Shellsharks Blogroll - BlogFlock

Why Do You Need Big Tech for Your SSG? - Kev Quirk

2025-11-19T09:57:00.000Z

A look at why small, personal websites don’t need big-tech static hosting, and how a simple local build and rsync workflow gives you faster deploys, more control, and far fewer dependencies.

OK, so Cloudflare shit the bed yesterday and the Internet went into meltdown. A config file grew too big and half the bloody web fell over.

How fragile.

It got me thinking about my fellow small-web compatriots, their SSG workflows, and why on earth so many rely on services like Cloudflare Pages and Netlify. For personal sites it feels incredibly wasteful: you’re spinning up a VM, building your site, pushing the result to their platform, then tearing the VM down again.

Why not just build the site on your local machine? You’re not beholden to anyone, and you can host your site anywhere you like.

✅ No CI/CD pipeline.
✅ No big tech — just you and your server.
✅ No VMs spinning up and down at the speed of a thousand gazelles.

How to build and deploy automatically

All you need is a hosting package that supports SSH (or FTP if you must) and a small script to build your site and rsync any changes. Here’s the core of my deployment script:

#!/bin/bash
set -e

LOCAL_DIR="/path/to/your/site/source"
REMOTE="user@your-server.example.com"
REMOTE_DIR="/path/to/your/website/files/yoursite.com/public_html"

cd "$LOCAL_DIR" || exit 1

# --- Build Jekyll site ---
echo "🏗️  Building Jekyll site..."
bundle exec jekyll build --quiet
echo "✅ Build complete"

# --- Sync _site to remote server ---
echo "🚀 Deploying to server..."
rsync -az --checksum --delete --omit-dir-times --quiet \
  "$LOCAL_DIR/_site/" \
  "$REMOTE:$REMOTE_DIR/"

# --- Fin ---
echo "✅ Deployment complete"

Here’s what it does:

Jumps into the directory where my source website files live.
Builds the Jekyll site locally.
Syncs the built files to my server over SSH, deleting anything I’ve removed locally.

That’s it. And that’s all it needs to do. With these few lines of Bash, I can deploy anywhere, without waiting for someone else’s infrastructure to spin up a build container.

My full script also checks the git status, commits changes, and clears the Bunny CDN cache, but none of that’s required. The snippet above does everything Cloudflare Pages and similar services do — and does it much quicker. My entire deploy, including the extras, takes about eight seconds.

Final thoughts

If you’re hosting with one of the big static hosting platforms, why not consider moving away and actually owning your little corner of the web? They’re great for complex projects, but unnecessary for most personal sites.

Then, the next time big tech has a brain fart, your patch of the web will probably sail right through it.

Thanks for reading this post via RSS. RSS is great, and you're great for using it. ❤️

Reply to this post by email

Snow - James' Coffee Blog

2025-11-19T09:54:55.000Z

The snow looks like drops of moonlight I thought to myself as the cool light from the street lamps illuminated the falling snow. It’s beautiful. I have never seen anything like it.

Earlier this week I saw light rain fall that looked almost like it was snow – the light reflected off the falling rain in a way closer to snow than water. Although I am not sure if what I saw was exactly snow, my hopes were raised that it may snow properly this week. The air has been getting cooler; the outdoors feels evermore like winter. Yesterday evening, at around 9 o’clock, my hope for snow came to reality. I looked out the window after reading a book for an hour and noticed the heavy clouds and the white drops of snow.

The last time I saw snow was more than a year ago. Despite my hope that it would snow – one I shared excitedly with people in conversation this week – it took me a moment to internalise that it was now snowing. Then, my mind turned to the beauty of the snow fall – the way that the light breeze blew the snow over the grasses illuminated only by streetlight.

Time froze. I was eager to take in as much of the snow as possible, knowing that, like all seasons and weathers, snow is fleeting. Would the snow be here in the morning? I wasn’t sure, but I knew the snow was there, in the present moment, right in front of me. All that matters is it is snowing now – drops of moonlight fall from the heavens onto the frosting countryside grass.

My gaze was focused on the areas under the streetlights, which illuminated the snow and, over time, showed how the snow was accumulating. This isn’t the kind of snow that will lay there until morning, I knew from having seen many snows growing up; maybe there would be a dusting on the next day.

This morning, I woke up and saw on the horizon a white skyline, above which was the increasingly light blue that comes at 7am in November here in Scotland. Under the white skyline, there were hills dusted in snow. The coat of snow on the hills – enveloping a few almost like a cold blanket – brought to mind last night at which I stood by the window and, for how long I do not know, gazed out and watched the snow paint the countryside with brushstrokes of white whose full beauty would appear in the morning.

22.00.0169 An invoice disappears - Johnny.Decimal

2025-11-19T00:49:03.000Z

An invoice disappears

Well this is weird. I just lost an invoice, as in one that I was sure I had raised a couple of weeks ago. Here's how I discovered it, and what I'll do to make sure it doesn't happen again.

The invoice

I don't raise many invoices manually. This one was to a friend, whose domain name I manage. It's a fancy expensive domain so, when it renews, my company bills his company for it.

I raised it the other week. I remember doing it. And yet now: no trace. A puzzle.

Discovering its loss

I know I'm not going entirely mad because, in reviewing my Small Business category 13 Money earned, spent, saved, & owed this morning, I saw a task due next week:

▷ Check that [name] has paid his invoice
▷ Due: 25 Nov

– and I thought to have a quick look. So I'd done some things right:

Set a quick reminder to myself, in a trusted place.
Made sure that I actually saw that reminder, by reviewing my system regularly.

I'll show you how I do this in the upcoming series 'Task and Project Management using the Johnny.Decimal system'. Will be released on JDU in the next couple of weeks.

The vanishing act

I went to look for this invoice in the only place that it could possibly exist: my Stripe console. It just isn't there. No trace.

I'm deeply confused by this, but whatever. No point dwelling; let's just make sure it doesn't happen again.

Deliberate record-keeping

Last time, I raised the invoice in Stripe and that was it. Other than leaving myself the follow-up task, I didn't record its existence anywhere else.

If only I had a predefined ID for this sort of thing. Oh wait, is that 13.23 Invoices & sales for your work at the door? Oh, come in old friend.

Update: found it!

Talk about real-time updates. Gripping stuff.

So there isn't only one place that this could possibly exist. There are two: the other being my Xero account.

This makes our solution more interesting. Why did I choose Xero over Stripe in this instance?¹ How would I know which to choose in the future?

Solution: new ops manual

This is a textbook ops manual. Next time I need to raise an invoice, I need to be following a process. Last time, I just made it up on the fly.

So here's what my new 13.23+OPS1 Raise an invoice says:

Raise all invoices directly in Xero, because this integrates with your accounting system.
Raise the invoice, and create a note at 13.23 with its number and a link.
Create a new customer record at 33.11 and from there, link to 13.23.

That's it. Three easy steps; but now they're unambiguous, and I won't make the same silly mistake again.

100% human. 0% AI. Always.

I'll tell you why. Because this invoice has nothing to do with Johnny.Decimal, really. In my mind, that's what the Stripe/Xero split is. Stripe was JD stuff, Xero was more fundamental company stuff. Logically, I now understand, this makes no sense. ↩

The State of the Open Social Web - Werd I/O

2025-11-18T23:50:45.000Z

With today’s news of a new leadership team for Mastodon, I thought it would be a good time to take stock of the state of the open social web.

I’m not new to this space, or an impartial observer: I co-founded Elgg, one of the first open source social networking platforms, over twenty years ago. It was used by governments, Fortune 500 companies, global NGOs, and universities, and embraced early open standards. Known, a social publishing platform I co-founded, was used by media companies to build award-winning communities. And I’m on the board of A New Social, a non-profit dedicated to bridging open social platforms.

When you think of social media, many of the platforms you think of are what we call proprietary: their underlying software is private to the companies that build them, and it’s very difficult to move your data or your connections anywhere else. They are, in a very real way, closed. The indie web movement goes so far as to call them silos.

