Rosano / Journal

211 entries under "article"

Sunday, March 8, 2026

Boy I was wrong about the Fediverse

Of course search was broken because all OSS social tools must have one glaring lack of functionality. In a nightmare world full of constant change it’s good to have a few constants to hold on to.

Billions of dollars at their disposal and Meta made a hot new social media network with the appeal of junk mail.

Thursday, March 5, 2026

Intuitive Understanding of Sine Waves

Sine is a natural sway, the epitome of smoothness: it makes circles "circular" in the same way lines make squares "square".

Spoonbill (2016—2023)

I woke up every single day for the next two months after signing those deals, convinced that I had somehow broken the law and I would find in my inbox an email saying "no, sorry, this has all been a misunderstanding, you must return to us all of that money." The process of sending an invoice of that size was surreal in a way that few things since have quite been, and more than the actual financial gain it was a deeply useful lesson in understanding that the numbers which look big to a twenty-four-year-old look like rounding errors to a sophisticated company.

It's painfully rare for a piece of software to have a true sense of narrative closure: either it succeeds, and is immortal, or it is killed: killed by shifting priorities and shrunken budgets and changing macroeconomic headwinds and more exciting ideas.

The case for gatekeeping, or: why medieval guilds had it figured out

We need a verified not-shit-person badge. Some mechanism, ideally decentralized, ideally reputation-based, that lets maintainers distinguish between "human who has demonstrated basic competence and good faith" and "entity or bot submitting or causing to be submitted auto-generated changes to mass repositories for credential farming."

Wednesday, March 4, 2026

Practical Decentralization

[The more people contribute to a shared network, the less appropriate "personal computing" metaphors become. It becomes inevitable to index aggregate data on their behalf, and these are shared resources that require governance. Pure p2p fails here because it has no solutions for shared governance.]

[Servers simplify operational challenges that come with p2p, like reliable uptime, device sync, and key management.]

A shared data space enables modularity, separating powers away from the popular hosts.

How n8n Handles Vulnerability Disclosure - and Why We Do It This Way

[Closed-source security updates are hidden from attackers, which means the time they need to reverse-engineer a patch is a window for users to safely apply the update. Open-source security patches are immediately visible and become a roadmap for attackers to target those who haven't updated yet.]

[We currently publish patches and advisories on the same day to minimize the exploitable window. We also develop fixes in private and merge into public only when it's announced.]

Sunday, March 1, 2026

Sustainable Open Source

newcomer’s contributions aren’t as complete or far-reaching as those of experienced contributors, so it is doubly important for you to care about the people and their enthusiasm about your project more than that typo-fix they put on the website. We’ve turned someone who fixed a single typo on the website into a steady contributor and well-respected community member that now helps out all over the project.

How I Learned to Stop Caring and Love Open Source

For early stage projects, care is the only thing you can give them. But once you’ve shipped version 1.0.0 or even 2.0.0, once you wrote all the documentation, once people start using the project in production with success, once you’ve talked the 100th person through getting started on IRC or Slack, your priorities have to change.

Sunday, February 15, 2026

always bet on text

Text is the most socially useful communication technology. It works well in 1:1, 1:N, and M:N modes. It can be indexed and searched efficiently, even by hand. It can be translated. It can be produced and consumed at variable speeds. It is asynchronous. It can be compared, diffed, clustered, corrected, summarized and filtered algorithmically. It permits multiparty editing. It permits branching conversations, lurking, annotation, quoting, reviewing, summarizing, structured responses, exegesis, even fan fic. The breadth, scale and depth of ways people use text is unmatched by anything. There is no equivalent in any other communication technology for the social, communicative, cognitive and reflective complexity of a library full of books or an internet full of postings. Nothing else comes close.

Provisional Guidance for Users of LLM-Based Code Generators

I’m sure there will be links like “Court Rules AI Art Can’t Be Copyrighted” aplenty. They will be wrong. The court didn’t rule that AI art can’t be copyrighted. It ruled that copyright requires human authorship, surprising approximately zero copyright lawyers…or people who have read the Wikipedia page.

If you’re looking for a “simple legal rule” so that you can game it, nitpick its terms, or run right up to its line, you’re looking for trouble. Don’t blame me when you find it. But if you’re a realistic player just looking for a sense of odds so you can place wiser bets, the amount of output you accept from an LLM into your codebase at once, and the extent to which it makes what look like implementation choices, rather than simply invoking APIs or established boilerplate, probably represents your best intuitive heuristic. Your working sense of whether it looks like code completion, template-based code generation, or what coders used to have to unavoidably think through and type for themselves, before Copilot and the like came around, can serve as first-pass proxy for legal peril.

If it’s what everybody else checks in to use the same APIs, that’s unlikely creative expression that anyone can claim to own and see infringed. The more specific, creative routines that go within that boilerplate? Yes, potentially. The rigging, patterns, and boilerplate everybody else is filling in, too? Not so much.

the newer a novel, commercially relevant phenomenon, the less specifically-worded, algorithm-like rules determine outcomes at law, and the more important the purposes behind more generally worded rules become. Lawyers call abstractly stated, syllogism-like rules “black letter law” and the more generalized purposes “policies”. When how to apply black letter law isn’t clear, we cite and fight about policies in arguing how to read in context.

