Shellsharks Blogroll - BlogFlock

RE: Why Do You Need Big Tech for Your SSG? - Kev Quirk

2025-11-20T11:41:00.000Z

RE: Why Do You Need Big Tech for Your SSG?

by Loren Stephens

Loren posts a response arguing that while self-hosting and local builds have their charm, the simplicity and zero-maintenance nature of services like Netlify often make them the more practical choice for small personal sites.

Read Post →

I enjoyed this post as it approaches the problem I wrote about yesterday from a completely different perspective. While I spoke about rolling my own infrastructure and building locally to maintain control, Loren talks about the simplicity and cost (free!) of hosting with services like Netlify.

Loren closes his post by saying:

If you’re running a complex site or you’re philosophically opposed to big platforms, a VPS + rsync pipeline might be worth it. […] For my tiny, low-traffic static site, the convenience, zero cost, and redirect handling of GitHub + Netlify are hard to beat.

I think this is the crux of the whole discussion. For me, it’s more about control than being opposed to big platform. I think they have their place, but for my use case, my personal blog isn’t it. For Loren, it’s all about simplicity and just getting shit done.

It’s fantastic that we have different options that allow for more control, or for ease of use. As a result, we have a diverse pool of people and opinions on the Indie Web, and I don’t think anyone can argue against that being a good thing.

Thanks for reading this post via RSS. RSS is great, and you're great for using it. ❤️

Reply to this post by email

Read "The Charlie Kirk purge: How 600 Americans were punished in a pro-Trump crackdown" - Molly White's activity feed

2025-11-19T22:46:01.000Z

Read:

“The Charlie Kirk purge: How 600 Americans were punished in a pro-Trump crackdown”.

Raphael Satter and A.J. Vicens in Reuters. Published November 19, 2025.

Two months after Charlie Kirk's assassination, a government-backed campaign has led to firings, suspensions, investigations and other action against more than 600 people. Republican officials have endorsed the punishments, saying that those who glorify violence should be removed from positions of trust.

Published on Citation Needed: "Issue 97 – This is hardship" - Molly White's activity feed

2025-11-19T22:37:17.000Z

Published an issue of Citation Needed:

Issue 97 – This is hardship

While slumping prices have some fearing it’s crypto winter again, Trump looks to Saudia Arabia and American retail crypto investors to fund the development of his next hotel

The Peaceful Transfer of Power in Open Source Projects - Terence Eden’s Blog

2025-11-19T12:34:27.000Z

Most of the people who run Open Source projects are mortal. Recent history shows us that they will all eventually die, or get bored, or win the lottery, or get sick, or be conscripted, or lose their mind.

If you've ever visited a foreign country's national history museum, I guarantee you've read this little snippet:

King Whatshisface was a wise and noble ruler who bought peace and prosperity to all the land.

Upon his death, his heirs waged bloody war over rightful succession which plunged the country into a hundred years of hardship.

The great selling point of democracy is that it allows for the peaceful transition of power. Most modern democracies have rendered civil war almost unthinkable. Sure, you might not like the guy currently in charge, but there are well established mechanisms to limit their power and kick them out if they misbehave. If they die in office, there's an obvious and understood hierarchy for who follows them.

Most Open Source projects start small - just someone in their spare room tinkering for fun. Unexpectedly, they grow into a behemoth which now powers half the world. These mini-empires are fragile. The most popular method of governance is the Benevolent Dictator For Life model. The founder of the project controls everything. But, as I've said before, BDFL only works if the D is genuinely B. Otherwise the FL becomes FML.

The last year has seen several BDFLs act like Mad Kings. They become tyrannical despots, lashing out at their own volunteers. They execute takeovers of community projects. They demand fealty and tithes. Like dragons, they become quick to anger when their brittle egos are tested. Spineless courtiers carry out deluded orders while pilfering the coffers.

Which is why I am delighted that the Mastodon project has shown a better way to behave.

In "The Future is Ours to Build - Together" they describe perfectly how to gracefully and peacefully transfer power. There are no VCs bringing in their MBA-brained lackeys to extract maximum value while leaving a rotting husk. No one is seizing community assets and jealously hoarding them. Opaque financial structures and convoluted agreements are prominent in their absence.

Eugen Rochko, the outgoing CEO, has a remarkably honest blog post about the transition. I wouldn't wish success on my worst enemy. He talks plainly about the reality of dealing with the pressure and how he might have been a limiting factor on Mastodon's growth. That's a far step removed from the ego-centric members of The Cult of The Founder with their passionate belief in the Divine Right of Kings.

Does your tiny OSS script need a succession plan? Probably not. Do you have several thousand NPM installs per day? It might be worth working out who you can share responsibility with if you are unexpectedly raptured. Do you think that your project is going to last for a thousand years? Build an organisation which won't crumble the moment its founder is arrested for their predatory behaviour on tropical islands.

I'm begging project leaders everywhere - please read up on the social contract and the consent of the governed. Or, if reading is too woke, just behave like grown-ups rather than squabbling tweenagers.

It is a sad inevitability that, eventually, we will all be nothing but memories. The bugs that we create live after us, the patches are oft interrèd with our code. Let it be so with all Open Source projects.

Resonance - James' Coffee Blog

2025-11-19T12:12:11.000Z

I have been listening to a podcast interview between Ezra Klein and Brian Eno. In it, Eno referenced the concept of the “premature sheen.” I stopped what I was doing, paused the podcast, and started to think about what those words meant.

I wanted to learn more about the concept, so I searched for “preamture sheen” on the web. DuckDuckGo returned an info card of Martin Sheen at the top. Not quite the result for which I was looking, then I realised that there was a typo in my query and maybe that had something to do with it. ¹

The second result was Adactio’s blog post called “The premature sheen”. This looks familiar, I thought. I clicked on the result and realised that it was through Adactio’s blog that I first found this podcast episode.

I saw the post in my web reader, clicked through to Adactio’s blog, clicked on his link to the podcast, and that’s how I got here. Then a web search engine took me back to his blog. All of this is something of a cycle in finding information, a cycle in which personal websites are at the heart. I discovered the podcast through a personal website. I kept up to date with the personal website through a web reader tailored for following blogs.

I haven’t yet read about the concept of “premature sheen” for the serendipity of finding the blog post on which I originally discovered the podcast swept me away. The web is both wide and small. The web is full of potential. The web is wonderful.

I have been thinking for a while of making a list of “reasons to be optimistic about the web.” I tried writing that post but the writing felt a little bit forced, almost as if I was trying to apply sheen before I knew exactly what I wanted to say. I kept my writing as a draft. Now, I wonder if the form of that idea is a list of stories that emerge as I experience wonder with the web – stories like the one I shared above where I had a full-circle experience involving personal websites. A story where the next place to learn about something I heard was from a friend, on the web.

On a similar note, I read Y’all are great by Manuel earlier today, in which he noted “with all the other wonderful humans that are still out there, spending their time making sure the old school web, the one made by the people, for the people, is not dying.” Another personal website that is beaming hope into the world about the web can be!

The web is indeed not "dead." With every voice publishing on independent platforms, and every link between websites, the web shines. With every blog post, story, and note, the power of connection that the web makes possible is illuminated. We can build the web we want.

If you are looking to make something for the web today, I have a prompt for you: What stories do you have of times recently when the web has felt alive?

[1] Typo tolerance is one of my favourite features of search engines. Fun fact: when you add spelling correction in the background to a search engine, the engine becomes significantly more delightful to use. I don’t think Martin Sheen should have come up in the search result, but I’ll take any excuse to think for a moment about the West Wing.

Routines - James' Coffee Blog

2025-11-19T11:14:25.000Z

Over the last few weeks I have been working on rebuilding my morning routine.

