Shellsharks Blogroll - BlogFlock

Affordances for me, but not for thee - Werd I/O

2026-05-22T14:00:39.000Z

Link: The Web Is Being Made Accessible for AI, Not People, by Jonathan Zong and Frank Elavsky in Tech Policy Press

This is worth sitting with:

“The modern web, originally built for sighted humans using browsers, is now being redesigned for a new kind of user.

What these developers are offering their AI visitors is essentially an accessibility accommodation. […] But when the audience is a disabled person, it has historically been treated as an afterthought. Structured, concise text-based representations of complex content are almost exactly the kind of accommodation that blind and low-vision screen reader users have spent decades requesting from web developers, largely in vain.”

One of the oddest parts of the AI shift is that people are much more willing to do things for LLMs that they should have been doing for human beings all along. Accessibility is clearly an important one: 95% of websites have accessibility flaws, and convincing teams to allocate time for accessibility concerns can be like pulling teeth. But now that similar affordances are required for LLM use, people are leaping over themselves to implement them.

The same goes for specifications and documentation. Often, these have been afterthoughts; policies have been hand-waved rather than concretely written down in ways that people can point to. Sometimes it’s even made explicit that this is to preserve manager optionality. But now that LLMs need more concrete instructions in order to behave well, specifications, documents, plans, and policies have rocketed up the priority list.

It would be beautiful if these needs converged, but as the article notes, the affordances needed by screen readers and LLMs are different. Similarly, documentation and planning documents aimed at an LLM are coercive in nature: they’re designed to force the software to do the right thing, rather than to provide background as to why something is the case.

The simple truth is that there is clearly a perception, in some quarters, that there is a stronger productivity gain from doing this work to serve AI than doing it to serve real human people. That’s quite a dystopian idea, particularly as, even if you don’t care about people with disabilities or your own colleagues, doing those things for humans clearly actually has a real benefit. Making your site more usable allows more people to interact with your work and improves your search engine performance. Writing clear documentation and policies allows your colleagues to spend less time figuring out what to do.

But you can’t measure those things neatly. The cause and effect aren’t immediately tethered; managers don’t see a boost they can cleanly ascribe to this work. In contrast, you know pretty instantly whether the AI you’ve trained on your documentation is doing the right thing.

More importantly, whereas accessibility affordances provide new abilities for vulnerable people, an AI affordance provides new abilities for people with power. And that’s probably the heart of it.

