A Psalm for the Wild-Built by Becky Chambers

Podcast Version

This post is also available as a podcast. Listen here, download for later, or subscribe wherever you consume podcasts.

Book cover: A Psalm for the Wild-Built, by Becky Chambers. The cover art shows a winding trail weaving its way through a forest of diverse plants. At one end, a figure wearing brown and yellow robes sits on the front step of an old fashioned wagon carriage, cupping a hot beverage in both hands. Near the other end of the trail, a humanoid metal robot reaches out a finger to provide a landing spot to a pair of butterflies.

I’d already read every prior book published by the excellent Becky Chambers, but this (and its sequel) had been sitting on my to-read list for some time, and so while I’ve been ill and off work these last few days, I felt it would be a perfect opportunity to pick it up. I’ve spent most of this week so far in bed, often drifting in and out of sleep, and a lightweight novella that I could dip in and out of over the course of a day felt like the ideal comfort.

I couldn’t have been more right, as the very first page gave away. My friend Ash described the experience of reading it (and its sequel) as being “like sitting in a warm bath”, and I see where they’re coming from. True to form, Chambers does a magnificent job of spinning a believable utopia: a world that acts like an idealised future while still being familiar enough for the reader to easily engage with it. The world of Wild-Built is inhabited by humans whose past saw them come together to prevent catastrophic climate change and peacefully move beyond their creation of general-purpose AI, eventually building for themselves a post-scarcity economy based on caring communities living in harmony with their ecosystem.

Writing a story in a utopia has sometimes been seen as challenging, because without anything to strive for, what is there for a protagonist to strive against? But Wild-Built has no such problem. Written throughout with a close personal focus on Sibling Dex, a city monk who decides to uproot their life to travel around the various agrarian lands of their world, a growing philosophical theme emerges: once one’s needs have been met, how does one identify with one’s purpose? Deprived of the struggle to climb some Maslowian pyramid, how does a person freed of their immediate needs (unless they choose to take unnecessary risks: we hear of hikers who die exploring the uncultivated wilderness Dex’s people leave to nature, for example) define their place in the world?

Aside from Dex, the other major character in the book is Mosscap, a robot whom they meet by a chance encounter on the very edge of human civilisation. Nobody has seen a robot for centuries, since such machines became self-aware and, rather than consign them to slavery, the humans set them free (at which point they vanished to go do their own thing).

To take a diversion from the plot, can I just share for a moment a few lines from an early conversation between Dex and Mosscap, in which I think the level of mutual interpersonal respect shown by the characters mirrors the utopia of the author’s construction:

“What—what are you? What is this? Why are you here?”

The robot, again, looked confused. “Do you not know? Do you no longer speak of us?”

“We—I mean, we tell stories about—is robots the right word? Do you call yourself robots or something else?”

“Robot is correct.”

“Okay. Mosscap. I’m Dex. Do you have a gender?”

“No.”

“Me neither.”

These two strangers take the time in their initial introduction to ensure they’re using the right terms for one another: starting with those relating to their… let’s say species… and then working towards pronouns (Dex uses they/them, which seems to be widespread and commonplace but far from universal in their society; Mosscap uses it/its, which provides for an entire discussion on the nature of objectship and objectification in self-identity). It’s queer as anything, and a delightful touch.

In any case: the outward presence of the plot revolves around a question that the robot has been charged to find an answer to: “What do humans need?” The narrative theme of self-defined purpose and desires is both a presenting and a subtextual issue, and it carries through every chapter. The entire book is as much a thought experiment as it is a novel, but it doesn’t diminish in the slightest from the delightful adventure that carries it.

Dex and Mosscap go on to explore the world, to learn more about it and about one another, and crucially about themselves and their place in it. It’s charming and wonderful and uplifting and, I suppose, like a warm bath: comfortable and calming and centering. And it does an excellent job of setting the stage for the second book in the series, which we’ll get to presently…


Getting better!

After most of four days spent primarily in bed with what’s probably a norovirus infection (or something like it), this afternoon I got up and went outside. 🎉

It felt like a huge achievement, even if I ran back into the warmth the very second that the dog I was supervising had finished her business.

A white man stands outside a white house, looking cold. His hands are buried in the pockets of his checked pyjama bottoms, and his upper half is wrapped tightly in a Tumblr-branded grey jumper. Various children’s toys litter the garden around him.