I used to be regimented in my morning routine – everything scheduled down to the minute. I then ebbed the opposite way: my routines became unstructured, my mind every morning exerting itself to remember everything I need to do to start the day. With the experience of both of these extremes – regimentation and structurelessness – I feel like what would serve me best is a middle path: something in between.

I started by asking myself how I would like to start the morning. I decided that I wanted to do a bit of reading, even 15 minutes worth, before starting the day. Reading helps me ease into my day. I am reading Best Wishes from the Full Moon Coffee Shop right now. Because it is winter, the mornings are relatively dark so I light up my room with my fairy lights – my day starts and ends with reading under the fairy lights. At least as much as possible, for within routines there are fluctuations.

I then make coffee. To make coffee, I start by putting water in the kettle and turning the kettle on. I put a filter paper in my coffee brewer. I weigh 15 grams of coffee. I grind the coffee with my hand grinder. I put the coffee in the filter paper, then the coffee brewer on top of my cup. I put my cup on the scale, reset the scale to 0g, and then start brewing coffee. I pour water at 50g of water starting at 0s, 100g of water starting at 40s, and a further 100g of water starting at 1m15s. I try to be as consistent as I can, striving to pour exactly 250g of water in total. I celebrate a little bit every time I pour precisely; my accuracy fluctuates.

I love making coffee. All the steps may be the same, and I may have made coffee hundreds of times, but it doesn't make the process of making coffee any less special. I always look forward to making coffee.

With coffee – and breakfast – ready, I finish the rest of my routine of all the other things you need to do to get ready. Then I start my day.

Getting to the point of having a morning routine was hard. If I wake up early enough that I will have time to read, will I not be tired? How will I stop myself from snoozing the alarm?

Despite all the looming questions on my mind, I kept reminding myself of how much it matters to take care of the essentials – getting good sleep, reading stories, and starting the day right with a good breakfast. I’m going to bed earlier too, so I feel more well rested (although coffee is still an essential in helping me find the energy to start the day!). You don't realise how true and important the advice "take care" is until you realise that you are tired all the time.

I am not regimented about having a morning routine at certain times any more – if I read a bit more or less, that’s okay. If I start breakfast a bit later than normal, that’s okay, too. I am also not sleeping in, either.

It gets easier to wake up on time because I know I have a bit of time to read my book before I have to start the day. Occasionally – like this morning – there are fluctuations where I have something scheduled that means I have to be up earlier, but no routine is the same twice anyway. I have a different routine for weekends. With that said, as long as I am going in the right direction, I am content.

With the desire to have a bit more of a routine, I’m even building a little night time routine too – when it gets to about nine o’clock, I try to read some manga or continue reading whatever fiction book I am reading.

After time with both regimented routines and ones with less structure and schedule, I find the necessity both in having a bit of structure but also not being too rigid. Embracing something in between has made me happier.

This is my submission for this month's IndieWeb Carnival on "Cycles and fluctuations", hosted by Alex.

Why Do You Need Big Tech for Your SSG? - Kev Quirk

2025-11-19T09:57:00.000Z

A look at why small, personal websites don’t need big-tech static hosting, and how a simple local build and rsync workflow gives you faster deploys, more control, and far fewer dependencies.

OK, so Cloudflare shit the bed yesterday and the Internet went into meltdown. A config file grew too big and half the bloody web fell over.

How fragile.

It got me thinking about my fellow small-web compatriots, their SSG workflows, and why on earth so many rely on services like Cloudflare Pages and Netlify. For personal sites it feels incredibly wasteful: you’re spinning up a VM, building your site, pushing the result to their platform, then tearing the VM down again.

Why not just build the site on your local machine? You’re not beholden to anyone, and you can host your site anywhere you like.

✅ No CI/CD pipeline.
✅ No big tech — just you and your server.
✅ No VMs spinning up and down at the speed of a thousand gazelles.

How to build and deploy automatically

All you need is a hosting package that supports SSH (or FTP if you must) and a small script to build your site and rsync any changes. Here’s the core of my deployment script:

#!/bin/bash
set -e

LOCAL_DIR="/path/to/your/site/source"
REMOTE="user@your-server.example.com"
REMOTE_DIR="/path/to/your/website/files/yoursite.com/public_html"

cd "$LOCAL_DIR" || exit 1

# --- Build Jekyll site ---
echo "🏗️  Building Jekyll site..."
bundle exec jekyll build --quiet
echo "✅ Build complete"

# --- Sync _site to remote server ---
echo "🚀 Deploying to server..."
rsync -az --checksum --delete --omit-dir-times --quiet \
  "$LOCAL_DIR/_site/" \
  "$REMOTE:$REMOTE_DIR/"

# --- Fin ---
echo "✅ Deployment complete"

Here’s what it does:

Jumps into the directory where my source website files live.
Builds the Jekyll site locally.
Syncs the built files to my server over SSH, deleting anything I’ve removed locally.

That’s it. And that’s all it needs to do. With these few lines of Bash, I can deploy anywhere, without waiting for someone else’s infrastructure to spin up a build container.

My full script also checks the git status, commits changes, and clears the Bunny CDN cache, but none of that’s required. The snippet above does everything Cloudflare Pages and similar services do — and does it much quicker. My entire deploy, including the extras, takes about eight seconds.

Final thoughts

If you’re hosting with one of the big static hosting platforms, why not consider moving away and actually owning your little corner of the web? They’re great for complex projects, but unnecessary for most personal sites.

Then, the next time big tech has a brain fart, your patch of the web will probably sail right through it.

Thanks for reading this post via RSS. RSS is great, and you're great for using it. ❤️

Reply to this post by email

Snow - James' Coffee Blog

2025-11-19T09:54:55.000Z

The snow looks like drops of moonlight I thought to myself as the cool light from the street lamps illuminated the falling snow. It’s beautiful. I have never seen anything like it.

Earlier this week I saw light rain fall that looked almost like it was snow – the light reflected off the falling rain in a way closer to snow than water. Although I am not sure if what I saw was exactly snow, my hopes were raised that it may snow properly this week. The air has been getting cooler; the outdoors feels evermore like winter. Yesterday evening, at around 9 o’clock, my hope for snow came to reality. I looked out the window after reading a book for an hour and noticed the heavy clouds and the white drops of snow.

The last time I saw snow was more than a year ago. Despite my hope that it would snow – one I shared excitedly with people in conversation this week – it took me a moment to internalise that it was now snowing. Then, my mind turned to the beauty of the snow fall – the way that the light breeze blew the snow over the grasses illuminated only by streetlight.

Time froze. I was eager to take in as much of the snow as possible, knowing that, like all seasons and weathers, snow is fleeting. Would the snow be here in the morning? I wasn’t sure, but I knew the snow was there, in the present moment, right in front of me. All that matters is it is snowing now – drops of moonlight fall from the heavens onto the frosting countryside grass.

My gaze was focused on the areas under the streetlights, which illuminated the snow and, over time, showed how the snow was accumulating. This isn’t the kind of snow that will lay there until morning, I knew from having seen many snows growing up; maybe there would be a dusting on the next day.

This morning, I woke up and saw on the horizon a white skyline, above which was the increasingly light blue that comes at 7am in November here in Scotland. Under the white skyline, there were hills dusted in snow. The coat of snow on the hills – enveloping a few almost like a cold blanket – brought to mind last night at which I stood by the window and, for how long I do not know, gazed out and watched the snow paint the countryside with brushstrokes of white whose full beauty would appear in the morning.

22.00.0169 An invoice disappears - Johnny.Decimal

2025-11-19T00:49:03.000Z

An invoice disappears

Well this is weird. I just lost an invoice, as in one that I was sure I had raised a couple of weeks ago. Here's how I discovered it, and what I'll do to make sure it doesn't happen again.

