8 files changed, 824 insertions, 0 deletions

diff --git a/blog/content/notes/greek-task-list.gmi b/blog/content/notes/greek-task-list.gmi
new file mode 100644
index 00000000..841a6a84
--- /dev/null
+++ b/blog/content/notes/greek-task-list.gmi
@@ -0,0 +1,83 @@
+# Greek task list
+
+=> https://apollos-boyfriend.tumblr.com/post/734812687645786112 From:
+
+## Icarian task
+
+When you have a task you know you’re going to fail at anyways, so why not have some fun with it before it all comes crashing down
+
+## Cassandrean task
+
+When you have to deal with people you KNOW won’t listen to you, despite having accurate information, and having to watch them fumble about when you told them the solution from the start (most often witnessed in customer service)
+
+Patroclean task: something that you have a wild misunderstanding of the difficulty involved in accomplishing properly and can only end terribly, but you dive into with your whole heart and the deep faith and conviction that you can accomplish it by sheer force of will.
+
+=> https://www.tumblr.com/bigdickfartsapolka/734815719754170368/achillean-task-something-you-are-absolutely-and From:
+
+## Patroclean task
+
+Something that you have a wild misunderstanding of the difficulty involved in accomplishing properly and can only end terribly, but you dive into with your whole heart and the deep faith and conviction that you can accomplish it by sheer force of will.
+
+=> https://www.tumblr.com/sapphoandvanzetti/791697593363218432/penelopean-task-you-dont-actually-want-the From:
+
+## Penelopean task
+
+You don't actually want the outcome of the task, so you're self-sabotaging in a clever and undetectable way to keep it from ever being completed.
+
+=> https://infosec.exchange/users/masek/statuses/115507451151625748 From:
+
+## Orphean task
+
+When you almost succeed, but lose everything the moment you turn around to check your progress.
+
+## Daedalean task
+
+When you’re forced to design something brilliant and functional… that you yourself will inevitably become trapped inside.
+
+## Medusan task
+
+When your project becomes so horrifying that everyone involved freezes in place rather than deal with it.
+
+## Tantaline task
+
+When success is right there, but bureaucracy or budget cuts keep snatching it away at the last moment, forever.
+
+## Pandoran task
+
+When fixing one small issue unleashes a thousand new ones, but hey — at least there’s still hope somewhere in the ticket backlog.
+
+## Odyssean task
+
+When the assignment technically has an end, but it’s buried under so many side quests that you forget what the original goal was.
+
+## Narcissian task
+
+When the entire effort is about maintaining appearances rather than achieving anything of substance.
+
+## Promethean task
+
+When you give people a powerful new tool that could transform their work — and are punished eternally for doing so.
+
+## Orestian task
+
+When the mess you’re cleaning up is the direct result of the last cleanup you performed.
+
+## Thesean task
+
+When the only way to finish is to disassemble everything piece by piece — until you’re no longer sure if what’s left is the same project you started.
+
+## Achillean task
+
+When your work is flawless except for that one fatal oversight that will, inevitably, destroy you.
+
+## Penelopean task
+
+When you diligently undo by night what you accomplish by day, just to keep the stakeholders pacified.
+
+## Midasean task
+
+When everything you touch turns into paperwork, compliance documents, or gold-plated nonsense nobody actually needs.
+
+## Gordian task
+
+Not intended to be actually done, but violence is the answer.
diff --git a/blog/content/notes/index.gmi b/blog/content/notes/index.gmi
index 2aaf17d7..03e3d9f8 100644
--- a/blog/content/notes/index.gmi
+++ b/blog/content/notes/index.gmi
@@ -1,5 +1,7 @@
 # Notes
 
+=> greek-task-list Greek task list
+
 ## Cliff's notes
 
 Notes about some books I like:
@@ -11,6 +13,12 @@ Notes about some books I like:
 ## Tech
 
 => tech/misc-linux-stuff Misc Linux stuff
+=> tech/running-commands-in-linux Running commands in Linux
+=> tech/ssh-for-beginners SSH for beginners
+=> tech/document-formats Document formats
+=> tech/internet-communication-channels Internet communication channels
+=> tech/ledger Ledger
+=> tech/migadu Migadu
 
 ### Gadgets
 
diff --git a/blog/content/notes/tech/document-formats.gmi b/blog/content/notes/tech/document-formats.gmi
new file mode 100644
index 00000000..385c0c0e
--- /dev/null
+++ b/blog/content/notes/tech/document-formats.gmi
@@ -0,0 +1,97 @@
+# Document formats
+
+Most of the time, when writing a document, I want a document format with the following properties:
+
+* Fast to write using a plain text editor
+* Easy to parse into an AST
+
+An AST is a programming-friendly representation of a document. ASTs reduce the effort required to write tools such as a program that validates links in a document. Ideally, ASTs contain information to track a document element to the position it occupies in the original document. With this information, if you write a tool such as a spell checker, then you can highlight misspelled works precisely in the original document.