We hardened zizmor's GitHub Actions static analyzer - Trail of Bits Blog

2026-05-22T11:00:00.000Z

In March 2026, attackers exploited a <code>pull_request_target</code> misconfiguration in the <a href="https://github.com/aquasecurity/trivy-action"><code>aquasecurity/trivy-action</code></a> GitHub Action to exfiltrate organization and repository secrets, then used those credentials to backdoor <a href="https://github.com/BerriAI/litellm">LiteLLM</a> on PyPI (see <a href="https://github.com/aquasecurity/trivy/discussions/10462">Trivy’s post-mortem</a> for the full timeline). <a href="https://github.com/zizmorcore/zizmor"><code>zizmor</code></a> is a static analyzer that GitHub Actions users run to catch exactly these misconfigurations before they ship. When GitHub Actions <a href="https://github.blog/changelog/2025-09-18-actions-yaml-anchors-and-non-public-workflow-templates/">added support for YAML anchors</a> in September 2025, a small but high-value slice of the ecosystem started writing workflows that <code>zizmor</code> could only analyze on a best-effort basis. Over the past three months, Trail of Bits collaborated with the <code>zizmor</code> maintainers to bring <code>zizmor</code>’s anchor support up to full coverage. First, we fixed parsing bugs that caused crashes, produced wrong-location findings, and silently mishandled aliased values. Second, we surfaced deserialization edge cases that broke zizmor on otherwise valid workflows. Finally, we helped align <code>zizmor</code>’s expression evaluator with GitHub’s own <a href="https://github.com/actions/languageservices">Known Answer Tests</a>. We validated all of this against a new corpus of 41,253 workflows from 6,612 high-value open-source repositories. The result: 20 filed issues, 15 merged pull requests. <h2 id="building-the-test-corpus">Building the test corpus</h2> To understand how anchors are used in CI today and to stress-test <code>zizmor</code> against the full variety of YAML it encounters in the wild, we built a corpus of real workflows. We used <a href="https://cloud.google.com/blog/topics/public-datasets/github-on-bigquery-analyze-all-the-open-source-code">BigQuery’s GitHub dataset</a> to identify the 10,000 most-starred repositories created between 2022 and 2025, filtered to the 6,612 that use GitHub Actions, and downloaded every workflow file. That gave us 41,253 YAML files. <figure> <img src="https://blog.trailofbits.com/2026/05/22/we-hardened-zizmors-github-actions-static-analyzer/pipeline_hu_50937b9976f313d5.webp" alt="Pipeline diagram showing repository selection from BigQuery, filtering for GitHub Actions usage, and workflow download feeding into the zizmor scan stage" width="680" height="390" loading="lazy" decoding="async" /> <figcaption>Figure 1: Building a testing corpus</figcaption> </figure> When we ran <code>zizmor</code> against the corpus, it crashed on 45 of the 41,253 workflows. That’s a low rate, but each crash means a bug in <code>zizmor</code>. <h2 id="how-anchors-are-used-in-the-wild">How anchors are used in the wild</h2> <code>zizmor</code>’s anchor support was deliberately limited, and for good reason. YAML anchors make workflows non-local: an alias defined in one place changes behavior elsewhere in the file. This complicated <code>zizmor</code>’s parsing model, and adoption was rare enough that the <code>zizmor</code> maintainers reasonably <a href="https://blog.yossarian.net/2025/09/22/dear-github-no-yaml-anchors">discouraged</a> anchor use. In our corpus, only 43 of the 41,253 workflows use YAML anchors (roughly 0.1%), but those 43 include some of the most foundational projects in open source: <ul> <li><a href="https://github.com/bitcoin/bitcoin">Bitcoin Core</a></li> <li><a href="https://github.com/php/php-src">PHP</a></li> <li><a href="https://github.com/openssl/openssl">OpenSSL</a></li> </ul> However, anchors are a supported feature, and their use will likely grow over time. We found two common patterns. The first is reusing steps across jobs, as Bitcoin Core’s CI does: <figure class="highlight"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">jobs: runners: steps: - &ANNOTATION_PR_NUMBER name: Annotate with pull request number run: | if [ "${{ github.event_name }}" = "pull_request" ]; then echo "::notice ..." fi test-each-commit: steps: - *ANNOTATION_PR_NUMBER - uses: actions/checkout@v6</code></pre> <figcaption>Figure 2: Reuse step definition</figcaption> </figure> The second pattern is pinning action versions once. For instance, <a href="https://github.com/home-assistant/core">Home Assistant’s CI</a> defines the action reference (with its SHA hash) using an anchor, then reuses it wherever the same action appears: <figure class="highlight"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">jobs: lint: steps: - uses: &actions-setup-python actions/setup-python@a309ff8b42... # later in the same workflow: - uses: *actions-setup-python</code></pre> <figcaption>Figure 3: Reuse action definition</figcaption> </figure> <h2 id="four-anchor-handling-bugs-found-and-fixed">Four anchor handling bugs found and fixed</h2> When we started, four anchor patterns from these workflows broke <code>zizmor</code>. Aliases in sequences were incorrectly flattened. When a YAML alias appeared inside a sequence (like a list of steps), <code>zizmor</code>’s internal path representation spread the alias contents rather than treating it as a single element. This caused <code>zizmor</code> to crash or produce findings pointing at the wrong location in the file. (Fixed in <a href="https://github.com/zizmorcore/zizmor/pull/1557">#1557</a>) Anchor prefixes leaked into values. <a id="figure-4"></a> <figure class="highlight"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">foo: [&name v, *x]</code></pre> <figcaption>Figure 4: Anchor prefix leak</figcaption> </figure> In YAML flow sequences, anchor prefixes like <code>&name</code> weren’t stripped from resolved values. Given the snippet in <a href="#figure-4">Figure 4</a>, looking up the first element of <code>foo</code> would return <code>&name v</code> instead of <code>v</code>, causing any step that consumed the node value to fail. (Fixed in <a href="https://github.com/zizmorcore/zizmor/pull/1562">#1562</a>) Duplicate anchors caused a crash. The YAML spec allows redefining an anchor name (the last definition wins). <code>zizmor</code>’s YAML layer assumed anchor names were unique and panicked on duplicates. (Fixed in <a href="https://github.com/zizmorcore/zizmor/pull/1575">#1575</a>) The <code>template-injection</code> audit crashed on aliased <code>run</code> values. When a YAML alias was used as a scalar <code>run:</code> value, the audit didn’t expect the indirection and failed. (Fixed in <a href="https://github.com/zizmorcore/zizmor/pull/1732">#1732</a>) To prevent future regressions, we also added integration tests covering anchor patterns found in real workflows (<a href="https://github.com/zizmorcore/zizmor/pull/1682">#1682</a>) and updated the anchor documentation (<a href="https://github.com/zizmorcore/zizmor/pull/1788">#1788</a>). <h2 id="what-else-the-corpus-surfaced">What else the corpus surfaced</h2> Running <code>zizmor</code> against the full test corpus also surfaced bugs that had nothing to do with anchors. Deserialization edge cases. GitHub Actions accepts YAML constructs that <code>zizmor</code>’s workflow model didn’t anticipate: <code>if: 0</code> (an integer where a string is expected), <code>timeout-minutes: 0.5</code> (a float where an integer is expected), <code>secrets: inherit</code> (a string where a mapping is expected). Each one caused <code>zizmor</code> to reject the entire workflow. We reported these as individual issues (<a href="https://github.com/zizmorcore/zizmor/issues/1670">#1670</a>, <a href="https://github.com/zizmorcore/zizmor/issues/1672">#1672</a>, <a href="https://github.com/zizmorcore/zizmor/issues/1674">#1674</a>), and the maintainers fixed them quickly. Expression evaluator bugs. <code>zizmor</code> evaluates GitHub Actions expressions to determine whether user-controlled data flows into dangerous sinks. We validated the evaluator against GitHub’s own <a href="https://github.com/actions/languageservices">Known Answer Tests</a> and helped the maintainers align <code>zizmor</code>’s behavior with the official test suite (<a href="https://github.com/zizmorcore/zizmor/issues/1694">#1694</a>). Upstream issues. We also traced some crashes to bugs in an upstream dependency, <a href="https://github.com/tree-sitter-grammars/tree-sitter-yaml">tree-sitter-yaml</a>, and filed issues and PRs there (<a href="https://github.com/tree-sitter-grammars/tree-sitter-yaml/issues/39">tree-sitter-yaml#39</a>, <a href="https://github.com/tree-sitter-grammars/tree-sitter-yaml/issues/43">tree-sitter-yaml#43</a>). Even the YAML 1.2 test suite doesn’t cover every edge case the spec permits. <h2 id="securing-ci-where-it-matters-most">Securing CI where it matters most</h2> Supply-chain attacks like the Trivy compromise begin with a single misconfigured workflow. GitHub Actions is by far the most popular CI system for open-source projects, and <code>zizmor</code> plays an important role in helping maintainers catch risky configurations before attackers do. By gathering 41,253 real-world workflows and running <code>zizmor</code> against all of them, we tested its robustness against the full variety of YAML patterns that projects actually use. We fixed several anchor-handling bugs, reported deserialization and expression-evaluator issues, and broadened the set of workflows <code>zizmor</code> can analyze cleanly. The methodology is straightforward: download real inputs, run the tool, triage the failures. Any static analysis tool can benefit from the same approach. We’d like to thank the <code>zizmor</code> maintainers, in particular <a href="https://github.com/woodruffw">@woodruffw</a>, for their responsiveness and thorough code review throughout this work. We’d also like to thank the <a href="https://www.sovereign.tech/">Sovereign Tech Agency</a>, whose vision for OSS security and funding made this work possible.