The invoice

I don't raise many invoices manually. This one was to a friend, whose domain name I manage. It's a fancy expensive domain so, when it renews, my company bills his company for it.

I raised it the other week. I remember doing it. And yet now: no trace. A puzzle.

Discovering its loss

I know I'm not going entirely mad because, in reviewing my Small Business category 13 Money earned, spent, saved, & owed this morning, I saw a task due next week:

▷ Check that [name] has paid his invoice
▷ Due: 25 Nov

– and I thought to have a quick look. So I'd done some things right:

Set a quick reminder to myself, in a trusted place.
Made sure that I actually saw that reminder, by reviewing my system regularly.

I'll show you how I do this in the upcoming series 'Task and Project Management using the Johnny.Decimal system'. Will be released on JDU in the next couple of weeks.

The vanishing act

I went to look for this invoice in the only place that it could possibly exist: my Stripe console. It just isn't there. No trace.

I'm deeply confused by this, but whatever. No point dwelling; let's just make sure it doesn't happen again.

Deliberate record-keeping

Last time, I raised the invoice in Stripe and that was it. Other than leaving myself the follow-up task, I didn't record its existence anywhere else.

If only I had a predefined ID for this sort of thing. Oh wait, is that 13.23 Invoices & sales for your work at the door? Oh, come in old friend.

Update: found it!

Talk about real-time updates. Gripping stuff.

So there isn't only one place that this could possibly exist. There are two: the other being my Xero account.

This makes our solution more interesting. Why did I choose Xero over Stripe in this instance?¹ How would I know which to choose in the future?

Solution: new ops manual

This is a textbook ops manual. Next time I need to raise an invoice, I need to be following a process. Last time, I just made it up on the fly.

So here's what my new 13.23+OPS1 Raise an invoice says:

Raise all invoices directly in Xero, because this integrates with your accounting system.
Raise the invoice, and create a note at 13.23 with its number and a link.
Create a new customer record at 33.11 and from there, link to 13.23.

That's it. Three easy steps; but now they're unambiguous, and I won't make the same silly mistake again.

100% human. 0% AI. Always.

I'll tell you why. Because this invoice has nothing to do with Johnny.Decimal, really. In my mind, that's what the Stripe/Xero split is. Stripe was JD stuff, Xero was more fundamental company stuff. Logically, I now understand, this makes no sense. ↩

The State of the Open Social Web - Werd I/O

2025-11-18T23:50:45.000Z

With today’s news of a new leadership team for Mastodon, I thought it would be a good time to take stock of the state of the open social web.

I’m not new to this space, or an impartial observer: I co-founded Elgg, one of the first open source social networking platforms, over twenty years ago. It was used by governments, Fortune 500 companies, global NGOs, and universities, and embraced early open standards. Known, a social publishing platform I co-founded, was used by media companies to build award-winning communities. And I’m on the board of A New Social, a non-profit dedicated to bridging open social platforms.

When you think of social media, many of the platforms you think of are what we call proprietary: their underlying software is private to the companies that build them, and it’s very difficult to move your data or your connections anywhere else. They are, in a very real way, closed. The indie web movement goes so far as to call them silos.

These proprietary silos include:

X (formerly Twitter): now owned by Elon Musk, who actively promotes far-right voices on the platform and in its algorithms.
Meta’s platforms: chiefly Facebook, Instagram, Threads, and WhatsApp. (A caveat for Threads follows below.) Meta was, of course, credibly accused of substantially contributing to the genocide in Myanmar by Amnesty and others. Owners of pages across Meta properties increasingly find that they need to pay to reach their followers.
TikTok, which is now controlled by the Trump-aligned Ellison family.
LinkedIn, the business network owned by Microsoft, which has placed itself in the middle of many hiring and job-seeking processes, and whose professional subscription costs between $30 and $100 a month.

Why should you care?

Anyone whose brand or livelihood depends on these networks has created risk for themselves: there’s nothing to stop any of them from changing their business policies in a detrimental way, as X did when it labeled NPR as state-affiliated media. Any of these networks could disappear, as TikTok almost did in the US before being strong-armed into selling its US business to a Trump ally. And referrals to websites could dry up, as happened in Canada when Meta stopped linking to news sites.

Proprietary silos each have an owner that can, ultimately, do what it wants with them. At best, that can mean that users receive content through curated feeds that might suppress certain kinds of content (including links to certain publishers) and promote others. At worst, it means that traffic and reach could disappear at any time.

In contrast, open social web platforms are designed not to be silos. While each platform is built by a core vendor or community, they run on open protocols that anyone can build software for.

Remember AOL? That was a closed silo. To publish content, you needed to have a relationship with AOL the company. But you don’t need to have a relationship with anyone in particular to publish a website.

The open social web works the same way as the web itself: it’s permissionless. You don’t need to have a relationship with anyone in particular to have a profile and gain reach. And that means nobody can take it away from you.

Just as AOL became less and less relevant, because maintaining a relationship with AOL the company was more friction than simply publishing a website, silos will become less important and the open social web will become more important over time.

It’s early days in that movement. The user bases are still small in comparison. Today, these networks are still mostly filled with early adopters. In my direct experience working with ProPublica, they’re more likely to engage with journalism and information, more likely to donate to non-profit causes, and more likely to re-share according to their values — perhaps because they’re people who have self-selected to move away from proprietary silos. That means these networks are worth engaging with now — and because they will continue to grow, doing so is a good investment in the future.

So what are those open social web platforms and what is their status today?

✉️

I write about technology that serves journalism and democracy, and work with newsrooms, open source movements, and startups. Sign up for a free newsletter subscription or book a call to see how I can help you.

There are two main open social web networks. This isn’t so much a rivalry as a technical consideration: each is based on a different open protocol.

I’ll describe them both in turn.

The Fediverse

You’ve probably heard of Mastodon. When Musk bought Twitter in late 2022, this was the first network that people flocked to, although it had been running for many years before that.

It can be hard for newcomers to get their head around. Whereas to join a silo network you just go to that network’s website and sign up, Mastodon is best thought of as a co-operative network of smaller communities, each with their own rules and culture. That means that signing up involves choosing a community you trust and signing up to that, which is a big ask. How, after all, do you know? In reality, you can’t go wrong by joining mastodon.social, the flagship community run by the project itself.

Source: Mastodon blog

But you don’t need to use Mastodon’s software to join the network. This brings us back to Meta’s Threads: it has support for the underlying protocol, so you can actually talk to and follow Mastodon users from there (and they can follow you). For publishers, Flipboard has become “a Fediverse browser” (particularly in tandem with its newsreader Surf, which I use every day), while the Newsmast Foundation is working to onboard newsrooms and surface trustworthy journalism on the network. Ghost and WordPress both now have extensive support (Ghost's keeps getting slicker and slicker). And there’s a long tail of other platforms like Bonfire and Friendica that are compatible, too, all powered by the underlying ActivityPub protocol.

Source: Flipboard Surf, via TechCrunch

Regardless, Mastodon is definitely the flagship. It’s also the only European major social network. A longtime German entity, its non-profit status was stripped some years ago (the team says it was never told why), and it’s now in transition to becoming a Belgian AISBL. Backers include Craig Newmark, Twitter co-founder Biz Stone (who once sat on the advisory board for Elgg, the open source social networking platform I co-founded), and Stack Overflow co-founder Jeff Atwood.

Critics say it hasn’t focused enough on user experience, that it feels too different from other networks, and that it can be a bit nerdier. The thing is, there’s still everything to play for here: a solid foundation, millions of dedicated users, and a governance and business model that’s very different to the Silicon Valley norm. And at the time of writing, Mastodon just announced a new executive team that includes a lead dedicated to the communities it runs. That new lead, Hannah Aubry, is incredibly important. Bluesky has made great strides by focusing on the culture of its own flagship site, and there’s much more that Mastodon could do here.

