I’ve been listening to it in a loop for the last few days. It’s like having a streaming service of sunny weather in your ears. I thought you could use some sun, too. It struck a chord in me. It made me feel good. It made me smile. I felt thankful.

Here goes a good translation of the lyrics in English via some IA over there:

(Let it go)
Let go of that low mood
Raise your head and face evil
Acting this way will be vital for your heart
Because in every experience you learn a lesson
I’ve already suffered for loving like this
I dedicated myself but it was all in vain

(Why?)
Why lament?
If in your life you can find
Someone who loves you with all their strength and passion
Then the pain will subside

(You have to fight)
You have to fight
Don’t get discouraged
Just give yourself
To someone who deserves you
I’m not giving or selling
As the saying goes
My advice is to see you happy

(repeat)

Lala-laia
Lala-laia laia, lala-laia laia, lala-laia, laia-laia-laia
I’m not giving or selling
As the saying goes
My advice is to see you happy
My advice is to see you happy
My advice is to see you happy

I’ve never learned Portuguese, so it’s uncanny how much I could understand (70%, easily) of the lyrics just on the first try. The original goes below, just for the sake of beauty. Brazilian Portuguese is such a beautifully sounding language, it’s almost obscene.

(Deixe de lado)
Deixe de lado esse baixo astral
Ergua a cabeça enfrente o mal
Agindo assim será vital para o seu coração
É que em cada experiência se aprende uma lição
Eu já sofri por amar assim
Me dediquei mas foi tudo em vão

(Pra que?)
Pra que se lamentar?
Se em sua vida pode encontrar
Quem te ame com toda força e ardor
Assim sucumbirá a dor

(Tem que lutar)
Tem que lutar
Não se abater
Só se entregar
A quem te merecer
Não estou dando nem vendendo
Como o ditado diz
O meu conselho é pra te ver feliz

(…)

Lala-laia
Lala-laia laia, lala-laia laia, lala-laia, laia-laia-laia
Não estou dando e nem vendendo
Como o ditado diz
O meu conselho é pra te ver feliz
O meu conselho é pra te ver feliz
O meu conselho é pra te ver feliz

Talk presented at the 2026 Red Hat Summit Connect Switzerland event on January 14th, 2026.

Introduction

Welcome to this presentation titled “What’s in your Container? Securing the Supply Chain without Slowing Down”. This talk was first presented at the 2026 Red Hat Summit Connect Switzerland event in January 14th, 2026.

My name is Adrian Kosmaczewski, and I am a Senior Architect at Red Hat Switzerland.

The “Black Box” Problem

Let us talk about the “Black Box” problem.

Imagine, for a moment, that you walk into a grocery store to buy a frozen lasagna for your family dinner. You pick up the box from the freezer aisle. You toss it in your cart. You trust it. You assume the meat isn’t spoiled. You assume the factory where it was made followed strict health codes.

You assume that the list of ingredients printed on the back (flour, tomatoes, beef, etc.) is actually what is inside the box. You trust the supply chain implicitly because there are regulations and checks in place to keep you safe.

Now, let’s pivot and look at how we build software today.

Modern software development has fundamentally changed. We don’t really “write” code from scratch anymore; we assemble it. We are manufacturing applications on an industrial scale. We take a database from here, a web framework from there, an authentication library from somewhere else, and we glue it all together with a thin layer of our own business logic.

The data backs this up. According to the latest “Open Source Security and Risk Analysis Report” by Synopsys, 96% of all commercial codebases contain open source components. Furthermore, 84% of those codebases contain at least one known vulnerability. We aren’t just using a little bit of open source; our applications are essentially composed of it.

This is fantastic for speed. It allows us to innovate at a pace that was impossible ten years ago. It’s why startups can disrupt giants. But it is absolutely terrifying for security.

Because right now, for most companies, that “frozen lasagna” of software has no ingredients list. It has no seal of authenticity. We are effectively taking binary blobs from the internet (from strangers we have never met, using handles we don’t recognize) and running them in the heart of our sovereign infrastructure. We are downloading packages from NPM, or PyPi, or Docker Hub, often without a second thought.

Consider the phenomenon of “Typosquatting.” An attacker notices that your developers use a popular python library called requests. So, the attacker uploads a malicious library called requessts (with an extra “s”) containing malware. One tired developer makes one typo in a configuration file, and suddenly, you have just invited a trojan horse into your production environment.

We have seen exactly what happens when this goes wrong. We all remember the absolute chaos of Log4j. It wasn’t just a bug; it was a systemic failure. It was a tiny logging library, maintained by volunteers, buried five layers deep in the dependency tree of almost every enterprise Java application in the world. When the vulnerability broke, Chief Security Officers didn’t even know if they were affected or not! They had to scan thousands of servers manually because they didn’t have an inventory.

And let’s not forget SolarWinds. That was a pivotal moment. The attackers realized they don’t need to spend months trying to break into your firewall if they can just poison the water supply. They didn’t attack the customers directly; they injected malicious code into the build system of the vendor. They compromised the factory so that every product leaving the assembly line was pre-infected.