New miniseries: 'Online security essentials' - Johnny.Decimal

2026-05-22T06:57:10.000Z

We added the first episodes in a new JDU miniseries: Online security essentials.

We've been wanting to do this one for a while. This is the basics of staying safe online, and is something we hope you can send to your non-nerd loved ones. We're each recording it with our dad in mind.

This one will also be posted on the YouTube channel for maximum reach.

Background; foreground - James' Coffee Blog

2026-05-22T00:00:00.000Z

In a way, I carry my website with me wherever I go. Technically, my website is a few keystrokes away on my phone, but I think the presence of my website extends beyond the technical. Having a website encourages me to write, I think, because I know I have a place to put and share my writing. I take notes as I go throughout the world because I love writing, then I come home and ask “could I craft this into an essay?” ¹ And so over time my website has accrued stories of bird song and coffee shops and ice cream in Tesco.

My cadence for writing ebbs and flows. I often write in bursts; several days may pass where I mainly take notes, and then I start coalescing ideas into blog posts. In this way my blog moves from the background to the foreground and back – I take notes in the background, write for my blog, and then go back to taking notes.

Days may pass where I don’t do anything with my blog because I’m working on another project, or am otherwise preoccupied. This has been true of late where much of my creative energy has been focused on Wonders of Web Weaving. I want the conversations I have to be the best they can be so my mind has been more on “what questions can I ask?” than “what do I have to write?”

Hearing others’ perspectives on the web gives me so much energy, but right now I want to sit with that energy and let it propel the interviews rather than coming back to my blog. My blog is always here for me when I’m ready, like I am this Friday lunch time when I have connected enough dots to start writing.

This week and last I have also been reading Charlotte Brönte’s Jane Eyre for school. I am almost two thirds of the way through the book and it is already one of my favourites; the contrast between realism and the Gothic in the book is terrific, and my ability to appreciate this contrast has been much aided by reading about the book while I read the book itself. The book is long and gripping, and so my blog has been more in the background – it’s here when I am ready to write, but Jane Eyre has more of my attention at the moment.

I love that my website can sit in the background for a little while. It’s here for everyone who comes to read, and it’s here for me, too, both as a reference – I visit my website basically every day, often to look something up I have written – and as a creative space. Maybe I’ll make a web page. Or write a blog post. Or find a link to share with a friend. And then I keep doing all the other things I do: reading and thinking and walking and dreaming and chatting.

Maybe I overestimate the extent to which having a website and writing are intertwined. Would I write as much if I didn’t have a website? The way to find out would be to not have a website, and that’s not a world I want to live in. Indeed, my passion for the web is so great that despite all of the problematic parts, I am still excited about the future of the web. I want to keep making websites and show other people what is possible with websites because I know first hand how much having a little space to call your own on the World Wide Web can make a big difference.

[↩]

ice cream in Tesco coffee shops bird song 1 [↩]

Like sunrise over a sink - Werd I/O

2026-05-21T22:44:36.000Z

Link: AI scandal engulfs prestigious short story prize after multiple entrants accused, by Shahana Yasmin for the Associated Press

So I want to be a bit careful about this, because a false positive would be harmful, but it certainly looks like the short story that won the Commonwealth Fund Short Story Prize was generated with AI.

A lot has been said of the writing, which includes sentences like:

“She had the kind of walking that made benches become men.”

And:

“The girl smiled like sunrise over a sink.”

The author has no digital footprint except for an AI-shilling LinkedIn account. While he is a verified real person, his author photo has very clearly also been AI-generated.

Here’s the thing I haven’t seen anyone mention yet: we know that when AI is used in hiring, it preferences AI-generated resumés. And not by a small amount:

“The preference rate for models evaluating their own outputs over human-written alternatives reached a staggering 67% to 82% across major commercial and open-source systems.”

There were well over seven thousand submissions for the short story prize. Is it really outside of the realm of possibilities that the prize itself used AI to sift through them?

I’m not saying any of this is definitely what actually happened, but it certainly makes for an interesting Turing test — and it’s worth making note of this moment as a marker as AI continues to ingrain itself culturally.

Nothing deserves brand royalty - Joel's Log Files

2026-05-21T22:20:00.000Z

I don’t like to think of myself as someone with “brand loyalty”, but it’s undeniable that I have preferences for the tools I use hardware and software-wise.

When it comes to brands for any product, I like to think that I do my research and often go for the most budget-friendly options. I used Xiaomi devices for a long time because they were easy to jailbreak and install custom Android versions on them that allowed me to customize my device however I wanted.

I chose my Kobo Clara 2E because it’s not Kindle and it was easy to install KOReader on it. If it were any other brand, if it lacked a built-in store and if its default OS were bad. I wouldn’t mind, the hardware allowed me to do what I wanted, it was the most practical choice. The XTEINK X4 showed up much later to fill a different niche, but I still would have gone Kobo for a proper-sized reader, Amazon is just evil.

I went with Anbernic and Miyoo handhelds since they simply had the most community support around them and I knew the hardware was plenty for my needs. I could have gone with even cheaper no-brand options too but the amount of information available would not have been as big.

Built-in features are almost never what I care about, a pretty logo does not matter to me, I don’t need some comfy walled garden either, when it costs me my freedom.

However, I am weak when it comes to one brand: Nothing

Or at least, that design language of theirs.

