Shellsharks Blogroll - BlogFlock

📝 2026-06-23 12:58: Create one of those Uses pages. Still a work in progress, but there's a good... - Kev Quirk

2026-06-23T11:58:00.000Z

Create one of those Uses pages. Still a work in progress, but there's a good chunk of the stuff I use on there now.

https://kevquirk.com/uses

Thanks for reading this post via RSS. RSS is ace, and so are you. ❤️

You can reply to this post by email, or leave a comment.

Wonders of Web Weaving, Episode 7 - James' Coffee Blog

2026-06-23T00:00:00.000Z

The seventh episode of Wonders of Web Weaving is out:

In Episode 7, I chat with Ana, the author of ohhelloana.blog. We talk about, among other things, the growth we see in our websites over time, finding an in-person indie web community, and connecting with people using personal websites.

I hope you enjoy the episode!

Wonders of Web Weaving has an RSS feed you can use to follow along from wherever you get your podcasts.

Ana ohhelloana.blog The seventh episode of Wonders of Web Weaving is out Wonders of Web Weaving has an RSS feed

Introducing Patch the Planet - Trail of Bits Blog

2026-06-22T16:50:00.000Z

What happens when you clear dozens of Trail of Bits engineers’ schedules, pair them with every open-source maintainer they can contact, and unleash the latest frontier models like GPT-5.5-Cyber on critical open-source targets? Thanks to <a href="https://openai.com/index/daybreak-securing-the-world/">our partnership with OpenAI</a> and its Daybreak initiative, <a href="https://gist.github.com/patch-the-planet/69fd1aa925c8e73edea9e6e967043cbb">we can report</a> that the impact is hundreds of discovered bugs, 64 pull requests, and 51 issues filed across 19 projects (with many more still undergoing coordinated disclosure). That was just the first week of <a href="https://trailofbits.com/patch-the-planet">Patch the Planet</a>. Frontier models like GPT-5.5-Cyber are producing a firehose of security findings, and already-stretched maintainers must sift through all of it to separate real vulnerabilities from plausible-sounding false positives. Patch the Planet is different: with our experts orchestrating and triaging findings, we handle the work of fixing and hardening the code alongside the people who maintain it. The first week of Patch the Planet covered 19 projects across cryptography, networking, language infrastructure, and software supply chain. Among these 19 projects were cURL, NATS, pyca, Sigstore, aiohttp, the Go project, freenginx, Python and python.org, urllib3, PyPI, SimpleX, Valkey, and RustCrypto. Over 30 projects have joined the initiative so far, and we’re rapidly expanding it to include more; if you maintain an open-source project, <a href="https://trailofbits.com/patch-the-planet">apply to join</a>! <figure> <img src="https://blog.trailofbits.com/2026/06/22/introducing-patch-the-planet/ptp-image-1.gif" alt="“Live look at the Trail of Bits engineering teams”" width="500" height="221" loading="lazy" decoding="async" /> <figcaption>Live look at the Trail of Bits engineering teams</figcaption> </figure> Anyone can file an issue, flex, and walk away. We showed up with the patches: 37 are already merged, and many more are in flight. These merges go beyond just fixing bugs: we’re adding new tests and fuzzing harnesses, CI security scanning, supply-chain tooling, correctness fixes, and features maintainers had been meaning to get to. The goal of Patch the Planet is to leave essential open-source projects measurably better off. <h2 id="we-brought-patches-not-just-bug-reports">We brought patches, not just bug reports</h2> We’re reporting public findings <a href="https://gist.github.com/patch-the-planet/69fd1aa925c8e73edea9e6e967043cbb">on GitHub</a>, including 64 total pull requests. We also filed 51 issues, 19 of which are already closed with a fix. This public tally undercounts the work, since several projects take reports through private channels like HackerOne, GitHub security advisories, mailing lists, and private forks, and most of these have not been released publicly yet. What’s in those pull requests matters more than the count. At python.org, we added a CI workflow built on <a href="https://github.com/zizmorcore/zizmor">zizmor</a>, our open-source GitHub Actions auditor, fixed all of the issues it flagged, and integrated it into their CI. In RustCrypto, we contributed correctness fixes to the big-integer library that higher-level cryptography is built on, alongside genuine feature work in review: serde encoding support and HPKE DHKEM suite IDs. Other patches were plain engineering help: storage-accounting and service-restart fixes in SimpleX, a clearer admin-quarantine confirmation in PyPI’s Warehouse, and supply-chain improvements like SBOM sidecars for Python’s Windows artifacts. We will also be upstreaming many testing improvements and new testing campaigns. Arguably, our best contributions are not even bug or security fixes. Keeping track of all of this is a bot we call Patchy. Patchy monitors every project, posts each new finding and merged patch to our Slack, and, for reasons we consider scientifically sound, reintroduces the common use of <a href="https://openai.com/index/where-the-goblins-came-from/">goblins, gremlins, and assorted creatures</a>. Here’s Patchy’s description of <a href="https://github.com/pyca/cryptography/pull/14933">an issue that has been patched</a>: <figure> <img src="https://blog.trailofbits.com/2026/06/22/introducing-patch-the-planet/ptp-image-2_hu_d772e23377508832.webp" alt="“Patchy’s description of an issue that has been patched”" width="1200" height="329" loading="lazy" decoding="async" /> <figcaption>Patchy’s description of an issue that has been patched</figcaption> </figure> When a patch lands, Patchy celebrates with a triumphant <code>PATCHY HAPPY</code>. Making Patchy happy is really what drives us. <figure> <img src="https://blog.trailofbits.com/2026/06/22/introducing-patch-the-planet/ptp-image-3_hu_5af72ac2534386fd.webp" alt="“Bug patched, Patchy happy”" width="1200" height="185" loading="lazy" decoding="async" /> <figcaption>Bug patched, Patchy happy</figcaption> </figure> <h2 id="a-few-highlights-from-the-week">A few highlights from the week</h2> The week produced more than we can fit in this post, but here are some quick highlights. A fuzzing lab built in a day. Given a narrow goal (find remotely exploitable bugs) and no instructions on how, GPT-5.5-Cyber decided that reading the source of one of the most-reviewed C libraries in existence was a poor use of tokens. Instead, it stood up a full fuzzing lab in under a day: sanitizer and variant builds, a seed corpus drawn from existing tests, and harnesses across a dozen entry