fidzu : debian

On 25th Oct 2025, I announced via my personal blog and on Mastodon that Fre(i)e Software GmbH was hiring. The hiring process was a mix of asking developers I know and waiting for new people to apply.

At the beginning of November 2025 / in mid November 2025, we started with 13 developers (all part-time) to work on various topics around Lomiri (upstream and downstream). Note that the below achievements don't document the overall activity in the Lomiri project, but that part that our team at Fre(i)e Software GmbH contributed to.

Organizational Achievements

• Setup management board for Qt6 migration in Lomiri [1]
• Setup management board for salsa2ubports package syncing [2]
• Bootstrap Qt 6.8 in UBports APT repository
• Bootstrap Qt 6.8 in Lomiri PPA
• Fix Salsa CI for all Lomiri-related Debian packages
• Facilitate contributor's project around XDG Desktop Portal support for Lomiri.
• Plan how to bring DeltaTouch and DeltaChat core to Debian

Maintenance Development

• Replace libofono-qt by libqofono in telepathy-ofono
• Rework unit tests in telepathy-ofono utilizing ofone-phonesim
• Obsolete not-used-anymore u1db-qt
• Fixing wrong bin:pkg names regarding snapd-glib's QML module

Qt6 Porting

• qmake -> CMake porting (if needed) and Qt6 porting of shared libraries and QML modules consumed by Lomiri shell and Lomiri apps:
  • biometryd
  • libqofono
  • libqofonoext
  • libqtdbusmock
  • lomiri-account-polld
  • lomiri-action-api
  • lomiri-api
  • lomiri-download-manager
  • lomiri-location-service
  • lomiri-online-accounts
  • lomiri-push-qml
  • lomiri-push-service
  • maliit-framework
  • mediascanner2
  • qtlomiri-appmenutheme
  • qtpim (started, work in progress)
  • qwebdavlib
  • signond (flaws spotted in Debian's porting of signond to Qt6)

Feature Development

• Continuing with Morph Browser Qt6 / LUITK
  • Build, run and fix LUITK unit tests for Qt6
  • various bug fixes and improvements for Morph Qt6
• Add mbim modem support to ofono upstream
• Improve ofono support in Network Manager
• Improve mbim modem support in lomiri-indicator-network
• Package kazv (convergent Matrix client) and dependencies for Debian
• Provide Lomiri images for Mobian

Research

• Research on fuse-based caching Webdav client for lomiri-cloudsync-app.
• Research on alternative ORM instead of QDjango in libusermetrics

[1] https://gitlab.com/groups/ubports/development/-/boards/9895029?label_name%5B%5D=Topic%3A%20Qt%206
[2] https://gitlab.com/groups/ubports/development/-/boards/10037876?label_name[]=Topic%3A%20salsa2ubports%20DEB%20syncing

12 Mar 2026 8:59am GMT

Now that ECH is standardized I started to look into it to understand what's coming. While generally desirable to not leak the SNI information, I'm not sure if it will ever make it to the masses of (web)servers outside of big CDNs.

Beside of the extension of the TLS protocol to have an inner and outer ClientHello, you also need (frequent) updates to your HTTPS/SVCB DNS records. The idea is to rotate the key quickly, the OpenSSL APIs document talks about hourly rotation. Which means you've to have encrypted DNS in place (I guess these days DNSoverHTTPS is the most common case), and you need to be able to distribute the private key between all involved hosts + update DNS records in time. In addition to that you can also use a "shared mode" where you handle the outer ClientHello (the one using the public key from DNS) centrally and the inner ClientHello on your backend servers. I'm not yet sure if that makes it easier or even harder to get it right.

That all makes sense, and is feasible for setups like those at Cloudflare where the common case is that they provide you NS servers for your domain, and terminate your HTTPS connections. But for the average webserver setup I guess we will not see a huge adoption rate. Or we soon see something like a Caddy webserver on steroids which integrates a DNS server for DoT with not only automatic certificate renewal build in, but also automatic ECHConfig updates.

If you want to read up yourself here are my starting points:

RFC 9849 TLS Encrypted Client Hello

RFC 9848 Bootstrapping TLS Encrypted ClientHello with DNS Service Bindings

RFC 9934 Privacy-Enhanced Mail (PEM) File Format for Encrypted ClientHello (ECH)

OpenSSL 4.0 ECH APIs

Cloudflare Good-bye ESNI, hello ECH!

If you're looking for a test endpoint, I see one hosted by Cloudflare:

$ dig +short IN HTTPS cloudflare-ech.com
1 . alpn="h3,h2" ipv4hint=104.18.10.118,104.18.11.118 ech=AEX+DQBBFQAgACDBFqmr34YRf/8Ymf+N5ZJCtNkLm3qnjylCCLZc8rUZcwAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA= ipv6hint=2606:4700::6812:a76,2606:4700::6812:b76

11 Mar 2026 3:42pm GMT

Another maintenance release of our RcppDE package arrived at CRAN, and has been built for r2u. RcppDE is a "port" of DEoptim, a package for derivative-free optimisation using differential evolution, from plain C to C++. By using RcppArmadillo the code became a lot shorter and more legible. Our other main contribution is to leverage some of the excellence we get for free from using Rcpp, in particular the ability to optimise user-supplied compiled objective functions which can make things a lot faster than repeatedly evaluating interpreted objective functions as DEoptim does (and which, in fairness, most other optimisers do too). The gains can be quite substantial.

This release is again maintenance. We aid Rcpp in the transition away from calling Rf_error() by relying in Rcpp::stop() which has better behaviour and unwinding when errors or exceptions are encountered. We also overhauled the references in the vignette, added an Armadillo version getter and made the regular updates to continuous integration.

Courtesy of my CRANberries, there is also a diffstat report. More detailed information is on the RcppDE page, or the repository.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can sponsor me at GitHub.

11 Mar 2026 2:24pm GMT