The question we need to answer today is simple, but it is deeply uncomfortable for most IT leaders: Do you actually know what is running in your cluster right now?

Not what you think is running. Not what the architecture diagram says should be running. But what is actually there? And if you don’t know the answer to that question, how can you claim your infrastructure is sovereign? How can you claim you are compliant with upcoming regulations like the EU Cyber Resilience Act, NIS2, or DORA? These regulations are no longer suggestions; they are mandates that will hold boards of directors personally accountable for the hygiene of their digital supply chain.

We need a better way. We need the digital equivalent of a nutrition label, and we need a tamper-proof seal for every single digital artifact we deploy.

The Three Pillars

So, how do we fix this? How do we secure this massive, complex supply chain without slowing our developers down to a crawl? We cannot ask them to manually audit every line of code in every library they use. That is humanly impossible. If we add too much friction, they will just find ways around it, and we end up with Shadow IT, which is even worse.

The solution lies in automation, built on three pillars that are redefining the industry, well known since the times of the Roman Empire: Transparentia, Identitas, et Claustra.

Or in English, Transparency, Identity, and Guardrails.

Transparency

The first pillar is Transparency. In the physical manufacturing world, every part has a serial number. If a specific airbag in a car is found to be defective, the manufacturer knows exactly which cars have it and where they are.

In software, we call this an SBOM…

…also known as a Software Bill of Materials.

This is your ingredients list. It is a machine-readable inventory (usually in formats like SPDX or CycloneDX) that lists every single library, every dependency, and every version number inside your application.

Using open source tools like Syft,…

…or enterprise platforms like Red Hat Trusted Profile Analyzer, we can generate this list automatically every time we build an app. It digs deep (not just listing the top-level libraries you installed, but the transitive dependencies, that is, the libraries that those libraries installed).

What does a SBOM look like? Here’s a fragment of one, showing a dependency on a library available via Maven.

Why does this matter? Imagine the next “Log4j” hits tomorrow morning at 9:00 AM. In the old world, you would spend weeks scanning networks, waking up developers, and panicking. In the new world, you simply query your database of SBOMs. You ask: “Show me every container running Log4j version 2.14.” You get the answer in seconds. You know exactly where the risk is, and you can surgically remove it. That is the power of transparency.

Identity

The second pillar is Identity.

Because knowing the ingredients is good, but knowing who cooked the meal is better. We need to cryptographically sign our code to prove its origin.

Now, I see some of you wincing. I know the history here. Traditionally, code signing has been a nightmare. It usually involves managing private GPG keys that sit on developer laptops.

This approach has two fatal flaws:

First, the “Bus Factor”: If the developer leaves the company, does the key go with them?

Second, Key Hygiene: People lose keys, they leak keys to GitHub by accident, or they just turn the verification off because it breaks their workflow.

You can see the issue here. There’s even an engineer with a third leg in there and another with a third arm holding a diskette. Clearly, not very DevSecOps.

This is where the future is changing. We are seeing a revolution with a project called Sigstore…

…which powers the Red Hat Trusted Artifact Signer.

Sigstore does for code signing what “Let’s Encrypt” did for HTTPS. It makes it free, easy, and automated. It uses a concept called keyless signing.

Think of it like a hotel key card. When you check into a hotel, you don’t get a metal key that you keep forever. You get a plastic card that works for your room, for exactly three days. If you lose it after three days, it doesn’t matter. It’s useless.

Here is how Sigstore works: Your developers don’t generate permanent private keys anymore. Instead, they sign their code using their corporate identity (their Google, Microsoft, or Red Hat login) via OpenID Connect. They prove who they are, and the system issues a short-lived, ephemeral certificate that exists just long enough to sign the code (maybe just ten minutes) and then disappears.

This event is recorded in a tamper-proof transparency log called Rekor. It provides a public, verifiable record that says, “Yes, this specific developer signed this specific piece of code at this specific time.” It removes the burden of key management. It turns signing from a chore into an invisible automated step.

Guardrails

The third pillar is Guardrails.

This is the “Bouncer” at the door. It doesn’t matter if you have a perfect SBOM and a valid signature if nobody checks them before the application goes live. If the bouncer is asleep, the club isn’t safe.

We need an admission controller in our Kubernetes clusters. We use tools like Red Hat Advanced Cluster Security (or ACS) which integrates deeply with Kubernetes admission contexts.

ACS acts as a policy engine. It sits at the API gate of your OpenShift cluster. When a deployment tries to enter, ACS stops it and asks for ID. It checks the signature. It parses the attestation.

It runs a logic check against your specific rules. For example:

Rule 1: “Was this image built on a developer’s laptop?”

Deployment Denied.

Rule 2: “Container signed with the key of another department?”

Deployment Denied.

Rule 3: “Was this image built and signed by our Trusted Pipeline?”

Yes. Access Granted.

This is the fundamental shift in our security posture. We stop relying on hope. We stop relying on manual spreadsheets or quarterly audits. We start relying on cryptographic proof and automated policy enforcement.

We move from “Trust but Verify” to “Verify, then Trust.” We make the cluster itself smart enough to reject the bad stuff.

So, as a recap, remember the three pillars: Transparency, Identity, and Guardrails.