points. Instead of simply fuzzing exposed APIs, it successfully built a harness that injected operating system backpressure to identify novel issues by reaching previously unexplored buggy states. We estimate all of that effort likely would’ve taken one of our fuzzing experts two to three weeks to do manually. Just as important, it showed judgment about what to test, what to report (and not report), and where to find higher-impact findings. We’ll publish the full details in a standalone field report. A pipeline for variant testing historical CVEs built in a day. Codex was also adept at building simple but effective pipelines, such as the CVE variant analysis pipeline shown below. Codex’s <code>/goal</code> feature combined with frontier models like GPT-5.5-Cyber for this type of variant analysis produced novel issues with almost exclusively high-signal output. <figure> <img src="https://blog.trailofbits.com/2026/06/22/introducing-patch-the-planet/ptp-image-4_hu_a106c2e464121abc.webp" alt="“Pipeline for historical CVE variant analysis”" width="1200" height="617" loading="lazy" decoding="async" /> <figcaption>Pipeline for historical CVE variant analysis</figcaption> </figure> A release-pipeline improvement at python.org. We reported multiple security issues for <a href="http://python.org">python.org</a>, including some issues closing a legacy-API authorization gap. But we’re most proud of the work that produced long-term improvements to python.org’s release infrastructure: the new zizmor CI scanning, tightened release-file and metadata validation, deletion scoping fixed so bulk operations can’t reach beyond their target, and release-tooling patches in review that quote remote command arguments, fail safely on partial uploads, and add SBOM sidecars. The aiohttp maintainers fixed their issues almost immediately. We privately reported a cluster of issues across aiohttp’s client and server paths, including cookies that could regain broader scope after a save and reload, digest credentials that could answer a challenge from the wrong origin, and resource limits that ran after attacker-controlled buffering rather than before. The maintainers authored and merged all eight fixes within hours, seven of them inside a single five-hour window. We were impressed and appreciate the maintainers’ prompt and collaborative work on these issues! Differentially testing major cryptographic libraries against each other. Many of our projects implement the same logic, protocols, and algorithms. In particular, multiple projects implement the same cryptographic algorithms and standards like X.509 certificates. Therefore, we used Codex to point these projects at each other, and identify any relevant behavioral differences. This proved to be a high-signal approach that uncovered several issues, including <a href="https://github.com/pyca/cryptography/pull/14933">this AES-GCM issue in PyCA</a> and several X.509 issues, which we plan to upstream to <a href="https://x509-limbo.com/"><code>x509-limbo</code></a>. <h2 id="finding-the-bugs-is-now-the-easy-part">Finding the bugs is now the easy part</h2> If it wasn’t already clear from the last several months of security news, this week makes one thing clear: the expensive part of security work has moved. Arming Codex with fuzzing campaigns, variant analysis, differential testing, agentic searching, and similar techniques produces real vulnerabilities and compresses weeks or months of manual effort into hours. The advantage is no longer in finding bugs, but everything after: confirming a finding, getting its severity right, writing a patch a maintainer will accept, hardening the surrounding code, making long-term improvements to prevent similar issues in the future, and coordinating a disclosure. That is the work that floods of AI-generated reports threaten to bury. <h2 id="guidance-for-maintainers">Guidance for maintainers</h2> If you’re a maintainer managing an unsustainable number of AI-generated bug reports, the core challenges you need to solve are deduplication, false-positive filtering, and severity correction. Deduplication is the easiest problem to solve technically. Even simple AI-based tools that compare new reports against open issues perform well, especially when grounded in affected code lines. Automating this step eliminates most of the noise. False-positive filtering and severity correction are harder, but they can be managed. Without explicit guidance, models default to rating everything as critical. <figure> <img src="https://blog.trailofbits.com/2026/06/22/introducing-patch-the-planet/ptp-image-5_hu_1b13148a17364cf7.webp" alt="“Patchy without threat model and severity guidance”" width="1200" height="1019" loading="lazy" decoding="async" /> <figcaption>Patchy without threat model and severity guidance</figcaption> </figure> Generic approaches like our <a href="https://github.com/trailofbits/skills/tree/main/plugins/fp-check">fp-check</a> tool help, but only to a point. The best improvements require project-specific documentation, threat models, and severity criteria. <a href="https://cryptography.io/en/latest/security/">PyCA’s security documentation</a>, for example, was dramatically effective at reducing false positives in our bug candidates. Files like <code>AGENTS.md</code> that explicitly tell models which documentation to consult produced the most consistent and effective results. If security researchers are armed with this documentation, especially <a href="http://AGENTS.md"><code>AGENTS.md</code></a> for AI-based research, more noise will be filtered out before reaching the maintainers. <h2 id="whats-next-and-how-to-get-involved">What’s next and how to get involved</h2> This was just our first week. Over 30 projects have committed to join Patch the Planet, with a growing waitlist. As more findings clear coordinated disclosure, we’ll publish more results and deeper field reports, including full fuzzing lab details, the variant-analysis and differential-testing pipelines, and the tooling we’re building to help maintainers triage AI-generated reports themselves. Our <a href="https://gist.github.com/patch-the-planet/69fd1aa925c8e73edea9e6e967043cbb">Patch the Planet gist</a> contains the full public list of our week one output. <figure> <img src="https://blog.trailofbits.com/2026/06/22/introducing-patch-the-planet/ptp-image-6.gif" alt="“Join Patch the Planet and spread the word”" width="480" height="207" loading="lazy" decoding="async" /> <figcaption>Join Patch the Planet and spread the word</figcaption> </figure> If you maintain a critical open-source project and want this kind of help, you can <a href="https://trailofbits.com/patch-the-planet">apply to join Patch the Planet</a>.

