10 interesting stories served every morning and every evening.

Swipe left to beginPress right arrow to begin

Blocked

old.reddit.com

658 shares · 37 trendiness

whoa there, pardner!

Your request has been blocked due to a network policy.

Try logging in or creating an account here to get back to browsing.

If you’re running a script or application, please register or sign in with your developer credentials here. Additionally make sure your User-Agent is not empty and is something unique and descriptive and try again. if you’re supplying an alternate User-Agent string, try changing back to default as that can sometimes result in a block.

You can read Reddit’s Terms of Service here.

If you think that we’ve incorrectly blocked you or you would like to discuss easier ways to get the data you want, please ﬁle a ticket here.

When contacting us, please include your Reddit account along with the following code:

019eea62 – 7613-7ff7-a698 – 85c31e074bc3

Read more Read the original on old.reddit.com →

Read the original on old.reddit.com →

Beyond All Reason ★ RTS

www.beyondallreason.info

459 shares · 23 trendiness

Real-Time Strategy

Redeﬁned

Every unit, projectile and explosion simulated in real-time

Unmatched

Scale & realism

All units and projectiles are simulated in real-time. The game offers fully simulated projectile ballistics, explosion physics and terrain deformation.

Enjoy an immersive RTS experience, whether you are commanding individual units, or armies of thousands. Take control as you engage in an epic struggle for domination!

ScreenshotsGameplay

Strategic

Importance of terrain

The shape of every battleﬁeld in-game imposes which strategies work and which units are effective. No two maps will play the same. Radar cannot penetrate mountains and nuclear warfare will physically alter the terrain.

Utilize over 10 different unit classes, including all-terrain Experimental units, to work your way to victory.

Learn how to Play

Countless

World-class controls

Your power lies in the careful balance of exponentially growing your resource income and the production of devastating war machines.

You decide if you want to disarm your enemies with a few precise early strikes or to build a thousand bombers and obliterate them.

Immerse yourself in a violent world where tactical and strategical supremacy are needed in your ﬁght towards victory.

Commands Overview

Relentless game design

Unique and with a purpose

Each and every unit in the game has a role to ﬁll. Mix-and-match units to create inﬁnite possible tactics. Experiment with your own combinations and show off the new strategies you develop in battle.

‍

Compare Units

Read more Read the original on www.beyondallreason.info →

Read the original on www.beyondallreason.info →

Google hits 50% IPv6 | APNIC Blog

blog.apnic.net

388 shares · 16 trendiness

You may have seen headlines noting that Google’s measurements have shown IPv6 reaching 50% for the ﬁrst time. These measurements are based on Google’s continuous monitoring of the availability of IPv6 connectivity among its users, and reﬂect the proportion of users who access Google services over IPv6. Reaching the 50% mark is a significant milestone, demonstrating that IPv6 is a mature, fully capable protocol that is being deployed at a global scale and used effectively in real-world networks.

The shape of IPv6 adoption isn’t evenly distributed

The global uptake of IPv6 follows a complex and varied path that isn’t apparent in a single, aggregated trend line. Google does not publish per‑region IPv6 statistics, and its per‑economy data is limited to overall totals, so these nuances are hard to see in Google’s ﬁgures alone. To understand how adoption really unfolds, it’s more instructive to look at the APNIC Labs data. Individual economies such as India, Viet Nam, and Saudi Arabia exhibit adoption curves that differ markedly from the global average. As the APNIC Labs data shows, this global trend does not necessarily reﬂect the experience of individual economies.

APNIC’s own measurement records a 42% worldwide IPv6 capability (Figure 2). That’s a substantial difference, which also needs clarifying.

Measurement differences

APNIC’s measurement program is run by APNIC Labs and uses online advertising distributed through Google Ads, which appear in end users’ web browsers, games, and apps wherever Google advertisements are placed. APNIC does not select speciﬁc users and seeks the broadest possible exposure in every economy, 24/7. Normal advertising tracking systems are used with APNIC Labs logic, which ensures a unique set of tests are run, measuring IP, BGP routing and DNS, amongst other technology choices. No end-user Personally Identiﬁable Information (PII) data is held, and raw measurements are never shared, only collations at the ISP, economy and region level.

This work is carried out with the assistance of Google Research, ICANN, and others who help fund and support the activity. Given this close involvement, it’s natural to ask why APNIC’s measurement results don’t always align with Google’s own published statistics. If Google is used to conduct the research, how can the results differ?

APNIC’s measurement approach applies statistical weighting to the collected data and uses external sources, such as World Bank statistics, to model Internet usage by economy. This is necessary because the number of measurement samples APNIC Labs receives each day is not uniform. Advertising placements are optimized by Google to maximize delivery and revenue, which means that, on any given day, more advertisements, and therefore more measurement samples, may be shown in certain economies than others. For example, if advertising demand is higher in North African economies such as Egypt or Tunisia on a particular day, more measurements will be collected there, while fewer may be gathered from South America or Asia.

As a result, the raw sample counts cannot simply be aggregated to calculate global IPv6 capability. Instead, APNIC Labs aggregates the measured IPv6 capability for each economy and then weights it according to that economy’s estimated Internet user population.

In practice, this means that large Internet populations, such as those in India, China, Indonesia, and other major economies, contribute proportionally more to the global result than smaller economies, even if the raw sample volumes on a given day might suggest otherwise. This weighting ensures that the ﬁnal measurements reﬂect global Internet usage more accurately, rather than daily advertising distribution patterns.

At the level of individual economies, APNIC Labs’ measurements generally align with the totals published by Google and with data from Cloudﬂare, Akamai, Cisco, and others. This suggests that the underlying measurements are comparable and that the larger differences observed at the global level are likely due to differences between APNIC’s weighting model. This may be why we see the large variances between the two measurements.

In practice, APNIC’s measurements tend to be lower than Google’s. As a result, it’s useful to view the two data sets together, as they effectively bracket the likely range of actual IPv6 capability at any given point in time.

Is IPv6 adoption progressing as expected?

Some point to the long path toward a 50% adoption milestone as evidence of a systemic failure in IPv6. Nothing could be further from the truth. Deploying IPv6 has required substantial technical effort and significant capital investment. It’s therefore entirely expected that progress has varied across regions and economies, as individual ISPs and economies make their own decisions about how best to balance network growth, user expectations, and the practical realities of operating Internet infrastructure.

The global Internet is not a ‘command economy‘, it evolves through collaboration and cooperation within market-driven conditions. Many providers made substantial capital investments in IPv4 in earlier periods and have naturally sought to maximize the return on those investments. In doing so, they built sustainable and commercially viable IPv4-based networks within their existing footprints.

By contrast, for newer market entrants, it has often been more rational to adopt IPv6 as the primary protocol, as it can demonstrably reduce the total cost of ownership. This pattern is particularly evident in the mobile sector, most notably in large-scale IPv6 deployments such as Reliance Jio’s network in India.

Is the global Internet functioning in a ‘two‑protocol world’?

Yes, but it could be simpler.

Certainly, it would be easier logistically to run a global internet under a single protocol. However, that is not the environment we have ended up with. Instead, the Internet today operates across a mix of direct IPv4 connectivity, IPv4 mediated through Network Address Translation (NAT), either in home networks or at the carrier level via Carrier‑Grade NAT (CGNAT), and IPv6.

Managing address translation through NAT is not materially less complex than alternatives such as protocol translation, IPv4 encapsulation over IPv6, or other transition and proxy mechanisms. As a result, claims that ‘IPv4 is working ﬁne’ often overlook the underlying reality: Modern IPv4 networks already rely on layers of operational complexity, and there is no inherently lower‑cost or simpler approach available within IPv4 alone.

From the outset, it was understood that the lack of direct interoperability between IPv4 and IPv6 would be a challenge that needed to be addressed. Early efforts explored the idea of protocols that could subsume IPv4 unchanged and enable direct connectivity across both worlds, but these approaches did not prove viable.

Instead, interoperability has emerged at higher layers, with transport protocols such as TCP, UDP, and QUIC operating independently of the underlying IP version. This model necessarily relies on some form of intermediary. This is visible in the way large content and caching providers, such as Cloudﬂare, are able to offer dual‑stack services regardless of whether the backend systems themselves support both protocols.

The absence of native dual‑stack capability at some services, for example, certain Git platforms or national television broadcasters, is often perceived as a major barrier to IPv6 progress. However, this may reﬂect pragmatic constraints, such as operational complexity, or, in the case of national broadcasters, legal and regulatory requirements around data access and geolocation, rather than resistance.

Let’s recognize the 50% milestone, even as the journey continues

Whatever one’s view on the decision to introduce a second addressing and protocol model beneath today’s Internet services, the reality is clear: IPv6 is now deployed on a global scale. Around half of the Internet users visible to Google already reach its services over IPv6. IPv6 is used every day, every hour, across developed and developing economies alike, on ﬁxed and mobile networks, on small personal devices, and within vast data‑centre‑backed services. It is no longer experimental or marginal; it is part of the Internet’s day‑to‑day operation.

That achievement reﬂects the collective effort of those working to build, operate, and grow the Internet worldwide, and it is something worth recognizing and taking pride in.

The views expressed by the authors of this blog are their own and do not necessarily reﬂect the views of APNIC. Please note a Code of Conduct applies to this blog.

