fidzu : debian

A while back, I came across the AI Fabric system created by Daniel Miessler. I liked its approach of providing command-line tools for filtering text using artificial idiocy services, allowing stepwise operations to be applied to a piece of text. The output of one operation can then serve as the input for another-in other words, Unix pipeline processing powered by large language models. I do no longer remember exactly how I discovered it, but suspect it was via Matthew Berman's video "How To Install Fabric - Open-Source AI Framework That Can Automate Your Life".

While the idea and concept behind AI Fabric appealed to me, its implementation has continued to rub me the wrong way. It started off as a Python project that I could only get running by downloading random programs from the internet using Poetry. I tried to assess how much work it would take to package all its missing dependencies for Debian. However, before I got very far, the project shifted away from Python and over to Go. This new implementation also relied on a build system that seemed to encourage users to run arbitrary code downloaded from the internet to get software working, and further moved to a language I do not master as well as Python. The change bothered me enough that I set my effort to set up a working command line LLM tool in Debian aside for several months.

By chance, I came across a simple Python recipe in January demonstrating how to communicate with a llama.cpp API server. I had already been working on packaging llama.cpp for Debian together with the rest of Debian's AI team, and was fortunate enough to own a working instance with a 24 GiB VRAM GPU from AMD, allowing me to run useful models. Until that point, I had only used the basic web client provided by the Debian package, lacking the spare time to explore what else could be done. Then, I found this simple 50 line Python script demonstrating how to interact with llama.cpp's OpenAI-compatible API. I decided to revive the AI Fabric concept, and implement the Unix pipeline filter tool with as few dependencies as possible. It is now operational and working very well, relying solely on standard Python features. The tool include a copy of the LLM recipes from the AI Fabric project (called "patterns"), enabling easy access to request summaries, translations, code review and other useful tasks. Several hundred patterns are included, though I have only tested about ten so far.

The LLM API server can be specified in ~/.config/hraesvelgr/config.ini like this:

[server]
url=https://some.llm.example.com:8080/v1/
model=Qwen/Qwen3.6-27B-FP8

With this configuration in place (you can also specify these values directly on the command line), you can specify a pattern and a file to process like this:

% bin/hraesvelgr --pattern explain_code bin/hraesvelgr
EXPLANATION:
This Python script is a client tool for interacting with an AI
service (likely a local LLM server) to process text using prompts
defined in the "AI Fabric" repository. It reads system and user
prompts from markdown files, sends them along with input text to a
chat completion API endpoint, and prints the generated response.

Key components:
1. It uses argparse for command-line argument parsing
2. The `send_chat_completion_request` function formats messages
   (system, user, query) into JSON and sends them via HTTP POST to
   an AI service endpoint
3. `read_file` function reads markdown files, replacing placeholders
   like {{lang_code}} with actual values from arguments
4. In main():
 - Parses command-line arguments for input file, API base URL,
   pattern type, language code, and debug flag
 - Ensures the base URL ends with a slash
 - Reads system prompt from data/patterns/{pattern}/system.md
 - Optionally reads user prompt from data/patterns/{pattern}/user.md
 - Reads input text either from stdin (when "-" is passed) or a file
 - Handles encoding fallback to ISO-8859-1 if UTF-8 fails
 - Sends the formatted request to the AI service and prints the response

The script assumes it's running in a directory containing a git
clone of https://github.com/danielmiessler/fabric/, which contains
the necessary prompt files.

This tool is designed to interface with local LLM servers that
support OpenAI-compatible chat completion APIs.
%

The list of available patterns can be viewed by running bin/hraesvelgr --list-patterns. I have found the summarize, translate, improve_writing, review_code, and explain_terms_and_conditions patterns particularly useful. For example using the latter combined with a text based web browser capable of dumping a page as plain text, can be done like this (originally formatted in markdown, I converted to HTML using pandoc for easier readability):

% w3m  -dump https://runbox.com/about/terms-service/ | \
  hraesvelgr --pattern explain_terms_and_conditions
Executive Summary

This is a transparent, privacy-focused contract from
a Norwegian provider that generally respects user data rights and
operates under strict EU/EEA standards. However, it carries
strict liability limitations and an aggressive
data-deletion policy upon cancellation. The vibe is "Professional &
Privacy-First," but you must manage your own backups and understand that
the company heavily shields itself from financial responsibility during
technical failures.
Key Takeaways

• 🛡 Your Data Stays Yours: Section 10.2 explicitly states Runbox will never use your transmitted or stored data for commercial purposes. This is a major privacy win.

[... trimmed output, as it is not the focus of this blog post ...]

If you sign:

1. 🔒 Set up automated backups immediately. Use IMAP sync to a local drive or a secondary email provider before storing any critical documents or emails. Do not rely on Runbox as your only archive.
2. 📅 Mark your calendar for the 30-day trial end date. Miss the payment window, and access closes instantly with no recovery period.
3. 💰 Monitor price changes at renewal. Since they can adjust fees anytime, check their pricing page a few days before your subscription renews to avoid unexpected charges.