Cybersecurity for the paranoid business traveller - Terence Eden’s Blog

2026-06-22T11:34:18.000Z

Over the years, I've worked for organisations with various levels of risk tolerance for business travellers. Some have been (rightly) paranoid and others have been (wrongly) placid about the threats their employees face.

The fact is, individuals are often targeted for espionage, blackmail, or other state-sponsored attacks.

Here's a list of some of the different advice I've received, roughly sorted into levels of suitability. Start at the top and work your way down until you reach a suitable level.

USB sticks? No thanks!

At some point, you'll be given a gift of a decorative USB pen drive. It'll either be part of a goodie-bag or you'll be told it has all of this quarter's TPS reports on it.

You should thank them for their kind gift. On your way back to the hotel, drop the stick in a bin.

There's just too much which can go wrong with a USB stick. Maybe it has a virus. Maybe it is an exfiltration device. Maybe it has extreme pornography and the police will catch you with it. Just chuck it. If anyone asks, say you couldn't get it to work and can they please email you the information.

USB Power? Play it safe!

USB powers everything from your phone and laptop, to your headphone and eReader. But USB cables also carry data. Some devices can be silently hacked by plugging them in to a dodgy power port.

Is it likely that the USB socket on the airport bus has been set up to exfiltrate travellers' data? Probably not - but why take the risk?

The best thing you can do is to always charge from your own device. Get a travel charger or, ideally, a portable battery and only use that for charging.

For extra paranoia, you can buy USB condoms and charging-only cables - but they tend to be slower at charging.

Reduce Your App Attack Surface

Do you need all those apps on your phone? Will you cope without your banking apps, dating apps, streaming apps? Each one is a potential vector for abuse.

Is it legal for you to date your preferred romantic partner in your intended destination? You shouldn't have to hide yourself, but having an illegal app on your phone is a great way to get picked up by the police.

Go through your phone and uninstall anything which isn't important to the trip.

A VPN probably draws more attention than it is worth, but browse cautiously

This is slightly counter-intuitive. Every important site on the web uses HTTPS. The really important ones are on a special list which means your browser will only use a secure connection. The chances of your data being intercepted is minimal.

But using a VPN immediately makes your traffic look suspicious and, in some countries, may be illegal.

That said, while the contents of your communications will be private, their destination is easy to figure out. Don't browse pornography or any other site which is liable to get you in trouble. This may include news sites from outside the country.

What passwords do you need?

Hopefully you use a password manager - and hopefully all your passwords are unique. But do you really need to carry around all of them? You password manager almost certainly allows you to create a sub-account into which you can deposit anything you need for your trip.

Similarly, you don't need all your MFA codes with you. If you do need MFA please make sure it isn't coming through SMS.

They're not flirting with you.

Mate, you're a middle-aged sales rep who scored a trip to a conference in an exotic country. Do you really think that pretty young thing is enthralled by your tales of middle-management?

No.

At best, the photos will be used to blackmail you. At worst the police will claim that they're under the age of consent and that will be used to blackmail you.

Laptops and Liability

Your IT team has provided you with a laptop which is encrypted and biometricly secured, right? But do you need that specific laptop?

Grab a cheap laptop. Fill it with only the documents you need. When you get back home, toss it.

I'm quite serious, a £200 Chromebook is a cheap price to pay to prevent your secrets getting stolen or your network being infiltrated.

What Else?

Possibly you think some of these are overkill. Perhaps you think I'm not being paranoid enough. What would you add to the list?

Over/Under Interview - Robb Knight • Posts • Atom Feed

2026-06-22T09:55:58.000Z

Avengers

The movies, overrated with the exception of Infinity War/Endgame which was some of the best movie experiences I've ever had.

The comics, underrated. The stories from the comics is where it's at but it's not a medium that everyone can enjoy. There are so many great Avengers and Avengers-adjacent stories available if you're willing to give it a try. My recommendation is Kelly Thompson's West Coast Avengers run.

Weeknotes

Underrated. I love reading people's weeknotes and I've found it a useful tool to get out random thoughts I've had as well as share fun things I've seen online that week. The pressure to do them every week though, massively overrated. You don't need to do that to yourself, post when you want.

Stickers

Underrated. What a fun item stickers are but you've got to use them. Stick them on anything. Maybe Maique will spot one you stuck somewhere. I love stickers.

BuJo

This is a tough one. Bullet Journal the brand? Overrated. Intentionally or not, one look at the website shows that it exists now to sell courses, books, and other related services.

Bullet Journal the system on the other hand has a lot of good ideas. I don't do all of them, nor do I follow it strictly but the things I did take from the (the bullet system itself, migrating tasks, monthly spreads) have been massively helpful. Slightly underrated if only because the website no longer reflects the system and rather serves as the business side.

Tacos

Underrated. I'm in the UK where we have a troubling lack of mexican-inspired food available but whats not to love? Meat, sauce, taco shell, lettuce, it's got it all.