3-day streak

Using WordPress internally at Automattic as a productivity tool is great… until you have to call in sick three days in a row and Jetpack treats your “streak” as an “achievement”! 😅

Two 'Jetpack' notifications on an Android phone, both at 08:07. The first reads: 'Dan Q posted on Marketplace Engineering: AFK for itsdang -26Feb25'. The second reads: 'New achievement: You're on a 3-day streak on Marketplace Engineering!'


For anybody who could use a break

Third day of being ill with what’s probably a winter vomiting bug, with one child home sick from school… and just having had to collect the other kid who started throwing up on his school trip… I finally got back to my bed and picked up the next book on my pile, Becky Chambers’ A Psalm for the Wild-Built.

The opening page reads: “For anybody who could use a break.”

Printed serifed text reading: 'For anybody who could use a break.'

Yes. Yes, please.


Fever dreams

Don’t remember the last time I felt so run-down. I’ve been unwell since Sunday with an illness I can only assume I caught from the 11-year-old, who’s been unable to keep food down for several days.

In my case, though, I’ve mostly been full of muscular aches and cramps, occasionally fits of shivers, and strange dizziness.

I’ve spent the last day and a bit mostly drifting in and out of sleep, where I’ve had the weirdest dreams. I just woke from one where I was lost in a sprawling hotel, looking for my room, which was number 317 or possibly 305, I couldn’t remember. The signage didn’t make sense to me and I couldn’t read it, and I found myself wandering around a sprawling resort, with hot air balloon services connecting different parts. At one point I found myself lost in a library whose winding shelves formed an Escherian maze, and a small child watched me with suspicion as I fumbled around for an exit.

In a disturbing dream from yesterday afternoon, I was lying in a desert of cold sand as the wind gradually piled up more and more sand against me. At first I felt fascinated, thinking I’d learned something about how dunes form, until I discovered that I wasn’t able to move. I gradually sank deeper and deeper underground, in pain except when I lay very still and let it take me, until eventually I started to become the very sand that I was disappearing into. I felt flakes of myself break away and become part of the desert, unable either to resist the change or to reconstruct myself, resigned to my fate.

I’m in less pain so far this morning than yesterday, so I think I’m recovering, but man this has been an unpleasant ride. Whatever I’m infected with: do not recommend, would not contract again, one out of five.

Generative AI use and human agency

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

5. If you use AI, you are the one who is accountable for whatever you produce with it. You have to be certain that whatever you produced was correct. You cannot ask the system itself to do this. You must either already be expert at the task you are doing so you can recognise good output yourself, or you must check through other, different means the validity of any output.

9. Generative AI produces above average human output, but typically not top human output. If you overuse generative AI you may produce more mediocre output than you are capable of.

I was also tempted to include in 9 as a middle sentence “Note that if you are in an elite context, like attending a university, above average for humanity widely could be below average for your context.”

In this excellent post, Joanna says more-succinctly what I was trying to say in my comments on “AI Is Reshaping Software Engineering — But There’s a Catch…” a few days ago. In my case, I was talking very-specifically about AI as a programmer’s assistant, and Joanna’s points 5. and 9. are absolutely spot on.

Point 5 is a reminder that, as I’ve long said, you can’t trust an AI to do anything that you can’t do for yourself. I sometimes use a GenAI-based programming assistant, and I can tell you this – it’s really good for:

  • Fancy autocomplete: I start typing a function name, it guesses which variables I’m going to be passing into the function, or that I’m going to want to loop through the output, or that I’m going to want to return early if the result is false. And it’s usually right. This is smart, and it saves me keypresses and reduces the embarrassment of mis-spelling a variable name1.
  • Quick reference guide: There was a time when I had all of my PHP DateTimeInterface::format character codes memorised. Now I’d have to look them up. Or I can write a comment (which I should anyway, for the next human) that says something like // @returns String a date in the form: Mon 7th January 2023 and when I get to my date(...) statement the AI will already have worked out that the format is 'D jS F Y' for me. I’ll recognise a valid format when I see it, and I’ll be testing it anyway.
  • Boilerplate: Sometimes I have to work in languages that are… unnecessarily verbose. Rather than writing a stack of setters and getters, or laying out a repetitive tree of HTML elements, or writing a series of data manipulations that are all subtly-different from one another in ways that are obvious once they’ve been explained to you… I can just outsource that and then check it2.
  • Common refactoring practices: “Rewrite this JavaScript function so it doesn’t use jQuery any more” is a great example of the kind of request you can throw at an LLM. It’s already ingested, I guess, everything it could find on StackOverflow and Reddit and wherever else people go to bemoan being stuck with jQuery in their legacy codebase. It’s not perfect – just like when it’s boilerplating – and will make stupid mistakes3, but when you’re talking about a big function it can provide a great starting point, so long as you keep the original code alongside, too, to ensure it’s not removing any functionality!