I’m personally more excited about Mastodon than ever. Even if it fails — which I don’t believe it will — it’s forging a brave and different path.

Quick facts about the Fediverse:

Flagship platform: Mastodon
Fastest place to sign up: mastodon.social
Other platforms: Ghost, Flipboard, Pixelfed, Friendica, etc
Funding model: Mastodon is becoming a Belgian non-profit. It also has a US 501(c)3 and an original German entity that it is moving away from. It is funded through donations and its own managed hosting services.
Advocacy groups: Social Web Foundation
Underlying protocol: ActivityPub

The ATmosphere

The network built on the AT Protocol — often playfully called “The ATmosphere” — functions a bit differently. On Mastodon, you join a neighborhood; on Bluesky, you rent a storage unit that any app can access.

Bluesky began as an internal Twitter project championed by then-CEO Jack Dorsey. Concerned about political pressure on Twitter’s content decisions, he imagined moving parts of the platform’s governance onto an open protocol that nobody could fully control. In that vision, Twitter itself might eventually run on the underlying protocol.

In its earliest phase, Bluesky was essentially a working group of open-source developers exploring what a “locked-open” social protocol might look like. Jay Graber quickly emerged as the clearest technical and organizational leader, and she ultimately convinced Dorsey to spin the project out as an independent company.

Because of that lineage, the flagship Bluesky app looks and feels like Twitter in many ways. When the site opened to the public, most of the people who left Elon Musk’s X chose Bluesky because it felt more familiar and easier to understand than Mastodon. Over time, the team found itself building not just a protocol, but a full social platform with moderation, recommendation features, and active community management. It’s now the de facto open social web network for journalists, writers, and other public intellectuals.

Source: Bluesky blog

Dorsey’s involvement has been a point of criticism, but ironically, Bluesky’s emphasis on community health is part of what pushed him away. His original aim was to avoid building trust and safety systems altogether: he sees moderation as a path to censorship rather than a requirement for healthy online spaces. Once Bluesky embraced trust and safety as core ethical work rather than something to outsource to the protocol, he walked away and shifted his support to Nostr, a more libertarian network designed to minimize moderation.

All of this sits on AT Protocol’s underlying model. While Mastodon is a series of federated communities, on Bluesky, every profile is actually a storage unit containing that user’s data. When you follow someone, you’re really subscribing to updates to their data. Other applications beyond the flagship Bluesky app can also write to your data store: Leaflet is a blogging platform, Graze lets you build custom feeds according to your interests, and so on.

Source: Graze blog

By default, your data is stored with Bluesky, but there are other options. The best known and in many ways the most exciting is Blacksky, Rudy Fraser’s Black-owned datastore and social application. Eurosky, meanwhile, is an emerging attempt to build outside of North American jurisdiction.

Quick facts about the ATmosphere:

Flagship platform: Bluesky
Fastest place to sign up: bsky.app
Other platforms: Blacksky, Graze, Leaflet, Flashes, etc
Funding model: Bluesky is a VC-funded startup that has raised at least $36M to date. It hasn’t deployed a business model yet.
Advocacy groups: Free Our Feeds
Underlying protocol: AT Protocol

Protocol TL;DR

If you don’t care about protocols at all, here’s the summary:

The Fediverse = small communities talking to each other
AT Protocol = personal data pods that apps plug into
Both = avoid lock-in, centralized power, and unpredictable corporate incentives

Other alternatives

The Fediverse and the ATmosphere aren’t the only open social web networks, although they are by far the most prominent.

Nostr and Farcaster have both attracted a crowd that’s heavy on crypto and libertarian ideologies. (diVine, funded by Dorsey and run by Twitter OG Rabble, rebuilds Vine on the Nostr network.) Given his relationship with trust and safety, it shouldn’t be a surprise that these networks are very technically pure but low on community safety or culture-building.

Source: Nos Social blog

Meanwhile, Project Liberty is a $500M endeavor funded by Frank McCourt, which has built its own open social layer, Frequency. It’s also funded policy blueprints and real legislation designed to give users more control over their social media.

And the indie web, which builds decentralized social functionality on top of web fundamentals like HTML, should not be discounted. Its focus on a world where everyone’s profile is a website that is completely unique to them but can still communicate and share together has led to an enthusiastic community that’s been growing for over a decade. I think the indie web and the open social web are complimentary: you can build a following on the open social web and build an amazing indie web website that really represents you.

Working across networks

The protocols are not as important as the people and communities who connect across them. Part of the ethos of openness is that it’s not about building a “winner”: nobody should be locked into any platform or technology. These movements are also too young for everyone to have converged on one underlying protocol; we’re still at the early innovation stage.

I’m on the board of A New Social, a non-profit whose mission is to provide bridges between protocols, creating a single, unified open social web. Its product Bridgy Fed has long allowed you to follow Fediverse profiles on the ATmosphere and vice versa. And its new product, Bounce, allows you to easily move your profile from one network to the other, bringing your network with you. The result is even less lock-in: you can decide which network makes the most sense for you.

Earlier in this piece, I also mentioned Surf, which allows you to find news stories and conversations you care about across all the open social web networks. I’ve curated a feed of non-profit US newsrooms and one of investigative tech journalism that are also available as Bluesky feeds.

Buffer is one of many social scheduling tools that support both networks. Fedica allows you to analyze your stats and surfaces characteristics of your community.

These are the kinds of tools that could only exist on the open social web. A network like X would charge these providers a ton of money; others would simply block them as a threat to their business models. But on the open social web, where the open protocols are permissionless and open to all, they can thrive.

It’s not zero sum

There’s no reason you need to pick just one. Like many people, I maintain profiles on Mastodon and Bluesky, as well as through my blog and on Threads, and I’ve found that the conversations across all of them are different. There’s a lot to be gained on each — but, again, Bridgy Fed and Bounce mean you can try one without worrying about missing out.

The most important thing is to take back ownership of your community and your relationships online. The silo networks have done their best to become intermediaries between you and your connections, forcing you to pay to reach people who have already subscribed to you. They’ve partnered with authoritarian governments and caused great harm through their negligence and blinkered self-interest.

Another world is possible, and it’s only just beginning. Go grab your profile and get started.

Home alone gaming - W46 - Joel's Log Files

2025-11-18T23:50:00.000Z

Long weekends while home alone are the best! You are going to find quite a lot of gaming was done this time around, however, I also catched up on quite a bit of manga, and went through some painful stuff at work, but nothing too bad.

🎨 I have completed and published my AdwaitaPod-based theme (with Arcticons) for the Innioasis Y1! Feel free to give it a download if you get the device, and check the original theme as well if you want to try it on an iPod or something.
💻 My coworker got a vacation on Friday and it was pain. Some critical machinery malfunctioned at the worst possible moment. I had to set up a plan B in case the automation/maintenance team couldn’t manage to repair it in time. I was on-call during Saturday too, thankfully things turned out fine.
🏠 I stayed home alone for pretty much the whole week. I survived thanks to the existence of cereal and buying lunch at my workplace, I spent most of my time early in the week working on my theme, then I played a bunch of videogames during the weekend.
🐕 My doggo still doesn’t want to use his front leg, I guess there was some nerve damage after all, he doesn’t seem to mind that much so, I’ll just try to get over it, I guess? I wonder if there’s some other therapy to try.
🛍️ El Buen Fin (The Good Weekend) is the mexican equivalent to Black Friday, and I fell for it. I acquired Crypt Custodian and Dragon Quest I & II HD-2D Remake for Nintendo Switch. I also acquired Streets of Rage 4 Anniversary Edition, which arrived early in the week and I have already completed the campaign so that’s fine.
🍕 Went out for some pizzas on Sunday night with friends, it was pretty great and we got to drink some Horchata which is always a big plus.
🎵 Even if I don’t have a music/listening section, I think I can always say some album or song that is currently on my mind. Right now it would be: Daydream by Tatsuro Yamashita

Reading

When it comes to manga I am actually rather impressed with myself. After finishing Ariadne in the Blue Sky, I got to catch up on a lot of other stuff! Here’s it. When it comes to books, not that bad.