What are the two best books you couldn't live without and that you recommend?

How to Lie with Statistics. I read this when I was 17 or so and it blew my mind the way you can present data in different ways to elicit different reactions or prove your point. Fair warning this was written in 1954 so some of the language would not be appropriate in 2025, but the ideas are solid.

So You've Been Publicly Shamed. This one serves have a warning both about what one might post online, as well as how wild online mobs can get.

People and Blogs Interview - Robb Knight • Posts • Atom Feed

2026-06-22T09:48:50.000Z

Let's start from the basics: can you introduce yourself?

I'm a developer and dad to two girls living in Portsmouth on the south coast of the UK. By day I work for a SaaS company and in my own time I work on my many side projects. In a previous life I worked at a certain clown's restaurant which is where I met my wife some 15 years ago.

Although developer is what I get paid to do I'm trying to move towards more making; websites, stickers, shirts, art, whatever. I have no idea what that looks like yet or how it's going to pay my bills. I have a whole host of side projects I've worked on over the years; they're not all winners but they all serve, or served, a purpose. If I get lucky, they resonate with other people which is always nice.

What's the story behind your blog?

I've had a lot of blogs over the years, most of which would get a handful of posts before being abandoned. There was a version that ran on Tumblr which I did do for at least a year or two — any interesting posts from that have been saved. The current iteration is by far the longest serving and will be the final version. There's no chance of me wiping it all and starting again.

This current version is part of my main website which is where I put everything. My toots on Mastodon start life as a note post, I post interesting links I find, and I log all the media I watch/play/whatever (I don't want to say consume, that's gross) in Almanac, which itself is on the third or fourth iteration.

As I said above, I had done a few posts on the Tumblr-powered blog but if I look at my stats for posts, it was around 2022 when Twitter started to fall apart that I started to blog more. I was moving away from posting things directly onto social media sites and getting it onto my own site.

I started writing more posts that just had a short idea or helpful tip because I realised not every post has to be some incredible think piece. My analytics show that these posts also tend to be the most popular which probably says more about the state of large, ad-riddled websites than it does about my writing. For example this post about disconnecting Facebook from Spotify is consistently in the top five posts on my site but you're never going to read that post unless you specifically need it. It's not a "good" post, it just exists.

What does your creative process look like when it comes to blogging?

To call what I have a process would be a very liberal use of the word "process". If I have nothing to write about I just won't write anything, I have no desire to keep to a schedule and write just for the sake of it. Usually, I'll get prompted by something someone asks like "How did you do X on your website?" or I feel like I have something to say that would be interesting other people.

I write my posts in Obsidian, then when they're ready to go I'll add them to my site. If I'm on my ~~proper computer~~ laptop I use my CLI tool to add a new post. If I'm on mobile, I use the very haphazard CMS I built.

I'll proof read most things myself before posting and I rarely ask for anyone else's input but if I do want a second opinion it's going to be previous P&B interviewee, Keenan. Usually I'm able to get out what I want to say fairly succinctly without too much editing.

Do you have an ideal creative environment? Also do you believe the physical space influences your creativity?

A proper keyboard and ideally a desk to sit at is what I prefer when I'm writing (or coding) but I can live with just the keyboard. My desk setup makes some people's skin crawl because there's so much going on but I like having all the trinkets and knick knacks around me.

I deeply dislike using my phone for most things outside of scrolling lists, like social media so I rarely write long posts on it. The small form factor just doesn't work for me at all but I also kind of need it to exist in the world.

A question for the techie readers: can you run us through your tech stack?

All my domains are registered with Porkbun and I manage the DNS with DNSControl - my main domain, rknight.me, has nearly 50 records for subdomains so managing those without DNSControl would not be a fun activity. Speaking of DNS I use Bunny for my DNS management and also use their CDN for images and other files I need to host.

The website itself is, as are many of my side projects, built with Eleventy. Eleventy gives me the flexibility to do some interesting things with the posts and other content on my site which would be much harder with some other systems.

The site gets built on Forge to a Hetzner server whenever I push an update to GitHub either via command line, or through the aforementioned CMS, and is also triggered at various points in the day to pull in my Mastodon posts.

Given your experience, if you were to start a blog today, would you do anything differently?

Assuming I actually had to the time to do it, I think I would start with the CMS first, before building anything of the actual site. It is a pain to update things when I'm not at my laptop but jamming features into my CMS is equally frustrating.

If I wanted something off the shelf and easier to maintain I suspect I would choose Ghost or Pika.

Financial question since the Web is obsessed with money: how much does it cost to run your blog? Is it just a cost, or does it generate some revenue? And what's your position on people monetising personal blogs?

Many of these costs are part of my freelancing so are bundled with other sites I run and somewhat hidden but I'll do my best to outline what I do use.

I have a single server on Hetzner that serves my main site as well as another 30 or so side projects so the cost is negligible per-site but it costs about $5 a month. Forge costs $12 a month to deploy my site along with other sites. The domain is $20 a year I think but that's it.

I have a One a Month Club here and I have a handful of people supporting that way. I also use affiliate links for services I use and like which occasionally pays me a little bit.

I think monetising blogs is fine, if it's done in a tasteful way. Dumping Google ads all over your site is terrible for everyone but hand-picked sponsors or referrals is a good way to find new services. Just keep it classy.

Time for some recommendations: any blog you think is worth checking out? And also, who do you think I should be interviewing next?

I want to read sites that are about the person writing them. Photos of things people have done, blog posts about notebooks, wallpaper, food, everything. Things people enjoy.

This is the second time I'm going to mention Keenan here because they write so wonderfully. They also have a podcast with Halsted called Friendship Material which is all kinds of lovely and joyful and everyone should listen.