Read more Read the original on blog.apnic.net →

Read the original on blog.apnic.net →

Did my old job only exist because of fraud? – It's not about code

david.newgas.net

371 shares · 49 trendiness

Early in my software engineering career, the UK-based startup I worked at, GenieDB, was taken over by a US Venture Capital fund, Frost VP, owned by Stuart Frost. I was functionally the only piece that came to the US. The code was rebuilt, the rest of the team eventually rotated out, even the core strategy was replaced. But I was early in my career and excited to be working in the VC tech-startup world. I ended up making my life in the US, so this was a pretty pivotal phase in my life.

For a while I lived the start-up life: building rapidly and playing Foosball1. GenieDB actively rejected revenue opportunities (a la Silicon Valley) with the aim of getting acquired for pioneering technology. We limped along for years with never more than 3 customers, even when big-tech and eventually open-source did what we tried to do better than us. I left with mixed feelings and eventually came to realize we never had the serious footing it would have taken to actually develop significant technology.

A decade later I heard from a former colleague that Frost was being sued by the SEC for fraud. Still not sure what to make of my time at GenieDB, I was curious enough to skim the complaint, where I saw this line:

Was GenieDB involved in this fraud somehow? I chewed on this question and it evolved to a form that began to haunt me:

Did my old job — the one that brought me to the USA and changed the course of my entire life — only exist because of fraud?

With this burning question I dove into the record of the case. The alleged fraud was simple: Frost VP operated as an incubator, providing services to the portfolio companies, and the investors say these fees charged were excessive.

The case went to binding arbitration2 and the investors won, after which the SEC sued to bar Frost from managing funds in the future. There’s some great elements like claiming a personal chef and cleaner as expenses, telling investors no salary would be paid by the fees (it was) and starting a marketing company just to sponsor someone’s visa.

But what about GenieDB? Both the arbitration and SEC suit elaborate on this idea of creating companies just to charge them fees:

This allegation was never litigated though, neither court nor arbitrator were kind enough to rule on why GenieDB was in the portfolio. I had to dive into the evidence and decide for myself. First of all, my old CEO testiﬁed that GenieDB was paying excessive fees:

I was only really shaken when I saw what the insiders at the VC fund saying to each other:

To me, this email shows that the investments were motivated by the fees3 and GenieDB was being used to siphon investor money away. I felt like an ant. My career, my family, my citizenship all would be completely different except for this fraud. This story plays out between investors, multi-millionaire VCs, judges, and my entire life isn’t even a footnote.

I took a deep breath. GenieDB did have a concept at the core, which pre-dated Frost turning his eyes on us. A concept which turned out to be quite useful when more serious players took it on. My colleagues and I were really trying to build it, even if the fund manager was eating up our runway with spurious fees for his personal gain. I wasn’t just some instrument of fraud working on nothing.

Besides, turbulence from chance events, lighthearted decisions and even crime alters the course of every life. Stories of chance meetings of a spouse are dime-a-dozen. I just looked in my wake and was surprised by a dark current.

Amusingly Foosball ability reﬂected the corporate hierarchy. Stuart Frost was hands down the best. His second in command a close second, and GenieDB’s CEO could beat any of us programmers. ↩︎

In fact Frost actually initiated the arbitration because he alleged the investors were conspiring against him. The counterclaim laid out the fraud. ↩︎

“With Genie coming out” here is referring to GenieDB dissolving and not paying fees to the incubator any more. GenieDB isn’t one of the companies they are proposing here. ↩︎

Read more Read the original on david.newgas.net →

Read the original on david.newgas.net →

Fully Open Foundation Model for Sovereign AI

apertvs.ai

287 shares · 35 trendiness

Developed by the Swiss AI Initiative as a collaborative effort between EPFL, ETH Zurich, and CSCS. Open weights, open data, open science.

Fully Open

Training data, code, weights, methods, and alignment principles — all documented and reproducible. Apertus is to AI as Open is to Source.

Compliant at Scale

Built to meet EU AI Act requirements: the model respects opt-outs, removes PII, prevents memorization. A global foundation to build on.

Run for Performance

Competitive with top open models at an equivalent scale of 8B and 70B parameters. Multilingual from day one — trained on 1000+ languages.

Swisscom is a Strategic Partner of the Swiss AI Initiative.

Stay Updated

Our newsletter will keep you on top of Apertus releases, our team’s research, and community news.

Read more Read the original on apertvs.ai →

Read the original on apertvs.ai →

HPV jabs cut risk of dying from cervical cancer before 30 to almost zero

www.theguardian.com

228 shares · 25 trendiness

Women who received an HPV vaccine in early adolescence have virtually zero risk of dying from cervical cancer before the age of 30, according to a groundbreaking study, but falling vaccination rates could see a rise in avoidable deaths.

Cervical cancer is the fourth most common cancer in women, according to the World Health Organization, and high-risk human papillomaviruses (HPV) cause 99% of cases. About 3,300 women in England are diagnosed with the disease every year.

While the HPV vaccine prevents about 90% of cervical cancers, until now the impact on survival has been unknown. In new analysis, researchers from Queen Mary University of London (QMUL) used ofﬁcial cancer mortality and vaccination data for women aged 20 to 34 to calculate the impact of vaccination on cervical cancer survival.

While the study, funded by Cancer Research UK and published in the Lancet, saw little change in cervical cancer mortality in those who were never offered HPV vaccination, there were substantial falls in those who were offered vaccination after the HPV jab was introduced in 2008.

The impact on mortality has been so great that the authors estimate that the likelihood of girls who are inoculated when they are 12 or 13 dying from cervical cancer before the age of 30 is almost zero. For vaccinated women aged 30 – 34, the relative risk of death from the disease is 63% lower.

And for the ﬁrst time in recorded history, no women aged 20 to 24 died from cervical cancer in England between 2020 and 2024. In all, the HPV vaccine has saved hundreds of lives, the authors conclude.

Peter Sasieni, professor of cancer epidemiology at QMUL and lead author of the study, said: “We estimate that since its introduction, HPV vaccination has prevented nearly 200 young women from dying from cervical cancer in England.”

The jab, which also protects against certain cancers of the anus, penis, vagina, vulva, mouth and throat, as well as genital warts, is given to girls and boys in year 8, with catchup vaccinations offered in some areas in years 9 and 10.

WHO’s global strategy on cervical cancer states that by 2030, all countries should vaccinate 90% of girls with the HPV vaccine by the age of 15, screen 70% of women and treat 90% of those with cervical disease.

Until the pandemic, vaccination rates were close to WHO’s target, but have fallen significantly since then.

“With close to 90% HPV vaccine uptake in women born between 1995 and 2004, we expect to see thousands of cervical cancer deaths prevented in those women over the coming years,” said Sasieni.

“HPV vaccination combined with cervical screening could reduce cervical cancer rates to the point where almost no one develops it.”

But he said deaths and cases could rise again because of fewer teenagers getting vaccinated.

“The falling HPV vaccine uptake — now just 75% nationally and 60% in London — means that without swift and concerted efforts to increase HPV vaccine uptake, we could see a reversal of these trends.

“There could be another 15 – 25 avoidable deaths each year in young women and eventually about 200 deaths from cervical cancer each year that could be prevented if we can increase vaccine uptake to pre-Covid levels.”

Michelle Mitchell, chief executive of Cancer Research UK, said: “It’s essential that the UK government and health systems urgently address this with targeted action to reach communities where uptake is the lowest.”

Helen Hyndman, lead nurse at gynaecological cancer charity The Eve Appeal, said cervical cancer will not be eliminated unless vaccination and screening rates improve and those who need it get timely treatment.

“We need urgent action — we are lagging behind on our plans to eliminate cervical cancer by 2024 and at our current rate it will be 2050 before this is achieved.”

Dr Alison Wright, president of the Royal College of Obstetricians and Gynaecologists, said the “exciting and powerful data” showed the vaccine’s use could see “fewer women with a cervical cancer diagnosis, and fewer lives lost to a largely preventable disease”.

While improved access to vaccines through local community pharmacies for those who missed school vaccinations was welcome, further progress now depends on encouraging vaccine uptake at all levels, raising awareness of the vaccination programme, and ensuring that everyone who is eligible can get timely, equitable access, she added.

Caroline Temmink, the NHS Director of Vaccination, said: “This hugely encouraging news shows the life-saving impact of the HPV vaccine and it’s incredibly exciting to be able to say to this whole generation, cervical cancer and some other cancers shouldn’t be a risk for you.

“Alongside cervical screening, HPV vaccination is central to the NHS ambition to eliminate cervical cancer by 2040. It’s a safe and effective vaccine and we urge everyone eligible to take up the offer when invited.”

A Department of Health and Social Care spokesperson said: “We are boosting vaccine uptake so that more young people beneﬁt from this life-saving protection — including rolling out catchup HPV vaccination campaigns via community pharmacies, and making it easier to access cervical screening. HPV self-testing kits are now being sent to those who do not come forward for screening, to ensure we catch more cancers at their earliest, most treatable stages.”