Yep, the title had a double meaning, I apologize

I don’t think this warrants a super long blogpost, you can just look up what they sell and you’ll clearly see how incredibly unique they are.

I own one of their phones—Nothing Phone (3a)—one of their wireless earphones—Nothing Ear (a)—and I just purchased their of open earphones too—Nothing Ear (open)—that I’ve been testing for a couple of days and plan to use while cycling around my city.

For the price, the brand is well placed, offering affordable devices with some compromises that I don’t really care about. But when I purchased these earbuds (and the ones I already had, to be honest) I realized that I completely ignored my “budget-friendly” ideals of before. I would usually go for something like SoundCore or Haylou back in the day.

I got them because they were competitive, sure—any more expensive and I would not have bothered—but the design is what won me over. They look unique, they say something about you. And as much as I don’t want a brand to represent me or seem superficial, I just can’t help but love it.

There are better products for better prices, but the creativity just won me over, their phones’ bootloader is also unlockable so that’s a plus for the day I finally decide to get into rooting and installing a rom on my phone again.

Now, if it’s not obvious. Nothing (the brand) doesn’t actually deserve brand loyalty. They have done some sketchy moves too. I am not a fan of the pathetic AI button on my phone that can’t be reprogrammed by default. There are also some updates that have shown some notifications with ads for app recommendations and the like. Definitely not perfect at all.

I just love that their phones and products are more than just boring rectangles and Apple clones, okay?

Oh, actually, I am also weak to Nintendo, they suck, they do terrible stuff sometimes, but those games are just so goood…

Sorry, I am just a hypocrite. Enough.

This is day 68 of #100DaysToOffload)

All of my Nothing products, very aesthetic!

Reply to this post via email | Reply on Fediverse

Why micropayments can't save news - Werd I/O

2026-05-21T14:29:00.000Z

In an interview with Nicholas Thompson last month, OpenAI CEO Sam Altman backed a micropayments strategy for news:

“What really makes sense in a world of agents is we try a sort of micropayment-based approach. […] My agent can read it, pay $0.17, and give me a summary of that. If I want to go read the whole article, pay $1, or however that works. If my agent wants to calculate something for me that’s really difficult to do, it can go rent some cloud compute somewhere and pay for that, but I think there will be need to be a new economic model for these agents doing lots of small transactions and exchanges of value with each other on behalf of their human controllers or whatever, all of the time.”

What he describes is a combination of pay-per-view and a utility model. In pay-per-view, you’re paying a custom price set by the publisher in order to access a resource; you as the user might get a prompt asking whether you approve the transaction, or you might just give it an approved budget. When he talks about an agent renting cloud compute, it would likely be paying based on usage like a utility, with financial transactions similarly carried out behind the scenes. It’s not really different from the Spotify model in the sense that artists are paid per stream; there it’s a percentage of your total listens, whereas here it’s probably a total budget that you preload into a wallet.

This keeps coming up in software circles: I’ve heard, again and again, that an approach like Altman describes would help provide revenue for publishers in an AI-intermediated information ecosystem. I disagree; while I think there’s certainly value for utility-style pricing on the web, proposals to use it for news are based on a misunderstanding of how journalism is valued and paid for today, set up the wrong incentives for publishers, and conflate every kind of publisher into one very flat model.

So, let’s talk about it.

First, it’s important to understand what a micropayment actually is. Then I’ll discuss the incentives micropayments create, how they might apply to different kinds of publishers, where micropayments might be useful, and how platform owners might embrace the needs of publishers more directly in an agentic ecosystem.

What is a micropayment?

Micropayments are small payments — sometimes a fraction of a cent — that are charged to access digital goods or services. Usually, this happens more or less automatically: you load a wallet connected to your web browser or AI agent, and then when you or your agent visit a resource, a small payment is made. This could be a flat fee or it could be charged as a percentage of your total browsing for the month.

There have been a number of attempts to make micropayments work on the web. Flattr was an early example: a browser extension that paid for content on your behalf. It struggled with getting enough people to fund their wallets and was faced with the high underlying transaction fees associated with credit card payments. It ultimately shut down in 2023. The Brave browser attempts something similar through cryptocurrency.

Today, the Interledger Foundation is working on creating an open protocol that can be used for micropayments, among other kinds of compensation. The protocol is intended to overcome the kinds of financial friction that Flattr experienced. The Foundation is working hard on the problems I’ll raise here in the rest of the piece.

We’ll make it up in volume

Clickbait is enabled at scale on the web by display advertising. Because the revenue received by a publisher is directly connected to the number of pageviews they receive, publishers that are entirely tethered to this model have two incentives:

To drive as much traffic as possible to their articles
To lower the cost of each individual article as much as possible

That’s led to an information ecosystem where many publishers produce low-quality content with misleading headlines in an effort to get as many people as possible to look at them. For many, it doesn’t even matter if the article is true; the reader doesn’t build a long-term trust relationship with the publisher and likely won’t come back unless they’ve been hoodwinked into looking at another one. These publishers are the tourist traps of the internet. There’s no ongoing relationship, so there’s no duty of care.

Micropayments are effectively this model, with the difference that nobody has to look at an ad. Revenue is directly tethered to traffic, like a display ad model; the difference is that the money for a publisher comes from the reader’s pocket instead of the advertiser’s.

Not only does this continue to incentivize clickbait, but these publishers are now competing for the checkbooks of millions of people rather than a few well-funded advertisers. In an advertising-based world, every visitor is highly likely (ad blockers excepted) to produce a small amount of revenue; in a distributed wallet world, we’re relying on individuals to be well-funded.