Alex writes some really interesting computing-related posts, like this one about using static websites as tiny archives.

Annie is so smart and honest in her writing it brings me joy every time I see a new post from her. This post is a masterpiece.

Final question: is there anything you want to share with us?

I'd be a terrible business boy if I didn't at least mention EchoFeed, an RSS cross posting service I run.

I also have a podcast that used to be about tech but is now about snacks.

I Am A Link Curator - The Weblog of fLaMEd

2026-06-22T08:49:05.000Z

What’s going on, Internet? Friend of the site James recently shared a new post Blogger Archetypes which asks a series of questions to help you narrow down your character as a member of the blogging community. A bit of indie web fun.

Here are my results:

You are a Link curator

The web is not just its pages, but the connections between pages. You have internalised this and love spending your time exploring the web and sharing what you find with the world.

You are also a Culture maker

You love to help push the blogging community forward by starting discussions, encouraging thought, and sharing what’s on your mind.

And the other archetypes on offer:

Explorer: To you, the web feels like a library that’s open all hours and has everything you could ever imagine! You love reading others blogs, and know how important readers are to the whole of the indie web community!

Community gardener: You love to help contribute to building the blogging community, either through your writing or how you share the spirit of writing on the web with friends.

Author: You love writing and have a growing backlog of posts on your website! Words are your best friend and you’re always thinking about what to write next.

Link curator feels about right. A lot of what I do here is exactly that. Surfing the web, finding the good stuff, and passing it along. The bookmarks, the links back to other people’s writing (which I need to get back into doing regularly). That’s the fun part for me.

If you’ve got a blog, go and take the quiz and write up what you got. Send it my way, I’d love to to see what you got. 🤙

Hey, thanks for reading this post in your feed reader! Want to chat? Reply by email or add me on XMPP, or send a webmention. Check out the posts archive on the website.

📝 2026-06-22 09:39: The fox continues to prowl around our chickens. This morning we caught it in the... - Kev Quirk

2026-06-22T08:39:00.000Z

The fox continues to prowl around our chickens. This morning we caught it in the GARDEN a few feet from our favourite chicken. Luckily the magpies warned us and we were able to scare it away.

It's not nice keeping the little cluckers cooped up in this heat, but needs must unfortunately.

Thanks for reading this post via RSS. RSS is ace, and so are you. ❤️

You can reply to this post by email, or leave a comment.

No, I don't want you to summarise the page! - Kev Quirk

2026-06-22T08:04:00.000Z

I've talked about LLMs a few times here - the TL;DR is that I find them useful for certain use cases.

Searching something complex? Great.

Checking my code, or helping me with a problem in said code? Count me in.

But summarising a page I'm reading? Absofuckinglutely not.

One of the things I really enjoy about the web is surfing it and reading. Reading is one of the great joys I get from the web, and in general. Why would I want a bastardised version of your words presented to me by a computer when I can read the actual words you took time to write?

LLMs have their place and are useful tools in my opinion, but I'm getting sick of them being crammed into every facet of computing.

Hopefully the bubble will burst soon and we can all enjoy an LLM enriched web, not an LLM hijacked web.

Thanks for reading this post via RSS. RSS is ace, and so are you. ❤️

You can reply to this post by email, or leave a comment.

Registration review: Taiwan - Johnny.Decimal

2026-06-22T06:53:29.000Z

Vehicle registration plates provide a ubiquitous numbering scheme that's easy to enjoy: just walk around the streets and pay attention. Each country offers its own variant of the form, so in this series I will review each country's registration plates as I encounter them.

These reviews are not scientific and should not be quoted as authoritative.

Introduction

Taiwan's scheme was refreshed in 2012. This review only considers the post-refresh scheme. Older plates are still very common.

Schema

A simple, consistent scheme: AAA-0000. The usual suspects are omitted from the letter prefix – O, I – but Q remains, as we'll see below.

Absurdly, the number 4 is no longer used. I thought this was user preference, as I did see one in the wild. But it seems that the user preference was so strong, they elected to remove it. The plate I saw must have been from an older range.

This broad omission of 4 is common across Asia – it sounds like the word 'death' – as is the equally absurd omission of the West's superstition, 13.¹ (Combined with the fact that the ground floor is represented as 1 means that a room on the 14th floor isn't quite as high as one might hope.)

The scheme allows a theoretical maximum of 24^3 × 9^4 = 90,699,264 plates. Given Taiwan's population of 23.5m people this is a touch under 4 cars each. This doesn't feel like enough, but the most recent plate I saw began CCD indicating that about 10% of plates have been issued in 14 years. So we don't need to worry about them running out.

Special cases

There are special cases for electric vehicles E__-____, rentals R__-____, and so on. I appreciate this additional information being encoded in the plate.

They've also removed a whole bunch of three-letter words from the pool so bad luck if you wanted GAY-0000. Inexplicably, ANT is disallowed. Because that's … an ant?

Issue date

The scheme encodes issue date gracefully: it's pretty obvious by looking at cars that they started at AAA and they're currently somewhere in the early-to-mid-C__s.

This avoids issues of specifically encoding a year into the plate, as we'll see the next time I visit the UK. It also provides a free street game: find the latest plate!

Region awareness

There appears to be no region encoding in the plate. Taiwan is a relatively small island so this probably isn't necessary, but I do like knowing where someone is from.

Schema: 4/5

Pro: simple, obvious, and consistent.
Con: no regional coding, the 4 thing, and it feels punitive to have excluded ANT.

Design

A simple plate, stamped metal, black on white in its standard form. I prefer an embossing over a cheaper-looking laminate so top marks here.