Other things… not so much. The other day I experimentally tried to have a GenAI help me to boilerplate some unit tests and it really failed at it. It determined pretty quickly, as I had, that to test a particular piece of functionality I’d need to mock a function provided by a standard library, but despite nearly a dozen attempts to do so, with copious prompting assistance, it couldn’t come up with a working solution.

Overall, as a result of that experiment, I was less-effective as a developer while working on that unit test than I would have been had I not tried to get AI assistance: once I dived deep into the documentation (and eventually the source code) of the underlying library I was able to come up with a mocking solution that worked, and I can see why the AI failed: it’s quite-possibly never come across anything quite like this particular problem in its training set.

Solving it required a level of creativity and a depth of research that it was simply incapable of, and I’d clearly made a mistake in trying to outsource the problem to it. I was able to work around it because I can solve that problem.

But I know people who’ve used GenAI to program things that they wouldn’t be able to do for themselves, and that scares me. If you don’t understand the code your tool has written, how can you know that it does what you intended? Most developers have a blind spot for testing and will happy-path test their code without noticing if they’ve introduced, say, a security vulnerability owing to their handling of unescaped input or similar… and that’s a problem that gets much, much worse when a “developer” doesn’t even look at the code they deploy.

Security, accessibility, maintainability and performance – among others, I’ve no doubt – are all hard problems that are not made easier when you use an AI to write code that you don’t understand.

Footnotes

1 I’ve 100% had an occasion when I’ve called something $theUserID in one place and then $theUserId in another and not noticed the case difference until I’m debugging and swearing at the computer.

2 I’ve described the experience of using an LLM in this way as being a little like having a very-knowledgeable but very-inexperienced junior developer sat next to me to whom I can pass off the boring tasks, so long as I make sure to check their work because they’re so eager-to-please that they’ll choose to assume they know more than they do if they think it’ll briefly impress you.

3 e.g. switching a selector from $(...) to document.querySelector but then failing to switch the trailing .addClass(...) to .classList.add(...) – you know: like an underexperienced but eager-to-please dev!

OpenStreetMap rocks (especially on foot)

Especially outside of urban centres, and especially if you’re on foot, OpenStreetMap is way better than Google Maps, Bing Maps, Apple Maps, or what-have-you.

Animated GIF comparing maps of the Sutton Lane/Beaumont Green area of Sutton/Stanton Harcourt. Google Maps shows only the streets and building outlines, and the name of only one property, whereas OpenStreetMap also includes public footpaths, gates, bridges, house names, and land use indicators.
The area at the North end of Sutton Lane, near where I live, is mostly just a huge expanse of nothing in Google Maps, but OpenStreetMap shows footpaths, gates, bridges, house names, driveways, and land use indicators.

OpenStreetMap is especially good for walkers, with its more-comprehensive coverage of public footpaths as well as the ability to drill-down for accessibility information: whether a path ends in a gate or a stile matters a lot if you can’t climb the latter (or you’re walking with a small-but-muddy dog who’ll need lifting over).

Sure, you don’t get (as much) street view photography. But how often do you use that, anyway?1

Animated GIF comparing maps of Halifax Way (the Hayfield Green estate) in Stanton Harcourt. Google Maps shows streets only, some of them not even named (and one of them obstructed by a nonexistent building). OpenStreetMap includes house numbers, footpaths, and even the locations of play equipment and benches.
Of course, some of the places near me at which OpenStreetMap especially excels are… because of me! A little amateur cartography can go a long way.