These proprietary silos include:

X (formerly Twitter): now owned by Elon Musk, who actively promotes far-right voices on the platform and in its algorithms.
Meta’s platforms: chiefly Facebook, Instagram, Threads, and WhatsApp. (A caveat for Threads follows below.) Meta was, of course, credibly accused of substantially contributing to the genocide in Myanmar by Amnesty and others. Owners of pages across Meta properties increasingly find that they need to pay to reach their followers.
TikTok, which is now controlled by the Trump-aligned Ellison family.
LinkedIn, the business network owned by Microsoft, which has placed itself in the middle of many hiring and job-seeking processes, and whose professional subscription costs between $30 and $100 a month.

Why should you care?

Anyone whose brand or livelihood depends on these networks has created risk for themselves: there’s nothing to stop any of them from changing their business policies in a detrimental way, as X did when it labeled NPR as state-affiliated media. Any of these networks could disappear, as TikTok almost did in the US before being strong-armed into selling its US business to a Trump ally. And referrals to websites could dry up, as happened in Canada when Meta stopped linking to news sites.

Proprietary silos each have an owner that can, ultimately, do what it wants with them. At best, that can mean that users receive content through curated feeds that might suppress certain kinds of content (including links to certain publishers) and promote others. At worst, it means that traffic and reach could disappear at any time.

In contrast, open social web platforms are designed not to be silos. While each platform is built by a core vendor or community, they run on open protocols that anyone can build software for.

Remember AOL? That was a closed silo. To publish content, you needed to have a relationship with AOL the company. But you don’t need to have a relationship with anyone in particular to publish a website.

The open social web works the same way as the web itself: it’s permissionless. You don’t need to have a relationship with anyone in particular to have a profile and gain reach. And that means nobody can take it away from you.

Just as AOL became less and less relevant, because maintaining a relationship with AOL the company was more friction than simply publishing a website, silos will become less important and the open social web will become more important over time.

It’s early days in that movement. The user bases are still small in comparison. Today, these networks are still mostly filled with early adopters. In my direct experience working with ProPublica, they’re more likely to engage with journalism and information, more likely to donate to non-profit causes, and more likely to re-share according to their values — perhaps because they’re people who have self-selected to move away from proprietary silos. That means these networks are worth engaging with now — and because they will continue to grow, doing so is a good investment in the future.

So what are those open social web platforms and what is their status today?

✉️

I write about technology that serves journalism and democracy, and work with newsrooms, open source movements, and startups. Sign up for a free newsletter subscription or book a call to see how I can help you.

There are two main open social web networks. This isn’t so much a rivalry as a technical consideration: each is based on a different open protocol.

I’ll describe them both in turn.

The Fediverse

You’ve probably heard of Mastodon. When Musk bought Twitter in late 2022, this was the first network that people flocked to, although it had been running for many years before that.

It can be hard for newcomers to get their head around. Whereas to join a silo network you just go to that network’s website and sign up, Mastodon is best thought of as a co-operative network of smaller communities, each with their own rules and culture. That means that signing up involves choosing a community you trust and signing up to that, which is a big ask. How, after all, do you know? In reality, you can’t go wrong by joining mastodon.social, the flagship community run by the project itself.

Source: Mastodon blog

But you don’t need to use Mastodon’s software to join the network. This brings us back to Meta’s Threads: it has support for the underlying protocol, so you can actually talk to and follow Mastodon users from there (and they can follow you). For publishers, Flipboard has become “a Fediverse browser” (particularly in tandem with its newsreader Surf, which I use every day), while the Newsmast Foundation is working to onboard newsrooms and surface trustworthy journalism on the network. Ghost and WordPress both now have extensive support (Ghost's keeps getting slicker and slicker). And there’s a long tail of other platforms like Bonfire and Friendica that are compatible, too, all powered by the underlying ActivityPub protocol.

Source: Flipboard Surf, via TechCrunch

Regardless, Mastodon is definitely the flagship. It’s also the only European major social network. A longtime German entity, its non-profit status was stripped some years ago (the team says it was never told why), and it’s now in transition to becoming a Belgian AISBL. Backers include Craig Newmark, Twitter co-founder Biz Stone (who once sat on the advisory board for Elgg, the open source social networking platform I co-founded), and Stack Overflow co-founder Jeff Atwood.

Critics say it hasn’t focused enough on user experience, that it feels too different from other networks, and that it can be a bit nerdier. The thing is, there’s still everything to play for here: a solid foundation, millions of dedicated users, and a governance and business model that’s very different to the Silicon Valley norm. And at the time of writing, Mastodon just announced a new executive team that includes a lead dedicated to the communities it runs. That new lead, Hannah Aubry, is incredibly important. Bluesky has made great strides by focusing on the culture of its own flagship site, and there’s much more that Mastodon could do here.

I’m personally more excited about Mastodon than ever. Even if it fails — which I don’t believe it will — it’s forging a brave and different path.

Quick facts about the Fediverse:

Flagship platform: Mastodon
Fastest place to sign up: mastodon.social
Other platforms: Ghost, Flipboard, Pixelfed, Friendica, etc
Funding model: Mastodon is becoming a Belgian non-profit. It also has a US 501(c)3 and an original German entity that it is moving away from. It is funded through donations and its own managed hosting services.
Advocacy groups: Social Web Foundation
Underlying protocol: ActivityPub

The ATmosphere

The network built on the AT Protocol — often playfully called “The ATmosphere” — functions a bit differently. On Mastodon, you join a neighborhood; on Bluesky, you rent a storage unit that any app can access.

Bluesky began as an internal Twitter project championed by then-CEO Jack Dorsey. Concerned about political pressure on Twitter’s content decisions, he imagined moving parts of the platform’s governance onto an open protocol that nobody could fully control. In that vision, Twitter itself might eventually run on the underlying protocol.

In its earliest phase, Bluesky was essentially a working group of open-source developers exploring what a “locked-open” social protocol might look like. Jay Graber quickly emerged as the clearest technical and organizational leader, and she ultimately convinced Dorsey to spin the project out as an independent company.

Because of that lineage, the flagship Bluesky app looks and feels like Twitter in many ways. When the site opened to the public, most of the people who left Elon Musk’s X chose Bluesky because it felt more familiar and easier to understand than Mastodon. Over time, the team found itself building not just a protocol, but a full social platform with moderation, recommendation features, and active community management. It’s now the de facto open social web network for journalists, writers, and other public intellectuals.

Source: Bluesky blog

Dorsey’s involvement has been a point of criticism, but ironically, Bluesky’s emphasis on community health is part of what pushed him away. His original aim was to avoid building trust and safety systems altogether: he sees moderation as a path to censorship rather than a requirement for healthy online spaces. Once Bluesky embraced trust and safety as core ethical work rather than something to outsource to the protocol, he walked away and shifted his support to Nostr, a more libertarian network designed to minimize moderation.

All of this sits on AT Protocol’s underlying model. While Mastodon is a series of federated communities, on Bluesky, every profile is actually a storage unit containing that user’s data. When you follow someone, you’re really subscribing to updates to their data. Other applications beyond the flagship Bluesky app can also write to your data store: Leaflet is a blogging platform, Graze lets you build custom feeds according to your interests, and so on.

Source: Graze blog

By default, your data is stored with Bluesky, but there are other options. The best known and in many ways the most exciting is Blacksky, Rudy Fraser’s Black-owned datastore and social application. Eurosky, meanwhile, is an emerging attempt to build outside of North American jurisdiction.

Quick facts about the ATmosphere:

Flagship platform: Bluesky
Fastest place to sign up: bsky.app
Other platforms: Blacksky, Graze, Leaflet, Flashes, etc
Funding model: Bluesky is a VC-funded startup that has raised at least $36M to date. It hasn’t deployed a business model yet.
Advocacy groups: Free Our Feeds
Underlying protocol: AT Protocol

Protocol TL;DR

If you don’t care about protocols at all, here’s the summary:

The Fediverse = small communities talking to each other
AT Protocol = personal data pods that apps plug into
Both = avoid lock-in, centralized power, and unpredictable corporate incentives

Other alternatives

The Fediverse and the ATmosphere aren’t the only open social web networks, although they are by far the most prominent.

