California Governor 2026

Who are these people?

An analysis based on actions, not statements.

California Governor 2026  ·  Primary: June 2, 2026  ·  Analysis based on actions, not statements
Candidate Profiles
Xavier Becerra
19% overall  ·  31% Dem voters (Emerson, May 9–10)
Core identity: institutional progressive, litigator, party loyalist
  • Filed 122 lawsuits against the first Trump administration as AG — immigration, ACA, environment. High-volume adversarial posture, consistently aligned with the Democratic party line.
  • Created an environmental justice bureau at the CA DOJ; used prosecutorial power on air quality and industrial permitting fights.
  • Negotiated Medicare drug price reductions of 38–79% on 10 drugs including Eliquis and Jardiance, saving an estimated $6B in 2023 — the most concrete executive-branch result he can point to.
  • Rejected cancer patients’ petition to invoke march-in rights law to break drug patents — a notable limit on how far left his HHS tenure actually went.
  • 12 terms in Congress, Ways and Means Committee. Deep establishment ties, not a reformer.
  • Supported Hillary Clinton in 2016 (was on her VP shortlist). Textbook party insider.
Tension His litigation record is genuinely aggressive, but his HHS tenure drew criticism for being largely absent publicly during COVID and for confusing public health messaging. The 122 lawsuits are a strong résumé line; the pandemic management record is a liability he hasn’t fully answered for.
Katie Porter
10% overall  ·  15% Dem voters
Core identity: consumer protection hawk, outsider positioning, progressive caucus
  • Since 2018, has not accepted campaign donations from corporate PACs — co-led a 100-member coalition to push H.R.1 (campaign finance reform).
  • Was one of the first Democrats in a swing district (Orange County) to support Trump impeachment inquiry in 2019 — took real electoral risk in a district that could punish her for it.
  • Voted 98.2% in line with Biden’s stated positions as of mid-2022. Progressive caucus deputy chair, but not a maverick from the party.
  • Used congressional hearings to extract public admissions from executives — Postmaster General DeJoy on postal costs, UnitedHealth on COVID reimbursements.
  • Co-chaired Elizabeth Warren’s 2020 presidential campaign — her ideological home is the Warren wing, not the Sanders wing.
  • Multiple former staffers described her to the Washington Post as domineering and abusive. A documented pattern, not a one-off allegation.
  • Lost the 2024 Senate primary to Adam Schiff. Running for governor after that loss.
Tension The no-corporate-PAC posture is consistent and backed by action, but she’s fundamentally a party-line voter. The gap between “outsider reformer” branding and 98% Biden alignment is worth noting. The staff treatment allegations are a real liability.
Matt Mahan
8% overall
Core identity: center-right Democrat, tech-aligned, results-over-ideology
  • Endorsed California Prop 36 in 2024, which increased sentences for certain theft and drug crimes — went against most state Democratic leaders. The most ideologically revealing single action.
  • Opposed San Jose’s 2023 municipal union deal that raised wages and parental leave, citing future budget deficits — anti-labor in a union-heavy Democratic primary is a real choice.
  • Opposed citywide elimination of single-family zoning but proposed transit-oriented density instead — YIMBY-adjacent but not blanket upzoning.
  • Backed by Sergey Brin and Palantir co-founder Joe Lonsdale — the donor base tells you the ideological positioning: Silicon Valley libertarian-adjacent money.
  • Claims to have reduced San Jose’s homeless population by a third. Independent verification is limited, but it’s a governing record, not just a campaign claim.
  • Local Democratic leaders say his positions read “a little Republican too.”
Tension He’s the most action-verified candidate in terms of governing record, but his actual policy positions sit well to the right of the Democratic primary electorate. The Prop 36 endorsement and union opposition are genuine tells. He would probably govern most like a Bloomberg-era Democrat.
Tom Steyer
17% overall  ·  20% Dem voters
Core identity: climate-first activist, orthodox Democratic donor, self-funder
  • Spent ~$74M on the 2014 elections through NextGen Climate to elect specific candidates and influence climate policy. Single largest donor in American politics that cycle.
  • Put $5M into defeating California Prop 23 (2010), which would have suspended the Global Warming Solutions Act. Passed 61–39.
  • Founded and bankrolled Galvanize Climate Solutions after leaving Farallon — climate investing as a second career.
  • Fundraised for Mondale, Bradley, Kerry, and was one of Obama’s most prolific bundlers — consistent Democratic party operation, not outsider.
  • Backed Terry McAuliffe in Virginia (2013) and Democrats in Senate races across Iowa, Colorado, New Hampshire, Michigan.
  • NextGen America donated $2.3M to immigration legal services orgs in 2017.
  • Now self-funding $132M+ on the 2026 CA governor’s race — most expensive gubernatorial campaign in state history.
Tension The wealth funding his climate work came partly from Farallon Capital, which held stakes in fossil fuels and private prisons during his tenure. He left in 2012. Climate is his signature issue, yet it ranks third among voter concerns — behind the economy and housing affordability.
Comparative Record

“No record found” reflects the limits of a candidate’s role, not necessarily their position. Polling: Emerson College, May 9–10, 2026.