NO FORCED ARBITRATION CLAUSE FOUND.
REFUND POLICY IS STRICTLY CONDITIONAL (see Sections 4.2-4.5).

As you might have already noticed, I name my project after the Norse God of Wind. I found a nice description of the origin of the name on Wikipedia:

In Vafþrúðnismál (The Lay of Vafþrúðnir), Odin questions the wise jötunn Vafþrúðnir about the origin of the wind, and the jötunn answers:

He is called Hræsvelg,
who sits at heaven's end,
a giant, in the shape of an eagle;
from his wings
they say the wind comes over all people.

(translated by John Lindow in Norse Mythology: A Guide to Gods, Heroes, Rituals, and Beliefs 2002)

The latest version of the code can be found at https://codeberg.org/pere/hraesvelgr/. Perhaps you will find it as useful as I did?

As usual, if you use Bitcoin and wish to show your support of my activities, please send Bitcoin donations to my address 15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.

23 May 2026 9:15pm GMT

Background

I'm a member of the EFI team in Debian, and I've done much of the work for Debian to support UEFI Secure Boot (SB) in recent years. We have included that support for a number of releases now, starting back with Debian 10 (aka Buster).

I'm also a long-time accredited member of the shim-review team, the group that checks and approves shim binaries before Microsoft will sign them.

See the Debian wiki for lots of background details about Secure Boot and how we do things in Debian.

Secure Boot depends on signatures, which are verified during boot using a chain of X.509 certificates. The root certificate(s) in the chain are embedded in computer firmware, then later software such as shim can add more certificates to extend the trust. Easy, right?

The problem - certificates expire...

Microsoft administer the most widespread Secure Boot root certificates, and have been doing so since the very beginning of UEFI Secure Boot as a concept. The Microsoft UEFI CA certificates are included in just about every x86 and x86-64 computer shipped, and also in quite a lot of arm64 machines too.

(The fact that Microsoft is therefore a gatekeeper for Linux running under Secure Boot on most machines is very unpopular in some quarters, but this is just a fact of life in the world we live in. None of the following will affect you if you're using Secure Boot with your own keys only.)

The current certificates have been around since 2011:

1. Windows Production PCA 2011 (used for signing Windows components)

  Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
  Validity
    Not Before: Oct 19 18:41:42 2011 GMT
    Not After : Oct 19 18:51:42 2026 GMT

This expires in October this year, ~5 months from now.

2. Third Party Marketplace Root (used for signing option ROMs and other software)

  Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
  Validity
    Not Before: Jun 27 21:22:45 2011 GMT
    Not After : Jun 27 21:32:45 2026 GMT

For Linux folks, this second certificate is more interesting - it is the root of the certificate chain that Microsoft use when signing shim for Linux distributions

This CA expires 5 weeks from today.

OMG!!! Will all my existing Secure Boot machines stop booting?

Almost definitely not, no.

The specification for UEFI Secure Boot expects that valid dates on certificates should not be enforced for signatures here. All that matters here is the signatures themselves. Modulo buggy firmware, existing signed binaries should continue just fine.

New CAs to be aware of

Microsoft have published three new CAs:

1. A new CA used for signing device option ROMs

  Subject: C=US, O=Microsoft Corporation, CN=Microsoft Option ROM UEFI CA 2023
  Validity
    Not Before: Oct 26 19:02:20 2023 GMT
    Not After : Oct 26 19:12:20 2038 GMT

2. A new CA used for signing Windows components

  Subject: C=US, O=Microsoft Corporation, CN=Windows UEFI CA 2023
  Validity
    Not Before: Jun 13 18:58:29 2023 GMT
    Not After : Jun 13 19:08:29 2035 GMT

3. A new CA used for signing other software (e.g. shim)

  Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
  Validity
    Not Before: Jun 13 19:21:47 2023 GMT
    Not After : Jun 13 19:31:47 2038 GMT

New machines and updated older machines will most likely have all of these new CAs installed. New machines are already shipping that only include the new CAs; they will not trust older software and this has already started causing problems for some users.

Isn't this is all a bit short notice?

Yes it is. :-(

A common rule of thumb when deploying CA certificates is to start the process of replacement ("rollover") when a certificate reaches half of its lifetime. Unfortunately, Microsoft have done this very late. They generated new keys in 2023, but didn't start signing shim and other third-party software with the UEFI CA until October 2025.

If I'm a distro developer, what should I do?

If you already have an old shim signed by Microsoft for your distribution from before October 2025, then it will only be signed using the older CA that expires soon. On newer machines, your users will already not be able to boot your distro with Secure Boot enabled.