Nostr and Farcaster have both attracted a crowd that’s heavy on crypto and libertarian ideologies. (diVine, funded by Dorsey and run by Twitter OG Rabble, rebuilds Vine on the Nostr network.) Given his relationship with trust and safety, it shouldn’t be a surprise that these networks are very technically pure but low on community safety or culture-building.

Source: Nos Social blog

Meanwhile, Project Liberty is a $500M endeavor funded by Frank McCourt, which has built its own open social layer, Frequency. It’s also funded policy blueprints and real legislation designed to give users more control over their social media.

And the indie web, which builds decentralized social functionality on top of web fundamentals like HTML, should not be discounted. Its focus on a world where everyone’s profile is a website that is completely unique to them but can still communicate and share together has led to an enthusiastic community that’s been growing for over a decade. I think the indie web and the open social web are complimentary: you can build a following on the open social web and build an amazing indie web website that really represents you.

Working across networks

The protocols are not as important as the people and communities who connect across them. Part of the ethos of openness is that it’s not about building a “winner”: nobody should be locked into any platform or technology. These movements are also too young for everyone to have converged on one underlying protocol; we’re still at the early innovation stage.

I’m on the board of A New Social, a non-profit whose mission is to provide bridges between protocols, creating a single, unified open social web. Its product Bridgy Fed has long allowed you to follow Fediverse profiles on the ATmosphere and vice versa. And its new product, Bounce, allows you to easily move your profile from one network to the other, bringing your network with you. The result is even less lock-in: you can decide which network makes the most sense for you.

Earlier in this piece, I also mentioned Surf, which allows you to find news stories and conversations you care about across all the open social web networks. I’ve curated a feed of non-profit US newsrooms and one of investigative tech journalism that are also available as Bluesky feeds.

Buffer is one of many social scheduling tools that support both networks. Fedica allows you to analyze your stats and surfaces characteristics of your community.

These are the kinds of tools that could only exist on the open social web. A network like X would charge these providers a ton of money; others would simply block them as a threat to their business models. But on the open social web, where the open protocols are permissionless and open to all, they can thrive.

It’s not zero sum

There’s no reason you need to pick just one. Like many people, I maintain profiles on Mastodon and Bluesky, as well as through my blog and on Threads, and I’ve found that the conversations across all of them are different. There’s a lot to be gained on each — but, again, Bridgy Fed and Bounce mean you can try one without worrying about missing out.

The most important thing is to take back ownership of your community and your relationships online. The silo networks have done their best to become intermediaries between you and your connections, forcing you to pay to reach people who have already subscribed to you. They’ve partnered with authoritarian governments and caused great harm through their negligence and blinkered self-interest.

Another world is possible, and it’s only just beginning. Go grab your profile and get started.

Home alone gaming - W46 - Joel's Log Files

2025-11-18T23:50:00.000Z

Long weekends while home alone are the best! You are going to find quite a lot of gaming was done this time around, however, I also catched up on quite a bit of manga, and went through some painful stuff at work, but nothing too bad.

🎨 I have completed and published my AdwaitaPod-based theme (with Arcticons) for the Innioasis Y1! Feel free to give it a download if you get the device, and check the original theme as well if you want to try it on an iPod or something.
💻 My coworker got a vacation on Friday and it was pain. Some critical machinery malfunctioned at the worst possible moment. I had to set up a plan B in case the automation/maintenance team couldn’t manage to repair it in time. I was on-call during Saturday too, thankfully things turned out fine.
🏠 I stayed home alone for pretty much the whole week. I survived thanks to the existence of cereal and buying lunch at my workplace, I spent most of my time early in the week working on my theme, then I played a bunch of videogames during the weekend.
🐕 My doggo still doesn’t want to use his front leg, I guess there was some nerve damage after all, he doesn’t seem to mind that much so, I’ll just try to get over it, I guess? I wonder if there’s some other therapy to try.
🛍️ El Buen Fin (The Good Weekend) is the mexican equivalent to Black Friday, and I fell for it. I acquired Crypt Custodian and Dragon Quest I & II HD-2D Remake for Nintendo Switch. I also acquired Streets of Rage 4 Anniversary Edition, which arrived early in the week and I have already completed the campaign so that’s fine.
🍕 Went out for some pizzas on Sunday night with friends, it was pretty great and we got to drink some Horchata which is always a big plus.
🎵 Even if I don’t have a music/listening section, I think I can always say some album or song that is currently on my mind. Right now it would be: Daydream by Tatsuro Yamashita

Reading

When it comes to manga I am actually rather impressed with myself. After finishing Ariadne in the Blue Sky, I got to catch up on a lot of other stuff! Here’s it. When it comes to books, not that bad.

Exit Strategy - Up to chapter 4. There’s some characters that made a comeback and it’s been really interesting to watch it unfold. I hope to finish this book this week!
Blue Lock - Up to chapter 325. The match against Nigeria resulted in an absolute victory for the Japanese team. It was an absolutely bloodbath, but the next two matches looks like they’ll be a real challenge, France and England are next.
Chainsaw Man - Up to chapter 220. Crazy stuff is happening as always, for example, a whole city was turned into a weapon.
Frieren: Beyond Journey’s End - Up to chapter 142. Finally returned to Frieren, and I love these characters so much. The current arc is super stressful though, and the action is about to begin.
Sakamoto Days - Up to chapter 227. With Sakamoto out of commission, everyone tries to escape, and new enemies have showed up, crazy action sequences upcoming.

Gaming

This was definitely a week filled with gaming to the brim! I will even make the format a little different because I got a lot to say about a few of the titles here.

Completed

Streets of Rage 4

I didn’t expect this at all, but in a moment of weakness, I bought the physical Anniversary Edition of this game, and as soon as I put the cartridge on, we just couldn’t put it down.

An incredible soundtrack took over my speakers, and we just had to start it immmediately. I played it with my friends and completed the campaign in one sitting.

The simple combat, the animation, the artstyle, the excellent dynamic musical score. This game is probably the best the franchise has to offer, a glorious return to form for anyone who missed the franchise on the Sega Genesis.

Solo, I did a single run of the roguelike mode, and died on the first boss fight, and I decided to focus on other games for now. I can see myself returning to this plenty of times with friends.

Ongoing

The Hundred Line: Last Defense Academy

This game’s the reason my weeknotes are a day late, and the main thing that occupied my time. I started it and “finished” its story months ago. If you are curious, this is officially my most played game on my Nintendo Switch, and it has managed to hook me quite a bit. After beating the game once, the game allows you to play it a second time. However, this playthrough lets you make decisions throughout the story, creating deviations that amount to a total of one hundred endings. This mix between tactics RPG and visual novel is really cool.

This has been an extremely interesting choice from the developers, and it has allowed me to see how every character in the game reacts to the outcomes at hand. It’s fun, stressful, terrifying and exciting. So far, I have gone through 11 endings. Multiple writers were involved, some routes are shorter than others, some moments are samey, and others are absolutely insane. There’s a lot to like, and I absolutely love (most of) these characters. The game lets you skip battles you already played and return to previous branches at any point, it’s unbelievable.

Streets of Rage 2

After a 10 hour-long session of The Hundred Line, I felt like trying out something quick before going to sleep. Alas, Streets of Rage 2 seemed worth trying since I had recently fiddled with the first one and this one was considered the best of the franchise.

And well, yes, that music told me everything I needed to know. It was cleaner and more polished than the first one. I got to the 3rd stage in a few minutes and things were pretty cool, I must say that the second boss flying on a jetpack was very annoying though.