Issue Becerra Porter Mahan Steyer
Ideological anchor Center-left Warren wing Center-right Climate-left
Labor Pro-union Pro-labor Anti-union Opposed 2023 SJ wage deal Mixed Some labor endorsements
Corporate PAC money Establishment Dem No corp PACs since 2018 Tech billionaires (Brin, Lonsdale) Self-funded
Governing record AG + Biden HHS Secretary Congress only (no executive office) San Jose mayor 2023–present None (activist/donor)
Immigration Sued to defend DACA; 122 Trump suits incl. ICE overreach No distinct action record No record (not a mayoral issue) Funded $2.3M to immigration legal services (2017)
Healthcare Negotiated Medicare drug cuts 38–79%; rejected patent march-in for cancer drugs No Surprise Act vote; called out UnitedHealth on COVID reimbursements; criticized pharma buybacks No record No record
Criminal justice Created CA DOJ env. justice bureau; air quality enforcement suits No distinct record Endorsed Prop 36 (increased sentences for theft/drugs); backed more police hiring and license plate readers No record
Housing No clear record No distinct record Opposed blanket upzoning; pushed transit-oriented density; reduced permitting friction No record
Climate AG env. enforcement; created DOJ env. justice unit House Natural Resources Committee; co-sponsored env. bills Some clean energy work at city level; no major actions $74M in 2014 elections on climate; founded NextGen Climate; co-founded Galvanize Climate Solutions
Donor base Party establishment, labor, Latino orgs Small-dollar donors, Warren/progressive network Silicon Valley billionaires, business orgs Himself; some labor/env. endorsements
Key contradiction Absent/weak during COVID as HHS head 98% Biden alignment vs. “outsider” brand; staff abuse allegations Positions read “a little Republican” per local Dem leaders Climate wealth built on Farallon fossil fuel / private prison stakes
Data sourced from Wikipedia, CalMatters, Emerson College Polling, GovTrack, OpenSecrets  ·  Polling: May 9–10, 2026  ·  Analysis reflects public record of actions, not campaign statements
by stephen

a Cisco SD-WAN primer

The underlying concept of software-defined WAN is that a router’s management and control planes are abstracted from the hardware and reside in the cloud. That router abstraction allows a company to join multiple physical locations into a single network over redundant, low-cost, telecommunication links. The idea is that a router chassis is drawn apart and distributed across a distance — the I/O modules remain physically on-premises while the switch fabric is stretched over long distance media (via TCP/IP, MPLS, 4G/LTE, etc.) and the backplane is virtualized on cloud servers.

The software of a router can be viewed as having three component systems: 

1) The Data Plane refers to all the functions and processes that forward packets and frames from one interface to another — routed data. In SD-WAN, the data plane is tunneled between on-premises edge-routers. Cisco calls them vEdges (named for Viptella, an SD-WAN company that Cisco bought) or cEdges

2) The Control Plane refers to all the functions and processes that determine which path to use — routing data. in SD-WAN, the control plane is shared between edge-routers via cloud-based controllers. Cisco’s controllers are called vSmart, and Cisco SD-WAN also requires another cloud-based server called vBond for network discovery. 

3) The Management Plane refers to the configuration used to control and monitor devices. In SD-WAN, the management plane also resides in the cloud. Cisco’s management server is called vManage.

by stephen

Updating VMware vCenter Server Appliance

Terminology

Baseline
A predefined or custom set of patches, extensions, or upgrades used to update an ESXi host or VM.

Dynamic vs Fixed
Dynamic baselines have selectable criteria for which patches are included.

Fixed baselines allow you to choose specific patches to include.

Attaching / Detaching
Baselines (or baseline groups) are attached to hosts (or clusters of hosts), and then you scan. What you’re attaching is actually just the metadata of the baseline.

Baseline Group
A bunch of baselines, or an aggregate of individual patch and upgrade baselines. An upgrade involves a release number change (e.g. vSphere 6.5 to 6.7). An smaller change uses a patch or update (e.g. vSphere 6.0 Update 1).