Read more Read the original on www.theguardian.com →

Read the original on www.theguardian.com →

Running microVMs in Proxmox VE, The Easy Way

taoofmac.com

218 shares · 10 trendiness

Jun 18th 2026 · 15 min read · #containers #homelab #kvm #microvm #proxmox #qemu #virtualization

I’ve been running a mixed Proxmox cluster for years — four nodes of wildly different capability, from an Atom x5-Z8350 with 2 GB of RAM (a z83ii, currently ofﬂine after years of faithful service as a baseline torture device) up to an i7 – 12700 with 128 GB (borg, my main homelab server).

This year, somewhere along the way between writing agentbox and all the hype around agentic sandboxes I got tired of the eternal compromise between LXC containers and full virtual machines, and ended up building pve-microvm — a Debian package that adds QEMU’s microvm machine type as a ﬁrst-class managed guest in Proxmox VE.

This isn’t a quick hack. Well, the ﬁrst version was, actually, but it’s gone quite a bit farther than that, and certainly farther than I expected.

It now ships a custom kernel, patches the Perl internals to provide Proxmox web UI integration, and, due to my usual fascination with offbeat operating systems, ended up supporting (as of this writing) 21 guest OS types from Debian to NetBSD to Plan9.

Yes, I completely brought it upon myself to run Plan9 in a microVM, and yes, it works.

Finding the Right Balance

After a few rounds of cluster cleanups and migrations, it’s now my daily driver for running Gitea, Caddy reverse proxies, mini-ﬁrewalls, and the AI agent that’s helping me clean up this post.

Proxmox gives you two main options out of the box:

LXC containers start instantly, share the host kernel, and are spectacularly efﬁcient. But they’re not isolated — a kernel exploit in one container compromises everything. You can’t run a different OS. You can’t easily nest Docker inside them without ending up (eventually) wrestling with fuse-overlayfs gymnastics. And certain workloads (anything needing custom kernel modules, or CAP_SYS_ADMIN in anger) simply don’t ﬁt.

Full VMs give you hardware isolation via KVM/VT-x, but they boot SeaBIOS or OVMF, sedately walk through GRUB as they yawn their way out of bed, probe a forest of emulated legacy devices (IDE controllers, VGA, USB hubs, PCI bridges), and typically take 5 – 10 seconds to reach a login prompt. Each one carries the overhead of that entire emulated chipset sitting in memory.

What I wanted was the security boundary of a VM with the startup characteristics of a container. QEMU’s microvm machine type — originally developed for Firecracker-style workloads — strips all of that away. No BIOS, no GRUB, no legacy devices. Direct kernel boot into a minimal virtio-only environment. The result: sub-300ms boot to a fully networked guest with a QEMU agent, running inside its own KVM hardware isolation boundary.

Now, let me be clear: I’m not spawning hundreds of these things. I have Azure for that — but I do want to run Gitea Actions workers, have a very limited set of hardware resources, and got fed up with the time it took for one particular VM to boot repeatedly…

What It Actually Does

pve-microvm is a single .deb that patches Proxmox’s qemu-server Perl modules at install time. When you set machine: microvm on a VM conﬁg, the standard conﬁg_to_command function delegates to my MicroVM.pm, which builds an (almost) completely different QEMU command line:

qemu-system-x86_64 -M microvm,x-option-roms=off,pit=off,pic=off,\ isa-serial=on,rtc=on,acpi=on,pcie=on \ -kernel /usr/share/pve-microvm/vmlinuz \ -initrd /usr/share/pve-microvm/initrd \ -append “console=ttyS0 root=/dev/vda rw quiet” \ -device virtio-blk-pci-non-transitional,drive=drive-scsi0 \ -device virtio-net-pci-non-transitional,netdev=net0 \ …

No chipset emulation. No PCI bridges. No VGA. The guest gets a single serial console (which PVE’s xterm.js connects to natively), virtio block devices, and a virtio network interface. Everything rides PCIe transport with non-transitional (modern-only) virtio devices rather than the MMIO transport microvm was originally designed around — for reasons I’ll come to in a moment.

The package ships:

A tiny (12MB) pre-built Linux 6.12.22 kernel compiled from x86_64_defconﬁg with a minimal overlay — virtio, vsock, virtiofs, 9p, and the modules Docker needs (overlay, veth, bridge, netﬁlter, BPF), because, well, I’m pragmatic.

A 1 MB initrd that probes virtio devices, ﬁnds the root ﬁlesystem by label or device path, and does a switch_root in ~150ms

pve-microvm-template — builds root ﬁlesystems from any of 12 supported OCI base images, with optional SSH, Docker, and guest agent

pve-oci-import — pulls an OCI image directly into a PVE-managed disk

Web UI extensions — a “Create µVM” button, machine type dropdown, conditional panel hiding for irrelevant settings, and an amber bolt icon in the resource tree

A systemd service (pve-microvm-early.service) that ensures patches are applied before pvedaemon starts on boot — critical for onboot=1 VMs

The Boot Sequence

Like in aerodynamics, most speed comes from eliminating everything that isn’t strictly necessary. A standard VM spends most of its boot time in ﬁrmware and bootloader, so a microVM skips all of that.

SmolBSD (a NetBSD guest using virtio-mmio transport) boots in 31ms. A full Debian with Docker and the QEMU agent is ready in under 8 seconds — and most of that time is apt package installation during ﬁrst boot. Subsequent boots hit the 300ms mark consistently, even on my humble hardware.

A fun rabbit hole I went into when someone asked me to add SmolBSD support:

There’s a reason SmolBSD gets to use virtio-mmio and the Linux guests don’t. A QEMU microvm machine type can carry its virtio devices over two transports: the bare-bones MMIO interface it was originally built for, or PCIe. MMIO is the lighter of the two — no PCIe host bridge, no ACPI — which is how a NetBSD guest shaves itself down to 31 ms.

But on QEMU 10.x the MMIO path has (as far as I can tell) a device-probing bug for Linux guests: only virtio-blk binds, and the network, serial and balloon devices are never claimed by their drivers for some reason. NetBSD probes MMIO correctly and is perfectly happy; Linux (at least the kernel I am using) is not.

For every Linux guest I therefore fall back to PCIe with non-transitional (modern-only) virtio devices, which binds all of them reliably. The cost is about 50 ms of extra bring-up — which, against a 300 ms boot, I’ll take without complaint.

I think the above is actually a bug in my kernel conﬁguration, but haven’t really had time (or maybe even the right hardware) to tackle it — this is something I’d love more people to look at and contribute patches.

One Kernel, Many Guests

There’s a deliberate consequence of this direct kernel boot trick that’s easy to miss: the kernel doesn’t live inside the guest. It sits on the Proxmox host at /usr/share/pve-microvm/vmlinuz, and the guest disk holds nothing but a root ﬁlesystem — userland, no /boot, no GRUB, no per-guest kernel package, no initramfs of its own.

That also means there’s no “boot the installer ISO and click through it” path, so instead the rootfs gets built straight from an OCI image with pve-microvm-template (Debian, Alpine, Fedora, Rocky, Amazon Linux and friends). In the weird cases, we import a prepared ext4/raw disk with qm importdisk. You don’t install an OS — you assemble a root ﬁlesystem.

Decoupling the kernel from the rootfs is what makes this interesting to run at scale. Every Linux microVM on the node boots the same vmlinuz — one kernel, built once from a stock x86_64_defconﬁg with a microvm overlay, so you can audit and update it in exactly one place: drop a new vmlinuz on the host, restart the guests, done. No guest ever pulls a broken kernel from an apt upgrade, because no guest has a kernel to upgrade, and the rootfs images stay tiny and completely kernel-agnostic.

Container-style kernel consistency, VM-style isolation.

What I’m Running

On my cluster right now, I have a fair smattering of these already. Four off the top of my head are:

gitea (VM 114, on an Intel N5105) — Bare-metal Gitea with SQLite, Caddy HTTPS, local actions runner, Avahi discovery. 2 cores, 2 GB RAM, 32 GB disk. Boots in ~3s, mostly because Gitea does a lot of housekeeping.

smith (VM 9022, on my i7) — the main piclaw agent, the system that manages the cluster, releases piclaw and generally keeps tabs on everything. 2 cores, 6 GB RAM, 48 GB disk. Runs Docker internally, and has 3 smaller, volatile siblings scattered throughout the cluster that don’t run Docker but have different roles (CI/CD, wipe-and-reinstall agent instance for testing upgrades, etc.)

exo (VM 9021, on my i7) — Distributed inference coordinator for running LLMs across multiple machines. CPU-only, 2 GB root.

virtualdsm (VM 300, tnas) — Synology DSM running inside a microVM with Docker, inside Terramaster NAS hardware. Yeah, I know I’m weird, but it was needed when my Synology went sideways and I haven’t nuked it yet. Uses the stock Debian kernel rather than my custom one, because DSM needs speciﬁc module paths.

I also have a dormant 9Front (Plan9) one, as well as a little menagerie of OpenWrt, OPNsense, OSv unikernels, gokrazy Go appliances, and various Alpine/Fedora/Rocky/Amazon Linux conﬁgurations ﬁled away as standard Proxmox backups. The 21 guest OS types aren’t theoretical — each one has been booted and validated, and sometimes smith will go and thaw one out to do regression tests.