+
+On top of that, some features that I don't always need:
+
+* Math support
+* Sophisticated code blocks. For example, being able to highlight arbitrary parts of code blocks (not syntax highlighting).
+* Diagram support
+
+## Existing formats
+
+### Markdown
+
+* Easy to write using a plain text editor
+* Has good AST parsers with position information
+* Has math support
+* Does not support sophisticated code blocks
+* There are many extensions with support for math, diagrams, and many others
+* Is very popular and supported everywhere
+* However, there is a wide variety of variants and quirks
+* Especifically, because Markdown was not designed with parsing in mind, so tools based on different parsers can have differences in behavior
+
+### Djot
+
+=> https://djot.net
+
+It is very similar to Markdown, except:
+
+* It is designed for parsing, so independent parsing implementations are very compatible with each other
+* It is not so popular, so there are less extension and tool support
+
+### AsciiDoc
+
+=> https://asciidoc.org
+
+Compared to Markdown:
+
+* It's more complex to write, but mostly because it's different and more powerful
+* There are attempts to write better parsers, but good parsers with position information are not available yet
+* Supports sophisticated code blocks
+* It has a smaller ecosystem than Markdown, but many good quality tools such as Antora
+
+### Typst
+
+=> https://typst.app
+
+Checks all my boxes, except:
+
+* It is designed for parsing and it has an AST, but it is not easy to access
+* Currently Typst is very oriented towards generating paged documents (e.g. PDF)
+* It includes a full programming language, which is mostly good (very extensible), but this might increase complexity undesirably
+
+Typst is very new and is not yet very popular.
+
+=> https://codeberg.org/haydn/typesetter Typesetter is a desktop application that embeds Typst, so no additional setup is needed. However, Typesetter is only available as a Flatpak.
+
+### Verso
+
+=> https://github.com/leanprover/verso
+
+A Markdown-like closely tied to the Lean programming language.
+
+* Eliminates ambiguous syntax for easier parsing and is stricter (not all text is valid Verso)
+* Has a (Lean) data model
+* Designed for extensibility
+
+### TODO: other formats
+
+=> https://github.com/nota-lang/nota Nota (a document language for the browser)
+=> https://github.com/christianvoigt/argdown Argdown (for argumentation)
+=> https://github.com/podlite/podlite Podlite
+=> https://orgmode.org Org Mode (an Emacs-based tool based on a lightweight markup language)
+=> https://github.com/nvim-neorg Neorg (similar to Org Mode for Neovim)
+=> https://github.com/sile-typesetter/sile Sile (typesetting system)
+
+## Creating your own formats
+
+=> https://github.com/spc476/MOPML Someone created its own lightweight format using Lua and PEGs.
+=> https://tratt.net/laurie/blog/2020/which_parsing_approach.html "Which parsing approach" has information about choosing parsing approaches.
+
+## About gemtext
+
+=> https://geminiprotocol.net/docs/gemtext-specification.gmi
+
+Gemtext is an extremely minimalistic markup language designed for use with the Gemini protocol (an extremely minimalistic protocol similar to HTTP).
+
+The Gemini protocol and gemtext are intentionally designed to limit their power, in my opinion as a comment on the web.
+
+This document is gemtext-native for use in my own minimalistic publishing system.
+
+I also use it as a statement, although the limitations of gemtext can be significant in technical writing. For example, gemtext has no inline links, no inline verbatim code, only three levels of headings, etc.
diff --git a/blog/content/notes/tech/internet-communication-channels.gmi b/blog/content/notes/tech/internet-communication-channels.gmi
new file mode 100644
index 00000000..efdc18af
--- /dev/null
+++ b/blog/content/notes/tech/internet-communication-channels.gmi
@@ -0,0 +1,131 @@
+# Internet communication channels
+
+If you want to provide a communication channel for a community over the Internet and you are considering options such as:
+
+* Slack
+* Discord
+* Reddit
+* Telegram
+* WhatsApp
+* Facebook
+* Or any other communication channel controlled by a single big company
+
+, then please read this article and consider an alternative.
+
+Because such channels are often convenient, cheap, and easy, they are natural choices.
+
+However, companies are about maximizing their benefits first. Certainly, providing convenient, cheap, and easy services often help companies make money. But I believe we have seen enough examples of companies putting their benefits first in detriment of their users.