The typeface is slightly condensed which looks nice on the plate. But I like a plate to fill the space given for it on the vehicle, and a narrow plate rarely does that.

Theoretically that's a - dash separating the letters and numbers, but it's shown as a dot on most (all?) plates. I would have stretched that out a little, at least on cars where there's plenty of room.

Points for a nice `Q`

If you're going to use a Q you really have to make sure it looks like a Q. Taiwan is a clear pass in this category.

Markings at the bottom

Apparently they moved the screw holes exclusively to the top to allow for those markings, barely visible, at the bottom. I wouldn't have bothered.

Design: 3/5

Pro: stamped metal. A nice typeface.
Con: no other adornments. Kinda plain. Doesn't fill the space.

Summary

Overall Taiwan scores 7/10: not bad for our first entrant. It's an inoffensive plate that does the job without trying to get in your face. I just wish that they'd put a touch more into its design.

13 is not excluded from the registration scheme, to be clear. I refer to its common omission from building floor numbers. ↩

Finished reading Book of the Dead - Molly White's activity feed

2026-06-22T00:12:23.000Z

Finished reading:

Kay Scarpetta series, book 15.

Book of the Dead

by Patricia Cornwell.

Published 2007. 511 pages.

Started June 20, 2026; completed June 21, 2026.

Removing prefixes and suffixes in Python - James' Coffee Blog

2026-06-22T00:00:00.000Z

A few weeks ago, I learned about the removeprefix method in Python. It lets you remove a specific prefix from the beginning of a string. For example, I can use the following code to remove www. from the beginning of a domain name:

"www.jamesg.blog".removeprefix("www.")

If the string doesn’t contain the prefix, nothing happens; if the string does contain the prefix, the prefix is removed.

Note: If you are parsing URLs in Python, you should use a library like urllib.parse to extract parts of a URL.

I did some digging and, via a mention of the method in Stack Overflow, I learned that Python 3.9 added support for methods for removing prefixes and suffixes from strings: removeprefix and removesuffix.

When I learned about removeprefix, I felt a little bit of joy. I have been using Python for years and had no idea about this method.

Instead of doing the trick to measure the length of a string I want to remove, and then removing that number of characters from the beginning of a string using indexing if the string startswith the string I want to remove, I now can use a single method: removeprefix (and removesuffix to do the same at the end of a string).

Addendum: lstrip and rstrip

While the lstrip() and rstrip() methods, which remove either whitespace or specified characters from the start or end of a string, may sound like they do the same thing, they remove all instances of the specified characters. For example, if I use this code:

"www.w.jamesg.blog".lstrip("www.")

The code returns:

jamesg.blog

lstrip() has removed all w and . characters that would start the string.

I thought I would document this because for a while I wasn’t aware this was the behaviour of lstrip and strip.

urllib.parse removing prefixes and suffixes from strings a mention of the method in Stack Overflow

📝 2026-06-21 18:42: It's handy when your riding buddy is a photographer. You end up with some nice... - Kev Quirk

2026-06-21T17:42:00.000Z

It's handy when your riding buddy is a photographer. You end up with some nice photos.

Thanks for reading this post via RSS. RSS is ace, and so are you. ❤️

You can reply to this post by email, or leave a comment.

📝 2026-06-21 09:35: Some goats, just goating around, watching me mow the field. - Kev Quirk

2026-06-21T08:35:00.000Z

Some goats, just goating around, watching me mow the field.

Thanks for reading this post via RSS. RSS is ace, and so are you. ❤️

You can reply to this post by email, or leave a comment.

Finished reading Predator - Molly White's activity feed

2026-06-21T01:25:44.000Z

Finished reading:

Kay Scarpetta series, book 14.

Predator

by Patricia Cornwell.

Published 2005. 453 pages.

Started June 19, 2026; completed June 20, 2026.

Little moments of joy - James' Coffee Blog

2026-06-21T00:00:00.000Z

As I write, the lowering sun is gently shining on the monstera plant in the living room, casting a shadow on the wall. I am enjoying the changes in light outside as the longest day draws to a close. The birds sing quietly outside.

Yesterday, the clouds started to move away for the first time in days, leaving a sky so clear at sunset I couldn’t see a cloud out the window. The clarity carried on to this day: for all the day there have been few clouds in the sky. I look out the window and see a few clouds. I briefly imagine what a city in the clouds would be like, but I can’t formulate a complete picture in my imagination. The clouds themselves say so much that I am preoccupied by studying what I see.

I write down little moments of joy as I go around the world: “the joy of watching the sun set under a clear sky,” “the joy of someone seeing you so clearly after only saying a few words,” “the joy of singing a song to yourself while waiting for the bus”. These moments come at random. That is what makes them so special.

Earlier today, after leaving a shop, a car parked nearby which had their windows down and was loudly playing Taylor Swift’s Delicate. I started to sing along. Was that their favourite song? I’ll never know, but it is fun to imagine. The moment was fleeting, but one I knew I had to write down – if a moment is fleeting, words can help it exist a little bit longer.

The light beaming onto my monstera is fading. The shadow cast by the two tallest leaves that are closely interspersed looks like a palm tree: a vision of the tropical in the Scottish summer. The contours of some of the shadows of leaves are still well defined, but others fade into a haze. Soon, the sun will set. I think about how special it is to watch this moment: to see the last slivers of sunlight peek through a low cloud on the horizon on the longest day of the year.

The colour from the lingering lavender cast onto the sparse clouds, possible only because the sun is where it now is in the sky, makes me smile; oh! how wonderful the changes in colours through Day and Night are.