The z83ii (that ancient Atom x5-Z8350 with 2GB RAM) was invaluable as a baseline test platform, because If a microVM can boot and run usefully on a fanless 2016-era Atom with 2 GB of total system memory, it’ll work anywhere. And it could run six before it started slowing down…

What a Conﬁg Looks Like

There’s no magic to a microVM conﬁg — it’s an ordinary qm guest with a particular machine type and a kernel command line. Here’s gitea (the VM 114 above) as it sits in /etc/pve/qemu-server/114.conf:

agent: 1 args: -kernel /usr/share/pve-microvm/vmlinuz -append “console=ttyS0 root=/dev/vda rw quiet” boot: order=scsi0 cores: 2 machine: microvm memory: 2048 name: gitea net0: virtio=BC:24:11:00:6E:01,bridge=vmbr0 onboot: 1 scsi0: local-lvm:vm-114-disk-0,size=32G serial0: socket tags: microvm vga: serial0

The only microvm-speciﬁc lines are machine: microvm, the args carrying the kernel and its cmdline, and serial0: socket / vga: serial0 wiring the console through to xterm.js. Everything else — cores, memory, the virtio NIC on vmbr0, the scsi0 disk on local-lvm, onboot, the guest agent — is exactly what you’d write for any Proxmox VM.

Note there’s no -initrd in args: MicroVM.pm injects it automatically when it sees the shipped kernel, along with the balloon, vsock and (when conﬁgured) virtiofs devices. That’s the whole point — a microVM is a normal guest that happens to boot a host-provided kernel, not a special object you have to learn a new tool to manage.

Networking

A microVM attaches to the network exactly like any other Proxmox guest. The interface spec is a bit of a mouthful (virtio-net-pci-non-transitional device on the PCIe bus), and it lands on whatever Linux bridge and VLAN you point it at:

qm set 900 –net0 virtio,bridge=vmbr0 # single NIC qm set 900 –net0 virtio,bridge=vmbr0,tag=100 # tagged onto VLAN 100

Because it’s an ordinary KVM guest, the standard PVE ﬁrewall applies — per-VM nftables rules work the way they do for any VM, which is the part that actually matters when you’re running untrusted code.

Inside the guest, networking is handled by systemd-networkd rather than cloud-init: DHCP by default (matched on Type=ether, so it survives cloning with no MAC pinning), or a one-line /etc/microvm-static-net for a static address. Earlier versions leaned on cloud-init for this, and I found it too brittle; moving it to systemd-networkd made cloning reliable and I stopped having to debug templates half the time.

Network isolation, another mainstay of the current hype around agent isolation, is a solved problem I have no interest in re-solving inside the package because I think Proxmox’s own SDN already does it properly — a simple VLAN zone with a separate VNet per trust domain keeps untrusted guests on their own segment with no path to the LAN, and if I ever bothered with that on a home LAN (well I have thought about it… but got no time), a VXLAN zone with a designated exit node would let me funnel egress through a single ﬁrewalled choke point.

The microVM just lands on whatever VNet I point net0 at, so the policy lives in Proxmox, not in a one-off ruleset I’d have to babysit.

There’s also a non-networked path for host/guest plumbing: each guest gets a vsock CID (VMID + 1000), which I use for SSH-agent forwarding (host keys into the guest without ever exposing them on the wire) and for virtiofs/9p directory sharing, because… I forget. I know I needed it at one point, even if right now most of my microvm instances just do SMB mounts (which were a pain to do under Docker and LXC)

The NIC count is… moderately sane. I currently allow six virtio interfaces per guest (net0-net5) on the spurious grounds that they’re twice the maximum number of physical interfaces across all of my host machines. It’s just deﬁned in MicroVM.pm, and the very few people who need more than that are welcome to tweak it (and if you think you want a dozen you almost certainly want VLANs instead).

Storage and Migration

Storage was… trivial? every PVE backend works, because the disk is just a virtio-blk-pci device and Proxmox hands it the same path it hands any VM. LVM and LVM-thin, ZFS, Ceph/RBD, NFS and CIFS, plain directory storage — all ﬁne, with snapshots, linked and full clones, vzdump backups and qm importdisk behaving exactly as they do elsewhere. A microvm is a normal PVE guest that happens to boot differently.

Migration is the only place things are iffy. a) I can’t do live migration on any of my hardware (none of it is enterprise grade), and b) true live migration isn’t viable with the current QEMU microvm machine type anyway — it simply doesn’t implement it.

Ofﬂine migration (i.e., reshufﬂing instances around) works ﬁne, though, and because microvm boot in well under a second, you can run a quick HA relocate cycle — stop, migrate, start — provided your disks live on shared storage.

I’ve measured it at around two seconds moving a small guest between nodes on shared CIFS. Not seamless VM motion, but perhaps good enough for most uses, and as far as I can ﬁgure out, ha-manager drives it the same way it would any guest.

Vs. LXC: When To Choose What

Mind you, I still run LXC containers. They’re the right choice when:

You trust the workload (or it’s your own code)

You need zero boot overhead

You want direct ﬁlesystem access from the host

You want slightly less memory allocation overhead (oh, and there’s shared page cache if you’re really lucky)

MicroVMs win when:

You need actual kernel isolation — running untrusted code, different kernel versions, nested Docker, anything with aggressive CAP_ requirements

You want a reproducible image you can snapshot, back up (vzdump works), ofﬂine-migrate, and clone (linked clones too)

The workload does something unusual to the kernel (BPF programs, custom netﬁlter rules, kernel modules) and you don’t want that leaking into your host (which is why most of my tunnels now land in a microvm)

You’re running non-Linux guests — NetBSD, Plan 9, FreeBSD-based ﬁrewalls — which simply can’t run as LXC

You want a VM that’s up before you’ve ﬁnished the command.

The overhead difference between LXC and a microVM on modern hardware is surprisingly small. On borg (that i7 – 12700), the idle memory footprint of a minimal microvm is ~40 MB, and the CPU overhead of the hypervisor is unmeasurable for most workloads.

The memory ﬁgure you set at boot is genuinely just a ceiling: As far as I can tell KVM still only backs the pages a guest actually touches, and the host’s same-page merging dedupes identical pages — kernels, libc, shared base-image layers — across every microvm on the node, so like on grown-up cloud hypervisors the real cost tracks the working set, not the nominal allocation.

Much to my embarrassment, I didn’t even bother with live resizing for a long while, but I added balloon support to the kernel recently, with free-page-reporting and deﬂate-on-oom. PVE’s balloon target drives proper auto-ballooning, and a virtio-mem device gives genuine ﬁne-grained hot-add and hot-remove, so, again, this works like a normal VM.

The Awkward Parts

Now for the catches…

First one is pretty obvious: I’m patching someone else’s product, and even though I survived the Perl 4 to Perl 5 transition decades ago and I have Codex to help these days, patching the Perl internals is fragile–every qemu-server upgrade can break my setup.

I mitigate this by a) not blindly running upgrades and b) using dpkg triggers (the package re-patches automatically after upgrades), but it’s still a race condition waiting to happen — I’ve had partial PVE upgrades leave the system in a state where pvedaemon couldn’t even compile the patched module.

And then come the weird failure modes–one upgrade had a nasty little side effect regarding root devices:

Root is found at root=/dev/vda because the guest boots under the microvm machine type with virtio-blk on PCIe

but if a guest ever comes up under the standard chipset instead (a half-applied patch, or an onboot=1 VM starting before the early-boot service has re-patched after a host reboot), the same disk enumerates as /dev/sda, root isn’t found, and the VM looks like it has lost its ﬁlesystem.

The data is always there, just at the wrong path. I’ve patched that particular twist in a way that the dpkg trigger and early-boot service ordering try to mitigate it, so the initrd now falls back to /dev/sda when /dev/vda is missing — but until (if ever) Proxmox supports microVMs natively, expect the occasional papercut.

Package version mismatches can cascade. I learned this the hard way — a partial apt upgrade on one of my nodes left libpve-cluster-perl and libpve-network-perl at incompatible versions, which broke all Perl module loading, which meant pvedaemon couldn’t start, which meant VMs couldn’t be managed.

So… always do full dist-upgrade, never partial upgrades on PVE nodes with this.

Another catch (for some) is that there is no VGA and no graphical console — the serial console is your only interface. If something goes wrong during boot, you’re reading kernel panics on a terminal. This is ﬁne for servers, less ﬁne for desktop-oriented guests, and Plan9 really doesn’t like it.

The next one is that there’s no USB at all — no controllers, no passthrough, nothing on the bus — so I had to get the web UI to hide those options the moment you ﬂip a guest to microvm. This might be a deal-breaker if you want to, say, run a Zigbee controller (and is why my home automation stuff is still in an LXC).

The kernel is opinionated. My custom 6.12.22 kernel includes exactly what I need and nothing else. If your workload needs a module I haven’t included, you’ll need to rebuild it or use the stock Debian kernel (which works ﬁne but is 3x larger and boots slower).

Finally, GPU and PCI passthrough are disabled, not impossible. And this is another thing I would love people with more money hardware to really dive into, since I actually had an RTX 3060 passed through and working in early testing.

In the end, I decided to temporarily disable GPU support for simplicity — the package strips hostpci* today and there’s no vIOMMU plumbing wired up, so it’s off by default.

There’s nothing stopping anyone from adding it back (save some QEMU microvm caveats around the minimal ECAM PCIe bus and IOMMU setup), and I’d genuinely love to be able to do proper PCI and vIOMMU testing — I just don’t have the spare hardware for it, and I chose to focus this on running agents rather than chasing accelerator passthrough.