+
+Using these alternatives will always require more effort. This text is long, and just reading and processing it might take more time than setting up a channel on the services mentioned above. The alternatives I describe certainly have drawbacks compared to the services I am asking you to avoid. However, in the long run I think making an extra effort to make an informed choice pays off.
+
+## A quick litmus test
+
+If you only thing about a single thing, then think about this: how many independent clients are for this communication channel?
+
+How tightly the people behind the channel control clients is a good indicator of how much they want to maximize profits.
+
+## Alternatives
+
+### IRC
+
+IRC is a real-time chat protocol created in 1988 that is still in use. Many perceive flaws in IRC that seem to make it a bad choice. However, many IRC flaws have been addressed in recent times and I believe it is a good choice in many (but not all) scenarios.
+
+The biggest traditional issue with IRC is channels without history, where you cannot see messages posted while you were offline. (If you suspend or turn off your laptop, you will be offline in IRC. Even if you run your IRC client continuously on your client, if your phone goes out of coverage or your phone suspends your IRC client, you will be offline.) However, nowadays you can create channels with history.
+
+Channels without history are frequently confusing for new users, because most chat systems have history. Heavy IRC users are either used to having no history [this might seem surprising, but for some this is even a benefit] or have means to be permanently connected to IRC. However, users new to IRC might join a channel, post a question and go offline without anyone having a chance to see their message and reply. Then, unless people remember to answer when they are back, or other means are used, answers will not be visible to the person who asked.
+
+The chathistory extension addresses this problem. As far as I know, only the Ergo IRC server and their network support this extension.
+
+Some advantages of IRC are:
+
+* You can use IRC without creating an account. This can be especially useful for providing a general contact mechanism. You can create links that will ask for a nickname, and place you into a channel without any additional steps.
+* IRC is a very simple protocol with more than 30 years of history. This means that many developers have invested significant efforts in creating powerful IRC clients and tools (such as bots). And lately, many easy IRC clients are available. This means that IRC can scale from simple setups that require little effort to use, to powerful setups that can provide interesting features. (If you are used to plain communication clients, you might be surprised at how valuable some features can be.)
+
+Some drawbacks of IRC are:
+
+* IRC does not have end-to-end encryption, and thus IRC administrators can read every conversation. This is not a huge problem for public or semi-public channels, but it limits IRC for many scenarios.
+* IRC requires more effort from administrators to provide a good experience to entry-level users, control spam, and others. (An important point is that although integration with audio/video conferencing is possible, it requires more effort and provides a lesser experience.)
+* IRC is mostly text-based. Although many IRC clients can display images and GIFs, communicating with images and GIFs is harder on IRC. (And IRC also does not have integrated audio/video conferencing.)
+* Push notifications are not common yet. Although it is possible to receive instant notifications when you are mentioned or receive a private message, this is frequently difficult. In general, IRC on mobile phones is not as evolved as on desktop computers.
+
+Interesting projects:
+
+=> https://github.com/ObsidianIRC/ObsidianIRC ObsidianIRC (web client)
+=> https://kiwiirc.com/ Kiwi IRC (web client)
+=> https://codeberg.org/emersion/gamja Gamja (web client)
+=> https://soju.im/ Soju (bouncer)
+=> https://halloy.chat/ Halloy (graphical desktop client)
+=> https://git.sr.ht/~delthas/senpai Senpai (terminal client)
+
+### Delta Chat
+
+Delta Chat is an instant messaging system that tries to be very similar to the most popular instant messaging systems.
+
+However, there are multiple clients and anyone can run a server.
+
+The strangest thing about Delta Chat is that is uses email underneath. However, I would recommend ignoring this fact.
+
+### XMPP
+
+XMPP is younger than IRC, but older than Matrix. Compared to Matrix:
+
+* End-to-end encryption and audio/video conferencing is possible with XMPP, but in practice it can be difficult to access these features.
+* There's more XMPP clients than Matrix clients, but it is also hard to find clients that support all the features you need on different platforms.
+
+For some scenarios, if you find the right combination of XMPP server and clients, XMPP can be a great option.
+
+Historically, XMPP was not well-suited to mobile usage. Nowadays, mobile usage is better, but finding the right clients to use is still a challenge.
+
+### Matrix
+
+Matrix is a more modern chat protocol that addresses some of the drawbacks of IRC:
+
+* Matrix has end-to-end encryption, so conversations between users are private to Matrix administrators.
+* Matrix requires less effort from *channel* administrators. (But running a Matrix server requires significant resources. However, there are public Matrix servers and managed services. Thanks to end-to-end encryption, using a public Matrix server is an interesting option.)