The Architecture of the Factory Floor

So how does this look like in real life?

Let’s visualize how this looks in a real production environment. I want you to think of this as a high-security, automated factory floor.

It starts with the Developer. They are writing code, perhaps using an IDE plugin, and they push their changes to Git. That is the last human interaction in the process. From this moment on, the robots take over to ensure consistency and security.

This git push triggers our factory engine: Red Hat OpenShift Pipelines, based on Tekton.

Tekton spins up a pod to handle the build. But it doesn’t just compile the code. It acts as an observer, a notary, and a security guard all wrapped in one.

Verification: It runs unit tests to ensure functionality.

Scanning: It scans the code for known vulnerabilities using scanners like Clair or Roxctl. If it finds a “Critical” CVE, the line stops right there. The build fails. The developer gets feedback immediately, not three weeks later.

Documentation: It generates that SBOM, creating the “Nutrition Label” for the software.

Sealing: Finally, it uses the Trusted Artifact Signer to cryptographically sign the container image. It stamps the software with a digital seal that says: “This software was built by this sanctioned pipeline, at this time, and it has not been altered since.”

Once the image is signed and sealed, it moves to the warehouse. In our case, this is Red Hat Quay, an enterprise registry.

Quay isn’t just a dumb storage bucket; it understands these signatures and attachments. It keeps the image and its “paperwork” (the SBOM and signatures) together.

Quay also performs “Time Machine” scanning. Just because an image was safe yesterday doesn’t mean it’s safe today. New vulnerabilities are discovered every hour. If Quay detects that a stored image has become vulnerable overnight, it can tag it as unsafe and prevent it from being pulled.

Now, we have a signed, sealed package sitting in the warehouse. How do we get it to the customers? We use GitOps.

We use OpenShift GitOps, based on the Argo CD project. Argo is the delivery truck. It monitors the warehouse. When it sees a new, valid image is available, or when the git configuration changes, it reaches out to pull that image into the production cluster.

Crucially, Argo CD also handles Drift Detection. If a cowboy administrator SSHs into a server and manually changes a configuration, Argo notices the difference between the “desired state” (Git) and the “actual state” (Cluster). It will automatically overwrite the manual change, healing the system back to its trusted state.

But remember the bouncer we talked about?

As Argo tries to apply this update to the cluster, the OpenShift API pauses. The admission controller steps in. It verifies the signature against the public transparency log. It confirms the “Chain of Custody.”

It asks: “Did this come from our factory? Does the signature match the public key we trust?”

Because the signature matches your organization’s trust policy, the gate opens, and the workload starts.

Conversely, if a developer tries to bypass this process (if they try to manually use kubectl or oc to deploy an unsigned container from their laptop, or if a hacker compromises a credential and tries to inject a rogue container) the cluster will reject it immediately. The admission controller will see there is no signature, or the wrong signature, and it will block the request before the container even pulls.

This entire process happens in minutes. The developer didn’t have to run a security scan manually. They didn’t have to manage a private key. They didn’t have to open a ticket for a security review. They just pushed code. The platform (the Golden Path) handled the sovereignty, the compliance, and the security automatically.

Conclusion

We have talked a lot about technology today: Tekton, Sigstore, Argo CD, OpenShift. We’ve looked at diagrams and command lines. But I want to leave you with a thought about Trust.

For a long time, we treated security as a gate. It was a hurdle that developers had to jump over.

It was the “Department of No.” And because it was hard, and because it slowed people down, smart people found ways around it. That is how supply chains get broken. That is how vulnerabilities slip in. When security fights against velocity, velocity usually wins, and security suffers.

The approach we discussed today, this “Trusted Software Supply Chain”, flips the script entirely. It makes the secure way the easiest way.

Through the Trusted Software Supply Chain, Red Hat provides a tool for each of the three pillars: Transparency through the Trusted Profile Analyzer; Identity, thanks to the Trusted Artifact Signer; and Guardrails, with the Advanced Cluster Security for Kubernetes.

By embedding these checks into the platform itself, by using Red Hat OpenShift and these open source standards to automate the “boring” parts of compliance, we grant our developers the freedom to move fast. We give them the confidence to innovate, because we know the guardrails are solid. We stop asking them to be security experts and start giving them tools that are secure by default.

Sovereignty isn’t just about where your servers are physically located or which cloud provider you pay. Sovereignty is knowing, with mathematical certainty, exactly what software is running on those servers and exactly who put it there. It is about having total visibility and control over your digital assets.

So my challenge to you is this: Don’t leave your infrastructure to chance. Don’t rely on implicit trust. Build the factory. Sign your code. And take back control of your supply chain.

Thank you very much for your attention.

“Oktubre”, by “Patricio Rey y los Redonditos de Ricota” released in its entirety in October 1986, is widely considered to be one of the greatest albums of Argentine rock of all time. During that year they released various singles off the album, among them one called “Ji Ji Ji”, a song which has become the signature song of the band in the decades that followed.