Under The Hood: The Patch Strategy

The package modiﬁes three ﬁles in the PVE Perl stack:

Machine.pm — extends the machine type regex to accept microvm as a valid value

Read more Read the original on taoofmac.com →

Read the original on taoofmac.com →

JSON-LD Explained for Personal Websites

hawksley.dev

188 shares · 16 trendiness

JSON-LD, also known as JSON Linked Data, is a format for adding structured data to webpages. It can aid web crawlers in understanding the semantic structure of your site, qualifying you for richer link previews, and even potentially improving your search ranking.

It’s been 4 months since my ﬁrst post where I described building this site, and Wakatime estimates I’ve spent ~100 hours coding now, not including time spent researching and testing. Since then, this site has been receiving plenty of polish, including the addition of JSON-LD on each page.

JSON-LD Fundamentals

To add JSON-LD to a page, add the following somewhere in your <head> section:

Let’s break down what each part does.

This declares a new script with MIME type application/ld+json. Since it has this type speciﬁed, the browser’s JS engine won’t run it. Specialised crawlers like Googlebot look out for these elements and parse the contents.

{ “@context”: “https://schema.org” }

Here, a JSON object is initialised and the property @context is set to https://schema.org. In JSON-LD, the structure of data is determined by assigning the appropriate context. Web crawlers are standardised on Schema.org,, opens in new tab which deﬁnes all the valid key-value pairs for the JSON.

Now that we’ve deﬁned the schema our JSON-LD is following, we can describe our webpage!

{ “@graph”: [ { “@type”: “WebSite”, “@id”: “https://hawksley.dev/#website”, “url”: “https://hawksley.dev/”, “name”: “Ethan Hawksley” } // Insert more nodes here. ] }

A JSON-LD document can be thought of as a labelled, directed graph, stored under @graph. The graph contains multiple nodes, connected to each other with directed arcs.

Nodes have:

@type - Describes what the node is, e.g. WebSite or SoftwareApplication

@id - A unique identiﬁer for the node, typically a URL with a unique hash value at the end

Properties - Key/Value pairs that describe the attributes of the node

In the example above, the type is WebSite, the ID is https://hawksley.dev/#website, and it has two properties, url and name.

Web crawlers can merge the properties of a node across multiple pages, as long as they share an ID. However, scrapers that only read one page - such as LLMs - will not merge the properties. When JSON-LD is reused across pages, striking this balance is important to keep in mind. It is best practice for the ID to be a URL followed by a hash, such as #website, that uniquely identiﬁes the node.

Although the Schema.org context deﬁnes many types of nodes, this guide will only be covering nodes that have noticeable SEO impact. If you’re interested in more, look up the semantic web - it’s a fun rabbit hole.

Let’s move on to which nodes each page on our site should include. For each type, I’ve included the JSON-LD from this site, so you can copy-paste and edit it to ﬁt your own.

WebSite

You’ve seen an extract of WebSite earlier! Now here’s the full version:

{ “@type”: “WebSite”, “@id”: “https://hawksley.dev/#website”, “url”: “https://hawksley.dev/”, “name”: “Ethan Hawksley”, “alternateName”: [“hawksley.dev”, “Hawksley”], “description”: “The personal site and technical blog of Ethan Hawksley, a UK-based CS student with a focus on systems programming, low-level computing, and cybersecurity.”, “inLanguage”: “en-GB”, “publisher”: { “@id”: “https://hawksley.dev/#person” }, “image”: { “@type”: “ImageObject”, “@id”: “https://hawksley.dev/#website-image”, “url”: “https://hawksley.dev/logo-square.png”, “caption”: “Ethan Hawksley Logo” } }

WebSite explains the metadata about the site. It gives crawlers hints on how to display your site.

Here, you can see that Google has interpreted the name ﬁeld as representative of the domain and is labelling the result appropriately.

Although WebSite applies to every page, you don’t need to include the full version of it on every page. The root page of the domain should be fully detailed, but it is perfectly acceptable for other pages to have a slimmed-down version:

{ “@type”: “WebSite”, “@id”: “https://hawksley.dev/#website”, “url”: “https://hawksley.dev/”, “name”: “Ethan Hawksley” }

This gives sufﬁcient context to single-page crawlers so they correctly name the site, but they don’t need the full details.

WebPage

WebPage describes the current page, but it’s important to distinguish it from other types like BlogPosting (covered later). WebPage represents the physical page itself, the HTML. It contains the content of the page.

{ “@type”: “WebPage”, “@id”: “https://hawksley.dev/blog/hack-club-campﬁre/#webpage”, “url”: “https://hawksley.dev/blog/hack-club-campﬁre/”, “isPartOf”: { “@id”: “https://hawksley.dev/#website” }, “name”: “Winning the Hack Club Campﬁre Hackathon”, “inLanguage”: “en-GB”, “breadcrumb”: { “@id”: “https://hawksley.dev/blog/hack-club-campﬁre/#breadcrumb” } }

There are more speciﬁc subtypes of WebPage. In this post, I’ll cover ProﬁlePage and CollectionPage. You can ﬁnd less common ones at the bottom of Schema.org’s definition for WebPage., opens in new tab

Person

Another node that every page on a personal website should have is Person. It describes who you are, which Google uses as part of their content quality metric. Increasingly, LLM crawlers are also using it to decide who to cite in their answers.

Unlike WebSite, it is important enough context that you should include it on all of your site’s pages.

{ “@type”: “Person”, “@id”: “https://hawksley.dev/#person”, “url”: “https://hawksley.dev/”, “name”: “Ethan Hawksley”, “alternateName”: “ethanhawksley”, “givenName”: “Ethan”, “familyName”: “Hawksley”, “description”: “Long Description”, “disambiguatingDescription”: “Shorter Description”, “jobTitle”: “Computer Science Student”, “knowsLanguage”: “en-GB”, “knowsAbout”: [ // Keywords ], “nationality”: { “@type”: “Country”, “name”: “United Kingdom” }, “homeLocation”: { “@type”: “Place”, “address”: { “@type”: “PostalAddress”, “addressCountry”: “GB” } }, “afﬁliation”: { “@type”: “HighSchool”, “url”: “https://www.alcestergs.co.uk”, “name”: “Alcester Grammar School”, “sameAs”: [ “https://www.wikidata.org/wiki/Q4713005”, “https://en.wikipedia.org/wiki/Alcester_Grammar_School” ] }, “alumniOf”: [ { “@type”: “HighSchool”, “url”: “https://www.brookeweston.org”, “name”: “Brooke Weston Academy”, “sameAs”: [ “https://www.wikidata.org/wiki/Q4974495”, “https://en.wikipedia.org/wiki/Brooke_Weston_Academy” ] } ], “image”: { “@type”: “ImageObject”, “@id”: “https://hawksley.dev/#person-image”, “url”: “https://hawksley.dev/ethan-hawksley.png”, “caption”: “Ethan Hawksley”, “width”: 1200, “height”: 1200 }, “sameAs”: [ “https://github.com/ethan-hawksley”, “https://www.linkedin.com/in/ethanhawksley”, “https://lobste.rs/~ethanhawksley”, “https://news.ycombinator.com/user?id=ethanhawksley” // etc. etc. ] }

Phew! There’s plenty of properties for Person. I ﬁnd that it helps to be more descriptive, rather than less, when it comes to ﬁlling it out. Let’s look at the most important properties:

url - Points to your root page, anchoring the node.

name, givenName, familyName - Clearly describes your name.

image - Preferably a photo of you, or a logo you are afﬁliated with. Connects you to a canonical image of you.

sameAs - Immensely useful for disambiguation, especially if you have a common name. It cleanly informs crawlers what your other proﬁles are, letting them build a knowledge graph representation of you across multiple pages. At the time of writing, /g/11m62cgdtf, opens in new tab is my Google knowledge graph ID.

The other properties of Person are useful for adding more detail, but aren’t strictly necessary. You can trim them if you wish with only minor impact.

ProﬁlePage

A ProﬁlePage, as you may expect, describes a page on the site about a person. For instance, I use this node on my home page, as that’s where I talk about myself. On your site, putting it on an about page could be more appropriate.

{ “@type”: “ProﬁlePage”, “@id”: “https://hawksley.dev/#webpage”, “url”: “https://hawksley.dev/”, “isPartOf”: { “@id”: “https://hawksley.dev/#website” }, “name”: “About Ethan Hawksley”, “inLanguage”: “en-GB”, “dateCreated”: “2024 – 09-10T00:00:00.000Z”, “dateModiﬁed”: “2026 – 05-17T00:00:00.000Z”, “mainEntity”: { “@id”: “https://hawksley.dev/#person” } }

It’s important to use isPartOf to link it to your broader WebSite node, to create a relationship between the two nodes. The same applies for mainEntity, it lets crawlers know who the page is about. Including dateCreated and dateModiﬁed is a good freshness signal for crawlers, but if your site doesn’t have them readily available, don’t worry too much about it.

SoftwareApplication

If you are showcasing any software on your page, it’s a good idea to include a SoftwareApplication node to describe the metadata about it.