Others

CrossCode: I should have focused more on this one, if I’m honest, all I did this time was focus on getting leveled up equipment and progressing through the story. For now, I joined a guild, I unlocked my way to the dungeon, and now I just want to get a bit more XP before venturing inside!
Astro Boy: Omega Factor: I returned to this game after a break and it’s honestly just awesome plain fun. A beat’em up platformer that goes through lots of iconic moments of the franchise, fun stuff!
Monster Hunter Rise: To break things up I also progressed a bit on the high rank quests of this game, I went for a Rathian, defeated her, and called it a day.
Spelunky: After me and my friends beat Streets of Rage 4, we felt like trying something a little more chaotic for a bit, so we tried a couple runs of this game, and of course, failed miserably.
Slice & Dice: I hadn’t played this much but during a meet-up with other S&D friends we decided to do a race to see who could win a run first. I didn’t win, but trying was fun!

Around the Web

I read most of these earlier in the week and you can tell, lol.

Blogposts

A Morning of Physical Media - There’s just something about the physical interaction with stuff that is unmatched.
Learning Spanish Update - It’s weird to see La Rosa de Guadalupe mentioned in a blog I follow.
Input diet - yet another good post about media intake and managing that stuff.
Offline first? - Just being a little more offline, and interacting with less short/quick/easy stuff and replace it with meaningful things.
Why I Don’t Need a Steam Machine - Wouter has a big backlog, and so do I.
Self-Hosting for Everyone - Laura is a new discovery, and she is a self-hosting sicko, I have enjoyed her blogposts so far!
My Relationship with Stuff - Curating is better than hoarding, don’t just collect for the sake of it. Figure out what you actually want! I gotta remember this.

Videos

Mind if I complaing for 15 minutes? - I love JadenAnimations and this video is one that I’m sure many will find relatable (not me, I am glad I’ve avoided all that stuff).
Daft Punk Alive 2007 full concert - I had no idea this was a thing that existed, but I am extremely, extremely happy that it does. Just take a break from everything and experience this album as if it’s 2007.
Why I uninstalled ublock origin, this is WAY better! - This is an interesting plugin, although I don’t know if I’ll actually use it.

Reply to this post via email | Reply on Fediverse

2025 Stickers Redux - Robb Knight • Posts • Atom Feed

2025-11-18T12:25:06.000Z

Now the dust has settled on the piracy stickers, I checked how many I had left and it was a few more than I thought so I'm putting them back up for sale until they run out. Here's what I have available:

Four pack of the Don't Know Don't Care Don't @ Me stickers. There's only two of these available. Buy
Training Data double pack. 2 × Pirate Bay, 2 × Piracy Ad. I have 20 or so packs of these. Buy
Pirate Bay four pack. There's 10 or so of these available. Buy

I will do another run of the Sparkly Websites stickers very soon — I don't have any of those left right now. As always, the shop page has all the links as well, at least until I decide on a better system for selling stickers.

We found cryptography bugs in the elliptic library using Wycheproof - Trail of Bits Blog

2025-11-18T12:00:00.000Z

Trail of Bits is publicly disclosing two vulnerabilities in elliptic, a widely used JavaScript library for elliptic curve cryptography that is downloaded over 10 million times weekly and is used by close to 3,000 projects. These vulnerabilities, caused by missing modular reductions and a missing length check, could allow attackers to forge signatures or prevent valid signatures from being verified, respectively.

One vulnerability is still not fixed after a 90-day disclosure window that ended in October 2024. It remains unaddressed as of this publication.

I discovered these vulnerabilities using Wycheproof, a collection of test vectors designed to test various cryptographic algorithms against known vulnerabilities. If you’d like to learn more about how to use Wycheproof, check out this guide I published.

In this blog post, I’ll describe how I used Wycheproof to test the elliptic library, how the vulnerabilities I discovered work, and how they can enable signature forgery or prevent signature verification.

Methodology

During my internship at Trail of Bits, I wrote a detailed guide on using Wycheproof for the new cryptographic testing chapter of the Testing Handbook. I decided to use the elliptic library as a real-world case study for this guide, which allowed me to discover the vulnerabilities in question.

I wrote a Wycheproof testing harness for the elliptic package, as described in the guide. I then analyzed the source code covered by the various failing test cases provided by Wycheproof to classify them as false positives or real findings. With an understanding of why these test cases were failing, I then wrote proof-of-concept code for each bug. After confirming they were real findings, I began the coordinated disclosure process.

Findings

In total, I identified five vulnerabilities, resulting in five CVEs. Three of the vulnerabilities were minor parsing issues. I disclosed those issues in a public pull request against the repository and subsequently requested CVE IDs to keep track of them.

Two of the issues were more severe. I disclosed them privately using the GitHub advisory feature. Here are some details on these vulnerabilities.

CVE-2024-48949: EdDSA signature malleability

This issue stems from a missing out-of-bounds check, which is specified in the NIST FIPS 186-5 in section 7.8.2, “HashEdDSA Signature Verification”:

Decode the first half of the signature as a point R and the second half of the signature as an integer s. Verify that the integer s is in the range of 0 ≤ s < n.

In the elliptic library, the check that s is in the range of 0 ≤ s < n, to verify that it is not outside the order n of the generator point, is never performed. This vulnerability allows attackers to forge new valid signatures, sig', though only for a known signature and message pair, (msg, sig).

$$ \begin{aligned} \text{Signature} &= (msg, sig) \\ sig &= (R||s) \\ s' \bmod n &== s \end{aligned} $$

The following check needs to be implemented to prevent this forgery attack.

if (sig.S().gte(sig.eddsa.curve.n)) {
 return false;
}

Forged signatures could break the consensus of protocols. Some protocols would correctly reject forged signature message pairs as invalid, while users of the elliptic library would accept them.

CVE-2024-48948: ECDSA signature verification error on hashes with leading zeros

The second issue involves the ECDSA implementation: valid signatures can fail the validation check.

These are the Wycheproof test cases that failed:

[testvectors_v1/ecdsa_secp192r1_sha256_test.json][tc296] special case hash
[testvectors_v1/ecdsa_secp224r1_sha256_test.json][tc296] special case hash

Both test cases failed due to a specifically crafted hash containing four leading zero bytes, resulting from hashing the hex string 343236343739373234 using SHA-256:

00000000690ed426ccf17803ebe2bd0884bcd58a1bb5e7477ead3645f356e7a9

We’ll use the secp192r1 curve test case to illustrate why the signature verification fails. The function responsible for verifying signatures for elliptic curves is located in lib/elliptic/ec/index.js:

EC.prototype.verify = function verify(msg, signature, key, enc) {
 msg = this._truncateToN(new BN(msg, 16));
 ...
}

The message must be hashed before it is parsed to the verify function call, which occurs outside the elliptic library. According to FIPS 186-5, section 6.4.2, “ECDSA Signature Verification Algorithm,” the hash of the message must be adjusted based on the order n of the base point of the elliptic curve:

If log2(n) ≥ hashlen, set E = H. Otherwise, set E equal to the leftmost log2(n) bits of H.

To achieve this, the _truncateToN function is called, which performs the necessary adjustment. Before this function is called, the hashed message, msg, is converted from a hex string or array into a number object using new BN(msg, 16).

EC.prototype._truncateToN = function _truncateToN(msg, truncOnly) {
 var delta = msg.byteLength() * 8 - this.n.bitLength();
 if (delta > 0)
 msg = msg.ushrn(delta);
 ...
};

The delta variable calculates the difference between the size of the hash and the order n of the current generator for the curve. If msg occupies more bits than n, it is shifted by the difference. For this specific test case, we use secp192r1, which uses 192 bits, and SHA-256, which uses 256 bits. The hash should be shifted by 64 bits to the right to retain the leftmost 192 bits.

The issue in the elliptic library arises because the new BN(msg, 16) conversion removes leading zeros, resulting in a smaller hash that takes up fewer bytes.

690ed426ccf17803ebe2bd0884bcd58a1bb5e7477ead3645f356e7a9

During the delta calculation, msg.byteLength() then returns 28 bytes instead of 32.