As you can see on the cover, the band took some inspiration from the history and culture (that’s Latin for “clichés”) of the USSR, in the process even performing a horizontal symmetric transformation on the wrong letter; yes, I guess the illustrator didn’t know (or gloriously ignored) that it should have been a “Я” (called “Ya”), appearing in a context where it actually doesn’t make any sense whatsoever… so we got an inverted “B”… that doesn’t exist in the Cyrillic alphabet.

To my Russian readers, you can stop facepalming now. The final results are worth it, I promise.

The whole album is a very personal interpretation of the times we were living in 1986; cold war, Chernobyl, communism, nuclear scare, and whatnot, as seen from a country on the literal antipodes of the USSR, that was barely emerging from decades of intermittent on-and-off dictatorships. To my ears, the album sounds sometimes menacing, sometimes nostalgic, often tough, mostly terribly naïve.

The album is freely available in the official channel of the band (whose name can be roughly translated as “Patricio Rey and the Ricotta Bites”). The video contains the full album in order, with the original lyrics in Spanish.

Speaking about which, in case you’re interested, the lyrics don’t make much sense, not even in Spanish, and not only on this album; they have always been a weird thing with Los Redondos. It’s like they privileged the sounds of the words to their actual meaning, and hence people think that they convey some satanic or prophetic message.

It remains a favorite album of mine. I was finishing primary school when I heard it for the first time. My parents both detested Argentine rock; for my mother it was all about depravation and drugs and violence (and she was right to a point). I now firmly believe it’s a masterpiece of rock, regardless of country, language, inspiration, colors, or origin. It’s rich, layered, poetic, enthralling, fun, and of course to me, it brings oh so many memories.

Personal favorite songs: “Semen-Up” (yes, it’s a pun and the word means exactly the same in Spanish and in English), “Motor Psico”, and of course “Ji Ji Ji” which sends shivers down my spine.

The Redondos disbanded in the early 2000s, and the lead singer (known as “El Indio Solari”) continued his career with another band named “Los Fundamentalistas del Aire Acondicionado” (aka “The Air Conditioning Fundamentalists”). They played songs from the Redondos, of course, and had their masterpieces too, like “Beemedobleve” (2013). El Indio also had some incredible collaborations with other bands, including this anthem called “Angel de los Perdedores” (“Loser’s Angel”, 1997), with the most amazing lyrics:

The night shatters your glass, selling illusions
leaving you scraps of dreams, in the corners
But, baby, your laughter is the magic of rock ‘n’ roll
I bear the mark of your stings tattooed on me.

You healed all your wounds with rotten water
you lied to the devil three times, selling him flowers
and you carried the Loser’s Angel on your shoulders.

In 2017 the Fundamentalistas performed the biggest rock concert in the history of Argentina (and probably many other countries) in front of… 400'000 souls. They literally took over a whole city in the middle of the Pampas (called Olavarría) for a day.

This video is filmed from the pogo. Don’t watch if you are sensible to lights and shaking cameras. Do watch it if you want a good laugh. Fast-forward to minute 2:50 for the crowd singing the chorus of “Ji Ji Ji”. To say it’s epic is the understatement of the decade.

You have no idea the cult following around El Indio Solari and the Redondos. He’s a bit like our version of Hunter S. Thompson in all possible ways. Sadly, Indio announced being hit with Parkinson shortly after that megaconcert, and lives since then in seclusion in an undisclosed location, only known to a few close friends.

The final lyrics of “Ji Ji Ji” in English can be roughly translated as follows… and I’ll leave the interpretation to you.

The final cut is really intriguing
It’s actually really entertaining
You’re walking through the dark crowd, caught off guard
Bullying those who’ve loved you

I didn’t dream it, yeah, eh-eh-eh
He stood up straight and toasted to your luck
I didn’t dream it, yeah, eh-eh-eh
And he offered himself better than ever
I didn’t dream it, yeah, eh-eh-eh
You were running adrift
I didn’t dream it, yeah, eh-eh-eh
Blind eyes wide open
Please don’t look, and don’t turn on the light
The image has disfigured you, uh-oh, uh-oh, uh-oh, uh-oh

See?
There’s Chernobyl, Chernobyl
Chernobyl, Chernobyl
Chernobyl, Chernobyl

Speaking about El Indio Solari, here’s a picture I took in April in Buenos Aires; it is a graffiti at the corner of San Martín avenue and Punta Arenas street, in the neighborhood of La Paternal, showing El Indio, Maradona, the FIFA World Cup trophy, the seal of the Peronist party, and the veterans of Malvinas/Falklands. All strong symbols of my birthplace.

Looking for options I discovered that Pandoc supports Typst since version 3.1.2, released in March 2023… but then I asked myself, what is Typst? Well it turns out it’s a new markup language coupled with a processor toolchain written in Rust; not just another one of those great “rewritings in Rust” but a new product, aiming at the same market than LaTeX but with all the speed of a Rust-built binary.

Typst provides all of the features I need, including syntax highlighting, math equation support, links as footnotes, and much more. So I gave it a shot, and with the help of Cursor I adapted the old LaTeX template used to generate PDF files into the one required by Typst, and I launched the generation of PDF files. The final templates are very readable I have to say, much more than the equivalent ones for LaTeX, that’s for sure.