It’s also worth considering the full user journey. For a reader to arrive at a particular article, one of two things is happening:

The reader has discovered the article off-platform, perhaps through a social media post or a search engine result
The reader already trusts the publication and is seeking out their information specifically

In the first case, the publisher is incentivized to find ways to surface their work. That will be through a combination of tried and tested methods like social media audience work, paid acquisition, and SEO. But they have to do this work for every single article, for every single reader. The most efficient thing they can do is try to build an ongoing relationship with that reader so they don’t have to work as hard for that reader’s second pageview. In other words, the most desirable end state for a cold interaction with a reader is some kind of trusted relationship: they want the reader to sign up for a membership.

In the second case, a trust relationship has already been established. Here, too, the most desirable end state is for the reader to have a membership. Because the reader already trusts the publication, it’s the most desirable end state for them, too: they likely want to prioritize this publication over other sources that are less trusted by them.

Okay, but what about agents?

There’s an argument to be made that, in an agentic world, the relationship isn’t between the publication and the reader; instead, the AI vendor sits in the middle as an intermediary. That’s much worse. Rather than allowing every reader to build their own information landscape, the decisions made by companies like OpenAI about which sources are trustworthy will affect the information that everybody receives. If agents build their own trust relationships with publications, the underlying assumptions that dictate how those agents select sources and process their information govern how everybody learns about the world around them.

Micropayments probably are the financial backbone of that world, but I’d argue that it’s not a world we want to live in. On the other hand, if agents act based on human reader preferences, then the relationship returns to being between the publication and the reader, and we’re back to the incentives for both readers and publishers tending towards membership.

If an agent-first world really is coming — and, to be clear, the jury’s still out — then finding ways to encode memberships into the underlying protocols and mechanisms is important. Micropayments are ephemeral.

Publishers are not monolithic

When we talk about “publishers” we miss a ton of nuance. What works for a local for-profit paper is not the same as what works for a non-profit national news website is not the same as what works for a premium international newspaper. These businesses all try to serve their communities with information, but they have different financial dynamics, communities, and needs. There are multiple overlapping spectra of business models, information types, communities served, publishing surfaces, and more.

At some intersections, micropayments might make more sense than others. For example, if a local for-profit paper is serving event listings for the area, it might quite reasonably charge an agent to access it as a dataset on a utility basis. In general, micropayments do make sense as a way to access raw datasets or lists of facts; you don’t establish a trust relationship with a spreadsheet.

But even then, it’s heavily dependent on the nature of the publisher. If it’s a non-profit paper, those charges might not fit within its mission. If we’re instead talking about ongoing, in-depth qualitative reporting on the characters behind a neighborhood, rather than flat facts, or an ongoing series by a journalist with a specific point of view, a reader might want to establish a subscriber or member relationship. But that, in turn, might make more sense for a for-profit publisher, while a non-profit might be serving its articles for free but asking for a donation. (Or it might not! There’s nothing requiring that it does this.)

The medium matters, too: some models work better with the ways people interact with text, others with the ways people watch video. You also need to consider the characteristics of the intended audience. Can they pay for a micropayment or a membership, or does informing them require some other kind of underwriting like non-profit donations from an institutional backer or, yes, advertising? If we only inform audiences who can pay, we create news deserts in the communities that might need real reporting the most.

There’s no single solution. Every publisher needs to figure out the business model that’s right for it based on its specific context, mission, audience, and focus.

There’s a real distinction between commodity facts (a stock price, a sports score, an event listing) and the analytical, contextual, investigative work that makes journalism valuable. The latter is an ongoing process of building trust. It’s not ephemeral; it is relationship-based. And although, as I’ve discussed, there are also real differences across publisher type, medium, and community, it’s generally not a good fit for micropayments.

So what should platforms do?

I’ve discussed that publishers need to navigate all their contextual factors and choose the business model that’s right for them from first principles. Platform owners would likely prefer that publishers all use the same template — it’s much easier to build a scalable platform that way. Sam Altman isn’t just thinking about how to provide compensation to publishers; he’s also considering what would result in the least friction for his business.

Micropayments are useful for people who build agentic platforms because they reduce friction. The user asks for information (or the system contextually decides they need to see it); the system serves up that information. The micropayment transaction happens behind the scenes in a non-interruptive way.

Supporting trust relationships can be similarly non-interruptive, but they require a little more thought. Today, the thinking is that AI agents will use protocols like MCP to request information from sources. The protocol might change in the future, but the principle probably remains the same: it’s an API that happens to be designed for AI systems rather than traditional client applications.

Adding a mechanism for explicit calls to action would be a great start. This would allow the publisher to prompt the user to start a membership. The publisher would receive more information about the reader, as well as potentially some revenue; in turn, the reader would receive access to more articles or data that their agent could use.

One embodiment of this is that a user could subscribe to a publisher and receive its articles in a reader, perhaps even using an existing substrate like RSS; they could then use their accumulated corpus of subscribed articles with their AI agent. The agent is not intermediating a relationship with the publisher; the relationship is with the human subscriber, and the agent then operates on what they’ve subscribed to. This doesn’t just build trust in the publisher: it builds a loyalty relationship with the AI platform too. Both the publisher and the AI platform build a stronger relationship with the reader.

Membership-first platforms like Ghost are already approaching this as they start to add more affordances for AI. It wouldn’t surprise me to see existing publisher platforms move in this direction, building more foundational AI technology for memberships in the process.

Publishers don’t need to compromise on their relationships with their communities in order to adopt new technology. Platforms don’t need to flatten relationships in order to achieve scale. There’s a lot to be gained by working together and understanding each other — and remembering that human relationships build the kind of trust and loyalty that an ephemeral transaction never could.

Going to try shutting down my laptop every night - Johnny.Decimal

2026-05-21T13:00:38.000Z

When you have the safety net of 'never close anything', you don't really have to think about where a thing goes. You can just leave things open in a window, unsaved, hoping that someone else will think about it at some point in the future.

Starting today I'm going to quit every app and shut down my laptop at the end of the night.

Will I find it all again in the morning?