When you prompt and take big chunks of code from LLMs that rate high on the intuitive completion-generation-authorship scale, document your code input state, prompts, and further edits. Create a written record of your innocent use of LLMs.

If you were going to code a key part of a project ten years ago, and worried you’d be accused of plagiarism, the natural advice would’ve been to document your process. Don’t just phone it in with an “Implemented $foo” commit message. Write a nice long one, and maybe blog work in progress or keep a “lab notebook”, too.

Friday, February 13, 2026

Running out of narratives

Crypto is here to stay and it’s big! But it’s mostly a financial asset class built on narratives, self-referential applications, and a side order of niche use cases. The killer use case is stablecoins. That’s pretty boring.

Bitcoin is not a viable high-volume payment system. It’s not a safe haven. It’s not a hedge against a weak USD or inflation. It was a risky asset. But then it didn’t rally when every other risky asset in the world exploded higher. It was digital gold. Then gold and silver doubled and tripled and bitcoin stood still, looking on with jealous awe.

So my view is that crypto is maturing into a small but meaningful asset class with some important but kinda niche use cases. That’s about it. Like video games, or 3D printing, or VR. Exciting, useful, and important industries. But not the internet. Not railroads. Not AI. There is no coming wave of innovation that will take it to the promised land. Crypto has arrived. It’s maturing. It’s not early. What you see is what you get.

OAuth, or, The Elaborate Ceremony of Not Giving People Your Password

[Implicit Grant throws your key to you across a lobby full of interested parties. Proof Key for Code Exchange (PKCE) ensures that the one who requested the key is the one who gets it. Neither will solve impersonation attacks via social engineering.]

Thursday, February 12, 2026

Tactical tornado is the new default

When it comes to implementing a quick feature, nobody gets it done faster than the tactical tornado. In some organizations, management treats tactical tornadoes as heroes. However, tactical tornadoes leave behind a wake of destruction. They are rarely considered heroes by the engineers who must work with their code in the future. Typically, other engineers must clean up the messes left behind by the tactical tornado, which makes it appear that those engineers (who are the real heroes) are making slower progress than the tactical tornado.

How StrongDM’s AI team build serious software without even looking at the code

[Describe tests as 'scenarios' that represent user stories, and 'satisfaction' to quantify that it's happening, then store it where agents can't see them.]

We built twins of Okta, Jira, Slack, Google Docs, Google Drive, and Google Sheets, replicating their APIs, edge cases, and observable behaviors.

Eight more months of agents

I know local models will win. At some point frontier models will face diminishing returns, local models will catch up, and we will be done being beholden to frontier models. That will be a wonderful day, but until then, you will not know what models will be capable of unless you use the best. Pay through the nose for Opus or GPT-7.9-xhigh-with-cheese. Don't worry, it's only for a few years.

The Anthropic Hive Mind

But I managed. People usually figure out I’m harmless within about 14 seconds of meeting me. I have developed, in my wizened old age, a curious ability to make people feel good, no matter who they are, with just a little conversation, making us both feel good in the process. (You probably have this ability too, and just don’t know how to use it yet.)

During Golden Ages, there is more work than people. And when they crash, it is because there are more people than work.

“I AM GOING DOWN TO GET A DONUT NOW,” they will say, and someone will yell from the nap couch, “GET ME A DONUT.” “I AM ALSO DELETING THE DATABASE.” “OK.”

A lot of engineers like to work in relative privacy, or even secrecy. They don’t want people to see all the false starts, struggles, etc. They just want people to see the finished product. It’s why we have git squash and send dignified PRs instead of streaming every compile error to our entire team.

The Settlers of Catan inventor Teuber famously built new games for his own family to playtest for years, before they finally found the formula for Catan through many iterations.

The center of the campfire is a living prototype. There is no waterfall. There is no spec. There is a prototype that simply evolves, via group sculpting, into the final product: something that finally feels right. You know it when you finally find it.

Anthropic’s Hive Mind is described by employees as “Yes, and…” style improvisational theater. Every idea is welcomed, examined, savored, and judged by the Hive Mind. It’s all based on vibes. There is no central decision-making authority. They are just trying everything, and when magic happens, they all just kind of realize it at once.

all companies are asking variations of just the same two questions. They bluster and bluff and try to act informed, but they are all terrified. When you cluster their questions, they break down into, “Will everything be OK?” and “Will we be here in five years?”

We mourn our craft

I didn’t ask for the role of a programmer to be reduced to that of a glorified TSA agent, reviewing code to make sure the AI didn’t smuggle something dangerous into production.

The Great Realtime Collaboration Misdirection

the need for realtime editing in applications is greatly exaggerated. Think about how rare it is to:

get two people to be in the same place at the same time
have a task where more than one person makes changes at a time
want other people peering over their shoulder while they work

Permissioned Data Diary 1: To Encrypt or Not to Encrypt

[End-to-end encryption may have become the baseline for messages, but not everything needs that. Nobody expects a large group forum or Patreon-style membership area to deal with secret keys.]

this inherent complexity isn’t something that the protocol team at Bluesky can just handle - it gets pushed out to every dev trying to build a client that works with encrypted data.

Tuesday, February 10, 2026

The Green Room

People who end up in positions of power are often not there because they’re particularly profound, or strong, or even nefarious, but rather because they’re trauma-ridden vessels who offer the least resistance to the inhuman forces of our economic system, and who are therefore, almost evolutionarily, ‘selected’ by it.