So what happened? Well, the results were nothing short of spectacular. On my personal 2022 ThinkPad X1 Carbon (running Fedora 44) the time for a full build of all the PDF files for De Programmatica Ipsum went from more than 2 hours to… a mere 15 minutes 😳 ! And not only that, but there are many more configuration options available, providing much finer control over the final output.

I also adapted the PDF generation toolchain for my websites, and you can see the final products, for example on this website or on De Programmatica Ipsum. For reference, find below the Typst template I use for the PDFs generated with the contents of this website at the time of this writing.

// Pandoc Typst template
// Compatible with current Typst and Pandoc template variables.

#let horizontalrule = line(start: (25%, 0%), end: (75%, 0%))

#show terms: it => {
  it.children
    .map(child => [
      #strong[#child.term]
      #block(inset: (left: 1.5em, top: -0.4em))[#child.description]
    ])
    .join()
}

#set table(inset: 6pt, stroke: none)

#let admonition(title: [], strokeColor: rgb("#1976D2"), fillColor: rgb("#E7F1FB"), titleColor: rgb("#0D47A1"), body) = block(
  width: 100%,
  inset: (x: 10pt, y: 8pt),
  radius: 4pt,
  fill: fillColor,
  stroke: (left: (paint: strokeColor, thickness: 2.3pt)),
)[
  #set text(size: 0.88em, weight: "bold", fill: titleColor)
  #title
  #parbreak()
  #v(0.2em)
  #set text(size: 1em, weight: "regular", fill: black)
  #body
]

#show figure.where(kind: table): set figure.caption(position: $if(table-caption-position)$$table-caption-position$$else$top$endif$)
#show figure.where(kind: image): set figure.caption(position: $if(figure-caption-position)$$figure-caption-position$$else$bottom$endif$)

#let resolve-image-path = path => {
  if path.starts-with("/") or path.starts-with("http://") or path.starts-with("https://") {
    path
  } else {
    let rp = "$resource-path$"
    if rp == "" {
      path
    } else {
      rp + "/" + path
    }
  }
}

#let _image = image
#let image(path, ..args) = _image(resolve-image-path(path), ..args)

#let month-name = m => (
  if m == "01" { "January" }
  else if m == "02" { "February" }
  else if m == "03" { "March" }
  else if m == "04" { "April" }
  else if m == "05" { "May" }
  else if m == "06" { "June" }
  else if m == "07" { "July" }
  else if m == "08" { "August" }
  else if m == "09" { "September" }
  else if m == "10" { "October" }
  else if m == "11" { "November" }
  else if m == "12" { "December" }
  else { m }
)

#let ordinal = day => {
  let d = int(day)
  if calc.rem(d, 100) == 11 or calc.rem(d, 100) == 12 or calc.rem(d, 100) == 13 {
    [#d#("th")]
  } else if calc.rem(d, 10) == 1 {
    [#d#("st")]
  } else if calc.rem(d, 10) == 2 {
    [#d#("nd")]
  } else if calc.rem(d, 10) == 3 {
    [#d#("rd")]
  } else {
    [#d#("th")]
  }
}

#let format-commit-date = raw => {
  // Accept YYYY-MM-DD or ISO-like values and keep first 10 chars.
  let clean = if raw.len() >= 10 { raw.slice(0, 10) } else { raw }
  let parts = clean.split("-")
  if parts.len() == 3 {
    [#month-name(parts.at(1)) #ordinal(parts.at(2)), #parts.at(0)]
  } else {
    [#raw]
  }
}

#set smartquote(enabled: true)

$for(header-includes)$
$header-includes$

$endfor$

#show link: it => [
  #it.body
  #footnote(it.dest)
]

#show: doc => {
  set document(
$if(title-meta)$
    title: [$title-meta$],
$elseif(title)$
    title: [$title$],
$endif$
$if(subject)$
    description: [$subject$],
$endif$
$if(author-meta)$
    author: [$author-meta$],
$endif$
$if(keywords)$
    keywords: ($for(keywords)$[$keywords$]$sep$,$endfor$),
$endif$
  )

  $if(lang)$
  set text(lang: "$lang$")
  $endif$

  $if(mainfont)$
  set text(font: ("$mainfont$",))
  $else$
  set text(font: ("IBM Plex Sans",))
  $endif$

  $if(fontsize)$
  set text(size: $fontsize$)
  $endif$

  $if(monofont)$
  show raw: set text(font: ("$monofont$",))
  $else$
  show raw: set text(font: ("IBM Plex Mono",))
  $endif$

  set page(
    numbering: none,
    footer: context {
      let n = counter(page).get().first()
      if n > 1 {
        align(center, counter(page).display($if(page-numbering)$"$page-numbering$"$else$"1"$endif$))
      }
    },
  $if(papersize)$
    paper: "$papersize$",
  $endif$
  $if(margin)$
    margin: ($for(margin/pairs)$$margin.key$: $margin.value$,$endfor$),
  $else$
    // More balanced defaults for article PDFs.
    margin: (top: 2.6cm, bottom: 2.2cm, left: 2.2cm, right: 2.2cm),
  $endif$
  )

  doc
}

$for(include-before)$
$include-before$

$endfor$

$if(title)$
#align(center)[
  #set text(size: 1.55em, weight: "bold")
  $title$
  $if(subtitle)$
  #v(0.25em)
  #parbreak()
  #set text(size: 1.08em, weight: "regular")
  $subtitle$
  $endif$
  $if(date)$
  #v(0.15em)
  #parbreak()
  #set text(size: 0.50em, weight: "regular")
  #format-commit-date("$date$")
  #v(0.45em)
  #parbreak()
  $endif$
]