Scanning
The process of checking if the host(s) or VMs need any of the patches (etc.) in the baseline (or group).

Staging
The process of downloading the actual data of the patches ahead of remediating.

Remediating
The process of applying the patch, extension, or upgrade to an ESXi host or VM. The data will be downloaded if needed — if you didn’t stage the patches. So you need to attach, then scan, stage if you want, and then remediate.

Patch Metadata
Index files stored in the patch repository that list all known patches available for use by Update Manager.

Patch Repository
The directory on the Update Manager Server that holds the Patch Metadata as well as the patches.

Host Extension
Additional software to apply to a host.

VAMI
vCenter Server Appliance Management Interface.
vCenter Server Appliance is a VM that runs in ESXi and manages the entire vSphere environment, and you usually access it via its web UI. But it also has a separate web ui for managing itself, which is accessed at its URL on port 5480.
vsphere.company.com:5480

To update vCenter

(For example from build 6.7.0.10000 to 6.7.0.20000.)

Go to https://my.vmware.com/group/vmware/patch#search

Choose vc and download the latest patch.

In this case:

  • Release name:
  • VC-6.7.0-update01.Appliance-Patch
  • release date
  • 10.16.2018
  • File name:
  • VMware-vCenter-Server-Appliance-6.7.20000-10244745-patch-FP.iso
Then attach the iso to the Vcenter Appliance VM.
  • Actions > Edit Settings > CD/DVD drive > attach datastore or client device file.
Make a snapshot

just in case.

Check for Updates
  • Log into the VAMI as root:
  • https://:5480
  • Navigate to Update > Check Updates > Check CD-ROM + URL
  • Twirl down the selected update and click RUN PRE-UPDATE CHECKS
  • Click Stage only
  • Click INSTALL
  • You’ll need to make a small backup.

To make the backup

You can back up to a server via SCP, HTTPS, HTTPS, FTP, or FTPS (but not SFTP).
Enter the server address like so:
– protocol://:/path
– scp://backup.server.info:22/~
You’ll enter the user name and password separately.

vcenter backup

If you get this ERROR:

vcenter_backup_error

Log into vCenter via SSH as root.

$ ssh root@vsphere.company.com

VMware vCenter Server Appliance 6.7.0.10000

Type: vCenter Server with an embedded Platform Services Controller

Password:
Connected to service

* List APIs: "help api list"
* List Plugins: "help pi list"
* Launch BASH: "shell"

Command>

Enable a BASH shell:

Command> shell

Shell access is granted to root

root@vcenter [ ~ ]#

Check the status of vCenter services with:

  • service-control --status
root@vcenter [ ~ ]# service-control --status

Stopped:
vmcam vmware-imagebuilder vmware-mbcs vmware-netdumper vmware-postgres-archiver vmware-rbd-watchdog vmware-vcha vsan-dps
Running:
applmgmt lwsmd pschealth vmafdd vmcad vmdird vmdnsd vmonapi vmware-analytics vmware-cis-license vmware-cm vmware-content-library vmware-eam vmware-perfcharts vmware-pod vmware-rhttpproxy vmware-sca vmware-sps vmware-statsmonitor vmware-sts-idmd vmware-stsd vmware-updatemgr vmware-vapi-endpoint vmware-vmon vmware-vpostgres vmware-vpxd vmware-vpxd-svcs vmware-vsan-health vmware-vsm vsphere-client vsphere-ui
root@vsphere [ ~ ]#

Start the service with

  • service-control --start
root@vcenter [ ~ ]# service-control --start vmware-postgres-archiver
Operation not cancellable. Please wait for it to finish...
Performing start operation on service vmware-postgres-archiver...
Successfully started service vmware-postgres-archiver
root@vcenter [ ~ ]#
by stephen

Add a DMARC record to your mail server.

DMARC is Domain-based Message Authentication Reporting and Conformance
DMARC uses SPF and DKIM to tell receiving email servers what to do (accept, reject, or quarantine) with messages that purport to be from your domain. It also reports to you.
DMARC is defined by a DNS record (TXT) and specifies:
  • An action policy for messages failing both SPF and DKIM. DMARC passes when either SPF or DKIM passes.
  • In Microsoft’s implementation of DMARC for incoming mail (which we don’t control), both SPF and DKIM must pass.
  • Allows for partial checking, e.g. 5 percent of mail.
To implement DMARC, you must first set up SPF and DKIM.
In Office 365, DMARC for incoming mail is done for you. But you must set up DMARC for your domain yourself.