Small wishes - James' Coffee Blog

2026-06-21T00:00:00.000Z

I like to wish people a happy day, and so many of my conversations start with “Happy Sunday”, or similar. Today I was able to add an additional well-wish: “Happy Solstice!” As I write, it is 9pm and the sun is still radiating over the hills. Trees cast long shadows over the quiet fields. The pattern of branches at the top of a tree reminded me of a village Kirk I saw earlier today.

I started my morning with a long walk followed by a (decaf) coffee. I love when I can start the day with a walk: when I have time to watch the world go by, listen to some music, and notice the world around me. Within thirty minutes my environment can change from the plain walls of my bedroom to Nature in which, no matter how much I look around, there will always be a new detail to appreciate.

After my coffee, a thought came to mind: I hope that one day I can see the countryside from a double-decker bus. It’s a small wish. It may never happen but I hold onto the thought any way. The wish pops into my mind sometimes when I am travelling. Maybe I need to travel at a different time of day to have a higher likelihood of catching the double decker bus that sometimes runs. But then again I like the feeling of holding a tiny hope – something that makes me feel “what if?”

While at the bus station I skimmed through new blog posts. I opened one in which the author had shared a photo of a pancake with a face made of butter on top. It was a tiny moment, but one shared across continents through the medium that we call the web. I smiled, my heart already warm from the light of the day and the coffee and the tiny wish of seeing the countryside from a double-decker bus.

I looked up to the sky and saw blue wherever I looked. I thought about the contrast between the greens of Earth and the blues of the sky and let a few moments pass while I admired the contours of the trees in the middle distance.

On my journey, I saw the countryside with new clarity: the day is clearer than many I remember from recently. The trees and fields and valleys and peaks were all so vibrant, their colours illuminated by the warm sun: a warmth that will linger today longer than any other: therein, the joy of Solstice.

Travelling further through the fields and hills, I thought about how even a tree far away can have an impact on me. A tree may be a mile or two away by distance, but yet it can still feel close. Our hearts can interpret what we see no matter how far away what we are looking at may be.

Which Copyleft Licence is Suitable for an SVG? - Terence Eden’s Blog

2026-06-20T11:34:22.000Z

The Scalable Vector Graphics (SVG) format is amazing. It allows you to precisely define how an image should look. Written in XML, it uses various mathematical operations to display an image which looks crisp and clear at any size.

Here's a trivial example:

<svg height="100" viewBox="0 0 100 100" width="100" xmlns="http://www.w3.org/2000/svg">
   <circle cx="50" cy="50"  fill="#fff" r="100"/>
</svg>

That code produces this circle:

You could print that out with a kilometre radius and it would still be a perfect circle - unlike a traditional raster image which is just a grid of blocky pixels.

But suppose you wanted to freely share your SVG with others - and ensure that they also freely share it. What sort of "Copyleft" licence would you give it?

Creative Commons

The obvious choice seems to be a Creative Commons Share-Alike licence. SVGs are images. Images are creative works. Creative Commons is suitable for creative works. Job done!

But…

SVGs are not images. The are code which produce images. If we assume that an SVG is software, this entry in the FAQ becomes relevant:

Can I apply a Creative Commons license to software?

We recommend against using Creative Commons licenses for software.

[…]

Unlike software-specific licenses, CC licenses do not contain specific terms about the distribution of source code, which is often important to ensuring the free reuse and modifiability of software.

[…]

Additionally, our licenses are currently not compatible with the major software licenses, so it would be difficult to integrate CC-licensed work with other free software. Existing software licenses were designed specifically for use with software and offer a similar set of rights to the Creative Commons licenses.

At the end of that FAQ, they also say:

While we recommend against using a CC license on software itself, CC licenses may be used for software documentation, as well as for separate artistic elements such as game art or music.

So, that's a perhaps?

GPL

But let us assume that an SVG is a piece of media rather than software. Would it be suitable to use a software licence for it?

The various Gnu Public Licences have this to say:

Can I use the GPL for something other than software?

You can apply the GPL to any kind of work, as long as it is clear what constitutes the “source code” for the work. The GPL defines this as the preferred form of the work for making changes in it.

A photo JPEG might be derived from the RAW image file. In which case, the RAW is suitable for being GPL'd, not the resultant JPEG.

Similarly, the Photoshop file of a complex and multi-layered illustration would suitable, but not the outputted PNG.

An SVG can straddle both worlds. It's possible to build an SVG with layers, groups, and transformations, and then simplify it for output. You could edit the optimised version, but it's hardly the preferred format.

I read the GPL (so you don't have to) and right at the start it says:

The GNU General Public License is a free, copyleft license for software and other kinds of works.

(Emphasis added.)

But do they mean that?

Licenses for Other Types of Works

[…]

We don't take the position that artistic or entertainment works must be free, but if you want to make one free, we recommend the Free Art License.

But, as delightful as the Free Art License is, the FSF say:

Please don't use it for software or documentation, since it is incompatible with the GNU GPL and with the GNU FDL.

Is an SVG software or not?

I think so.

It's written in plain text.
It contains definitions, variables, and instructions.
It can contain scripting.

That sure looks like software to me!

But, at the same time, the user experiences it as a graphic. An animated GIF, for example, contains a small amount of code-like data to say how long each frame should last for and when to stop running. Is a GIF software? Is the basic circle above software? How much code do you need before something becomes software?

Are SVGs Libraries?

Licences like the LGPL and MPL allow copyleft libraries to be integrated into non-free software.

A proprietary application could treat an SVG as a library by asking the SVG to render the output and then displaying that. A bit of a reach, perhaps?

What about embedded raster graphics?

Just to complicate things, an SVG can also contain raster graphics. That is, it is possible to embed a PNG, JPEG, or any other traditional image within an SVG.

In this case, the embedded image can be Creative Commons licenced because CC BY-SA is compatible with GPLv3.