EC.prototype._truncateToN = function _truncateToN(msg, truncOnly) {
 var delta = msg.byteLength() * 8 - this.n.bitLength();
 ...
};

This miscalculation results in an incorrect delta of 32 = (288 - 192) instead of 64 = (328 - 192). Consequently, the hashed message is not shifted correctly, causing verification to fail. This issue causes valid signatures to be rejected if the message hash contains enough leading zeros, with a probability of 2^-32.

To fix this issue, an additional argument should be added to the verification function to allow the hash size to be parsed:

EC.prototype.verify = function verify(msg, signature, key, enc, msgSize) {
 msg = this._truncateToN(new BN(msg, 16), undefined, msgSize);
 ...
}

EC.prototype._truncateToN = function _truncateToN(msg, truncOnly, msgSize) {
 var size = (typeof msgSize === 'undefined') ? (msg.byteLength() * 8) : msgSize;
 var delta = size - this.n.bitLength();
 ...
};

On the importance of continuous testing

These vulnerabilities serve as an example of why continuous testing is crucial for ensuring the security and correctness of widely used cryptographic tools. In particular, Wycheproof and other actively maintained sets of cryptographic test vectors are excellent tools for ensuring high-quality cryptography libraries. We recommend including these test vectors (and any other relevant ones) in your CI/CD pipeline so that they are rerun whenever a code change is made. This will ensure that your library is resilient against these specific cryptographic issues both now and in the future.

Coordinated disclosure timeline

For the disclosure process, we used GitHub’s integrated security advisory feature to privately disclose the vulnerabilities and used the report template as a template for the report structure.

July 9, 2024: We discovered failed test vectors during our run of Wycheproof against the elliptic library.

July 10, 2024: We confirmed that both the ECDSA and EdDSA module had issues and wrote proof-of-concept scripts and fixes to remedy them.

For CVE-2024-48949

July 16, 2024: We disclosed the EdDSA signature malleability issue using the GitHub security advisory feature to the elliptic library maintainers and created a private pull request containing our proposed fix.

July 16, 2024: The elliptic library maintainers confirmed the existence of the EdDSA issue, merged our proposed fix, and created a new version without disclosing the issue publicly.

Oct 10, 2024: We requested a CVE ID from MITRE.

Oct 15, 2024: As 90 days had elapsed since our private disclosure, this vulnerability became public.

For CVE-2024-48948

July 17, 2024: We disclosed the ECDSA signature verification issue using the GitHub security advisory feature to the elliptic library maintainers and created a private pull request containing our proposed fix.

July 23, 2024: We reached out to add an additional collaborator to the ECDSA GitHub advisory, but we received no response.

Aug 5, 2024: We reached out asking for confirmation of the ECDSA issue and again requested to add an additional collaborator to the GitHub advisory. We received no response.

Aug 14, 2024: We again reached out asking for confirmation of the ECDSA issue and again requested to add an additional collaborator to the GitHub advisory. We received no response.

Oct 10, 2024: We requested a CVE ID from MITRE.

Oct 13, 2024: Wycheproof test developer Daniel Bleichenbacher independently discovered and disclosed issue #321, which is related to this discovery.

Oct 15, 2024: As 90 days had elapsed since our private disclosure, this vulnerability became public.

Open Source Power - Werd I/O

2025-11-17T18:38:10.000Z

[Erlend Sogge Heggen]

I’m extremely on board with this whole essay.

“Since its inception the free and open source software movement has lacked a theory of change beyond the liberation of computer code. Liberation of human beings by way of a liberatory technology was always a secondary and oftentimes incompatible concern for Open Source, since laborers having agency of their work (and how it may be exploited) is in conflict with the inviolable liberties of an Open Source computer program.”

As the author points out, open source has facilitated an upwards transfer of wealth and power from contributors and project communities themselves to the larger companies that can make use of this free labor to enrich their own endeavors. In a world where tech has been enabling fascist autocrats in the building of anti-democratic movements and governments, that’s particularly troubling. And it’s dressed up as some kind of altruistic public good, even when the end user is causing great harm.

The traditional open source / free software demand that software be made available freely for any use feels outdated in the current context. It’s a very libertarian rather than pro-social view of the world. In our current world, it’s particularly worth re-examining permissive licenses and considering what they are actually permissive of.

The suggestion here is that commercial use by large corporations is charged for. I think that makes sense: it’s a way of funding development that also preserves the underlying availability of open software and the sustainability of building it. But I’d honestly go further.

Do open source maintainers want their software to be used by ICE, for example? You don’t have to allow it to be. There’s no magical law of the universe that means you lose part of your soul if you say “no”. Software is a creative work, and the software you build is your creative work. You get to decide who uses it and under what terms. It’s completely reasonable to apply your values in making those decisions.

[Link]

Weeknote #1975 - Robb Knight • Posts • Atom Feed

2025-11-17T12:35:04.000Z

I've narrowed down the inks I'm going to try for finding my perfect pink ink to a handful. I'm planing on ordered Taccia Momo first because this is the one that's been recommended to me the most. I also updated my ink list on FPC.

I've added some more pens to my wanted list including the Diplomat Viper, the Monteverde MP1, and the new TWSBI Eco Cosmos Blue with Onyx. I also found somewhere selling the discontinued Pink Eco at retail price so I might need to buy that first.

I've backed Bonfire on IndieGoGo because I'm fascinated by what they're trying to do.

Despite not being an iOS developer (nor do I have any intention of becoming one), Everything but the Code is 50% off for Black Friday and aside from some app-specific things, seems like it'll have a lot of useful stuff in it.

Links

Flare is a new unified app for connecting to multiple social networks like Mastodon and Bluesky. I don't I need this but it's interesting nonetheless.

Grila is a keyboard-driven calendar app for MacOS which reminds me a lot of Godspeed.

Taking stock of my tools by Britney Winthrope is a great post with an new (to me) way of categorising tools you use (the CODE framework - Capture, Organize, Distill, Express).

The Ollee watch is back in stock but I resisted for the time being.

These Japanese firework illustrations are gorgeous. This also led to me to find Affinities which is a book by The Public Domain Review. Right onto my wishlist that goes.

Mutant Standard emoji is a fun new emoji set.

OpenBenches 💖 OpenStreetMap - Terence Eden’s Blog

2025-11-17T12:34:41.000Z

When Liz and I created the OpenBenches website, it was just designed to be a fun way for people to record memorial benches. Since then things have got out of hand and we now have over thirty-nine thousand benches recorded!

Our plan was never to compete with something like OpenStreetMap. The OSM project is vast, complex, and brilliant - we are small, simple, and differently brilliant. But, over the years, people have repeatedly asked if there's any way to combine the two data sets.

This has proved logistically complex for several reasons.

Our users aren't experienced mappers.
- Most of our entries are uploaded with fairly fuzzy GPS co-ordinates. Mobile phones aren't always the best at accurate locations and, besides, people tend to stand away from the bench when taking its photo. So our data isn't quite at the level of quality rightly demanded by OSM.
OSM didn't have a tag specifically for memorial benches.
- We started out site in 2017. OSM added the Tag:memorial=bench in 2021. Up until then, there wasn't a great way to record that a bench was a memorial.
Data licencing is complicated.
- We chose the Creative Commons Attribution ShareAlike licence - it seemed like a good idea at the time! OSM use ODbL which is subtly incompatible. As such, OSM volunteers asked us to sign a waiver so they could use the data - which we happily did.
Adding or editing data on OSM can be complicated.
- OpenBenches is designed to be an upload-and-forget process. It doesn't matter much to us if a bench is recorded a dozen metres away from its true location. But that isn't the way OSM works. We didn't want to bulk upload data which was inaccurate, incomplete, or inappropriate. Luckily, there are now tools to help with that!

Things have been working away in the background. Some people have manually added Key:openbenches:id to appropriate benches, and others have edited our database to make the locations closer to reality.

And now, thanks to the sterling work of the brilliant Pieter Vander Vennet we're moving to our next phase of increased collaboration!

Firstly, there are about 1,060 benches on OpenStreetMap which have an OpenBenches ID. I've taken all those OSM IDs and put them into our database. Which means that the OpenBenches website can display a button like this:

One click and you're looking at OSM - ready to investigate, edit, or admire.