SPF – Sender Policy Framework

SPF is a DNS record (TXT) that specifies which IP addresses are allowed to send mail on your domain’s behalf.
You need a single spf record for your domain, which will contain all the IP addresses that are allowed to send mail on your behalf.
Example record:

v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all

Example for Office 365:

v=spf1 include:spf.protection.outlook.com -all

Even if your domain doesn’t send mail, it is still vulnerable to spoofing and should have this SPF record:

v=spf1 -all

DKIM – DomainKeys Identified Mail

DKIM is a DNS record (TXT) that lets a domain associate its name with an email message by affixing a digital signature (using PKI) to it.
A valid signature guarantees that some parts of the email (possibly including attachments) have not been modified since the signature was affixed.
DKIM provides for two distinct operations, signing and verifying.
DKIM specification allows signers to choose which header fields they sign, but the From: field must always be signed.
You might need multiple DKIM records for your domain if you have different hosts, domains, or subdomains that you want to allow to send mail for you. Each host needs its own key specified in a separate TXT record, and each host is identified with a unique selector name.
Generate the keys with:

openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout -out public.key

Install the private key on the MTA/Email sending systems.
Publish the public key in the DKIM record with your registrar:
Example DKIM record:
  • type:  TXT
  • host:  selector1-dzsolutions-com._domainkey
  • Points to address or value:  v=DKIM1; k=rsa; p=<public_key>; n=1024,1453276987,1

DMARC

You want to ease into your DMARC policy to make sure it’s working correctly.
  • First, make a no-action policy (p=none;) that just collects reports. You’ll see who is sending mail on your behalf, and be able to correct for any senders you left out.
  • Second, switch to a low percentage quarantine policy (p=quarantine; pct=5;). It tells receiving servers to check only 5 percent of the mail, and if DMARC fails, send it to the spam folder. That way, most of the mail will go through no matter what, and your reports will show how well it’s working for the 5 percent. You can make adjustments until it works right.
  • Third, ease into rejecting (p=reject; pct=5;). Check your reports, adjust things, and increment up to 100%
no-action DMARC record:
  • Type:  TXT
  • Host: 
  • Value:  v=DMARC1; p=none; rua=mailto:admin@your_domain.com; ruf=mailto:admin@your_domain.com; sp=reject; ri:84600;
Where:
  • v is the version.
  • p is policy for handling pass/fail messages: none | quarantine | reject.
  • rua specifies where to send aggregate reports.
  • ruf specifies where to send forensic reports.
  • sp is the subdomain policy.
    If you have no subdomains for mail, it is best to reject.
  • ri is the time period for sending reports; default is 84600 seconds (24 hours).
Check your DMARC record at:
View the reports using https://dmarcian.com/ or https://mxtoolbox.com/domain/; they have validation tools for all DNS records.

by stephen

Create your own What’s My IP service.

Here’s an easy way to make your own IP echoing service on your own website if you’re hosting that website with Apache on a Debian-based Linux distro.

  • 1. Add a new site to the apache configuration. The file should be named as the URL with `.conf` at the end:

nano /etc/apache2/sites-available/myip.stephenfranklin.info.conf

And it should look like this:

ServerAdmin stephen@stephenfranklin.info
ServerName myip.stephenfranklin.info
DocumentRoot /var/www/myip.stephenfranklin.info/htdocs
ErrorLog /var/www/myip.stephenfranklin.info/logs/error.log
CustomLog /var/www/myip.stephenfranklin.info/logs/access.log combined
  • 2. Enable the site and reload apache:

root@www:sites-available$ a2ensite myip.stephenfranklin.info.conf
Enabling site myip.stephenfranklin.info.
To activate the new configuration, you need to run:
service apache2 reload
root@www:sites-available$ service apache2 reload
* Reloading web server apache2 *
root@www:sites-available$
  • 3. Then create the appropriate directories for that site in `/var/www/`:

mkdir -p /var/www/myip.stephenfranklin.info/htdocs
mkdir /var/www/myip.stephenfranklin.info/logs/

Create an index.php script in the htdocs directory:

nano /var/www/myip.stephenfranklin.info/htdocs/index.php
And put this in there:


< ?php echo $_SERVER['REMOTE_ADDR']."\n"; ?>
  • 4. Test it from another machine with `curl`:

stephen@mac:~$ curl -s http://myip.stephenfranklin.info/
191.145.122.55
stephen@mac:~$

That’s it! Try it out from a browser:
1_myip.stephenfranklin.info

by stephen

/dev/xvda1 should be checked for errors

Amazon EC2 Ubuntu instances sometimes display this message to the terminal when you ssh in:

**** /dev/xvda1 should be checked for errors ****

/dev/xvda1 refers to the first partition of the hard drive (which is actually a virtualized hard drive running under Xen). This partition (likely, the only partition) contains your machine’s file system. To run a file system check, we like to use the fsck command. But this can only be used when the file system is not in use, so we’ll tell the system to run it upon reboot. And to do that we need to temporarily change two files: /etc/fstab (the file system table), and /etc/default/rcS (a small configuration file).