+* Matrix has good support for audio/video conferencing, images and GIFs, reactions, push notifications, and phone usage.
+
+But also some disadvantages compared to IRC:
+
+* Users need to create accounts.
+* Using end-to-end encryption makes some usage harder. (Although end-to-end encryption is optional.)
+* There are fewer clients and tools, and generally they are more complex, more resource intensive, and less featureful. (And not all clients support all features.)
+
+### Other alternatives to consider
+
+Zulip offers instant messaging, but has some characteristics from forums. (For example, Zulip uses threads with subjects.)
+
+Mattermost and Rocketchat are designed for communication within organizations.
+
+And lastly, because all the technologies mentioned in this text allow integrations, there are bridges to join different technologies.
+
+For example, IRC channels can be bridged to Matrix rooms.
+
+Although bridges are not ideal, in some cases you can use them to make one channel available over different technologies, which might address the limitations of specific technologies.
+
+Although my perception is that most communities nowadays communicate over instant messaging, many communities use successfully more asynchronous communication channels. In some cases, providing both instant messaging and an asynchronous channel can also work well.
+
+Mailing lists (and their sibling, newsgroups) are older than IRC. Although mailing lists are far less popular than in the past, many communities still use mailing lists.
+
+Mailing lists have several advantages:
+
+* Having an email address is nearly a necessity for all Internet users. Mailing lists often require no user account other than an existing email address.
+* In a way, email and mailing lists share many similarities with IRC. Although most people are users of just a few mail services and clients, there is a wide variety of services and clients. Email power features are somewhat forgotten, but they still exist and mail clients can have very convenient features.
+* Most mailing list have good ways to browse and search past messages. Email discussions are more naturally searchable, thanks to their slower pace and thread organization.
+
+However, they also have many advantages:
+
+* As people no longer use email to communicate, going back to email can cause significant friction.
+* Finding a good mailing list service is difficult. (And hosting your own is also more difficult than hosting other services.)
+
+In my opinion, mailing lists are good, but they have become foreign to most people.
+
+Forums used to be very popular.
+
+Compared to mailing lists:
+
+* Forums require creating an account.
+* Forums do not have multiple clients, although forum software has also evolved for a long time, and many forums have great features.
+* Forums are also a bit out of style, but they are more popular and familiar to most than mailing lists.
+* Finding a forum service or hosting one is simpler than email.
+
+Social networks tend to be slightly different communication channels than instant messaging or asynchronous messaging. Alternatives to social networks also exist. However, in my opinion, social network-style communication is not optimal for "communities" in most cases. Still, you might want to explore alternatives. The Fediverse (or ActivityPub) has many different varieties of communication channels that might suit your needs.
diff --git a/blog/content/notes/tech/ledger.gmi b/blog/content/notes/tech/ledger.gmi
new file mode 100644
index 00000000..97a0af3f
--- /dev/null
+++ b/blog/content/notes/tech/ledger.gmi
@@ -0,0 +1,58 @@
+# ledger
+
+=> https://ledger-cli.org Ledger is a double-entry accounting system based on a text file format.
+
+=> https://plaintextaccounting.org/ The Plain text accounting website lists more software based on the ideas.
+
+This document contains notes about how I use ledger.
+
+## Configuration
+
+My ~/.ledgerrc just contains:
+
+```
+--file ~/Nextcloud/finances.ledger
+--date-format %Y-%m-%d
+```
+
+I store my ledger file in my Nextcloud instance, so Nextcloud synchronizes across my computers.
+
+Other than that, I just configure the YYYY-MM-DD date format.
+
+## Registering transactions
+
+I try to register most transactions the first moment I'm at my keyboard.
+
+I do so manually without automations.
+
+In 2025, I registered over 800 transactions, and I didn't feel it was tedious.
+
+My main text editor is Emacs, so I use ledger-mode:
+
+* Automatically adds indentation and alignment.
+* Autocompletion of accounts and payees.
+
+To register transactions, I run:
+
+```
+ledger reg bankname:accountname
+```
+
+Then, I correlate with the running total that my bank websites show to find the first missing transaction and go on from there.
+
+I have a monthly calendar reminder to catch up on all accounts. In this session, I also update my pension plan accounts with their current value.
+
+## Tagging
+
+### who
+
+I use the who tag because I want to make reports based on specific beings. For example, I want to query quickly costs associated to the cat.