Context switching - Johnny.Decimal

2026-05-21T12:21:48.000Z

Still on a quest to figure out the right pattern for work logs (also here and this episode of the Task & Project Management course), I've been tracking what I'm doing in a really simple Baserow table for a couple of days.

It's just thing, started, and finished. If an item isn't finished, it groups up to the top (not shown here), so I have a simple list of stuff I'm still doing. It's been really helpful and I'll keep doing it. (Idea is to template this out as something you can duplicate.)

That's me working on 21 separate tasks, across the breadth of my business, in just 2 days. And I'm sure there are more: I haven't added a row for the fact that I'm typing out this blog post.

The modern world is insane. You can do so much. And at the end of the day your brain is broken. It's pretty obvious why.

I'm not sure what I do with this data yet. It's not like I want to slow down. But this doesn't feel sustainable? (Not complaining! Love my job. Just an observation.)

Graduation Day - Cool As Heck

2026-05-21T11:34:16.000Z

Today is graduation day for my twin girls, Moxie and Clarity.

They've gone through a lot of things I didn't have to go through when I was a kid: divorce, moving, changing schools, going back and forth between two parents. Yet they turned out much wiser than I was at their age. They've both strived to be great students and challenge themselves, attending college-level classes at the high school or classes at the local community college during their senior year. They joined clubs, made art, inspired change, built solid friend groups, and advocated for their fellow students. I know that they're ready for college and the new challenges ahead. I'm so proud of them.

Today my heart is full.

Whale Fall - Terence Eden’s Blog

2026-05-21T11:34:15.000Z

Somewhere, in the endless blue ocean, a gigantic mammal shudders as it takes its last breath. Thanks to science, we know that all dogs go to heaven, but all whales descend through the murky depths until their carcasses litter the seabed.

Imagine a giant dying. You can't. They are huge and endless. A towering presence which, so it seems, has always been part of our world. They dominate and are indomitable. It is simply unfathomable that they can ever end. Yet end they must.

As the whale dies, we do not know what passes through its cavernous brain. But we do know what the rest of the ocean thinks.

Lunch.

The death of a whale is a thing to be celebrated. The thump of their still-warm body onto the floor is the starting bell for a feast. Some larger predators sense an easy meal and tear off the choicest morsels. But what of the scavengers? What about the new life not yet established? What happens to the weird little creatures just waiting for an energy boost?

In many ways, it was fortuitous that Twitter pre-signalled its death with the Fail Whale.

The twitching corpse is gently floating down to its watery grave. Some of the older and more established social networks have bitten out chunks of the still-fresh body and have run away with their spoils. But the fascinating thing is watching all the new services benefit from the death of a giant. Mastodon, Discord, BlueSky, Qaplion, Nostr, and a bunch of others hollowing out the rotting husk and using it to power their own growth.

Will those .meow social networks ever become a gigaton behemoth capable of ruling the waves? Maybe not, but size is not the only metric of success. Finding and defending an ecological niche is its own reward. Evolution abhors a monoculture.

Several bloated bodies meander through the brine, each one confident that its ageless wisdom will outlast the others. Had they any self-awareness, the hubris would gnaw at their tattered souls until the crushing realisation of their impending doom drove them mad.

Perhaps it will happen to GitHub next. The endless downtime and forced injection of crappy AI will start a death spiral. Already established forges are waiting to pounce once they smell blood in the water. But what critters will emerge to suck the bones of the old giant and develop in unexpected ways? Some bizarre fungal growth will devour the stinking jelly unlocked from those shattered bones and a new ecosystem will emerge.

Will WordPress's increasingly erratic leadership and tangle of legal disputes cause it fatal damage? Once minnows darted away from its presence; now they cautiously nip at its greying skin. Its mighty bellow still echoes through the clammy waters, but there's a tinge of frailty in its song.

Everything dies eventually.

The internal flora and fauna - be they parasitic or symbiotic - eagerly await their host's downfall. A chance to break free and explore new strange new world. A chance to begin a new relationship and co-evolve in unexpected ways.

The biological pump is primed, the hungry jaws of an uncountable fleet of new ideas is just waiting to pounce, the giants swim on in blissful ignorance.

You can read more about Whale Fall on Wikipedia.

New miniseries: 'Everyday Obsidian' - Johnny.Decimal

2026-05-21T06:22:57.000Z

We added the first episodes in a new JDU miniseries: Everyday Obsidian.

In this free series I'll show Lucy practical everyday tips for Obsidian. This is 'how normal people use it every day', not 'how to become an Obsidian guru'.

PSA: PDFs leak data - Johnny.Decimal

2026-05-21T05:48:15.000Z

Lucy just noticed that a PDF she was viewing in her browser revealed something about its history when she hovered over the browser tab. In her case, harmless enough: the shameful fact that she created one of her lovely Excel summary sheets in PowerPoint. (Not even Keynote!)

PDFs are full of invisible data

Chock-full of it. Here's how this can trip you up. Let's say Jim is leaving so the team writes him a lovely message. Nobody really likes Jim, so you save the file on your Desktop with a snarky title.

Then you Print > Save as PDF…, and of course you save the file as Good luck Jim!.pdf.

Oooh but you didn't notice the Title field there, and now that's embedded in the PDF. Jim can just inspect the file or, if you're unlucky, he'll open it in Firefox on the farewell Zoom call and it'll be visible to everyone. Em-barrassing!

You think this will never happen to you? Oh sweet child, it happens all the time. And there's not really much you can do about it other than be aware of it, and remember not to do it.

PDFs contain a lot more information than you can see. Be careful.

Nobody is destined for greatness. - Westenberg

2026-05-21T01:31:20.000Z

Demosthenes lost his first appearance before the Athenian assembly. His voice came out thin and failed him mid-sentence, and the crowd laughed him off the platform. Plutarch tells us he walked home with his cloak pulled over his face, certain his public life had ended before it started.

