space filling glue’, and 3D printing is (approximately) “what if we make things entirely out of space filling glue”.

Serverless functions also make a great (virtual) space filling glue. If you have some apps or services that don’t quite join together then you can squirt some functions into the gap and get a fit that works.

Agents are the new shiny, and so of course people are finding novel ways to use them to fill those annoying gaps between systems. More space filling glue. But once again, you might wish to think twice about building something load bearing entirely out of this stuff.

Glues through the ages

I’m sure there’s historical stuff about tree sap or whatever I could dig into; but there’s no need to go so far back.

My first memory of glue was 1970s adverts for ’10 second bonding’ Superglue; but cyanoacrylate is not ‘space filling’ and relies on perfectly matched surfaces that fit together. I came to discover that epoxy resin, and impact glue and various other forms were better for fixing many things. When my dad first showed me a hot glue gun it seemed like magic, but I came to discover it too had (many) limitations.

Of course another feature of the 70s was the scourge of ‘glue sniffers’ – people getting off their heads by inhaling the toxic solvents used in some glues.

It’s been a similar story with integrating IT systems. At first we had to arrange for the perfect fit, but over the years various forms of ‘middleware’ have come along to facilitate integration. Before agents, serverless was the latest hotness (or hot glue); which caused me to observe at the time that serverless is great if you have a joining things together problem, but you might not want to construct entire systems from it.

And yet, we still have ‘swivel chair’ integration; and mostly because it’s been deemed too risky to join systems with the glues at hand. I’ll speculate that agentic approaches don’t magically fix that.

IT’s original sin, repeated, and worse

We chose the Von Neumann architecture over the Harvard architecture because memory was expensive and thus rare; and its use could be better optimised if code and data shared the same space. Arguably this is the original sin of IT security, as many of the issues that beggar us today track back to not properly separating code from data. There have of course been successive attempts to remedy this, with something like Capability Hardware Enhanced RISC Instructions (CHERI) representing the state of the art.

Agentic systems double down on this original sin, turbocharged, and on steroids. Everything is in natural language, so there’s no clear way to separate ‘code’ from ‘data’. Sequences of tokens might be innocuous in isolation, but add a couple together and you get an attack. It seems the only way to tell is to ‘run’ it and find out. Halting problem anybody?

Is our new agentic integration glue ‘better’ than what we had before? For some situations undoubtedly yes. Safer? Hell no, this stuff makes gluing stuff together in an unventilated cupboard with giant open pots of contact adhesive look like the sane option. Don’t huff the fumes.


October 2025

03Nov25

Pupdate

The central heating went on a few days into the month, and it was also soon time for the boys to be wearing their coats out.

Max and Milo in their blue fleece coats

Interactive Ball Toy

Having learned my lesson about dodgy drop shippers last month I ordered from AliExpress when $wife found a fun looking toy in some Dachshund forum.

Max with the ‘mouse’ toy

It’s basically a robot mouse, a motorised rubber wheel with a semicircle frame attached to a string ‘tail’. Milo seems to be terrified of it, resulting in lots of noise and running away. Max on the other hand is very adept at catching it, then struts off to dismember his prize.

So far it’s been minutes of fun, and I forecast maybe a few more before it’s damaged to a point where it’s unsafe.

Bath

$daughter0 was starring in a university production of Crazy for You, which meant a flying visit to Bath (as we had to be back for a birthday party in London the following day). It’s a city that we always enjoy spending time in. We weren’t there long enough for dinner at Raphael, but we did manage to squeeze in some cocktails at Fidel Rum Bar :)

Mattress

We stayed at the Apex hotel in Bath, which is one of our regular haunts. $wife commented that the bed was very comfortable, contrasting to many complaints about our Tempur mattress at home. A quick search revealed that the mattress is a Simba ‘Apex’, and after some deliberation we ordered one that was delivered towards the end of the month. Early impressions are very good (in that it might just be worth the somewhat outrageous price).

John Bishop

Another comedian that we would have seen at The Fringe in Edinburgh, if they’d had dates and availability then. Instead we joined some friends for a matinee in Brighton, which was a lot of fun, and maybe worked better for logistics than an evening show.

Barcelona

Between various trade shows at Fira Gran Via, and passing through on the way to Andorra for skiing, BCN has been my most visited airport over the years. But $wife had never joined me there. That put Barcelona at the top of the list for a half term city break.

View from Montjuic over the marina

We stayed at the Occidental Barcelona 1929 as I’d been there before, and Place d’Espanya is somewhere that’s easy to get to. There wasn’t really a plan, though the walk along La Rambla that turned into a wander around the marina, then a cable car over to Montjuic and a meander through the gardens back down to the hotel couldn’t have been better. We then went to see Sagrada Família, and get some tapas.

Tapas at Vinitus

Wine

Chapel Down

I bought Chapel Down shares a few years back as I really like their wine, and shareholders get a discount. Shareholders also get invited to various events, but often I’m not able to make it along, especially stuff at their Tenterden HQ, which is a 90m drive.

This time was different though, a shareholder dinner and tasting that lined up with $wife being off work. We double dipped by booking a vineyard tour and tasting (another shareholder perk).

For anybody keeping score, that’s a LOT of wine tasting in a single day, not that I have any complaints[1].

Menu for Chapel Down ‘Winemaker Dinner’

The idea was that the menu had been constructed to go with the wines (rather than the usual pairing of wines to suit the food), and it worked really well. It was also good to meet other shareholders (we seemed to have a fun table) and some of the exec team.

Grape & Grain Japanese Lunch

This took the more traditional approach of pairing wine with the food; which worked really well.

Grape & Grain Japanese lunch menu

On the way home I commented that it was a good job that it had been lunch rather than dinner, as we’d been there for 4.5 hours :0

Solar Diary

The big news for this month is that I’m now on a tariff that pays me 15p/kWh for export, which is almost 3x the previous rate :)

188.5kWh generated in October

VR Stock

The Real Stock Pro that I ordered at the end of last month made its way over the Atlantic pretty swiftly and I’ve been able to do lots more clays practice with it on Clay Hunt VR.

I feel like I’m making good progress on improving my scores (and consistency) with virtual skeet, trap etc. Unfortunately I’ve not had the chance to see if it makes any difference to my real life shooting as the last few opportunities have collided with other stuff. It’s been a busy month :0

Note

[1] Some good planning also meant that there was only one wine duplicated across the two events :)


TL;DR

Supply-chain Levels for Software Artifacts (SLSA) attestations are a great way to show that you care about security, and they’re fairly trivial to add to delivery pipelines that produce a single binary or container image. But things get tricky with matrix jobs that build lots of things in parallel, as you then need to marshal all the metadata into the attestation stage, and there isn’t a straightforward way to do that. It can however be done by generating JSON artifacts alongside images, then munging those into a single document that feeds the attestation process.

Background

Some of the Continuous Delivery (CD) pipelines that I work on at Atsign have got complex. Multiple binaries, from multiple sources, for multiple architectures.

Since Arm runners became available I’ve refactored a bunch of workflows so that the Arm builds run on Arm runners, as they’re much faster than cross compiling with QEMU[1]. But that then means stitching multi-arch images together – more complexity.

I recently spent some time adding Cosign signatures to our images, and that prodded me to get SLSA in place everywhere too. But that meant taking on some complex workflows.

Digest Marshalling

The issue boils down to funnelling the correct image names and corresponding digests into the slsa-github-generator action. There are some good pointers in the documentation, but not quite a complete example for what I needed to do.

Can AI help?

A bit… Gemini got me pointed in the right direction (as it had likely been trained on the generator documentation, and perhaps also some code implementing it). What it didn’t give me was working code. It was trying to write to the same artifact from a matrix job, which works for the first one to finish, and then causes the rest to fail.

We need the image digests for signing anyway

So I can get my digest for cosign and for SLSA in the same step within my docker_combine job:

- name: Save digest to file and sign combined manifests
  id: save_digest
  run: |
    IMAGE="atsigncompany/${{ matrix.name }}:${{ env.TAG1 }}"
    IMAGE_DIGEST=$(docker buildx imagetools inspect ${IMAGE} \
      --format "{{json .Manifest}}" | jq -r .digest)
    # Create a JSON object for the image and digest
    echo "{\"name\": \"${IMAGE}\", \"digest\": \"${IMAGE_DIGEST}\"}" \
      > ${{ matrix.name }}_digest.json
    IMAGES="${IMAGE}@${IMAGE_DIGEST}"
    IMAGES+=" atsigncompany/${{ matrix.name }}:${{ env.TAG2 }}@${IMAGE_DIGEST}"
    cosign sign --yes ${IMAGES}

Then upload them as (uniquely named) artifacts

- name: Upload image digest file
  uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
  with:
    name: digests-${{ matrix.name }}
    path: ./${{ matrix.name }}_digest.json

Then aggregate the digests into a JSON document

This is slightly fiddly, as if I send the JSON straight to $GITHUB_OUTPUT the first line break will be treated as the end, and the rest of the JSON will be lost, so I need to follow the process for multiline strings.

aggregate_digests:
  runs-on: ubuntu-latest
  needs: [docker_combine]
  outputs:
    slsa_matrix: ${{ steps.create_matrix.outputs.matrix_json }}
  steps:
    - name: Download all-image-digests artifact
      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        pattern: digests-*
        path: ./digests
        merge-multiple: true
    - name: Combine digests into a single JSON array
      id: create_matrix
      run: |
        MATRIX_JSON=$(jq -s '.' ./digests/*_digest.json)
        {
          echo "matrix_json<<EOF"
          echo "${MATRIX_JSON}"
          echo "EOF"
        } >> "$GITHUB_OUTPUT"
        echo "::notice::Generated SLSA Matrix JSON: ${MATRIX_JSON}"

In better news Gemini did come up with the right jq expression :)
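As an added example (not part of the original post or the Atsign workflows), here is one way the aggregation step could validate the per-image files before they reach the attestation job, and write the multiline output with a random delimiter rather than a fixed `EOF`. The image names, digests and function names are constructed for illustration.

```python
import json
import re
import secrets
import tempfile
from pathlib import Path

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

def load_digests(directory):
    """Read every *_digest.json and return validated {name, digest} entries."""
    entries, seen = [], set()
    for path in sorted(Path(directory).glob("*_digest.json")):
        entry = json.loads(path.read_text())
        name, digest = entry.get("name"), entry.get("digest")
        if not isinstance(name, str) or not name or name in seen:
            raise ValueError(f"{path.name}: missing or duplicate name {name!r}")
        # `jq -r .digest` prints the string "null" when the field is absent,
        # so reject anything that is not a well-formed sha256 digest.
        if not isinstance(digest, str) or not DIGEST_RE.fullmatch(digest):
            raise ValueError(f"{path.name}: not a sha256 digest: {digest!r}")
        seen.add(name)
        entries.append({"name": name, "digest": digest})
    if not entries:
        raise ValueError("no *_digest.json files found")
    return entries

def format_output(key, entries):
    """Build the multiline $GITHUB_OUTPUT record with a random delimiter."""
    value = json.dumps(entries, indent=2)
    # A random delimiter cannot collide with a line of the value itself.
    delimiter = "ghadelimiter_" + secrets.token_hex(16)
    return f"{key}<<{delimiter}\n{value}\n{delimiter}\n"

def run_demo(second_digest="sha256:" + "b" * 64):
    """Aggregate two constructed digest files; names and digests are made up."""
    samples = {
        "example_a": {"name": "example/image-a:latest", "digest": "sha256:" + "a" * 64},
        "example_b": {"name": "example/image-b:latest", "digest": second_digest},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for stem, body in samples.items():
            Path(tmp, f"{stem}_digest.json").write_text(json.dumps(body))
        entries = load_digests(tmp)
    return entries, format_output("matrix_json", entries)

if __name__ == "__main__":
    print(run_demo()[1])
```

In a workflow the text returned by `format_output` would be appended to the file named by `$GITHUB_OUTPUT`; a validation error fails the job before any provenance is generated for a bad digest.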

And finally pass the JSON into the slsa-github-generator

The crucial bit here is creating a matrix ‘image_data’ from the JSON and then using the ‘name’ and ‘digest’ elements.

slsa_provenance:
  needs: [aggregate_digests]
  permissions:
    actions: read # for detecting the Github Actions environment.
    id-token: write # for creating OIDC tokens for signing.
    packages: write # for uploading attestations.
  strategy:
    matrix:
      image_data: ${{ fromJson(needs.aggregate_digests.outputs.slsa_matrix) }}
  uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
  with:
    image: ${{ matrix.image_data.name }}
    digest: ${{ matrix.image_data.digest }}

Have I missed a trick here?

Could this be done directly with step outputs from the matrix into the SLSA generator (and without squirting JSON into artifacts etc.)? If you have the wizardly incantations to do that I’d love to hear about them.

Note

1. Most of the stuff I’m working with is Dart based, and usually the slow bit (especially in QEMU) is ‘dart compile’. Since Dart can now do cross compilation it’s possible that I could refactor things once more, but I haven’t got around to that yet.


September 2025

01Oct25

Pupdate

Autumn is upon us, and it was a wet start to the month, but that hasn’t stopped the boys from being enthusiastic about their walks.

Miniature Dachshunds Max and Milo on a leafy woodland path

Clear scan

Milo had another scan at the start of the month, and once again it was clear :) That means we’re now on the longest stretch of remission since he got ill.

Octopus

We fell for a social media Dachshund group promotion (scam?) and ordered a toy on what I thought was Etsy, but was actually ‘Esty Express’ (spot the difference). It was £20.24 inc shipping. If I’d looked on Ali Express I’d have found the same thing for £2.94.

Milo was very happy with his new octopus toy :)

Milo ‘Destroyer of Toys’ didn’t have the squeaker out in under a minute. But once he got started, it was less than an hour before it had to be binned :(

Octopus toy with multiple holes and severed tentacle

South Lodge

We’d planned to spend our anniversary at Trading Boundaries for a T’Pau gig, but that got pushed back a few weeks. Plan B was a night at South Lodge along with dinner at The Pass.

Wine flight and tasting menu for The Pass

It was a beautiful place to spend a night, and the food (and wine) was tremendous. It’s definitely a place we’d both like to return to.

South Lodge from the grounds

Torres tasting

I’ve always loved the selection on offer at Grape & Grain, and it’s become a regular haunt since they started doing cafe style service where you can enjoy some amazing food and wine[1]. So when I got an email for a ‘Meet the Winemaker’ with Torres Chile head winemaker Eduardo Jordon I didn’t hesitate in booking tickets.

Torres tasting sheet (before my scribbly notes)

It’s maybe the best such event I’ve ever attended. A great selection of wines, generous samples, and of course some amazing commentary from Eduardo. There was also just a really fun vibe to the place :)

Marcus Brigstocke

I wanted to see Marcus’s ‘Vitruvian Mango’ show at Edinburgh Fringe last month, but (because we booked so late) tickets were already sold out. Luckily he’s touring around the country, and I was able to grab some tickets at The Old Market in Hove. That meant we were able to take $son0 along (who’s also a big Marcus fan), and we probably got twice as much material as he did 50m either side of the interval.

T’Pau

A few weeks later than originally planned, but still a great evening out, and they played a good selection of old hits and some newer material.

T’Pau on stage at Trading Boundaries

RC2014 Assembly

I’ve been a fan of Spencer Owen’s RC2014 kits since first meeting him at an OSHcamp workshop, so when he announced a community get together at The National Museum of Computing (TNMOC) of course I was going to go.

My lightning talk about TMS9995 on RC2014 (by Kian Ryan)

I did a lightning talk on my TMS9995 project, which led to some great conversations with other attendees. It was also great to hear from RomWBW creator Wayne Warthen.

In the past I’ve driven to Bletchley Park, which has always been a slog, as the M23/M25/M1 combo is never fun. This time I took the train, which was much better[2] :)

Solar Diary

A sunnier September than last year, but not as good as previous years :/

350.1 kWh generated in September

Clay Hunt VR

No ‘Beating Beat Saber’ this month, though with darker days coming I’m sure I’ll be back to VR workouts soon.

I gave Clay Hunt VR a quick try, and it’s very compelling (and a lot of fun). I’m sure enough that it will help my real world shooting that I’ve ordered a Real Stock Pro for more realistic practice, which should hopefully arrive in the next week or so.

Notes

[1] Especially since I discovered that their whole wine selection is available with fixed corkage, which means we’ve been enjoying some top notch English sparkling for the same price per glass as Prosecco in other places.
[2] I’ve normally not travelled alone in the past, which has skewed the economics. But I also fell victim to silly ticket pricing in the comparison. A (railcard discounted) ticket from Haywards Heath to Bletchley is £36.25, but it turns out separate tickets to St Pancras and then on from Euston are £26.85 :0