If you want your users to be able to use Secure Boot in future, you will need to get a new shim build submitted, reviewed and signed using the new CA. However, that signed build will not work on older machines unless they have had the new CAs installed. This is also likely to cause problems for some users. You should encourage your users to update their systems NOW before things break for them.

There is an interim solution which will work, but only if you're quick! Microsoft are currently returning shim binaries signed using both the old CA and the new CA. More specifically, for every binary that is submitted they will return two: one signed with each CA. If you use these directly, you'll need to plan to publish:

• 2 signed shim binaries
• 2 installers
• 2 sets of live/installer images
• etc.

and explain to your users how they'll need to pick one. Good luck with that!

However, it is possible to extract signatures from those signed shim binaries and attach them all onto one shim, giving you the Holy Grail here - a single shim that will boot on the vast majority of machines. Indeed, this is what I'm planning on doing in Debian. So-called "dual-signed" shims may provoke issues with buggy firmware, so be aware that you may have to deal with this too. But take heart: early testing by various distro folks with a dual-signed Fedora shim did not show any problems.

You have 5 weeks and counting...

Microsoft have promised to continue signing with the old CA as long as possible, right up to the last day. They understand how awkward things are going to be otherwise, and are trying to help here as much as possible.

In the shim-review team, we have been expecting to see a surge of shim submissions before the old CA expires, to make the most of the "Holy Grail" dual-signed shims described above. But we've been really surprised that this has not been happening.

So, this blog is a wake-up call for people doing Secure Boot with shim. Even if you're not going to be ready to ship a new shim binary to your users, you should really try to get a new build prepared and signed NOW so that you have it available to tide you over through the coming CA transition. Don't leave it too late.

If you're not sure what to do, ask me and the other shim-review folks. We're happy to give advice. But don't delay.

You have 5 weeks and counting.

How to make a dual-signed shim binary

Microsoft only ship binaries with a single signature included. To make things work, extract those signatures using sbattach --detach (from the sbsigntools source package, available in most distributions. Then apply those signatures one at a time to your shim binary, using sbattach --attach. Simple, really. There's one strong recommendation here: order the signatures on your shim oldest first - that way, old buggy firmware implementations that potentially don't look for more than one signature will find the old signature first.

pesign can also handle moving signatures around, but I chose sbsigntools when doing this work myself.

If you're looking to see how others handle multiple signed shim binaries, feel free to look at the Debian shim-signed package for examples. The repo is https://salsa.debian.org/efi-team/shim-signed.git.

References

• Microsoft ship all their CA certificates and binaries you can use to update computers at https://github.com/microsoft/secureboot_objects
• The Debian wiki has a lot more information about UEFI and Secure Boot already, and I'm going to be adding more user-focused documentation about the CA rollover at SecureBoot/CAChanges shortly.

I'll add more links here in the coming weeks.

21 May 2026 11:43pm GMT

Another very minor update, now at 0.3.15, for our nanotime package is now on CRAN, and has been built for r2u and Debian. nanotime relies on the RcppCCTZ package (as well as the RcppDate package for additional C++ operations) and offers efficient high(er) resolution time parsing and formatting up to nanosecond resolution, using the bit64 package for the actual integer64 arithmetic. Initially implemented using the S3 system, it has benefitted greatly from a rigorous refactoring by Leonardo who not only rejigged nanotime internals in S4 but also added new S4 types for periods, intervals and durations.

This release adjusts the package for the maybe overly hasty switch R 4.6.0 has undertaken with respect to using C++20 as a default C++ compilation standard. I am of course largely in favour of such a switch to more modern C++. But I am also cognizant of the fact that not all compilers and machines are ready. And just as I have already seen one other package fail to compile on a particular CRAN system (!!) under C++20, this package all of a sudden, and only on that same system, started to throw two (harmless) compiler warnings. We could call these erroneous as newer versions of the same compiler do not throw them but it does not matter. The decision to default to C++20 has been made, and now we live with it. But maybe some hardware platforms should be moved behind the barn. Either way, this release both adds an explicit cast to two lines that may not really need it (but this will not hurt) and also dials the compilation standard down to C++17 on one particular platform. So once again there are no user-facing changes, or behavioural changes or enhancements, in this release.

The NEWS snippet below has the fuller details.

Changes in version 0.3.15 (2026-05-21)

• Add extra const_cast as one CRAN machine with more ancient setup whines otherwise and is obviously less C++20 ready than it thinks

• tools/configure also checks where this is being built and 'as needed' downgrades the compilation to C++17

Thanks to my CRANberries, there is a diffstat report for this release. More details and examples are at the nanotime page; code, issue tickets etc at the GitHub repository - and all documentation is provided at the nanotime documentation site.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can now sponsor me at GitHub. You can also sponsor my Tour de Shore 2026 ride in support of the Maywood Fine Arts Center.

21 May 2026 1:57pm GMT