Exit Strategy - Up to chapter 4. There’s some characters that made a comeback and it’s been really interesting to watch it unfold. I hope to finish this book this week!
Blue Lock - Up to chapter 325. The match against Nigeria resulted in an absolute victory for the Japanese team. It was an absolutely bloodbath, but the next two matches looks like they’ll be a real challenge, France and England are next.
Chainsaw Man - Up to chapter 220. Crazy stuff is happening as always, for example, a whole city was turned into a weapon.
Frieren: Beyond Journey’s End - Up to chapter 142. Finally returned to Frieren, and I love these characters so much. The current arc is super stressful though, and the action is about to begin.
Sakamoto Days - Up to chapter 227. With Sakamoto out of commission, everyone tries to escape, and new enemies have showed up, crazy action sequences upcoming.

Gaming

This was definitely a week filled with gaming to the brim! I will even make the format a little different because I got a lot to say about a few of the titles here.

Completed

Streets of Rage 4

I didn’t expect this at all, but in a moment of weakness, I bought the physical Anniversary Edition of this game, and as soon as I put the cartridge on, we just couldn’t put it down.

An incredible soundtrack took over my speakers, and we just had to start it immmediately. I played it with my friends and completed the campaign in one sitting.

The simple combat, the animation, the artstyle, the excellent dynamic musical score. This game is probably the best the franchise has to offer, a glorious return to form for anyone who missed the franchise on the Sega Genesis.

Solo, I did a single run of the roguelike mode, and died on the first boss fight, and I decided to focus on other games for now. I can see myself returning to this plenty of times with friends.

Ongoing

The Hundred Line: Last Defense Academy

This game’s the reason my weeknotes are a day late, and the main thing that occupied my time. I started it and “finished” its story months ago. If you are curious, this is officially my most played game on my Nintendo Switch, and it has managed to hook me quite a bit. After beating the game once, the game allows you to play it a second time. However, this playthrough lets you make decisions throughout the story, creating deviations that amount to a total of one hundred endings. This mix between tactics RPG and visual novel is really cool.

This has been an extremely interesting choice from the developers, and it has allowed me to see how every character in the game reacts to the outcomes at hand. It’s fun, stressful, terrifying and exciting. So far, I have gone through 11 endings. Multiple writers were involved, some routes are shorter than others, some moments are samey, and others are absolutely insane. There’s a lot to like, and I absolutely love (most of) these characters. The game lets you skip battles you already played and return to previous branches at any point, it’s unbelievable.

Streets of Rage 2

After a 10 hour-long session of The Hundred Line, I felt like trying out something quick before going to sleep. Alas, Streets of Rage 2 seemed worth trying since I had recently fiddled with the first one and this one was considered the best of the franchise.

And well, yes, that music told me everything I needed to know. It was cleaner and more polished than the first one. I got to the 3rd stage in a few minutes and things were pretty cool, I must say that the second boss flying on a jetpack was very annoying though.

Others

CrossCode: I should have focused more on this one, if I’m honest, all I did this time was focus on getting leveled up equipment and progressing through the story. For now, I joined a guild, I unlocked my way to the dungeon, and now I just want to get a bit more XP before venturing inside!
Astro Boy: Omega Factor: I returned to this game after a break and it’s honestly just awesome plain fun. A beat’em up platformer that goes through lots of iconic moments of the franchise, fun stuff!
Monster Hunter Rise: To break things up I also progressed a bit on the high rank quests of this game, I went for a Rathian, defeated her, and called it a day.
Spelunky: After me and my friends beat Streets of Rage 4, we felt like trying something a little more chaotic for a bit, so we tried a couple runs of this game, and of course, failed miserably.
Slice & Dice: I hadn’t played this much but during a meet-up with other S&D friends we decided to do a race to see who could win a run first. I didn’t win, but trying was fun!

Around the Web

I read most of these earlier in the week and you can tell, lol.

Blogposts

A Morning of Physical Media - There’s just something about the physical interaction with stuff that is unmatched.
Learning Spanish Update - It’s weird to see La Rosa de Guadalupe mentioned in a blog I follow.
Input diet - yet another good post about media intake and managing that stuff.
Offline first? - Just being a little more offline, and interacting with less short/quick/easy stuff and replace it with meaningful things.
Why I Don’t Need a Steam Machine - Wouter has a big backlog, and so do I.
Self-Hosting for Everyone - Laura is a new discovery, and she is a self-hosting sicko, I have enjoyed her blogposts so far!
My Relationship with Stuff - Curating is better than hoarding, don’t just collect for the sake of it. Figure out what you actually want! I gotta remember this.

Videos

Mind if I complaing for 15 minutes? - I love JadenAnimations and this video is one that I’m sure many will find relatable (not me, I am glad I’ve avoided all that stuff).
Daft Punk Alive 2007 full concert - I had no idea this was a thing that existed, but I am extremely, extremely happy that it does. Just take a break from everything and experience this album as if it’s 2007.
Why I uninstalled ublock origin, this is WAY better! - This is an interesting plugin, although I don’t know if I’ll actually use it.

Reply to this post via email | Reply on Fediverse

2025 Stickers Redux - Robb Knight • Posts • Atom Feed

2025-11-18T12:25:06.000Z

Now the dust has settled on the piracy stickers, I checked how many I had left and it was a few more than I thought so I'm putting them back up for sale until they run out. Here's what I have available:

Four pack of the Don't Know Don't Care Don't @ Me stickers. There's only two of these available. Buy
Training Data double pack. 2 × Pirate Bay, 2 × Piracy Ad. I have 20 or so packs of these. Buy
Pirate Bay four pack. There's 10 or so of these available. Buy

I will do another run of the Sparkly Websites stickers very soon — I don't have any of those left right now. As always, the shop page has all the links as well, at least until I decide on a better system for selling stickers.

We found cryptography bugs in the elliptic library using Wycheproof - Trail of Bits Blog

2025-11-18T12:00:00.000Z

Trail of Bits is publicly disclosing two vulnerabilities in elliptic, a widely used JavaScript library for elliptic curve cryptography that is downloaded over 10 million times weekly and is used by close to 3,000 projects. These vulnerabilities, caused by missing modular reductions and a missing length check, could allow attackers to forge signatures or prevent valid signatures from being verified, respectively.

One vulnerability is still not fixed after a 90-day disclosure window that ended in October 2024. It remains unaddressed as of this publication.

I discovered these vulnerabilities using Wycheproof, a collection of test vectors designed to test various cryptographic algorithms against known vulnerabilities. If you’d like to learn more about how to use Wycheproof, check out this guide I published.

In this blog post, I’ll describe how I used Wycheproof to test the elliptic library, how the vulnerabilities I discovered work, and how they can enable signature forgery or prevent signature verification.

Methodology

During my internship at Trail of Bits, I wrote a detailed guide on using Wycheproof for the new cryptographic testing chapter of the Testing Handbook. I decided to use the elliptic library as a real-world case study for this guide, which allowed me to discover the vulnerabilities in question.

I wrote a Wycheproof testing harness for the elliptic package, as described in the guide. I then analyzed the source code covered by the various failing test cases provided by Wycheproof to classify them as false positives or real findings. With an understanding of why these test cases were failing, I then wrote proof-of-concept code for each bug. After confirming they were real findings, I began the coordinated disclosure process.