I’ve heard it argued that OpenStreetMap, with its Wikipedia-like “anybody can edit it” model, cannot be relied upon. And sure, if you’re looking for an “official” level of accuracy and the alternative is an Ordnance Survey map, then that’s what you should go for.

But there’s nothing specific to, say, Google Maps that makes it fundamentally more “accurate” for most2 geographic features than OpenStreetMap. The vast majority of cartographic data on Google Maps is produced by humans, looking at satellite photos, and then tracing the features on them, probably with AI assistance. And the vast majority of cartographic data on OpenStreetMap is produced… exactly the same way, although without the AI “helping”.

Google Maps has mistakes, just like every map3. And it’s got trap streets, like most commercially-produced maps (including the Ordnance Survey). Google Maps’ mistakes tend to be made by somebody on the other side of the world from the feature, doing a bad job of tracing what they think might be a road… while OpenStreetMap’s mistakes are for the most part omissions in areas that are under-explored by local contributors. And there are plenty of areas – like those near where I live, especially if you’re on foot – where the latter mistakes are much less-troublesome.

Animated GIF comparing maps of Main Road and The Green in Stanton Harcourt. Google Maps shows streets and building outlines, and the general location of the primary school (although not all of its buildings). OpenStreetMap includes all the same detail but also shows the location of the village green, several footpaths, benches, house names, and car parking areas.
If you’re looking to make a delivery to my village, where most buildings are named rather than numbered, postcode areas are broad, and it’s not always clear where it’ll be safe to park… you’d do a lot better to use OpenStreetMap than any other digital map.

I fixed a couple of omissions on OpenStreetMap just earlier today. While I was out walking the dog, earlier, I added the names of two houses whose identities weren’t specifically marked on the map, and I added detail to the newly-constructed Deansfield estate. Google Maps shows there being only two houses on Deansfield Estate, among other inaccuracies, even though they’ve got up-to-date aerial and street photography.

Google Maps is fine if you want to drive to Sheffield, you need public transport connections to Plymouth4, or you’re looking for a restaurant nearby and you want the data about them to be accurate. But next time you’re walking somewhere, or when you’re looking for a specific address… I’d suggest you give OpenStreetMap a go. You might be pleasantly surprised.

Footnotes

1 I say that as somebody who uses street view and satellite photography a more than average amount, for geohashing purposes. But I can switch mapping software on-the-fly; nobody’s stopping me looking at “ostrich” photos when I need them.

2 The place that Google Maps really beats OpenStreetMap, in my mind, is in the integration of its business directory. If you search for a business in Google Maps, you’ll probably find it and get reasonably-accurate opening hours and contact details. But that’s a factor of two things: the Google My Business directory, and – more importantly – the popularity of the application and the fact that the mobile app “nudges” people to check on the places around them. By the way: if you want to contribute to making maps better in that way without becoming an unpaid researcher working to line Google’s pockets, StreetComplete is an app that helps fill-out business and related information on OpenStreetMap!

3 Google Maps used to show Vauxhall tube station on entirely the wrong side of the River Thames, for example.

4 Public transport’s another thing Google Maps does very well.


Dan Q wrote note for GC9EXX4 Friar’s Farm – Bisected Byway

This checkin to GC9EXX4 Friar's Farm - Bisected Byway reflects a geocaching.com log entry. See more of Dan's cache logs.

Checked up on this cache while the dog and I were nearby. It’s in fine condition and ready to find. The latch for the container is beginning to rust, but the whole thing is perfectly serviceable. Go find it!

A French Bulldog at the end of a red lead, near a kissing gate in a hedgerow.
The dog helped check up on the cache.

AI Is Reshaping Software Engineering — But There’s a Catch…

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

I don’t believe AI will replace software developers, but it will exponentially boost their productivity. The more I talk to developers, the more I hear the same thing—they’re now accomplishing in half the time what used to take them days.

But there’s a risk… Less experienced developers often take shortcuts, relying on AI to fix bugs, write code, and even test it—without fully understanding what’s happening under the hood. And the less you understand your code, the harder it becomes to debug, operate, and maintain in the long run.

So while AI is a game-changer for developers, junior engineers must ensure they actually develop the foundational skills—otherwise, they’ll struggle when AI can’t do all the heavy lifting.