But what about the other 38,000 benches? Well, that's where MapComplete comes in. MapComplete is sort of like Pokémon Go for maps. As you wander this Earth, you can complete little quests to help improve OpenStreetMap. For example, on the "Pubs" quest, you can add details of all the pubs you visit.

With the "Bench" quest, it is a little different. If an OpenBench is sufficiently nearby an OSM bench, you'll get the option to link the two with a couple of clicks.

But there are loads of benches we have discovered which aren't in the OSM database. In which case, you can add a new bench to OSM using the data from OpenBenches!

This has been a couple of years in the making - but it looks like most of the kinks are now sorted out. I'm sure there will be a few early problems, and no doubt a bit of late-night bug fixing, but I hope that this is the start of something long-lasting. The joy of decentralised sites using open data is that we can all build on each others' work in a spirit of fun and exploration.

Automating my reading progress updates - Posts feed

2025-11-16T18:13:00.000Z

I've tracked my reading progress on my site for a bit now. I'd originally done this by fetching my progress from external APIs and sources on platforms like Oku, fetching and parsing the DOM on the StoryGraph and eventually importing and managing my own data. For years I've been reading and listening to audiobooks in Apple's Books app. Much like Apple's other media apps (music and TV, namely), Books has slowly moved in a direction that makes importing your own content increasingly difficult, while slowly pushing storefront elements into the home section of the app until they effectively took over.

What tethered me to Apple Books for so long was my investment in the reading streak I'd maintained. But that streak is simply a number, a number that I can and have replicated here. That streak, as of writing, stands at 2,095 days. I've finally uninstalled Books, let the streak lapse there and moved my reading activity to Audiobookshelf.

Audiobookshelf is heavily focused on audiobooks, but also supports reading ebooks in myriad formats. It also does a wonderful job of tying different formats together for the same book should you have it as, say, an audiobook, an epub, a mobi file — you name it. I have my audiobooks there and I've added my ebooks. There are quite a few audiobook clients for Audiobookshelf, which makes sense given the app's focus. I haven't found an app that supports its ebook functionality.¹ For a consistent experience, I've added my instance of the app to my iOS device homescreens via Safari.

I track my reading progress as a percentage of completion and increment my reading streak whenever progress is updated. My reading streak table consists of a days_read integer and a last_read_date datetime. This is handled by a trigger:

And the function it runs:

Up until now, I've manually updated reading progress via a widget on my Filament dashboard. This was effective, but a bit tedious. However, since Audiobookshelf has a rich API, I dove in to see what data I could retrieve programmatically. I arrived at a Laravel command that runs every 15 minutes. This command fetches items in progress, then fetches details for each item (with expanded set to 1 and progress included). The response will then include userMediaProgress which, in turn, contains ebookProgress and progress. Audiobookshelf tracks distinct progress states for ebooks and audiobooks that are bundled together. The full command looks like this:

Once the progress is retrieved, it updates the progress for the book in my site's database via PostgREST by looking it up via the ISBN and, failing that, the title. As I read, Audiobookshelf records my progress, my site polls my instance of the app and updates each book's progress and my ongoing reading streak.

In addition to automating my progress tracking, I've updated my book data importer to fetch data from Audiobookshelf. It is also able to fetch data from Google Books and Open Library but, since I've consolidated my reading to Audiobookshelf, it made sense to import data from it directly to better align the record in my database with the source record. This import is second hand, in a sense as Audiobookshelf imports from other sources (Apple Books, funnily enough, is my default), but provides the best results:

This process is kicked off by clicking an Import Book command on my dashboard, which opens a modal with a dropdown to select the API source and an import for the required ID for that source.

With all that configured, I can quickly import data on the book I'm reading and progress will be automatically recorded as I read (or listen) to it.

If there is one, let me know. ↩

Updating forgejo's robots.txt - Posts feed

2025-11-15T22:10:00.000Z

I've moved all of my personal, private projects over to my own forgejo instance. It's been reliable and an altogether simple transition — I even have it mirroring the ai.robots.txt repo.

While most of my projects on the instance are private (like the source for this site and for Cadence), I wanted the robots.txt file for forgejo to align with this site's. Thankfully, updating the forgejo robots.txt is straightforward. I'm deploying my instance in a Docker container using Coolify and update the file as follows:

ssh into the server where the container is running.
Run docker ps -a | grep forgejo to get the forgejo container name.
Log into the container using docker exec -it <NAME> sh.
Navigate to forgejo's public directory: cd data/gitea/public.
Open robots.txt: vi robots.txt.
Add entries as you see fit.

I've mirrored my site's robots.txt to my forgejo instance and I've also included the rules from Codeberg's (up until the # Codeberg-specific changes to the end of the file). You can view the full file here.

robots.txt is, of course, a voluntary mechanism, but including these directives is still prudent.

Small Web, Big Voice - Kev Quirk

2025-11-15T16:22:00.000Z

Small Web, Big Voice

by Andre Franca

Andre argues that independent blogging isn’t about scale at all, but about integrity — choosing a place you control, writing in your own voice, and keeping the web human.

Read Post →

I read this post this morning while I was perusing my RSS feeds with a coffee. Firstly, I’m not sharing this because Andre called out my blog (although being bundled with people like Rach and Manu is extremely flattering). I’m sharing it because I agree with everything he says in the post.

Having a place on the web that I’m 100% in control of, where I can share my own thoughts, feelings, and opinions is very powerful for me. Over time this blog has evolved from me sharing technical posts most of the time, to a legit personal blog with a technical twist.

Despite what sites like ProBlogger say, I don’t have a niche, and I don’t try to grow my audience (I don’t even know how big my audience is). I just write whatever is on my mind at any given time, and people usually get in touch with me to discuss the topic. It’s fantastic.

If you’re on the fence about starting a blog, I implore you to do so. It’s probably the best thing I’ve ever done with a computer. If you, please drop me an email with the link - I love discovering new blogs!

Thanks for reading this post via RSS. RSS is great, and you're great for using it. ❤️

Reply to this post by email

Gadget Review: Benfei USB-C Video Capture ★★★★★ - Terence Eden’s Blog

2025-11-15T12:34:43.000Z

Want to capture video from your phone or console? You could just point a camera at the screen, but a more sensible way to do it is to capture the video directly via USB-C.

The good folks at Benfei have sent me another gadget to review! This is a USB-C Video/Audio capture dongle. Plug one end into a device and the other into your computer - it will show up as a USB video capture device.

Notice the extra USB socket there?

USB Power

One great thing about this device is that it has USB Power Delivery pass through. This means you can charge your device while grabbing video from it. That's more than a "nice to have" - the Nintendo Switch will refuse to output video over USB-C unless it is connected to a power supply.

The capture device claims to be able to pass through 100W - I don't have any devices which need that much power, but my USB-C Power Meter showed devices happily slurping down between 5W and 20W depending on the device I was using.

So how does it do?

Video and Audio

It is limited to 1080p @ 60Hz, which is good enough for most things.

Here's a short clip from the Nintendo Switch:

https://shkspr.mobi/blog/wp-content/uploads/2025/11/Benfei-Switch.mp4

And here's a capture from my Android phone:

https://shkspr.mobi/blog/wp-content/uploads/2025/11/Benfei-Android-Video.mp4

Linux

For the nerds amongst us, this shows up in lsusb as 345f:2130 MACROSILICON USB3 Video which should be well supported.

OBS Studio was able to capture the video and audio input perfectly:

It is the epitome of Plug & Play. Shove one end into your device and plug the other end into your computer's USB-C port. That's it. Done. No software to install, no drivers to download, no switches to flip. There's also a handy adapter if you want to use a USB-A socket - although it will need to support USB 3 speeds.

Limitations

As with most HDMI devices, it will refuse to stream video protected by HDCP DRM. That means you probably can't stream your Netflix / Disney / Whatever subscription to your laptop.