Findings

In total, I identified five vulnerabilities, resulting in five CVEs. Three of the vulnerabilities were minor parsing issues. I disclosed those issues in a public pull request against the repository and subsequently requested CVE IDs to keep track of them.

Two of the issues were more severe. I disclosed them privately using the GitHub advisory feature. Here are some details on these vulnerabilities.

CVE-2024-48949: EdDSA signature malleability

This issue stems from a missing out-of-bounds check, which is specified in the NIST FIPS 186-5 in section 7.8.2, “HashEdDSA Signature Verification”:

Decode the first half of the signature as a point R and the second half of the signature as an integer s. Verify that the integer s is in the range of 0 ≤ s < n.

In the elliptic library, the check that s is in the range of 0 ≤ s < n, to verify that it is not outside the order n of the generator point, is never performed. This vulnerability allows attackers to forge new valid signatures, sig', though only for a known signature and message pair, (msg, sig).

$$ \begin{aligned} \text{Signature} &= (msg, sig) \\ sig &= (R||s) \\ s' \bmod n &== s \end{aligned} $$

The following check needs to be implemented to prevent this forgery attack.

if (sig.S().gte(sig.eddsa.curve.n)) {
 return false;
}

Forged signatures could break the consensus of protocols. Some protocols would correctly reject forged signature message pairs as invalid, while users of the elliptic library would accept them.

CVE-2024-48948: ECDSA signature verification error on hashes with leading zeros

The second issue involves the ECDSA implementation: valid signatures can fail the validation check.

These are the Wycheproof test cases that failed:

[testvectors_v1/ecdsa_secp192r1_sha256_test.json][tc296] special case hash
[testvectors_v1/ecdsa_secp224r1_sha256_test.json][tc296] special case hash

Both test cases failed due to a specifically crafted hash containing four leading zero bytes, resulting from hashing the hex string 343236343739373234 using SHA-256:

00000000690ed426ccf17803ebe2bd0884bcd58a1bb5e7477ead3645f356e7a9

We’ll use the secp192r1 curve test case to illustrate why the signature verification fails. The function responsible for verifying signatures for elliptic curves is located in lib/elliptic/ec/index.js:

EC.prototype.verify = function verify(msg, signature, key, enc) {
 msg = this._truncateToN(new BN(msg, 16));
 ...
}

The message must be hashed before it is parsed to the verify function call, which occurs outside the elliptic library. According to FIPS 186-5, section 6.4.2, “ECDSA Signature Verification Algorithm,” the hash of the message must be adjusted based on the order n of the base point of the elliptic curve:

If log2(n) ≥ hashlen, set E = H. Otherwise, set E equal to the leftmost log2(n) bits of H.

To achieve this, the _truncateToN function is called, which performs the necessary adjustment. Before this function is called, the hashed message, msg, is converted from a hex string or array into a number object using new BN(msg, 16).

EC.prototype._truncateToN = function _truncateToN(msg, truncOnly) {
 var delta = msg.byteLength() * 8 - this.n.bitLength();
 if (delta > 0)
 msg = msg.ushrn(delta);
 ...
};

The delta variable calculates the difference between the size of the hash and the order n of the current generator for the curve. If msg occupies more bits than n, it is shifted by the difference. For this specific test case, we use secp192r1, which uses 192 bits, and SHA-256, which uses 256 bits. The hash should be shifted by 64 bits to the right to retain the leftmost 192 bits.

The issue in the elliptic library arises because the new BN(msg, 16) conversion removes leading zeros, resulting in a smaller hash that takes up fewer bytes.

690ed426ccf17803ebe2bd0884bcd58a1bb5e7477ead3645f356e7a9

During the delta calculation, msg.byteLength() then returns 28 bytes instead of 32.

EC.prototype._truncateToN = function _truncateToN(msg, truncOnly) {
 var delta = msg.byteLength() * 8 - this.n.bitLength();
 ...
};

This miscalculation results in an incorrect delta of 32 = (288 - 192) instead of 64 = (328 - 192). Consequently, the hashed message is not shifted correctly, causing verification to fail. This issue causes valid signatures to be rejected if the message hash contains enough leading zeros, with a probability of 2^-32.

To fix this issue, an additional argument should be added to the verification function to allow the hash size to be parsed:

EC.prototype.verify = function verify(msg, signature, key, enc, msgSize) {
 msg = this._truncateToN(new BN(msg, 16), undefined, msgSize);
 ...
}

EC.prototype._truncateToN = function _truncateToN(msg, truncOnly, msgSize) {
 var size = (typeof msgSize === 'undefined') ? (msg.byteLength() * 8) : msgSize;
 var delta = size - this.n.bitLength();
 ...
};

On the importance of continuous testing

These vulnerabilities serve as an example of why continuous testing is crucial for ensuring the security and correctness of widely used cryptographic tools. In particular, Wycheproof and other actively maintained sets of cryptographic test vectors are excellent tools for ensuring high-quality cryptography libraries. We recommend including these test vectors (and any other relevant ones) in your CI/CD pipeline so that they are rerun whenever a code change is made. This will ensure that your library is resilient against these specific cryptographic issues both now and in the future.

Coordinated disclosure timeline

For the disclosure process, we used GitHub’s integrated security advisory feature to privately disclose the vulnerabilities and used the report template as a template for the report structure.

July 9, 2024: We discovered failed test vectors during our run of Wycheproof against the elliptic library.

July 10, 2024: We confirmed that both the ECDSA and EdDSA module had issues and wrote proof-of-concept scripts and fixes to remedy them.

For CVE-2024-48949

July 16, 2024: We disclosed the EdDSA signature malleability issue using the GitHub security advisory feature to the elliptic library maintainers and created a private pull request containing our proposed fix.

July 16, 2024: The elliptic library maintainers confirmed the existence of the EdDSA issue, merged our proposed fix, and created a new version without disclosing the issue publicly.

Oct 10, 2024: We requested a CVE ID from MITRE.

Oct 15, 2024: As 90 days had elapsed since our private disclosure, this vulnerability became public.

For CVE-2024-48948

July 17, 2024: We disclosed the ECDSA signature verification issue using the GitHub security advisory feature to the elliptic library maintainers and created a private pull request containing our proposed fix.

July 23, 2024: We reached out to add an additional collaborator to the ECDSA GitHub advisory, but we received no response.

Aug 5, 2024: We reached out asking for confirmation of the ECDSA issue and again requested to add an additional collaborator to the GitHub advisory. We received no response.

Aug 14, 2024: We again reached out asking for confirmation of the ECDSA issue and again requested to add an additional collaborator to the GitHub advisory. We received no response.

Oct 10, 2024: We requested a CVE ID from MITRE.

Oct 13, 2024: Wycheproof test developer Daniel Bleichenbacher independently discovered and disclosed issue #321, which is related to this discovery.

Oct 15, 2024: As 90 days had elapsed since our private disclosure, this vulnerability became public.

Open Source Power - Werd I/O

2025-11-17T18:38:10.000Z

[Erlend Sogge Heggen]

I’m extremely on board with this whole essay.

“Since its inception the free and open source software movement has lacked a theory of change beyond the liberation of computer code. Liberation of human beings by way of a liberatory technology was always a secondary and oftentimes incompatible concern for Open Source, since laborers having agency of their work (and how it may be exploited) is in conflict with the inviolable liberties of an Open Source computer program.”

As the author points out, open source has facilitated an upwards transfer of wealth and power from contributors and project communities themselves to the larger companies that can make use of this free labor to enrich their own endeavors. In a world where tech has been enabling fascist autocrats in the building of anti-democratic movements and governments, that’s particularly troubling. And it’s dressed up as some kind of altruistic public good, even when the end user is causing great harm.