{ “@type”: “SoftwareApplication”, “@id”: “https://hawksley.dev/#project-yt-play”, “url”: “https://crates.io/crates/yt-play”, “name”: “yt-play”, “description”: “A CLI utility written in Rust that synchronises YouTube playlists to local directories.”, “applicationCategory”: “MultimediaApplication”, “operatingSystem”: “All”, “creator”: { “@id”: “https://hawksley.dev/#person” }, “sameAs”: [“https://github.com/ethan-hawksley/yt-play”], “offers”: { “@type”: “Offer”, “price”: 0, “priceCurrency”: “GBP” } }

If you want to be more speciﬁc than SoftwareApplication, other valid types for this node are MobileApplication, WebApplication, and VideoGame.

The url property should be a link to where the project is deployed, e.g. crates.io. sameAs is for any other pages associated with the project, like its source code repository.

There are lots of valid values for applicationCategory, you can ﬁnd a list on Google’s definition for SoftwareApplication., opens in new tab

Even if your project is FOSS, include offers but make sure to set the price to 0.

BreadcrumbList

BreadcrumbList is widely useful and should be included on all pages aside from the root page. It is used to describe the categorisation of a page, which isn’t necessarily the actual path to the page.

{ “@type”: “BreadcrumbList”, “@id”: “https://hawksley.dev/blog/hack-club-shipwrecked/#breadcrumb”, “itemListElement”: [ { “@type”: “ListItem”, “item”: “https://hawksley.dev/”, “position”: 1, “name”: “Home” }, { “@type”: “ListItem”, “item”: “https://hawksley.dev/blog/”, “position”: 2, “name”: “Blog” }, { “@type”: “ListItem”, “item”: “https://hawksley.dev/blog/hack-club-shipwrecked/”, “position”: 3, “name”: “The Shipwrecked Hackathon by Hack Club” } ] }

BreadcrumbList describes the path of a page. By including one, you can control how search engines represent the path of a speciﬁc page.

Here, the search result for my blog post contains the path https://hawksley.dev › Blog. If your site already uses short paths, this node is a minor gain and can be omitted. However, if your paths are longer, BreadcrumbList is useful for shortening them.

CollectionPage

The CollectionPage node is a subtype of WebPage, usable for pages that primarily contain lists. For example, my /elsewhere/ page lists all my other proﬁles, and /blog/ lists all my blog posts.

{ “@type”: “CollectionPage”, “@id”: “https://hawksley.dev/elsewhere/#webpage”, “url”: “https://hawksley.dev/elsewhere/”, “isPartOf”: { “@id”: “https://hawksley.dev/#website” }, “name”: “Elsewhere”, “description”: “Online proﬁles of Ethan Hawksley, a UK-based CS student. Links to his development, social media, technical writing, and security accounts.”, “inLanguage”: “en-GB”, “about”: { “@id”: “https://hawksley.dev/#person” }, “breadcrumb”: { “@id”: “https://hawksley.dev/elsewhere/#breadcrumb” } }

You’ve met most of these properties already, so they are largely self-explanatory. Make sure you link breadcrumb to the correct BreadcrumbList! It needs to be the one on the current page for it to make any sense.

Blog

You should add the Blog node to your blog’s index or home page. It acts as a stepping stone between your WebSite and the individual blog posts you publish.

{ “@type”: “Blog”, “@id”: “https://hawksley.dev/blog/#blog”, “isPartOf”: { “@id”: “https://hawksley.dev/#website” }, “mainEntityOfPage”: { “@id”: “https://hawksley.dev/blog/#webpage” }, “name”: “Ethan Hawksley’s Blog”, “description”: “Technical blog of Ethan Hawksley, a UK-based CS student. Articles on systems programming, low-level computing, cybersecurity, and computer science.”, “inLanguage”: “en-GB”, “dateModiﬁed”: “2026 – 05-17T00:00:00.000Z”, “publisher”: { “@id”: “https://hawksley.dev/#person” }, “license”: “https://creativecommons.org/licenses/by/4.0/” }

dateModiﬁed is a good freshness signal, but if you don’t have it handy, don’t worry. Including license lets crawlers know under what circumstances they can use your prose.

If you’ve done prior research into JSON-LD, you may be surprised that the publisher property is set to be a Person, not an Organization. Although it used to require one, Google’s documentation has since been relaxed and Person is entirely valid too, and arguably more accurate for a personal website.

BlogPosting

The last node we’ll be covering is BlogPosting. It should be included on all published blog posts, providing added information to crawlers so they can more accurately represent them, including both more accurate placement and richer details in search results.

{ “@type”: “BlogPosting”, “@id”: “https://hawksley.dev/blog/need-for-post-quantum-cryptography/#blogposting”, “url”: “https://hawksley.dev/blog/need-for-post-quantum-cryptography/”, “mainEntityOfPage”: { “@id”: “https://hawksley.dev/blog/need-for-post-quantum-cryptography/#webpage” }, “isPartOf”: { “@id”: “https://hawksley.dev/blog/#blog” }, “headline”: “The Need for Post-Quantum Cryptography”, “description”: “Quantum computers are closer to breaking RSA and ECC than we thought. Learn what post-quantum cryptography is and how to start migrating.”, “articleSection”: “cybersecurity”, “keywords”: “cybersecurity, quantum”, “inLanguage”: “en-GB”, “datePublished”: “2026 – 04-13T00:00:00.000Z”, “dateModiﬁed”: “2026 – 04-17T00:00:00.000Z”, “author”: { “@id”: “https://hawksley.dev/#person” }, “publisher”: { “@id”: “https://hawksley.dev/#person” }, “image”: { “@type”: “ImageObject”, “@id”: “https://hawksley.dev/blog/need-for-post-quantum-cryptography/#blogposting-image”, “url”: “https://hawksley.dev/og/blog/need-for-post-quantum-cryptography.png”, “width”: 1200, “height”: 630 }, “license”: “https://creativecommons.org/licenses/by/4.0/” }

Since this is a personal site, it is alright for author and publisher to both point towards the same Person node. The image property should mirror the OG image that the post already uses for link previews.

Conclusion

Congrats, that’s all the JSON-LD a personal site needs! I’ve structured this post to make it as easy as possible for you to copy-paste and implement into your own personal site. Even if you run a static site without a build step, you can still beneﬁt from adding at a minimum WebSite, ProﬁlePage, and Person to the root page of your site.

If you have any questions, you can get in touch via email, and I’ll do my best to help.

Read more Read the original on hawksley.dev →

Read the original on hawksley.dev →

The 100,000 whys of AI

lcamtuf.substack.com

177 shares · 7 trendiness

One of the most painful arguments I keep having with fellow techies is the question of whether you can distinguish between human-written and AI-generated text.

Their skepticism is rooted in reason: at their core, LLMs are state-of-the-art statistical models of how humans talk. If so, the output from the model should be almost by definition indistinguishable from human language under any statistical test.

I don’t think this is always argued in good faith; at least some of the debates are started by folks who wish to maintain deniability for their own underhanded use of the tech. But if you sincerely hold this belief, I present you the following collage:

The image shows about 150 Amazon book covers that appear if you search the site for “100000 whys” (link). Some of these books are category bestsellers in children literature. You can view a zoomable, full-resolution version here.

There’s nothing inhuman about any of these titles or covers. At the same time, I probably don’t need to convince you that you’re staring at the purest form of AI slop that now ﬁlls up many nonﬁction book categories on Amazon. More specifically, what we’re seeing here is the artifact of the tools being quasi-deterministic: if a hundred “authors” give their favorite AI tool a similar prompt — say, “generate a reference book for children” — the model will produce functionally identical output perhaps 80% of the time.

The similarities in the collage go far beyond the choice of titles: for example, all the covers in the top row feature a roaring dinosaur in the top left corner of the design. There are many other clusters in the data, too. Look for a recurring red-and-white cartoon rocket, a golden retriever, a lion, and so forth. The similarities extend even to author names: Ethan Bright, Nolan Bright, Pamela Bright, Daniel Bright, Thomas Bright, Andrew W. Bright, Mayan Bright, Mary Bright, Levi Bright — the Brights must be a big and exceptionally talented family.

This is precisely what makes LLM writing distinctive: it’s not that the models’ individual mannerisms are different from ours. It’s that they resort to the same, complex set of mannerisms in response to almost any normal prompt. This is a fuzzy signal, so you shouldn’t ﬁre your intern when they say “it’s not this — it’s that”. But in more casual settings, it’s OK to trust your gut. In fact, these instincts are becoming increasingly important because traditional models of online interactions fall apart if it takes much less effort to produce content than to engage with it.

PS. If you’re using an LLM to automate blogging: yes, the tech is amazing, but chances are, your publication could be renamed to “100,000 Whys”.

No posts

Read more Read the original on lcamtuf.substack.com →

Read the original on lcamtuf.substack.com →

Everything Is Logarithms

alexkritchevsky.com

167 shares · 19 trendiness

Some connections between things, which I have not seen elsewhere. Maybe they mean something?

1. The Baseless Logarithm

Normally one writes a logarithm with a base, \(\log_b (x)\), to mean

\[y = \log_b (x) \Lra b^y = x\]

And then you can change the base of the logarithm with

\[\log_b (x) = \frac{\log_a (x)}{\log_a(b)}\]

Which follows from rearranging \(\log_a (x) = \log_a (b^{\log_b x}) = \log_b (x) \times \log_a (b)\).