What he did next settled the rest of his career. He dug out an underground study and shaved half his head, so that he'd stay indoors at his exercises for months, too ashamed to be seen. He crammed pebbles into his mouth and made himself speak around them. Climbing steep ground, he recited long passages, and he pitched his voice against the crash of the sea so that a hostile crowd could never break his rhythm again. He walked out of that hole as the finest orator Greece produced, the man who roused Athens against Philip of Macedon.

Nobody handed him any of it. He built it out of repeated failure and a stubborn refusal to accept the verdict of one bad afternoon.

The story we keep telling

We tell ourselves a flattering story about greatness. Some people get born for it, the gift already in them, coiled and waiting. We keep that story alive because it lets everyone off the hook. If you have to be marked for it from the start, then the people who reach it were always going to, the rest of us were never meant to, and nobody has to attempt anything that might hurt.

Anyone who reads the biographies finds the opposite. The people we file under genius turn out to be the ones who put in absurd quantities of hard, unwitnessed work before anyone noticed them. Some of them carried obvious aptitude, sure, but they fed it for years before they made it into something worth paying to see.

Where the "naturals" come from...

People reach for Mozart first to defend the destiny myth. They point at a child composing music at 5, call it proof of something supernatural in the blood, then skip what came before: Leopold Mozart, a professional teacher who wanted a prodigy for a son, started drilling the boy before he could read. By the time Wolfgang wrote anything we still perform, his father had put him through daily lessons for more than a decade.

The psychologist Anders Ericsson studied expert performers for most of his life and set out his findings in Peak, published in 2016. He found the same thing wherever he looked, among violinists, chess players, athletes and surgeons. The standout was the person who started young and put in more hours, whatever wiring they happened to be born with.

Ted Williams, who has a fair claim to being the best hitter baseball has seen, swung until the skin came off his hands. He liked to point out that nobody turned into a hitter by strolling up to the plate. Eliud Kipchoge, in his 40s, still grinds through the same training blocks he ran as a nobody, out of a bare camp in Kenya's Rift Valley, logging every kilometre by hand.

James Dyson built 5,126 failed prototypes of his bagless vacuum cleaner across the early 1980s before the 5,127th held together. No factory backed him and no investor believed in the idea. The established manufacturers turned him away one after another, because they made their margin selling bags and his machine needed none. The man with a multibillion-pound company today was broke through all of it, alone in a workshop, getting it wrong more than 5,000 times before anyone called him an inventor.

None of these people waited for a calling. They went and earned the thing, one repetition at a time, while it was still ugly and unrewarded.

...And what the myth costs

People who believe in destiny pay a price for it. They turn brittle, because they take their first hard setback as proof they were wrong about themselves, a sign the gift has run dry. Carol Dweck documented this in Mindset in 2006. Children praised for being clever, rather than for effort, dodged hard problems and folded when stuck, because failing one would expose the label as a lie.

The rest of us sit on our hands. People wait for a sign that they belong, and no one ever sends it, because that's not how any of this happens. Demosthenes got no sign. He got an underground hole, a half-shaved head, a mouthful of pebbles and the roar of the sea.

The people who make it tell the destiny story too, once they've arrived. Looking back, they compress the grind into a clean line and leave the years of doubt out, until what remains sounds like a gift that unfolded on schedule. By retelling it that way, they teach everyone behind them the wrong lesson, and another generation believes it.

Earned greatness looks nothing like the myth.

Picture the thousandth repetition of a thing you fumbled on your first attempt, and the long stretch when nobody is watching. Behind that are the friends who lose patience, the savings that drain, the steadier job you turned down and the years that pass with no proof you were right. Other people add the glamour later, once the result is plain to see and you've already paid for it.

There's a version of you that keeps waiting to feel chosen, and a version that goes down into the hole and gets to work. The first one keeps waiting.

Nobody is born holding greatness.

People build it in the dark, with pebbles in the mouth, long before anyone arrives to applaud.

Lifting Mastodon rate limits - Posts feed

2026-05-20T22:04:00.000Z

I'm a reluctant Bluesky user and a new Bluesky user. I expanded my site's syndication implementation to support Bluesky and updated my links implementation to support tagging authors on Bluesky. Why join now? I'm not totally sure. Indigo launching was a factor. It looked like (and is) a lovely app.

[RSS Club] Let's meet up AFK - Terence Eden’s Blog

2026-05-20T11:34:04.000Z

Shhhh! This post is only available to RSS subscribers like you 😊

My wife and I are preparing for a big Interrail journey through Europe. Whenever we go on holiday, we like to meet up with friendly locals to have a drink and chat. We did this on our last journey and it was great.

So, if you're a member of RSS club and fancy showing some tourists a cool bar, awesome restaurant (with vegan options), local tech conference, or nifty museum - please get in touch.

Our exact dates aren't finalised yet, but from now until the beginning of July, we'll be taking roughly this route:

🇩🇪 Hamburg →
🇩🇰 Copenhagen →
🇸🇪 Gothenburg →
🇳🇴 Oslo →
🇸🇪 Stockholm →
🇫🇮 Helsinki →
🇪🇪 Tallinn →
🇱🇻 Riga →
🇱🇹 Vilnius →
🇵🇱 Warsaw →
🇩🇪 Berlin → Munich →
🇮🇹 Verona → Milan →
🇨🇭 Basel →
🇫🇷 Paris

If you're in one of those cities and fancy a beer & veggie burger, please give us a shout. We won't be able to meet everyone as we do have some existing plans and tight connections but, as they say, it's nice to go where everybody knows your name.

Exporting Vinted Sold Data - Robb Knight • Posts • Atom Feed

2026-05-20T10:58:13.000Z

Over the past month or so I've sold a bunch of stuff on Vinted and I wanted to know how much I've made but Vinted don't give you that data, at least not in a nice way. They have monthly reports but that shows what you started with and ended with which only works if you don't withdraw or spend anything, which I had.