It is limited to stereo sound. I couldn't convince the Nintendo Switch to output surround sound.

Obviously, it only works with devices which have USB-C video output. Modern Android and most hand-held consoles will work. Your PS5 won't.

So what about those devices without USB-C?

Bonus HDMI Dongle!

So you're a wannabe Twitch streamer, or you just want to capture something from your HDMI output? The good folks at Benfei also sent me their HDMI Capture Dongle to review.

There's absolutely nothing else to say about this one. It has the same internals - 345f:2130 MACROSILICON USB3 Video - and works exactly the same.

Shove an HDMI cable in there and you're good to go,

Price

The USB-C to USB-C cable a surprisingly reasonable £15. If you need to capture video for presentations or streaming, it will do the job splendidly. The cable is long enough to drape from a machine to a source - and the Power Delivery is useful.

The HDMI capture is only £12. They both work identically well and are supported on Linux.

Highly recommended!

Level up your Solidity LLM tooling with Slither-MCP - Trail of Bits Blog

2025-11-15T12:00:00.000Z

We’re releasing Slither-MCP, a new tool that augments LLMs with Slither’s unmatched static analysis engine. Slither-MCP benefits virtually every use case for LLMs by exposing Slither’s static analysis API via tools, allowing LLMs to find critical code faster, navigate codebases more efficiently, and ultimately improve smart contract authoring and auditing performance.

How Slither-MCP works

Slither-MCP is an MCP server that wraps Slither’s static analysis functionality, making it accessible through the Model Context Protocol. It can analyze Solidity projects (Foundry, Hardhat, etc.) and generate comprehensive metadata about contracts, functions, inheritance hierarchies, and more.

When an LLM uses Slither-MCP, it no longer has to rely on rudimentary tools like grep and read_file to identify where certain functions are implemented, who a function’s callers are, and other complex, error-prone tasks.

Because LLMs are probabilistic systems, in most cases they are only probabilistically correct. Slither-MCP helps set a ground truth for LLM-based analysis using traditional static analysis: it reduces token use and increases the probability a prompt is answered correctly.

Example: Simplifying an auditing task

Consider a project that contains two ERC20 contracts: one used in the production deployment, and one used in tests. An LLM is tasked with auditing a contract’s use of ERC20.transfer(), and needs to locate the source code of the function.

Without Slither-MCP, the LLM has two options:

Try to resolve the import path of the ERC20 contract, then try to call read_file to view the source of ERC20.transfer(). This option usually requires multiple calls to read_file, especially if the call to ERC20.transfer() is through a child contract that is inherited from ERC20. Regardless, this option will be error-prone and tool call intensive.
Try to use the grep tool to locate the implementation of ERC20.transfer(). Depending on how the grep tool call is structured, it may return the wrong ERC20 contract.

Both options are non-ideal, error-prone, and not likely to be correct with a high interval of confidence.

Using Slither-MCP, the LLM simply calls get_function_source to locate the source code of the function.

Simple setup

Slither-MCP is easy to set up, and can be added to Claude Code using the following command:

claude mcp add --transport stdio slither -- uvx --from git+https://github.com/trailofbits/slither-mcp slither-mcp

It is also easy to add Slither-MCP to Cursor by adding the following to your ~/.cursor/mcp.json:

{
 "mcpServers": {
 "slither-mcp": {
 "command": "uvx --from git+https://github.com/trailofbits/slither-mcp slither-mcp",
 "env": {
 "PYTHONUNBUFFERED": "1"
 }
 }
 }
}

Figure 1: Adding Slither-MCP to Cursor

For now, Slither-MCP exposes a subset of Slither’s analysis engine that we believe LLMs would have the most benefit consuming. This includes the following functionalities:

Extracting the source code of a given contract or function for analysis
Identifying the callers and callees of a function
Identifying the contract’s derived and inherited members
Locating potential implementations of a function based on signature (e.g., finding concrete definitions for IOracle.price(...))
Running Slither’s exhaustive suite of detectors and filtering the results

If you have requests or suggestions for new MCP tools, we’d love to hear from you.

Licensing

Slither-MCP is licensed AGPLv3, the same license Slither uses. This license requires publishing the full source code of your application if you use it in a web service or SaaS product. For many tools, this isn’t an acceptable compromise.

To help remediate this, we are now offering dual licensing for both Slither and Slither-MCP. By offering dual licensing, Slither and Slither-MCP can be used to power LLM-based security web apps without publishing your entire source code, and without having to spend years reproducing its feature set.

If you are currently using Slither in your commercial web application, or are interested in using it, please reach out.

22.00.0168 How to remember the Markdown link syntax - Johnny.Decimal

2025-11-15T02:16:10.000Z

How to remember the Markdown link syntax

In Markdown, a universally-handy text formatting language, you create a link like this:

[Title of link](https://…)

Easy enough, but there's a bunch to remember there. Which comes first, the title or the link? And which is in square brackets, which in regular brackets?

Get any of those things wrong, and your link won't work.

'Name and address please, sir'

Let's do the stuff inside the brackets first. When you get pulled over by the cops you'd never be asked for your 'address and name', would you? Same here.¹

Name and address in that order.

Addresses contain numbers

Those regular brackets () live on the keys 9 and 0.

What contains numbers? An address.

What doesn't? Your name.²

That's it

[Johnny](90 Main St)

100% human. 0% AI. Always.

Yeah, yeah, you're innocent. Save it for the judge. ↩
Unless you're this guy. ↩

Maple Vanilla Mead - Cool As Heck

2025-11-14T13:14:14.000Z

My next experimental mead recipe is going to be a maple vanilla mead. Here's the base recipe:

- 2lb raw acacia blossom honey (primary)

- 12oz Vermont maple syrup (primary)

- 1 vanilla bean (secondary)

- 2 whole allspice berries (secondary)

- 6g of oak chips (secondary)

- 4-6oz Vermont maple syrup for back sweetening and taste

Yeast: Lalvin 71B

This will hit about 12% ABV. This will be my first time working with acacia honey, raw honey, maple syrup, and oak chips, so this is going to be fun and interesting. 🍷

Giving My Jekyll Site a CDN Front End - Kev Quirk

2025-11-14T12:55:00.000Z

I've managed to get my Jekyll based site working behind Bunny CDN, while maintaining my .htaccess redirects. Here's how I did it...

Giving My Jekyll Site a CDN Front End

Since switching back to Jekyll recently, I’ve been running this site on a Ionos-hosted VPS, then using a little deploy script to build the site and rsync it up.

This all worked fine, but I really wanted to use Bunny CDN for more than just hosting a few images and my custom font. Being a static site, I could have dumped everything onto their storage platform, but I have a metric tonne of redirects in a .htaccess file from various platform migrations over the years.

Bunny’s Edge Platform could have handled these, but with the number of redirects I have, it would have been a slog to maintain. So I assumed I’d never be able to put Bunny in front of my Jekyll site easily and went about my business.

💡 Then I had an epiphany.

What if I created a Bunny pull zone that uses kevquirk.com as the public domain, then set up a separate domain on my VPS, host the site there, and use that as the pull zone origin?

My theory was that Bunny would still be requesting content from the VPS, so my .htaccess redirects might still work.

…turns out, they did.

Some small bugs

I duplicated my live site so I could experiment safely. The setup looked like this:

test.kevquirk.com - the domain configured in the Bunny pull zone
src.qrk.one - the origin domain on my VPS, where the site actually lives

The first thing I had to do was update the url field in my Jekyll _config.yml from kevquirk.com to test.kevquirk.com, rebuild the site, and upload it to src.qrk.one.

Now, you might be thinking, “Kev, why build the site with the wrong domain?”

But I haven’t. By building the site with the test domain, all links point to test.kevquirk.com/.... If I built it with the origin domain, all internal links would lead to the wrong place. They would still work, but the site would be served from src.qrk.one, which is not what I want.

Next up was redirect testing. I visited /feed, which should hit .htaccess and redirect to /feed.xml. The redirect worked fine, but the resulting URL was being served from the origin domain.