+
+In 2026, I think I will have some accounts like "Expenses:Supermarket:My Name" too, so I'm experimenting with the following snippet:
+
+```
+= :My Name
+    ; who: myname
+```
+
+This seems to automatically add the tag to related accounts.
diff --git a/blog/content/notes/tech/migadu.gmi b/blog/content/notes/tech/migadu.gmi
new file mode 100644
index 00000000..9fc5a80e
--- /dev/null
+++ b/blog/content/notes/tech/migadu.gmi
@@ -0,0 +1,100 @@
+# Migadu
+
+=> https://migadu.com/
+
+## A strategy to handle email addresses
+
+Email addresses can be "vanity" or "non-vanity".
+Vanity email addresses are meant to be public and memorable, for example firstname@lastname.tld.
+
+Set up any vanity domains that you want, and a non-vanity domain.
+
+### Non-vanity email addresses
+
+In the non-vanity domain, you create the {me}{code}@nonvanity.tld mailbox.
+
+{me} identifies you, you can have multiple users with different {me} identifiers in a single non-vanity domain.
+
+This strategy uses {code} to obfuscate email addresses. When you use {code} in an email address, ideally you should be able to identify if the {code} is valid or not.
+
+For example, you could use a four-digit {code} and store what code you have used for each address. If you use x3452 and store this code, when you receive an email that does not match, such as x3453, you know the code is incorrect.
+
+Alternatively, you can use hashing so that you do not have to store all codes.
+
+No one except you should know about {me}{code}@nonvanity.tld.
+
+Then you create a pattern rewrite from {me}.*@nonvanity.tld to {me}{code}@nonvanity.tld.
+
+When you need a non-vanity email address, you create a new {me}.{entity}{code}@nonvanity.tld, where {entity} is the entity that communicates with this email address and {code} is a new code.
+
+Mails received at {me}@nonvanity.tld are incorrect. Mails received without the correct code are incorrect.
+
+### Vanity email addresses
+
+Create any needed {id}@vanity.tld addresses.
+
+Different from non-vanity email addresses, vanity email addresses can be guessed and you cannot identify invalid email.
+
+=> misc-linux-stuff See "email forwarding via IMAP" for notes about forwarding between different email servers.
+
+### TODO Filing
+
+Because each vanity email address and entity has a different email address, you can file emails automatically into folders if wanted.
+
+## Migrating email from Gmail
+
+```
+imapsync --user1 xxx@gmail.com -passfile1 gmailpass --user2 a@a.com --host2 imap.a.com --passfile2 pass --gmail1
+```
+
+To move mail, add --delete1. But this seems to make `imapsync` much slower! (IIRC, also this didn't remove the emails from GMail!)
+
+### Preventing issues with multiple tags
+
+An email message can have multiple "tags" in Gmail that correspond to IMAP folders. If you have messages with multiple tags, then the migration will duplicate messages in multiple folders or file mails to one folder at "random".
+
+imapsync has features to control this, and avoid problems with the "all mail" and "sent mail" Gmail folders, but for further control, you can refile emails to have a single tag.
+
+I have an mbsync replica of my Gmail account for backup purposes. This replica can be used to find messages with multiple tags:
+
+```
+find . -path './\[Gmail\]/All Mail' -prune -o -not -name index -type f -exec grep -H ^Message-ID: {} \; >index
+```
+
+Produces one file with lines:
+
+```
+/.../cur/f:Message-ID:...
+```
+
+```
+#!/usr/bin/env python3
+
+import pathlib
+ms = pathlib.Path("index").read_text().splitlines()
+
+import collections
+idx = collections.defaultdict(set)
+
+for m in ms:
+    path, _, id = m.rsplit(":", 2)
+    f = "/".join(pathlib.Path(path).parts[:-2])
+    idx[id].add((path, f))
+
+for id, vs in idx.items():
+    fs = sorted(set([f for (_path, f) in vs]))
+    if len(fs) > 1:
+        print(fs)
+```
+
+```
+./idx.py | sort | uniq
+```
+
+Clear up multiple tags in Gmail to prevent duplicates.
+
+
+## Notes
+
+* Aliases do *not* have plus addressing, use a "pattern rewrite" instead.
+* New domains come with 'junk messages with word "SPAM" in subject (case insensitive)' on by default; go to domain, spam filtering, aggresiveness to disable.
diff --git a/blog/content/notes/tech/running-commands-in-linux.gmi b/blog/content/notes/tech/running-commands-in-linux.gmi
new file mode 100644
index 00000000..4fe4a004
--- /dev/null
+++ b/blog/content/notes/tech/running-commands-in-linux.gmi
@@ -0,0 +1,259 @@
+# Running commands in Linux
+
+## Motivating examples
+
+=> https://cwe.mitre.org/data/definitions/1337.html The 2021 CWE Top 25 Most Dangerous Software Weaknesses helps focus on the biggest security issues that developers face.