About fstab:

LABEL=cloudimg-rootfs / ext4 defaults,discard 0 0
/var/swap.1 swap swap defaults 0 0

The file system table (/etc/fstab) contains information that allows the machine to automatically mount disk partitions. That is, it prepares them for access by assigning them a location (mount point) on the file system tree. For the partition that contains the file system, the table assigns it to the root directory, which is designated by a forward slash / in the second field.

The first field in an fstab entry contains the device node, in this case by it’s file system label. If you look in /dev, you’ll see many devices, including the disk (“xvda”) and its partitions (“xvda1”). You’ll also see the \dev\disk directory, and if you look in there you’ll see that you can list devices by-label or by-UUID.

Enter
ls -l /dev/disk/by-label
and you’ll see something like:

lrwxrwxrwx 1 root root 11 Jul 25 21:15 cloudimg-rootfs -> ../../xvda1

which shows that the label cloudimg-rootfs is just a link to the device /dev/xvda1.

The last field (in the fstab entry, not the ‘ls -l output) is what we’re interested in changing here. It’s the “pass number” and indicates the order in which file system checks are done. “0” tells it not to run fsck, “1” tells it to run fsck on the root partition, and “2” tell it to check other partitions. We’re going to change it to “1”.

About rcS:

The /etc/default/rcS file contains six variables that change the behavior of various boot scripts. (The “rc” term, as in .bashrc and rc.local, has some history behind it and may stand for “run commands” or “run configuration,” or something like that.) The variable we’re interested in is FSCKFIX, which, when enabled with a “yes”, will tell fsck to always repair the file systems without asking for further permission.

The repair:

  1. Edit fstab: 
    sudo vim /etc/fstab

    Look for the line describing the root (/) file system, and change the last ‘0’ to a ‘1’.

    LABEL=cloudimg-rootfs   /    ext4   defaults,discard    0 1
/var/swap.1 swap swap defaults 0 0

    To do that with vim:
    a. Enter insert mode by hitting ‘i’.
    b. Exit insert mode with the ‘esc’ key.
    c. Save and exit by typing :wq.

  2. Edit rcS: 
    sudo vim /etc/default/rcS

    Look for the line #FSCKFIX=no and under it type:

    FSCKFIX=yes
  3. Add in the /forcefsck trigger. 
    sudo touch /forcefsck

    In the script /etc/init/mountall.conf, there’s a line which looks for the /forcefsck file, and upon finding it, will direct fsck to perform a full file system check.

  4. Reboot. 
    sudo reboot
  5. Delete the line FSCKFIX=yes in the rcS file.
  6. Change the line in /etc/fstab back to a ‘0’.
    (The /forcefsck file was deleted for you by mountall.conf.)
by stephen

Revert to old version of Google Chrome (OS X)

The latest version of Chrome (39) introduced some annoying behavior when revealing and hiding the top bar, so annoying that I wrote up a bug report, and decided to keep using the previous version (37). But I kept getting this warning when starting the application:

Your profile can not be used because it is from a newer version of Google Chrome. Some features may be unavailable. Please specify a different profile directory or use a newer version of Chrome.

And my search settings (for which I have a lot of nifty shortcuts) were vaporized every time.

Here’s how I solved that problem:

cd ~/Library/Application Support/Google/Chrome/Default
mv Web\ Data Web\ Data.old

The warning is gone, and upon signing in to Chrome, my search settings were restored.

by stephen

Apple EarPods pin-out

Today I soldered a new jack onto my Apple EarPods. I have the EarPods with remote and mic. They’d been stretched and yanked too many times and were randomly pausing or advancing my podcasts. I bought a 50 peso knock-off pair (which worked but sounded like 50 peso earphones), and I cut off the jack. There are tear-downs online but they don’t mention the pin-out, so I had to work it out for myself. For future reference, here it is:

Pinout for the Apple EarPods with Remote and Mic
Tip – Left – Green
Ring1 – Right – Red
Ring2 – Ground – Green/Gold & Red/Gold & Red/Green*
Ring3 – Mic – Gold*

  • There’s a wire that has red and green strands wrapped around gold strands. Separate them. The red/green is ground. The gold is for the microphone.

(By gold, I mean the color of the insulation, not the metal.)

by stephen