The traditional open source / free software demand that software be made available freely for any use feels outdated in the current context. It’s a very libertarian rather than pro-social view of the world. In our current world, it’s particularly worth re-examining permissive licenses and considering what they are actually permissive of.

The suggestion here is that commercial use by large corporations is charged for. I think that makes sense: it’s a way of funding development that also preserves the underlying availability of open software and the sustainability of building it. But I’d honestly go further.

Do open source maintainers want their software to be used by ICE, for example? You don’t have to allow it to be. There’s no magical law of the universe that means you lose part of your soul if you say “no”. Software is a creative work, and the software you build is your creative work. You get to decide who uses it and under what terms. It’s completely reasonable to apply your values in making those decisions.

[Link]

Weeknote #1975 - Robb Knight • Posts • Atom Feed

2025-11-17T12:35:04.000Z

I've narrowed down the inks I'm going to try for finding my perfect pink ink to a handful. I'm planing on ordered Taccia Momo first because this is the one that's been recommended to me the most. I also updated my ink list on FPC.

I've added some more pens to my wanted list including the Diplomat Viper, the Monteverde MP1, and the new TWSBI Eco Cosmos Blue with Onyx. I also found somewhere selling the discontinued Pink Eco at retail price so I might need to buy that first.

I've backed Bonfire on IndieGoGo because I'm fascinated by what they're trying to do.

Despite not being an iOS developer (nor do I have any intention of becoming one), Everything but the Code is 50% off for Black Friday and aside from some app-specific things, seems like it'll have a lot of useful stuff in it.

Links

Flare is a new unified app for connecting to multiple social networks like Mastodon and Bluesky. I don't I need this but it's interesting nonetheless.

Grila is a keyboard-driven calendar app for MacOS which reminds me a lot of Godspeed.

Taking stock of my tools by Britney Winthrope is a great post with an new (to me) way of categorising tools you use (the CODE framework - Capture, Organize, Distill, Express).

The Ollee watch is back in stock but I resisted for the time being.

These Japanese firework illustrations are gorgeous. This also led to me to find Affinities which is a book by The Public Domain Review. Right onto my wishlist that goes.

Mutant Standard emoji is a fun new emoji set.

OpenBenches 💖 OpenStreetMap - Terence Eden’s Blog

2025-11-17T12:34:41.000Z

When Liz and I created the OpenBenches website, it was just designed to be a fun way for people to record memorial benches. Since then things have got out of hand and we now have over thirty-nine thousand benches recorded!

Our plan was never to compete with something like OpenStreetMap. The OSM project is vast, complex, and brilliant - we are small, simple, and differently brilliant. But, over the years, people have repeatedly asked if there's any way to combine the two data sets.

This has proved logistically complex for several reasons.

Our users aren't experienced mappers.
- Most of our entries are uploaded with fairly fuzzy GPS co-ordinates. Mobile phones aren't always the best at accurate locations and, besides, people tend to stand away from the bench when taking its photo. So our data isn't quite at the level of quality rightly demanded by OSM.
OSM didn't have a tag specifically for memorial benches.
- We started out site in 2017. OSM added the Tag:memorial=bench in 2021. Up until then, there wasn't a great way to record that a bench was a memorial.
Data licencing is complicated.
- We chose the Creative Commons Attribution ShareAlike licence - it seemed like a good idea at the time! OSM use ODbL which is subtly incompatible. As such, OSM volunteers asked us to sign a waiver so they could use the data - which we happily did.
Adding or editing data on OSM can be complicated.
- OpenBenches is designed to be an upload-and-forget process. It doesn't matter much to us if a bench is recorded a dozen metres away from its true location. But that isn't the way OSM works. We didn't want to bulk upload data which was inaccurate, incomplete, or inappropriate. Luckily, there are now tools to help with that!

Things have been working away in the background. Some people have manually added Key:openbenches:id to appropriate benches, and others have edited our database to make the locations closer to reality.

And now, thanks to the sterling work of the brilliant Pieter Vander Vennet we're moving to our next phase of increased collaboration!

Firstly, there are about 1,060 benches on OpenStreetMap which have an OpenBenches ID. I've taken all those OSM IDs and put them into our database. Which means that the OpenBenches website can display a button like this:

One click and you're looking at OSM - ready to investigate, edit, or admire.

But what about the other 38,000 benches? Well, that's where MapComplete comes in. MapComplete is sort of like Pokémon Go for maps. As you wander this Earth, you can complete little quests to help improve OpenStreetMap. For example, on the "Pubs" quest, you can add details of all the pubs you visit.

With the "Bench" quest, it is a little different. If an OpenBench is sufficiently nearby an OSM bench, you'll get the option to link the two with a couple of clicks.

But there are loads of benches we have discovered which aren't in the OSM database. In which case, you can add a new bench to OSM using the data from OpenBenches!

This has been a couple of years in the making - but it looks like most of the kinks are now sorted out. I'm sure there will be a few early problems, and no doubt a bit of late-night bug fixing, but I hope that this is the start of something long-lasting. The joy of decentralised sites using open data is that we can all build on each others' work in a spirit of fun and exploration.

Automating my reading progress updates - Posts feed

2025-11-16T18:13:00.000Z

I've tracked my reading progress on my site for a bit now. I'd originally done this by fetching my progress from external APIs and sources on platforms like Oku, fetching and parsing the DOM on the StoryGraph and eventually importing and managing my own data. For years I've been reading and listening to audiobooks in Apple's Books app. Much like Apple's other media apps (music and TV, namely), Books has slowly moved in a direction that makes importing your own content increasingly difficult, while slowly pushing storefront elements into the home section of the app until they effectively took over.

What tethered me to Apple Books for so long was my investment in the reading streak I'd maintained. But that streak is simply a number, a number that I can and have replicated here. That streak, as of writing, stands at 2,095 days. I've finally uninstalled Books, let the streak lapse there and moved my reading activity to Audiobookshelf.

Audiobookshelf is heavily focused on audiobooks, but also supports reading ebooks in myriad formats. It also does a wonderful job of tying different formats together for the same book should you have it as, say, an audiobook, an epub, a mobi file — you name it. I have my audiobooks there and I've added my ebooks. There are quite a few audiobook clients for Audiobookshelf, which makes sense given the app's focus. I haven't found an app that supports its ebook functionality.¹ For a consistent experience, I've added my instance of the app to my iOS device homescreens via Safari.

I track my reading progress as a percentage of completion and increment my reading streak whenever progress is updated. My reading streak table consists of a days_read integer and a last_read_date datetime. This is handled by a trigger:

And the function it runs:

Up until now, I've manually updated reading progress via a widget on my Filament dashboard. This was effective, but a bit tedious. However, since Audiobookshelf has a rich API, I dove in to see what data I could retrieve programmatically. I arrived at a Laravel command that runs every 15 minutes. This command fetches items in progress, then fetches details for each item (with expanded set to 1 and progress included). The response will then include userMediaProgress which, in turn, contains ebookProgress and progress. Audiobookshelf tracks distinct progress states for ebooks and audiobooks that are bundled together. The full command looks like this:

Once the progress is retrieved, it updates the progress for the book in my site's database via PostgREST by looking it up via the ISBN and, failing that, the title. As I read, Audiobookshelf records my progress, my site polls my instance of the app and updates each book's progress and my ongoing reading streak.

In addition to automating my progress tracking, I've updated my book data importer to fetch data from Audiobookshelf. It is also able to fetch data from Google Books and Open Library but, since I've consolidated my reading to Audiobookshelf, it made sense to import data from it directly to better align the record in my database with the source record. This import is second hand, in a sense as Audiobookshelf imports from other sources (Apple Books, funnily enough, is my default), but provides the best results:

This process is kicked off by clicking an Import Book command on my dashboard, which opens a modal with a dropdown to select the API source and an import for the required ID for that source.