+
+=> https://cwe.mitre.org/data/definitions/78.html Number 5 on that list is Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').
+
+Software developers often write code that invokes other programs. For example, shell scripts tend to be mostly composed of invocations of programs such as find, grep, etc. Even software developed in languages such as Python, C, or Java often invokes other programs.
+
+Python software developers use the subprocess module to perform this task. Other languages provide similar facilities.
+
+Consider the two following Python sessions to execute an equivalent to the bash statement "cat /etc/passwd":
+
+```
+$ python3
+>>> import subprocess
+>>> subprocess.run(["cat", "/etc/passwd"])
+```
+
+```
+$ python3
+>>> import subprocess
+>>> subprocess.run("cat /etc/passwd", shell=True)
+```
+
+Both scripts use the same run function, with different values of the shell parameter (the shell parameter defaults to True). When executing a command with many arguments, shell=True seems to be terser. "a b c d e" is shorter and easier to read than ["a", "b", "c", "d", "e"]. Readable code is easier to maintain, so a software developer could prefer the shell=True version.
+
+However, using shell=True can introduce the "OS Command Injection" weakness easily.
+
+Create a file named "injection.py" with the following contents:
+
+```
+import sys
+import subprocess
+
+subprocess.run(f"cat {sys.argv[1]}", shell=True)
+```
+
+This program uses the cat command to display the contents of a file.
+For example, if you run (using Python 3.6 or higher):
+
+```
+$ python3 injection.py /etc/passwd
+```
+
+The terminal shows the contents of the `/etc/passwd` file.
+
+However, if you run:
+
+```
+$ python3 injection.py '/etc/passwd ; touch injected'
+```
+
+The terminal shows the same file, but a file named `injected` also appears in the current directory.
+
+Create a file named "safe.py" with the following contents:
+
+```
+import sys
+import subprocess
+
+subprocess.run(["cat", sys.argv[1]])
+```
+
+Running "python3 safe.py /etc/passwd" has the same behavior as using injection.py. However, repeating the command that creates a file using safe.py results in:
+
+```
+$ python3 safe.py '/etc/passwd ; touch injected'
+cat: '/etc/passwd ; touch injected': No such file or directory
+```
+
+injection.py is vulnerable to "OS Command Injection" because it uses shell=True, whereas safe.py is not.
+
+If a malicious user can get strings such as "/etc/passwd ; touch injected" to code that uses shell=True, then the user can execute arbitrary code in the system. Code that does not handle user input might not be exposed to such issues, but user input might creep in and introduce unexpected vulnerabilities. Avoiding the use of `shell=True` and similar features can be safer than making sure that user input is correctly handled in all cases.
+
+## Writing shell scripts that handle files with spaces in their names
+
+Create a file called backup.sh with the following contents:
+
+```
+#!/bin/bash
+
+for a in $1/* ; do
+    cp $a $a.bak
+done
+```
+
+Run the following statements in the terminal to create a sample directory with files.
+
+```
+$ mkdir backup_example_1
+$ for a in $(seq 1 9) ; do echo $a >backup_example_1/$a ; done
+```
+
+These statements create the backup_example_1 directory, and files named 1 ... 9.
+
+The backup.sh script creates a copy of each file in a directory. If you run:
+
+```
+$ bash backup.sh backup_example_1/
+```
+
+Then the script will copy 1 to 1.bak, and so on.
+
+However, if you create a new directory with files whose names have spaces:
+
+```
+$ mkdir backup_example_2
+$ for a in $(seq 1 9) ; do echo $a >backup_example_1/"file $a" ; done
+```
+
+Then the backup.sh script does not work correctly:
+
+```
+$ bash backup.sh backup_example_2/
+cp: cannot stat 'backup_example_2//*': No such file or directory
+```
+
+In order to fix the script, change the contents of backup.sh to:
+
+```
+#!/bin/bash
+
+for a in "$1/*" ; do
+    cp "$a" "$a.bak"
+done
+```
+
+## Background
+
+### int main(int argc, char *argv[])
+
+Programs written in C for Linux define a function called main that is the entry point of the program. Documents such as the N2310 draft of the C language standard describe the main function. Page 11, section 5.1.2.2.1, "Program startup", provides a common definition of main:
+
+```
+int main(int argc, char *argv[]) { /* ... */ }
+```
+
+=> http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2310.pdf The N2310 draft of the C language standard
+
+The argc parameter contains the **c**ount of the arguments provided to the program. The argv parameter contains their **v**alues.