$if(abstract)$
#parbreak()
#heading(level: 1)[Abstract]
$abstract$
$endif$
$endif$

$if(image)$
#figure(
  image("$resource-path$/$image$"),
)
$endif$

$if(toc)$
#outline(
$if(toc-title)$
  title: [$toc-title$],
$else$
  title: auto,
$endif$
  depth: $toc-depth$,
)
$endif$

$if(lof)$
#outline(
  title: [List of Figures],
  target: figure.where(kind: image),
)
$endif$

$if(lot)$
#outline(
  title: [List of Tables],
  target: figure.where(kind: table),
)
$endif$

$body$

$if(citations)$
$if(csl)$
#set bibliography(style: "$csl$")
$elseif(bibliographystyle)$
#set bibliography(style: "$bibliographystyle$")
$endif$
$if(bibliography)$

#bibliography($for(bibliography)$"$bibliography$"$sep$,$endfor$)
$endif$
$endif$

$for(include-after)$

$include-after$
$endfor$

You can download an example output of this new PDF generation toolchain in the form of the file conway-in-c89.pdf, extracted using the source of the article with the same name.

The eiPott was this short-lived thingy made by Koziol in 2010: a small, colorful plastic dish where you could eat a hard-boiled egg.

The name (and the very shape of the thing, really) comes from the German words “Ei” (meaning “Egg”) and “Pott” (meaning… “pot”). And needless to say, the name was a pun around the word “iPod”, whereby in German you would pronounce “eiPott” similarly.

Of course Apple did not appreciate the joke, as the Mac Observer and many other news outlets reported back in the day. It was far more than a simple “cease-and-desist” thing; Apple literally took the infringement to the courts, and a German judge sided with Steve Jobs on this one. The settlement involved some fines and everything.

I remember posting a message on Twitter (remember? Yeah, those were the days) about the eiPott, and then I got a call from Bertrand, and we were both laughing uncontrollably about the thing for a while. We both thought it was as brilliant as it was clumsy; he had a law degree, so he knew that playing such a game wasn’t going to come for free. But he loved the pun, a lot.

And next thing I know, a few days later I received a package in the post; a Koziol eiPott, bought by Bertrand and delivered to my place. He was like this. I still have my eiPott, proudly displayed in my home office, and every time I see it I remember him.

I miss Bertrand. 2016 was really a terrible year. We lost so much.

To begin with, the mandatory TL;DR: I love it. There is no way to put it; this is by far the best keyboard I have ever owned, and I cannot believe I didn’t get one earlier. Seriously good. Of course I got mine with the mandatory US (ANSI) layout, which you can see in the picture below.

There are several things that I found outstanding in this keyboard. Foremost, the packaging is (let’s be honest) sublime. Outside the Apple galaxy, where things are always beautifully packaged, few manufacturers try to stand out in packaging; Keychron is the exception, clearly.

Then the accessories: it comes bundled with all sorts of tools and with keycaps replacing the dreaded “Windows” key, which faithful readers know I loathe and despise vehemently. Inside a little bag there’s a classic macOS “Command” key and a much more appropriate “Alt” key, which, as you can see in the picture, is the one I ended up installing.

Then there’s the configuration. To change various settings on your keyboard, you can use the Keychron Launcher, which, surprisingly enough, is a web application. At the time of this writing, it is only available on Chrome (or Chromium, as is my case) or other browsers using the same engine (Opera and Edge, most notably). Although apparently Firefox will soon gain access to the coveted Web Serial API, which would expand the availability of this application to our beloved browser as well. Crossing fingers.

Then comes the keyboard itself; I’ve chosen a unit with brown switches, and I have to say, I love it. It has the tactile feedback of the blue switches I already knew (my good old Das Keyboard 4 Ultimate I bought in 2015 had blue switches), but without the insane level of noise. Yes, maybe I’m getting old, and I need a bit quieter environment around me. Who knows?

Also: it is heavy! Very dense, almost as heavy as my old Das Keyboard but with a smaller size, and the construction quality is seriously good.

Some key combinations that I had to look for in the documentation, leaving them here for future reference:

• Fn + B to see the battery level (as a very nice LED animation below the number row; I love those kinds of small details)
• Fn + W to increase the brightness of the LEDs and Fn + S to bring it down. Although there are also dedicated function keys for that (Fn + F6 and Fn + F5, respectively).

I love the fact that this keyboard comes with arrow + utility keys (Ins, Del, Home, End, Page Up, and Page Down) located in the standard location of most keyboards, without fancy Fn + combinations to make them work properly (my previous keyboard before the Keychron was a Logitech MX Keys Mini… and it was a bit too minimalist for my taste). It also has a very handy volume knob next to the F12 key, and did I mention that all keys are completely programmable through the Launcher application?