One way of thinking about what this formula does is that it is a change of units. Similar to writing \(2 \text{ km} = 2000 \text{ m} / \frac{1000 \text{ m}}{1 \text{ km}}\) or \(5 \text{ bytes} = 40 \text{ bits}/\frac{8 \text{ bits}}{1\text{ byte}}\). It says: how many copies of \(b\) are in \(x\)? It’s the number of copies of \(a\) in \(x\), divided by the number of copies of \(a\) that are in \(b\).

This is perfectly simple, but for some reason it’s hard to think about logarithms that way. The notation kind of… obfuscates things? Speciﬁcally it is hard to read \(\log_b x\) as “how many copies of \(b\) are in \(x\)”, because that English expression should correspond to the notation \(x/b\), not \(\log_b x\).

I found a way of thinking about logarithms which I think makes this clearer, but you have to allow a sort of odd object that I am call the baseless logarithm. It is simply a logarithm without a base:

\[\log N\]

which we regard as an abstract object, not a number. Then we write our normal “based” logarithm as a ratio of two of these baseless logarithms:

\[\log_2 N = \frac{\log N}{\log 2}\]

Note, this is already sort of a thing people colloquially do, e.g. leaving out the base of logarithms in asymptotic formulas. But I do not mean it as a shorthand. It is useful to regard it as an actual algebraic object.

We interpret \(\log 2\) as being the unit “bits”. To write \(\log N\) in bits is to factor it as a multiple of \(\log 2\):

\[\log N = \frac{\log N}{\log 2} \log 2 = \log_2 (N) \log 2 = \log_2 (N) \text{ bits}\]

Then the change-of-base for logarithms follows from just writing the same geometric quantity in different units. For example \(\log e\) as a unit is sometimes called “nats”:

\[\begin{aligned} \log N = \frac{\log N}{\log 2} \log 2 = \log_2 (N) \text{ bits} = \frac{\log N}{\log e} \log e = \ln (N) \text{ nats} \end{aligned}\]

The baseless \(\log N\) is sort of the multiplicative version of an object that might be familiar from discussions of vectors. It is common with vectors to distinguish between points and displacements: a displacement vector \(\b{v}\) is given by the difference of two points \(\v = (b) - (a)\). When we write think of points as having coordinates, this involves an explicit choice of origin \(\O\), such that \(\b{a} \equiv (a) - \O\) and \(\b{b} \equiv (b) - \O\). Then a displacement vector is constructed by subtracting off the factors of \(\O\), \(\b{v} = \b{b} - \b{a} = ((b) - \O) - ((a) - \O) = (b) - (a)\). The baseless logarithm implemens the same thing but with multiplication: the value \(\log N\) may be thought of as \(\log N / \log \O\) for an unspeciﬁed choice of origin; turning it into an actual numeric value involves dividing two such logarithms to cancel out the origin, \(\log_M N = \log N / \log M = (\log N / \log \O) / (\log M / \log O)\). I think of \(\log N\) as the point corresponding to \(N\) and \(\log N / \log \O\) as its corresponding displacement vector once you pick a coordinate system. I prefer to think of the point as more fundamental.

You might ask: if we have a baseless logarithm \(\log N\), do we also have a “baseless exponential”? Normally \(b^{\log_b N}\) can be written as something like \(b^{\log_b N} = b^{\ln N / \ln b} = e^{\ln N} = N\); is there any way to do this without actually choosing a base? I think the answer has to be “no”. All we can say is that we have split the one object, a logarithm \(\log_b N\) which is the solution of \(b^y = N\), into two objects, \(\log N\) and \(\log b\), each of which on their own are without “units” and so have no numerical meaning. It is just like points in space: a point on its own has no operation of addition and does not have a length. We can subtract points to produce vectors (relative to a symmetry group) but not add them, and the usual operations in coordinates all require a choice of origin.

In fact there are many surprising similarities between logarithms and vectors.

2. Logarithms are Vectors

When doing vector algebra and differential geometry in a properly covariant way, we distinguish between abstract vectors and vectors in a particular coordinate system. My personal convention for this is to refer to the abstract vectors as “geometric” vectors and always write them in bold, \(\v\), whereas “coordinate” vectors, tuples of their values in coordinates, are written with an arrow over them like \(\vec{v} = (v_x, v_y, v_z)\). Boldface geometric vectors are always coordinate-free, whereas coordinate vectors are just collections of numbers or other objects. The geometric vector \(\b{v}\) can be written as a dot product of its coordinates with a ‘frame’ \(X = (\x, \y, \z)\) of basis vectors

\[\b{v} = \vec{v} \cdot X = (v_x, v_y, v_z) \cdot (\x, \y, \z) = v_x \x + v_y \y + v_z \z\]

The projection of \(\v\) onto a basis vector \(\x\) is then given by ‘measuring’ the vector against the basis vector (which does not have to be of unit length). I like to write this as division because it acts a lot like division (although it’s technically pseudodivision instead):

\[\frac{\v}{\x} = v_x\]

That’s in my own very nonstandard notation1 for vector division here. The more common way to write this is to project a component of a differential \(df = f_x dx + f_y dy + f_z dz\) with a partial derivative, which is also the pseudodivision operation (which is incidentally the sense in which partial derivatives kinda work like division but not really):

\[\frac{\p f}{\p x} = f_x\]

I will write things in both forms to make it easy to translate between them; I do prefer my vector-division version because it avoids bringing in the irrelevant notations of differential calculus, but since the latter is actually standard I ought to include it for comparison.

Suppose \(\b{v}\) is one-dimensional, \(\b{v} = v_x \x\). Then the projection onto a ‘measuring stick’ \(\b{m} = m \x\) measures its length in terms of multiples of \(m\):

\[\frac{\v}{\b{m}} = \frac{v_x \x}{m \x} = \frac{v_x}{m}\]

Multiplying by \(\b{m}\) again is what we mean by “writing \(\b{v}\) in units of \(\b{m}\):

\[\frac{\b{v}}{\b{m}} \b{m} = (\frac{v_x}{m}) \text{m} \x\]

(In differentials, this is the differential of \(f\) restricted to its \(dx\) component: \(\frac{\p f}{\p x} dx = f_x dx = df \mid_{x}\), which is a perfectly interesting object (a covariant derivative) that one does not see written in this way very often. By the way, it’s not really important here, but is possible to view all measurements of the length of vectors in this way by thinking ﬁrst of rewriting an arbitrary vector \(\v = v_x \x + v_y \y + v_z \z\) in a polar form \(\v = v_r \r + v_{\theta} \theta\) and then projecting onto \(\r\), \(\| \v \| = \v/\r\). This tends to be a good way of looking at things.)

The baseless logarithm is performing the same operation on logarithms, where \(\log N\) is ﬁlling the role of the geometric vector \(\v\) and \(\log 2 = \text{bits}\) is the unit vector or measuring stick, which takes the role of \(\x\).

\[\begin{aligned} \frac{\log N}{\log 2} &= \log_2 N \\ \frac{\log N}{\log 2} \log 2 &= \log_2 N \text{ bits} \end{aligned}\]

In this sense baseless logarithms write numbers in coordinates in exactly the same way that measuring sticks write vectors in coordinates.

The equivalence of logarithms in different units

\[\begin{aligned} \log N &= \frac{\log N}{\log 2} \log 2 = \log_2 (N) \text{ bits} \\ &= \frac{\log N}{\log e} \log e = \ln (N) \text{ nats} \end{aligned}\]

is the same as the equivalence of geometric vectors in different units

\[\begin{aligned} \v &= \frac{\v}{\x} \x = v_x \x \\[1em] &= \frac{\v}{\x’} \x’ = v_{\x’} \x’ \\ \end{aligned}\]

\[\begin{aligned} df &= \frac{\p f}{\p x} dx = f_x dx \\ &= \frac{\p f}{\p x’} dx’ = f_{x’} dx’ \end{aligned}\]

And the change of base formula that computes a ratio of logarithms in different bases

\[\begin{aligned} \log_2 N \text{ bits}&= \ln N \text{ nats} \\ \log_2 N &= \frac{\text{nats}}{\text{bits}} \ln N\\ &= \frac{\log e}{\log 2} \ln N \\ &= \log_2 (e) \ln N \end{aligned}\]

is exactly like the change of coordinates for a vector, where \(\x\) and \(\x\) are two units for the same quantity.

\[\begin{aligned} v_x \x &= v_{x’} \x’ \\ v_x &= \frac{\x’}{\x} v_{\x’} \\ \end{aligned}\]

or2

\[\begin{aligned} f_x dx &= f_{x’} dx’ \\ f_x &= \frac{dx’}{dx} f_{x’} \end{aligned}\]

What logarithms don’t allow you to do that partial derivatives and vector division do allow to actually talk about a partial derivative operation in isolation. For example, if \(N = 2^a 3^b\), you can only talk about the ratio with respect to a single unit \(\log 2\)

\[\frac{\log N}{\log 2} = a \frac{\log 2}{\log 2} + b \frac{\log 3}{\log 2} = a + b \log_2 3\]

which is equivalent to writing a vector as a multiple of a single basis vector (like in Clifford/geometric algebra)

\[\frac{\v}{\x} = v_x + v_y \frac{\y}{\x}\]

or to a total derivative

\[\frac{df}{dx} = f_x + f_y \frac{dy}{dx}\]

But there is no direct equivalent of the operation of partial differentiation—there’s nothing that acts like \(N \? (\log_2 N) \log 2 + (\log_3 N) \log 3\).