With all that configured, I can quickly import data on the book I'm reading and progress will be automatically recorded as I read (or listen) to it.

If there is one, let me know. ↩

Updating forgejo's robots.txt - Posts feed

2025-11-15T22:10:00.000Z

I've moved all of my personal, private projects over to my own forgejo instance. It's been reliable and an altogether simple transition — I even have it mirroring the ai.robots.txt repo.

While most of my projects on the instance are private (like the source for this site and for Cadence), I wanted the robots.txt file for forgejo to align with this site's. Thankfully, updating the forgejo robots.txt is straightforward. I'm deploying my instance in a Docker container using Coolify and update the file as follows:

ssh into the server where the container is running.
Run docker ps -a | grep forgejo to get the forgejo container name.
Log into the container using docker exec -it <NAME> sh.
Navigate to forgejo's public directory: cd data/gitea/public.
Open robots.txt: vi robots.txt.
Add entries as you see fit.

I've mirrored my site's robots.txt to my forgejo instance and I've also included the rules from Codeberg's (up until the # Codeberg-specific changes to the end of the file). You can view the full file here.

robots.txt is, of course, a voluntary mechanism, but including these directives is still prudent.

Small Web, Big Voice - Kev Quirk

2025-11-15T16:22:00.000Z

Small Web, Big Voice

by Andre Franca

Andre argues that independent blogging isn’t about scale at all, but about integrity — choosing a place you control, writing in your own voice, and keeping the web human.

Read Post →

I read this post this morning while I was perusing my RSS feeds with a coffee. Firstly, I’m not sharing this because Andre called out my blog (although being bundled with people like Rach and Manu is extremely flattering). I’m sharing it because I agree with everything he says in the post.

Having a place on the web that I’m 100% in control of, where I can share my own thoughts, feelings, and opinions is very powerful for me. Over time this blog has evolved from me sharing technical posts most of the time, to a legit personal blog with a technical twist.

Despite what sites like ProBlogger say, I don’t have a niche, and I don’t try to grow my audience (I don’t even know how big my audience is). I just write whatever is on my mind at any given time, and people usually get in touch with me to discuss the topic. It’s fantastic.

If you’re on the fence about starting a blog, I implore you to do so. It’s probably the best thing I’ve ever done with a computer. If you, please drop me an email with the link - I love discovering new blogs!

Thanks for reading this post via RSS. RSS is great, and you're great for using it. ❤️

Reply to this post by email

Gadget Review: Benfei USB-C Video Capture ★★★★★ - Terence Eden’s Blog

2025-11-15T12:34:43.000Z

Want to capture video from your phone or console? You could just point a camera at the screen, but a more sensible way to do it is to capture the video directly via USB-C.

The good folks at Benfei have sent me another gadget to review! This is a USB-C Video/Audio capture dongle. Plug one end into a device and the other into your computer - it will show up as a USB video capture device.

Notice the extra USB socket there?

USB Power

One great thing about this device is that it has USB Power Delivery pass through. This means you can charge your device while grabbing video from it. That's more than a "nice to have" - the Nintendo Switch will refuse to output video over USB-C unless it is connected to a power supply.

The capture device claims to be able to pass through 100W - I don't have any devices which need that much power, but my USB-C Power Meter showed devices happily slurping down between 5W and 20W depending on the device I was using.

So how does it do?

Video and Audio

It is limited to 1080p @ 60Hz, which is good enough for most things.

Here's a short clip from the Nintendo Switch:

https://shkspr.mobi/blog/wp-content/uploads/2025/11/Benfei-Switch.mp4

And here's a capture from my Android phone:

https://shkspr.mobi/blog/wp-content/uploads/2025/11/Benfei-Android-Video.mp4

Linux

For the nerds amongst us, this shows up in lsusb as 345f:2130 MACROSILICON USB3 Video which should be well supported.

OBS Studio was able to capture the video and audio input perfectly:

It is the epitome of Plug & Play. Shove one end into your device and plug the other end into your computer's USB-C port. That's it. Done. No software to install, no drivers to download, no switches to flip. There's also a handy adapter if you want to use a USB-A socket - although it will need to support USB 3 speeds.

Limitations

As with most HDMI devices, it will refuse to stream video protected by HDCP DRM. That means you probably can't stream your Netflix / Disney / Whatever subscription to your laptop.

It is limited to stereo sound. I couldn't convince the Nintendo Switch to output surround sound.

Obviously, it only works with devices which have USB-C video output. Modern Android and most hand-held consoles will work. Your PS5 won't.

So what about those devices without USB-C?

Bonus HDMI Dongle!

So you're a wannabe Twitch streamer, or you just want to capture something from your HDMI output? The good folks at Benfei also sent me their HDMI Capture Dongle to review.

There's absolutely nothing else to say about this one. It has the same internals - 345f:2130 MACROSILICON USB3 Video - and works exactly the same.

Shove an HDMI cable in there and you're good to go,

Price

The USB-C to USB-C cable a surprisingly reasonable £15. If you need to capture video for presentations or streaming, it will do the job splendidly. The cable is long enough to drape from a machine to a source - and the Power Delivery is useful.

The HDMI capture is only £12. They both work identically well and are supported on Linux.

Highly recommended!

Shellsharks Blogroll - BlogFlock

RE: Why Do You Need Big Tech for Your SSG? - Kev Quirk

RE: Why Do You Need Big Tech for Your SSG?

Read "The Charlie Kirk purge: How 600 Americans were punished in a pro-Trump crackdown" - Molly White's activity feed

Published on Citation Needed: "Issue 97 – This is hardship" - Molly White's activity feed

The Peaceful Transfer of Power in Open Source Projects - Terence Eden’s Blog

Resonance - James' Coffee Blog

Routines - James' Coffee Blog

Why Do You Need Big Tech for Your SSG? - Kev Quirk

How to build and deploy automatically

Final thoughts

Snow - James' Coffee Blog

22.00.0169 An invoice disappears - Johnny.Decimal

An invoice disappears

The invoice

Discovering its loss

The vanishing act

Deliberate record-keeping

Update: found it!

Solution: new ops manual

Footnotes

The State of the Open Social Web - Werd I/O

What is the open social web?

Why should you care?

Prevailing open social web networks

The Fediverse

The ATmosphere

Protocol TL;DR

Other alternatives

Working across networks

It’s not zero sum

Home alone gaming - W46 - Joel's Log Files

Reading

Gaming

Completed

Streets of Rage 4

Ongoing

The Hundred Line: Last Defense Academy

Streets of Rage 2

Others

Around the Web

Blogposts

Videos

2025 Stickers Redux - Robb Knight • Posts • Atom Feed

We found cryptography bugs in the elliptic library using Wycheproof - Trail of Bits Blog

Methodology

Findings

CVE-2024-48949: EdDSA signature malleability

CVE-2024-48948: ECDSA signature verification error on hashes with leading zeros

On the importance of continuous testing

Coordinated disclosure timeline

For CVE-2024-48949

For CVE-2024-48948

Open Source Power - Werd I/O

Weeknote #1975 - Robb Knight • Posts • Atom Feed

Links

OpenBenches 💖 OpenStreetMap - Terence Eden’s Blog

Automating my reading progress updates - Posts feed

Updating forgejo's robots.txt - Posts feed

Small Web, Big Voice - Kev Quirk

Small Web, Big Voice

Gadget Review: Benfei USB-C Video Capture ★★★★★ - Terence Eden’s Blog

USB Power

Video and Audio

Linux

Limitations

Bonus HDMI Dongle!

Price