TIP: Fun fact: on my Fedora system, the microphone key on the top-right corner of the screen, supposedly launching Cortana on Windows, instead opens up the calculator on my Fedora. Of course you can customize that, but I actually use the calculator quite a bit, believe it or not, so this was definitely a nice surprise.

As for the LEDs beneath the keys, I opted for the “heatmap” setting, where the most used keys are the ones getting the “hotter” colors. I found that quite cool, and it’s a funny way to discover my typing patterns.

Now for the less fun part: I tried accessing the Keychron Launcher app from two different laptops, both running Fedora 43, and in the first (my Lenovo laptop provided by Red Hat), it worked out of the box; however, on my personal one (a Lenovo ThinkPad X1 Carbon Gen 10), I could not make it recognize my device, and I was getting an error message looking like this:

A little bit of Google-fu later, I found the solution in a GitHub Gist showing a short Bash script that gets the trick done. Run the script as sudo, et voilà! My keyboard was properly recognized by the system.

So, conclusion: I love this keyboard; it is very comfortable, I can type at full speed, and I can write more and more text for this blog and my magazine every day. Highly recommended!

I was invited by my friend (and community extraordinaire) Junior “Bonto” Bontognali to talk at the first edition of the App Builders conference, the first (and to my knowledge, to this day the only) 100% Swiss conference about mobile applications, with tracks for both iOS and Android developers.

I ended up speaking at the first four editions of App Builders, from 2016 to 2019. They took place all over Switzerland, from Zürich in 2016 to Lausanne in 2017 (in the French-speaking area of Switzerland, also known as the “Romandie”), to finally the gorgeous town of Lugano in the Italian-speaking section of the country for the 2018 and 2019 events.

That first edition in Zürich was more than memorable, totally epic, and featured sessions and attendees among which many luminaries (many of whom I have the immense privilege of calling friends) were there, like Anastasiia Voitova, Natasha Murashev, Vikram Kriplaney, Sebastian Vieira, Graham Lee, Daniel Steinberg, Vitaly Friedman, Nicolas Seriot, Steve “Scotty” Scott, Eliezer Talón, John Sundell, Orta Therox, Marin Todorov, and so many more. If you were active in the Swiss mobile app development community ten years ago, you know the names I just mentioned; they ring more than just a bell.

And thus I delivered the closing keynote on the first day of App Builders 2016, in a session titled “Being A Developer After 40”.

For some unknown reason, this talk hit a chord in the audience (I’m sure it was the Clippy reference, no doubt about that). It was one of my favorite moments on stage, ever. I had a blast. And I got what I suppose can be called a standing ovation at the end.

I am not used to these things, clearly.

Bonto and his team (among whom were my friends Susanna Riccardi and Patrick Balestra) recorded the talk and posted the video on YouTube a few days later. But the same evening of that talk, I published my speech on Medium and went to bed, exhausted and happy.

The following day, as the speakers were starting their sessions, Bonto approached me and, without saying a word, showed me the home page of Hacker News on his iPhone.

I was speechless.

What followed cannot be described as anything else but pure madness.

My Twitter and LinkedIn follower count jumped by 150% on a single day, and I got flooded with messages and congratulations by people from all over the world. The video on YouTube went into the thousands of views, and my Medium.com article (which I agreed to include in the FreeCodeCamp community of that website for a while) cumulated hundreds of thousands of views overnight. The article was reprinted by a (now defunct) monthly publication called “Hacker Bits.” Even crazier, I had people voluntarily translating the articles to other languages, and thus came to life versions in Russian, Hungarian, Czech, Portuguese, Farsi, Vietnamese, and Romanian. And finally, I was asked to re-deliver that same talk in India in September 2016 and then in France in April 2017.

I still have people (colleagues, conference attendees, etc.) come up to me to tell me spontaneously of how much they liked it. And I’m amazed to hear that, just like the first day.

To say that I’m still speechless as I write these words would be the understatement of the decade. In particular, I’m so thankful to all the translators for the time they took to adapt my words into so many languages. I know it was a lot of work… because, well, it’s a really long speech with almost 5000 words!

After App Builders, Bonto and his team came up with another gem of a conference: The Swift Alps, held in November 2016 in the gorgeous town of Crans-Montana (a place that, sadly, became known by a horrendous tragedy at the beginning of this year). I participated in the first two Swift Alps, but my (already visible at the time) lack of enthusiasm for Swift led me to drop out from that event, starting from the third edition onwards.

The pandemic was too strong for App Builders and Swift Alps; their last editions were (at the time of this writing) in 2022, and since then, nothing else has happened. It’s sad; it was a sensational family of events organized by the sweetest team ever. Hopefully we can get it back up on its feet one day.

So, there you go: 10 years later, I’m so thankful for this talk and its warm reception by the community. Thank you all.

The current list is the following; those languages that appear in the Conway Game of Life project appear in bold.