So instead of seeing test.kevquirk.com/feed.xml I saw src.qrk.one/feed.xml.

This happened because Bunny requested the file from the origin using its own hostname, not the hostname I typed. In simple terms:

I visited test.kevquirk.com/feed.
Bunny checked its cache. It wasn’t there, so it asked my origin for the file.
But Bunny made that request using its own hostname (src.qrk.one), not the one I typed.
Apache saw the request coming from src.qrk.one/feed and applied the .htaccess redirect to /feed.xml.
Apache then rebuilt the redirect URL using the hostname it was given, which was src.qrk.one.

So Apache went:

“Oh, you want /feed? Sure. That’s at src.qrk.one/feed.xml. Here ya go…”

Fixing the problem

This would not break anything for visitors, but I didn’t want src.qrk.one appearing anywhere. It looked messy.

Two changes fixed it:

Enable Forward Host Headers in my Bunny pull zone.
Add test.kevquirk.com as a domain alias of src.qrk.one on my VPS.

Forward Host Headers makes Bunny tell the VPS the hostname the visitor used. So instead of:

“I’m asking for this on behalf of src.qrk.one.”

Bunny says:

“I’m asking for this on behalf of test.kevquirk.com, not src.qrk.one.”

The domain alias ensures Apache accepts that hostname and serves it correctly.

Magic. 🪄🐇

The other thing to double-check is that every page sets a proper canonical URL. The origin domain is publicly accessible, so crawlers need to know which domain is the real one. That should always be the Bunny pull zone domain.

In Jekyll this is simple. Add the following to the head section of your layout:

<link rel="canonical" href="{{ page.url | absolute_url }}">

The final straight

With the redirect behaviour sorted, the last step was to add a purge step to my deploy script so Bunny knows to fetch the latest version whenever I publish a new post or update something.

Here’s the snippet I added:

# --- Clear Bunny Cache ---
echo "🗑 Clearing Bunny Cache..."
PURGE_RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" -X POST \
  -H "AccessKey: $BUNNY_ACCESS_KEY" \
  "https://api.bunny.net/pullzone/$PULL-ZONE-ID/purgeCache")

if [ "$PURGE_RESPONSE" -ne 200 ] && [ "$PURGE_RESPONSE" -ne 204 ]; then
  echo "⚠️  Bunny purge failed (HTTP $PURGE_RESPONSE)"
  exit 1
fi

I set my Bunny API key and Pull Zone ID as variables at the top of the script. The if statement simply says, “If the response isn’t 200 or 204, tell Kev what went wrong.”

And that is it. Last night I flipped the switch. Bunny CDN now sits in front of the live site. I also moved the VPS from Ionos to Hetzner because Ionos now charge extra for a Plesk licence. I went with Hestia as the control panel on the new server.

If you spot any bugs, please do let me know, but everything should be hopping along nicely now. (See what I did there? God I’m funny!)

Thanks for reading this post via RSS. RSS is great, and you're great for using it. ❤️

Reply to this post by email

22.00.0167 An(other) advantage of the creative pattern - Johnny.Decimal

2025-11-14T00:43:29.000Z

An(other) advantage of the creative pattern

Our creative system here at JDHQ is in heavy use with production of the upcoming JDU series 'task and project management', seeing me create ID 50092 yesterday. We'll crack that hundred before long.

Previous creative projects -- recording the workshop, say -- tended to sit in their own isolated world. They take up a bunch of disk space, and if you're on a laptop you don't want to (or simply can't) carry those files around forever.

You produce a series, upload the final videos, and archive the original files. So it feels simpler to have all of those files in one folder, and you can just move that folder around.

This is a problem, though, if you ever want to re-edit those videos. To correct a mistake, say. Now you have to get the vidoes off 'the archive drive' and put them back either exactly where they were, which involves you remembering exactly where that was, or you have to re-point your video editing software to their new location. DaVinci Resolve calls this 're-linking the media'.

Neither of us are video editing professionals. This is an exercise fraught with danger that often results in us looking at this dreaded screen. We're not the only ones.

Figure 22.00.0167A. DaVinci Resolve's dreaded 'unlinked media' icon.

What if the files never moved?

With the creative pattern, the path to the file never changes. It's always (truncated for simplicity)
D25/50-59/50082/file.mov.

What changes is whether the original video files are actually at that location on disk. On my laptop, I've told Syncthing, which keeps our files in sync across the world, to remove those files. Lucy, our editor, still holds a copy.

I'll eventually remove all of these files from both laptops. We say that I'm 'dehydrating' those folders. At this point, launching DaVinci will look like the screenshot above. But the only thing I'll need to do if Lucy wants to edit a video is 'rehydrate' those files, synchronising them across the network from our server in Melbourne.

Nothing changed from DaVinci's perspective. Nothing ever will. Bye bye, red timeline of confusion.

100% human. 0% AI. Always.

Mead Update - November 13, 2025 - Cool As Heck

2025-11-13T21:05:22.000Z

This week I deoxidized and stabilized the pumpkin mead after back sweetening it last week. It turned out pretty good! If I had to do it again I would go a little less heavy on the amount of spices or the amount of time I left them in. Still, it turned out nice and I can't wait to see how it tastes after a few weeks in the bottle.

I've got a batch of ginger peach cyser going now. Well, it's just peach at the moment. It still has a week or two of fermentation left before I can test it, rack it, and add the ginger. I also got some peach syrup to use as a sweetener if it needs a little more post-fermentation sugar or an extra kick of peach flavor.

Shellsharks Blogroll - BlogFlock

Why Do You Need Big Tech for Your SSG? - Kev Quirk

How to build and deploy automatically

Final thoughts

Snow - James' Coffee Blog

22.00.0169 An invoice disappears - Johnny.Decimal

An invoice disappears

The invoice

Discovering its loss

The vanishing act

Deliberate record-keeping

Update: found it!

Solution: new ops manual

Footnotes

The State of the Open Social Web - Werd I/O

What is the open social web?

Why should you care?

Prevailing open social web networks

The Fediverse

The ATmosphere

Protocol TL;DR

Other alternatives

Working across networks

It’s not zero sum

Home alone gaming - W46 - Joel's Log Files

Reading

Gaming

Completed

Streets of Rage 4

Ongoing

The Hundred Line: Last Defense Academy

Streets of Rage 2

Others

Around the Web

Blogposts

Videos

2025 Stickers Redux - Robb Knight • Posts • Atom Feed

We found cryptography bugs in the elliptic library using Wycheproof - Trail of Bits Blog

Methodology

Findings

CVE-2024-48949: EdDSA signature malleability

CVE-2024-48948: ECDSA signature verification error on hashes with leading zeros

On the importance of continuous testing

Coordinated disclosure timeline

For CVE-2024-48949

For CVE-2024-48948

Open Source Power - Werd I/O

Weeknote #1975 - Robb Knight • Posts • Atom Feed

Links

OpenBenches 💖 OpenStreetMap - Terence Eden’s Blog

Automating my reading progress updates - Posts feed

Updating forgejo's robots.txt - Posts feed

Small Web, Big Voice - Kev Quirk

Small Web, Big Voice

Gadget Review: Benfei USB-C Video Capture ★★★★★ - Terence Eden’s Blog

USB Power

Video and Audio

Linux

Limitations

Bonus HDMI Dongle!

Price

Level up your Solidity LLM tooling with Slither-MCP - Trail of Bits Blog

How Slither-MCP works

Example: Simplifying an auditing task

Simple setup

Licensing

22.00.0168 How to remember the Markdown link syntax - Johnny.Decimal

How to remember the Markdown link syntax

'Name and address please, sir'

Addresses contain numbers

That's it

Footnotes

Maple Vanilla Mead - Cool As Heck

Giving My Jekyll Site a CDN Front End - Kev Quirk

Giving My Jekyll Site a CDN Front End

Some small bugs

Fixing the problem

The final straight

22.00.0167 An(other) advantage of the creative pattern - Johnny.Decimal

An(other) advantage of the creative pattern