+
+Create a file named argv.c with the following contents:
+
+```
+#include <stdio.h>
+
+int main(int argc, char *argv[]) {
+    for(int i=0; i<argc; i++) {
+        printf("Argument %d -%s-\n", i, argv[i]);
+    }
+}
+```
+
+Compile the file running the following command:
+
+```
+$ cc argv.c
+```
+
+This produces an executable file named "a.out". This executable will print the arguments you provide via the command line:
+
+```
+$ ./a.out
+Argument 0 -./a.out-
+```
+
+```
+$ ./a.out arg1 arg2 arg3
+Argument 0 -./a.out-
+Argument 1 -arg1-
+Argument 2 -arg2-
+Argument 3 -arg3-
+```
+
+Note that the first argument is the name of the executable file itself.
+
+Note that when using quoting, the program prints things like:
+
+```
+$ ./a.out "a b" c
+Argument 0 -./a.out-
+Argument 1 -a b-
+Argument 2 -c-
+```
+
+So the first argument is "a b" (without quotes).
+
+### exec(3)
+
+UNIX-like operating systems provide the "exec" family of functions to invoke commands. "man 3 exec" describes the exec family of functions in Linux. Linux provides the execl, execlp, execle, execv, execvp, and execvpe functions. These functions allow us to execute a command from within a C program.
+
+Create a file named execlp.c with the following contents:
+
+```
+#include <stdlib.h>
+#include <unistd.h>
+
+int main() {
+    exit(execlp("cat", "cat", "/etc/passwd", NULL));
+}
+```
+
+Compile the file running the following command:
+
+```
+$ cc execlp.c
+```
+
+This produces an executable file named "a.out".
+Execute it:
+
+```
+$ ./a.out
+```
+
+This is equivalent to running in a shell the statement "cat /etc/passwd".
+
+This article does not describe the intricacies of the exec family of functions. However, let's analyze the call to execlp.
+
+The exec functions whose name contains a "p" look up the command to execute by searching for executables named like the first argument in the directories listed in the PATH environment variable. In the example, execlp looks up the cat executable in directories such as /usr/bin.
+
+The second argument is also the name of the program.
+
+Note that in the preceding argv.c example, the zeroth argument is the name of the program being executed. Some executables in Linux systems are present under different names (using symbolic links). For example, xzcat is a symbolic link to xz. Running xzcat or xz runs the same executable file, but the executable uses the zeroth argument to change its behavior.
+
+This technique is a simple way to "share" code between similar programs. The BusyBox project provides many common utilities, such as ls and cat, in a single executable. By sharing code among all utilities, the BusyBox executable is smaller.
+
+The rest of the parameters to execlp are the arguments for the executable file.
+
+In a way, exec functions "call" the main function of other programs. The parameters to exec are "passed" to the main function.
+
+### Shells
+
+Programs such as bash provide a way to execute other programs. When you type a statement such as "cat /etc/passwd", bash parses the statement into a command to execute and arguments. Then, bash uses an exec function to run the program with arguments.
+
+The simplest bash statements are words separated by spaces, of the form "arg0 arg1 arg2 ... argn".
+
+On such a statement, bash executes something like:
+
+```
+execlp(arg0, arg0, arg1, _..._, argn, NULL)
+```
+
+And the program will receive the string arg0 as the zeroth argument, arg1 as the first argument, and so forth.
+
+However, using cat to view the contents of files, the user might want to view a file whose name contains spaces.
+
+The statement "cat a b" has two arguments: a and b. For each argument, cat prints the file of that name. So the "cat a b" statement prints the contents of the a and b files, not of a file named "a b".
+
+## Further reading
+
+=> http://teaching.idallen.com/cst8177/13w/notes/000_find_and_xargs.html Using find -exec or xargs to process pathnames with other commands
+=> https://infosec.exchange/@david_chisnall/115116683569142801 Early UNIX did glob expansion in the shell not because that’s more sensible than providing a glob and option parsing API in the standard library, but because they didn’t have enough disk space or RAM to duplicate code and they didn’t have shared libraries... For example, on FreeBSD, I often do pkg info foo* to print info about packages that start with some string. If I forget to quote the last argument, this behaves differently depending on whether the current directory contains one or more files that have the prefix that I used. If they do, the shell expands them and pkg info returns nothing because I don’t have any installed packages that match those files. If they don’t, the shell passes the star to the program, which does glob expansion but against a namespace that is not the filesystem namespace. The pkg tool knows that this argument is a set of names of installed packages, not files in the current directory, but it can’t communicate that to the shell and so the shell does the wrong thing. Similarly, on DOS the rename command took a load of source files and a destination file or pattern. You could do rename *.c *.txt and it would expand the first pattern, then do the replacement based on the two patterns. UNIX’s mv can’t do that and I deleted a bunch of files by accident when I started using Linux because it’s not obvious to a user what actually happens when you write mv *.c *.txt. There is a GNU (I think?) rename command and its syntax is far more baroque than the DOS one because it is fighting against the shell doing expansion without any knowledge of the argument structure.