• 1992: QBasic
• 1993: Turbo Pascal
• 1994: ANSI C
• 1995: Delphi
• 1996: JavaScript. Others: HTML
• 1997: Java
• 1998: VBScript. Others: CSS
• 1999: Transact-SQL
• 2000: C#. Others: Prolog
• 2001: C++
• 2002: PHP. Others: C#
• 2003: Objective-C
• 2004: Visual Basic.NET
• 2005: Ruby
• 2006: LINQ. Others: C# 2.0, C++
• 2007: Erlang
• 2008: Python
• 2009: Go
• 2010: Common Lisp
• 2011: Haskell
• 2012: Lua
• 2013: C++ 11
• 2014: Scala
• 2015: Swift. Others: C++ 14
• 2016: Kotlin. Others: Swift 3, Java 1.7
• 2017: TypeScript. Others: 68K Assembler, PHP 7, awk
• 2018: F#. Others: C# 7, Elisp
• 2019: Go. Others: Scheme, Ballerina
• 2020: Smalltalk. Others: COBOL, Rexx
• 2021: Rust. Others: R
• 2022: Dart. Others: Elixir, Crystal, Perl, D
• 2023: Zig. Others: Minimal BASIC, Fortran
• 2024: Bash, Vala, APL
• 2025: C23, C++23
• 2026: Hare

NOTE: Yes; the list above is 35 lines long. I can’t really believe it.

Hare

So yes, this year I dived into Hare, another one of those programming languages that aim to become the “next C”, allowing developers to write fast lower-level code, without… well, writing C. (Insert shrug emoji here.)

Here go some notes I took while diving into the subject, hopefully they’ll be useful to you too.

• Home page.
• Created by Drew DeVault
  • Announcement and another announcement.
• Source code
  • Based on the QBE backend which I didn’t know about.
• Standard library docs

This language has been around since 2022, so there’s already quite a few “first impressions” out there, that I recommend you read, too:

• Quite a long (1 hour 40 minutes!) recording of a streaming session with an introduction to the language (published in 2024).
• First impressions by Dhole
• More impressions
• And some very early impressions (2021) by Kiëd Llaentenn.

Finally, if you would like to see some example code written in Hare, I found the following:

• There’s a “Hare by Example” website.
• An operating system built with it, because why not.

In my own experiment, I literally gave Cursor the whole Conway project and asked it to translate it to Hare; and lo and behold, it succeeded, with just 3 iterations.

export fn main() void = {
	let w = world_new(30);

	const p1 = blinker(coord { x = 0, y = 1 });
	const p2 = beacon(coord { x = 10, y = 10 });
	const p3 = glider(coord { x = 4, y = 5 });
	const p4 = block(coord { x = 1, y = 10 });
	const p5 = block(coord { x = 18, y = 3 });
	const p6 = tub(coord { x = 6, y = 1 });

	seed(&w, p1[..]);
	seed(&w, p2[..]);
	seed(&w, p3[..]);
	seed(&w, p4[..]);
	seed(&w, p5[..]);
	seed(&w, p6[..]);

	let generation = 0;
	for (true) {
		generation += 1;
		world_print(w, generation);
		time::sleep(500 * time::MILLISECOND);
		w = world_evolve(w);
	};
};

IMPORTANT: Interestingly, of all the “C successor” languages (a select group where Rust and Zig appear as pioneers) Hare is the one that requires the least amount of code to reproduce this application, more or less the same as Java, Dart, or D, while Zig and Rust require slightly longer codebases (25% longer for Zig, 40% longer for Rust) for the same results.

All in all, I found Hare interesting; it is worth exploring it more in the future, although you might infer from the lack of enthusiasm in my writing that there wasn’t really anything special that caught my attention. It’s a commendable and interesting work for sure, but that’s all. (And, yes, I do sometimes expect a bit too much from programming languages, most probably.)

We can solve this step by step as follows. First, eliminate $y$ adding $(1)$ and $(2)$ together:

Eliminate $y$ multiplying equation $(2)$ by $2$ and adding it to equation $(3)$:

Adding this to equation $(3)$ we get:

Solve the $2 \times 2$ system for $x$ and $z$: from equation $(5)$, we can see that $z = 10 - 7x$. Substitute this into equation $(4)$:

Now, find $z$:

Finally, find $y$ using equation 1:

And the final solution is:

Et voilà! This simple algorithm was one of my discoveries of 1989. Then came other methods, including substitution and matrices (aka Cramer’s rule), but traditional calculus (that is, derivatives and integrals) wasn’t a part of the curriculum for the exam.

I tried to connect Boatswain to my Flatpak-installed version of OBS Studio (of which I’ve already talked in a previous article) to simplify its use, and I discovered that the latest versions of OBS Studio use a WebSocket 5-based API, while unfortunately Boatswain only speaks the old OBS Studio API based on WebSocket 4.

The solution consists in installing an older version of the obs-websocket plugin, which thankfully in Flatpak is just a simple command away:

$ flatpak install com.obsproject.Studio.Plugin.WebSocket

Once this is done, just customize your buttons on Boatswain, adding as many OBS-related tasks as you’d like (to start and stop recording or streaming, to switch scenes, or even to mute your audio input) and have fun!