When someone creates an adaptation of a BY-SA licensed work and includes it in a GPLv3-licensed project, both licenses apply and downstream users must comply with both licenses. However, Section 2(a)(5)(B) of BY-SA 4.0 allows anyone who receives the adapted material downstream to satisfy the conditions of both BY-SA and GPLv3 (i.e. attribution and ShareAlike) in the manner dictated by the GPLv3.

(Emphasis added.)

The barest of SVGs containing only an embedded image probably wouldn't count as software. But what if you started applying programmatic transformations to them? This SVG embeds an image and uses software to rotate it upside down.

<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="64" height="64">
  <image x="0" y="0" width="64" height="64"
    transform="rotate(180)"
    href="data:image/png;base64,iVB…" />
</svg>

Is that enough code to count as software?

Wisdom of the Crowds

I conducted a rigorously accurate public survey. Here are the results:

Post by @Edent@mastodon.social

View on Mastodon

Final Thoughts

Personally, I think SVGs are software. I understand the argument that they're suitable for Creative Commons, but I disagree with it. Even the simplest SVG is distributed in a way that its contents are executed by the computer.

While SVGs may be minified and stripped of comments, they still retain the essence of source code. I suppose you could try to obfuscate them, or package them up in a quasi-binary form, but I maintain the source is still viewable and editable.

If you choose to use a Creative Commons Share-Alike licence, it probably won't cause any harm. But given CC's reluctance to endorse its use on software, it probably makes sense to use a copyleft source-code licence.

Day - James' Coffee Blog

2026-06-20T00:00:00.000Z

The warm glow at the door, intensified by the morning sun beaming and then reflecting on the blank walls of the hallway, is the first colour I notice when I wake. I then look around and see the blue around the blinds – colour from the evening before, but seen from a new perspective: the hybrid of restfulness and tiredness that occupies the first few moments of the day.

My eyes are heavy, lingering between the last moments of sleep and the beginning of the new day. When I close my eyes I dream of the day ahead. Idle thoughts come to mind: when will I get up? More serious thoughts arise, too: how can I comprehend the contradictions of modernity? Such thoughts pass. I haven’t had a cup of tea yet.

I hear the birds sing. When the bird song recedes, I notice breath – life – is the loudest sound I can hear.

I wake up to a bluer sky than I have seen in a week. I later hear that the weather for the next week is to be sunny. That reminds me: the solstice is coming soon: the longest day. We are always so close to Nature. Memories of music and tales of travel come to mind. Mornings feel like the space for reminiscing and dreaming and waking.

As I get ready to go on my morning walk – a walk to which I have been looking forward for days, with the sky now clear – I find in my pocket the five pence coin I found outside of a museum. I remember the phrase “Find a penny pick it up, and all day you’ll have good luck. If you pass it to a friend, then your luck will never end.”

Leaving the house, I sing the songs I played yesterday evening with the world waking up around me: the melody of day.

Search Is Broken - Kev Quirk

2026-06-19T20:28:00.000Z

I was listening to Late Night Linux 390 during my evening walking with the pooches tonight, and they were talking about (among other things) Kagi search.

I've tried Kagi myself, but ultimately cancelled my subscription as I didn't really see the point in paying for it when I could get similar results with DuckDuckGo.

This isn't because DDG or Kagi are inherently bad, it's because no matter which service you use, the web has been SEO'd to within an inch of its life, so we're fucked either way. That's why I stopped using Kagi as I didn't see the point in paying $10/month for a service that can't fix the web despite having some interesting options to help filter the noise.

What I do instead

What I've started doing instead is to use DDG for simple queries that I can quickly and easily get the answer to. For anything more complex, I go to my LLM of choice (currently Gemini) and I ask the question there.

This is because it saves me a tonne of time sifting through all the SEO crap, and I can ask follow up questions too. Win/win.

Thanks for reading this post via RSS. RSS is ace, and so are you. ❤️

You can reply to this post by email, or leave a comment.

Shellsharks Blogroll - BlogFlock

📝 2026-06-23 12:58: Create one of those Uses pages. Still a work in progress, but there's a good... - Kev Quirk

Wonders of Web Weaving, Episode 7 - James' Coffee Blog

Introducing Patch the Planet - Trail of Bits Blog

Cybersecurity for the paranoid business traveller - Terence Eden’s Blog

Over/Under Interview - Robb Knight • Posts • Atom Feed

People and Blogs Interview - Robb Knight • Posts • Atom Feed

I Am A Link Curator - The Weblog of fLaMEd

📝 2026-06-22 09:39: The fox continues to prowl around our chickens. This morning we caught it in the... - Kev Quirk

No, I don't want you to summarise the page! - Kev Quirk

Registration review: Taiwan - Johnny.Decimal

Introduction

Schema

Special cases

Issue date

Region awareness

Schema: 4/5

Design

Points for a nice Q

Markings at the bottom

Design: 3/5

Summary

Footnotes

Finished reading Book of the Dead - Molly White's activity feed

Removing prefixes and suffixes in Python - James' Coffee Blog

Addendum: lstrip and rstrip

📝 2026-06-21 18:42: It's handy when your riding buddy is a photographer. You end up with some nice... - Kev Quirk

📝 2026-06-21 09:35: Some goats, just goating around, watching me mow the field. - Kev Quirk

Finished reading Predator - Molly White's activity feed

Little moments of joy - James' Coffee Blog

Small wishes - James' Coffee Blog

Which Copyleft Licence is Suitable for an SVG? - Terence Eden’s Blog

Day - James' Coffee Blog

Search Is Broken - Kev Quirk

What I do instead

Points for a nice `Q`