So I went to the sold page, scrolled the infinite scroll list until it had loaded the months worth of stuff and whipped up this snippet to take the price and title of the item and add it to the clipboard.

list = document.getElementsByClassName('my-orders-content')[0]
items = Array.from(list.querySelectorAll('a .web_ui__Cell__content'))
data = items.map(i => {
	price = i.getElementsByClassName('web_ui__Text__text')[0].innerText
	title = i.getElementsByClassName('web_ui__Cell__title')[0].innerText

	return `${price} // ${title}`
}).join('\n')
copy(data)

The output will look something like this which I can then paste into Numi or Soulver to give me a total. Bundles don't have a useful title because that's not available on the page.

JDU 'preview mode' - Johnny.Decimal

2026-05-20T04:36:09.000Z

We've added a 'preview mode' for signed-in users with a free account. You can preview a handful of Task & Project Management episodes today, and in the next few days we'll do the same for the Workshop and Learn with Lucy – Excel.

Why wouldn't every meeting have an ID? - Johnny.Decimal

2026-05-20T02:24:10.000Z

After our meeting on Monday I'm feeling hyper-organised. All of our active work has a project in Things, which I'll show another day. What I'm doing now is scheduling some of this work, including a meeting with Lucy tomorrow.

For that meeting I've created a work package – again, details to follow – but what's interesting here is that I've used the IDs of all of these things in the appointment title.

I don't see a reason why every single one of my future meetings won't have an ID. (Unless it's just me blocking time/reminding myself to stand up and have a break – see that work/break pair, which I move around throughout the day.)

Right now, in the context of setting up this meeting, I know what it's about. I just created work package W0159~21.39 Home page re-jiggering to make it more SBS-focused. It's in-memory, as we say. So why let it fall out of memory, only to have to recall it tomorrow?

It's these tiny optimisations, applied consistently, that'll make you 1% more efficient.

Performative Blogging - Joel's Log Files

2026-05-19T22:00:00.000Z

Photo from Unsplash

Don’t worry, I am not going to expose anyone but myself here.

A few weeks ago I saw a YouTube video: The Performative Epidemic (Invidious) by chon digital, that was about something I think everyone has heard about in one way or another.

Basically, people that pretend to do or engage in a certain activity and post about it online. All with the hopes of getting engagement and make themselves known or internet famous, although sometimes they genuinely want to form connections with people but end up looking like attention-seekers anyway.

I will be honest. I do like to be known and to have some fame. I am not going to pretend otherwise, but I have also tried my best to write about whatever I am feeling like writing, and to do so without worrying much about what is trending or popular.

However, I’ve been very, very tempted lately, to go ahead and copy whatever is going on in the online circles around me.

Seriously though, I look at what’s on the top of the Bubbles frontpage every couple of days and often think “how did I not write about that sooner?” Even more so when there’s a trending post that caused a lot of public responses—such as Hey you, start communicating! by David, and many others before it!—that I could have contributed to—and I may do so even after they are not trendy anyway.

I just need to admit it. I am a little jealous, because a lot of the posts are kind of obvious. They are meta-posts about blogging, about being yourself, about the indie web, about socializing in the internet, a rant against AI, someone who switched to Linux, or whatever in between!

And you know? Writing this, I think it has been holding me back. A part of me wants to write about the next big thing that will get a lot of clicks, and that has stopped me on my tracks from writing about what my brain would usually come up with.

Look at my weeknotes that mention what I actually do and engage with, and you can see a lot of themes that would usually be expanded upon from a paragraph to a whole blog!

Maybe about my return to Monster Hunter Freedom Unite, a guide on how to get started through the early stages of the game or set up online multiplayer rooms for it via emulation! I’ve even been asked for this by a friend already!

It could be a tour through the Miis and experiences I’ve had on Tomodachi Life: Living The Dream, sharing some funny screenshots and recordings of the game that I’ve saved with hilarious moments, and some thoughts about it.

Or it could be that post about cycling through my city! I experienced a lot of things as I’ve gotten started on this hobby/transportation method, and I could even do a tour through some neat places I’ve seen on my rides, although I prefer to keep where I live private for the most part.

Perhaps a nostalgia trip through Max Steel, the toy franchise that heavily influenced my life through its movies—which I’ve been bingewatching for a few days—and their action figures I wanted as a kid

But like, who wants to read a young adult rambling about a toy from the early 2000s and its low budget movies with PS2 quality graphics? Why would one care about the early beginnings of yet another hobby of mine when there’s a dozen I’ve written about already? How trendy can a blogpost about an old PSP game with terrible controls and lots of grinding really get? Tomodachi Life is the one somewhat trendy topic, but whatever.

Funnily enough, some of those themes are things friends have already asked me about a couple times, I am just being deaf here for no reason—nobody cared about Max Steel though unfortunately.

Of course there are readers for everything, and I’ve been reassured by many of my online friends about how they like that I write about whatever all the time.

And yet here I am, writing my own meta-blogpost, with a title that is likely to make it to the top for once.

Is this the ultimate move of “performative” blogging? Am I being as hypocritical and desperate as it can get while writing about the fact that I should not write about trendy topics just to get attention for it?

Perhaps I am, but I will write about my little niches soon enough too. Now click that upvote button in the comments section for me okay? Or just send me an email, I love them very much too. 😁

To make it clear again, a lot of the people who have blogposts that get to the top are actually awesome. They, like me, have plenty of variety and themes and shenanigans they share online. I am definitely not saying they are being performative and it’s something that is hard to judge anyway. If anything, I’m the one being a little childish about it. But hey, that’s just my brain sometimes.

Now I just need to share this post at the perfect time to get the largest amount of readers as possible…

NO, STOP IT, END OF LINE.

This is day 67 of #100DaysToOffload

Reply to this post via email | Reply on Fediverse