However, I keep ﬁnding that people have gone and invented the projection / partial derivative operation on logarithms anyway. For example, the p-adic valuation in number theory

\[\nu_p (n) = \max \{ k \in \bb{N} \mid p^k \mid n \}\]

corresponds to extracting the coefﬁcient of \(\log p\) of an natural number in a logarithmic basis

\[\begin{aligned} \log n &= \log 2^{n_2} 3^{n_3} 5^{n_5} \cdots \\ &= n_2 \log 2 + n_3 \log 3 + n_5 \log 5 + \ldots \\ \nu_p (n) &= n_p \end{aligned}\]

Each coefﬁcient is a positive integer, and \(\nu_p\) just takes the component corresponding to \(\log p\). Clearly \(\log n\) acts like a vector (although since the coefﬁcients are in \(\bb{N}\) it is technically a commutative monoid instead of a vector space… nevertheless, it has the familiar structure of a vector). Since \(\nu_p\) is a ‘projection’ out of this logarithm, it still obeys logarithmic identities like \(\nu_p(m/n) = \nu_p(m) - \nu_p(n)\). But there is not really a good notation for actually expressing it as a projection, so sadly it gets a whole separate nomenclature that you have to learn.3

The same thing also works for rational \(n\) or radical \(n\) (meaning it is the product of radicals of prime factors), in which case the coefﬁcients become integers or rationals. (As a bonus the resulting objects live in an actual vector space.)

Another example of these logarithmic projections: in complex analysis the “order of vanishing” \(\text{ord}_a f(z)\) of a meromorphic function \(f(z)\) at a point \(z=a\) is the order of the pole or zero at a point (where zeroes are like negative poles). That is, it is the degree \(n\) of the lowest-degree term in the Laurent series of the function around the point \(z=a\),

\[f(z) = f_{-n} (z-a)^{-n} + f_{-n+1} (z-a)^{-n+1} + \cdots + f_{-1} (z-a)^{-1} + f_0 + f_1 (z-a) + \cdots\]

(that is, the value of \(n\) such that \((z-a)^n f(z)\) is holomorphic around \(a\)). This is extracted with a logarithm:

\[\text{ord}_a f(z) = \lim_{z \ra a} \frac{\log f(z)}{\log (z-a)} = -n\]

since for \(z \approx a\), \(f(z) \sim f_{-n} (z-a)^{-n}\) which dominates the other terms that blow up less quickly. If we write \(g(z)\) for the rest of \(f(z)\) which has \(\text{ord}_a (g(z)) > -n\):

\[\begin{aligned} \lim_{z \ra a} \frac{\log f(z)}{\log (z-a)} &= \lim_{z \ra a} \frac{\log (f_{-n} (z-a)^{-n} + g(z))}{\log (z-a)}\\ &= \lim_{z \ra a} \frac{\log f_{-n} (z-a)^{-n} (1 + \frac{g(z)}{f_{-n}} (z-a)^n)}{\log (z-a)} \\ &= \lim_{z \ra a} \frac{\log f_{-n}}{\log (z-a)} -n \frac{\log (z-a)}{\log (z-a)} + \frac{\log (1 + c (z-a))}{\log (z-a)} \\ &= -n \end{aligned}\]

So this is a very similar operation: the limit \(\lim_{z \ra a} \log (z-b)/\log(z-a) = 1_{a=b}\) serves to cancel out the rest of the terms, like how \(\p_j dx^i \sim (\p x^i)/(\p x^j) = 1_{i=j}\) serves to cancel out the terms in a partial derivative, extracting the \(dx\) component of \(df = f_x dx + f_y dy + \ldots\).

(I’m not very good at complex analysis so that’s all I’m going to say about that. Still, it seems clear that this is basically the same operation.)

We see that the baseless logarithm \(\log n\) works a lot like a vector \(\v\) or differential \(df\), and then expressing a logarithm in a base like \(\log_2 n = \log n / \log 2\) is a lot like a total derivative \(df/dx\) or Clifford division \(\v \ast \b{x}^{-1}\). What is missing is some equivalent of the partial derivative / projection operator that projects only onto that component… but various ﬁelds have gone and Found a way to invent that anyway, either in the form of a partial derivative \(\p f/\p x\), or just by making up the \(p\)-adic valuation \(\nu_p\), or by the limits \(\lim_{z\ra a} \log f(z) / \log (z-a)\) in complex analysis. The similiarities are all suspicious, though, and I can’t help but think there is some unifying theory here that ties all this together… but I can’t see what it is yet.

One thing that we might try in order to invent a \(\log_2 N\) that acts like \(\p_x f\) or \(\b{v}/\x\) is to somehow restrict the values of the logarithms to certain spaces, e.g. integers or rationals. Since the \(\{\log p_i\}\) are linearly indepedent (which is essentially equivalent to prime factorizations being unique), you would end up with objects like \(\log_2 3 = \log_3/\log_2\) which have no value in \(\bb{Q}\); “zeroing” those out then gives something that acts like a partial derivative. But I don’t know if that’s useful. Certainly it doesn’t help in any numeric context.

Anyway, onto more things that are logarithms.

3. Vectors are also Logarithms?

In differential geometry one interprets vectors like \(\v = v_x \x + v_y \y\) being written in a basis of partial derivative operators, \(\v = v_x \p_x + v_y \p_y\). These can then be used to create discrete translations which move around in the various coordinates,

\[T^{\v} = e^{\v} = e^{v_x \p_x + v_y \p_y }\]

The partial derivatives are here in order to make it operate on functions

\[e^{v_x \p_x + v_y \p_y} f(x,y) = f(x + v_x, y + v_y)\]

which is true at the level Taylor expansions as well. I often ﬁnd it easier to dispense with the partial derivatives and just think of these as translation operators on the space \((x,y)\) directly

\[e^{v_x \p_x + v_y \p_y} (x, y) = (x + v_x, y + v_y)\]

(You can also think of this acting on the function \(f(x) = x\) also, but that feels like overkill.)

In any case, all this is really doing (in ﬂat space, at least) is changing the additive vector \(\b{v}\) into a multiplicative form \(T^{\b{v}}\) which corresponds to the same operation, but whose terms are multiplied instead of added, and whose scalar coefﬁcients are applied via exponentiation instead of multiplication. The basis is now translation operators in each coordinate:4

\[T^{\v} = e^{v_x \p_x} e^{v_y \p_y} = T_x^{v_x} T_y^{v_y}\]

(In non-ﬂat space this is not so simple because the translations in different coordinates may not commute; you can still write it in this form but it’s a lot more complicated.)

What this means for us is: look, vectors are logarithms too

\[\begin{aligned} \ln T^{\v} &= \ln T_x^{v_x} T_y^{v_y} \\ &= v_x \ln T_x + v_y \ln T_y \\ &= v_x \p_x + v_y \p_y \end{aligned}\]

I can’t exactly say why, but it seems preferable to have this written in terms of baseless logarithms also. We do this by realizing that \(T_x = e^{\p_x} = T^{\p_x}\) and thinking of this symbol \(T\) as a sort of ‘generic’ base for translations, absent the numeric meaning of the symbol \(e\), which has \(\log T_x = \log T^{\p_x} = \p_x \log T\). Then

\[\log T^{\v} = \v \log T = v_x \p_x \log T + v_y \p_y \log T\]

And then we can write \(\v = \log_T T^{\v} = \log T^{\v} / \log T\). This is equivalent to the natural log version but it avoids explicitly depending on the numeric value of \(e\): any choice of base for the logarithm \(T\) gives the same concept of a vector, written in terms of the exponentiation of \(T\), but now we make explicit that the ‘units’ on \(\v\) come in part from the units on \(\log T\) itself.

So vectors in differential geometry may also be thought of as logarithms, specifically, the logarithms of translation operators.

Regular multiplication can even be viewed as an example of this. A product like \(xa\) can be rewritten as “translation” in the \(\ln a\) coordinate:

\[xa = e^{\ln x} e^{\ln a} = e^{(\ln x) \p_{\, \ln a}} a = x^{\p_{\, \ln a}} a\]

I’m not sure how that would be ever be useful but maybe it’s a bit interesting?

4. Logarithms are Derivatives?

This part doesn’t really matter, I just thought I would mention it so that this article contains every fun fact about logarithms that I know.

One way of deﬁning the natural logarithm is

\[\ln x = \lim_{a \ra 0} \frac{x^a - 1}{a}\]

I ﬁnd this formula neat for a few reasons. Mostly it explains where a lot of the behaviors of \(\ln\) in calculus comes from.

It follows from substituting \(x^a = e^{a \ln x}\) and then Taylor expanding:

\[\frac{x^a - 1}{a} = \frac{e^{a \ln x} - 1}{a} = \frac{(1 + a \ln x + \ldots) - 1}{a} \stackrel{a \ra 0}{=} \ln x\]

Read more Read the original on alexkritchevsky.com →

Read the original on alexkritchevsky.com →

To add this web app to your iOS home screen tap the share button and select "Add to the Home Screen".

10HN is also available as an iOS App

If you visit 10HN only rarely, check out the the best articles from the past week.

Visit pancik.com for more.