+
+## TODO
+
+=> https://news.ycombinator.com/item?id=36722570 SSH particularities
diff --git a/blog/content/notes/tech/ssh-for-beginners.gmi b/blog/content/notes/tech/ssh-for-beginners.gmi
new file mode 100644
index 00000000..0c74b2e4
--- /dev/null
+++ b/blog/content/notes/tech/ssh-for-beginners.gmi
@@ -0,0 +1,88 @@
+# SSH for beginners
+
+Some simple advice for people who are starting to use ssh.
+
+## Use the config
+
+If you create a file "~/.ssh/config", with contents like:
+
+```
+Host xxx
+	HostName yyy
+	Port 1234
+	User zzz
+```
+
+, then if you type "ssh xxx", the result will be like executing "ssh -p 1234 zzz@yyy".
+
+Any ssh command line arguments can be encoded in an SSH client configuration file, so you can access any server by just passing a host to ssh without any additional parameters.
+
+Additionally, most modern systems configure SSH tab completion, so if you type "ssh <tab><tab>", your shell will complete with the hosts in your configuration file.
+
+## Use public key authentication
+
+By default, ssh uses passwords for authentication. If you use a good password, then password authentication is a decent authentication method.
+
+However, you can use other methods, such as public key authentication. With public key authentication, you have a public and private key.
+
+If you are working on system A with your *private* key, and you copy your *public* key to system B, then you can ssh from system A to system B without entering a password.
+
+### Security
+
+Note that if someone obtains your private key, they will be able to log in to systems that trust your key. Knowledge of your private key is similar to knowledge of a password. Take care making your private key truly private.
+
+If you suspect someone else has been able to obtain your private key, then generate a new key and remove the leaked public key from all systems.
+
+Note that you can generate as many keys as you want. Managing multiple keys requires more effort, but in some cases it might be more convenient. For example, if a key is suspected to be leaked, then you might only need to revoke a key and continue using other keys.
+
+### Generating SSH keys
+
+To generate your private and public keys:
+
+```
+$ ssh-keygen
+Generating public/private rsa key pair.
+Enter file in which to save the key (/home/alex/.ssh/id_rsa):
+Created directory '/home/alex/.ssh'.
+Enter passphrase (empty for no passphrase):
+Enter same passphrase again:
+Your identification has been saved in /home/alex/.ssh/id_rsa
+Your public key has been saved in /home/alex/.ssh/id_rsa.pub
+The key fingerprint is:
+SHA256:...
+The key's randomart image is:
++---[RSA 3072]----+
+...
+```
+
+### Key type choice
+
+OpenSSH, the standard ssh client, changed its default type of key generation to Ed25519 in version 9.5 released in late 2023. Previously, ssh-keygen generated RSA keys, as in the example above. Many Linux distributions still use OpenSSH versions earlier than 9.5.
+
+You can find advisories like:
+
+> It is quite possible the RSA algorithm will become practically breakable in the foreseeable future. All SSH clients support this algorithm.
+
+=> https://www.ssh.com/academy/ssh/keygen
+
+Although as of the time of writing this, RSA is considered safe. However, you can consider generating an Ed25519 key instead, following the most recent OpenSSH defaults.
+
+### Passphrases
+
+By default, if you provide an empty passphrase to ssh-keygen, your private key will be stored unprotected. Anyone that can read the private key file can obtain your key.
+
+You can use a passphrase to protect your key. If someone obtains a private key file but they don't know the passphrase, then they cannot use the key.
+
+Using a passphrase means that you need to type the passphrase every time you use the key, or use a system such as ssh-agent. This creates a tradeoff between security and convenience.
+
+(Note that a popular criticism of SSH public key authentication is that it is not easy for systems administrators to enforce the use of SSH passphrases.)
+
+## Further SSH features
+
+Many developers have added many useful features to SSH during many years, such as:
+
+* The scp command to transfer files using SSH
+* Tunnels to establish bidirectional communication between systems without such connectivity. (For example, to connect to your workstation from a remote system.)
+* Jump hosts that expedite the connection to a system that is not directly accessible, by using SSH to establish connection through intermediate systems.
+
+Also, SSH integrates very well with UNIX pipes and tools such as rsync, Git, and many others.