Comic comparing 'Devs Then' to 'Devs Now'. The 'Devs Then' are illustrated as muscular men, with captions 'Writes code without AI or Stack Overflow', 'Builds entire games in Assembly', 'Crafts mission-critical code fo [sic] Moon landing', and 'Fixes memory leaks by tweaking pointers'. The 'Devs Now' are illustrated with badly-drawn, somewhat-stupid-looking faces and captioned 'Googles how to center a div in 2025?', 'ChatGPT please fix my syntax error', 'Cannot exit vim', and 'Fixes one bug, creates three new ones'.

Eduardo picks up on something I’ve been concerned about too: that the productivity boost afforded to junior developers by AI does not provide them with the necessary experience to be able to continue to advance their skills. GenAI for developers can be a dead end, from a personal development perspective.

That’s a phenomenon not unique to AI, mind. The drive to have more developers be more productive on day one has for many years led to an increase in developers who are hyper-focused on a very specific, narrow technology, to the exclusion even of the fundamentals that underpin it.

When somebody learns how to be a “React developer” without understanding enough about HTTP to explain which bits of data exist on the server-side and which are delivered to the client, for example, they’re at risk of introducing security problems. We see this kind of thing a lot!

There’s absolutely nothing wrong with not-knowing-everything, of course (in fact, knowing where the gaps around the edges of your knowledge are and being willing to work to fill them in, over time, is admirable, and everybody should be doing it!). But until they learn, a developer that lacks a comprehension of the fundamentals on which they depend needs to be supported by a team that “fill the gaps” in their knowledge.

AI muddies the water because it appears to fulfil the role of that supportive team. But in reality it’s just regurgitating code synthesised from the fragments it’s read in the past without critically thinking about it. That’s fine if it’s suggesting code that the developer understands, because it’s like… “fancy autocomplete”, which you can accept or reject based on your own understanding of the domain. I use AI in exactly this way many times a week. But when people try to use AI to fill the “gaps” at the edge of their knowledge, they neither learn from it nor do they write good code.

I’ve long argued that as an industry, we lack a pedagogical base: we don’t know how to teach people to do what we do (this is evidenced by the relatively high drop-out rate on computer science courses, the popular opinion that one requires a particular way of thinking to be a programmer, and the fact that sometimes people who fail to learn programming through one paradigm are suddenly able to do so when presented with a different one). I suspect that AI will make this problem worse, not better.


Goodbye, Slippers

Yesterday, owing to some plot, the dog didn’t get as much outside/walk/play time as she’d like.

Today, she let me know how she felt about that by shredding my slippers. 🙄

A partially-shredded slipper is held in a hand, in front of a French Bulldog, on the wooden floors of the hallway of a house.


Wavey Dan

I was experimenting with VP8/VP9 WebM video transparency and I made a stupid thing: a URL that, if you go to it, means you’ll be followed around my blog by a video of me just hanging out in the corner of the page – https://danq.me/?fool_id=06

I’ve added it to my list of “stupid/random things that can happen if you visit my blog on April Fools’ Day”: https://danq.me/fools/

Screenshot of DanQ.me, with a transparent video overlay of Dan in the bottom right corner, waving.


The Blind Piemaker

Ruth bought me a copy of The Adventure Challenge: Couples Edition, which is… well, it’s basically a book of 50 curious and unusual ideas for date activities. This week, for the first time, we gave it a go.

Open book showing a scratch-off panel, whose contents read: Find your favorite pie recipe and gather the ingredients. Blindfold your partner. Now, guide them through the process of making a pie. No instructive sentences are allowed, you can only guide them with your hands. (Don't say "pick this up" or "drop that", find a different way to communicate - only through touch). You can only touch your blindfolded partner's hands or body - NOTHING ELSE (ingredients, utensils, dishes, etc). IMPORTANT: this challenge works best when you follow these instructions as strictly as possible.
Each activity is hidden behind a scratch-off panel, and you’re instructed not to scratch them off until you’re committed to following-through with whatever’s on the other side. Only the title and a few hints around it provide a clue as to what you’ll actually be doing on your date.

As a result, we spent this date night… baking a pie!

The book is written by Americans, but that wasn’t going to stop us from making a savoury pie. Of course, “bake a pie” isn’t much of a challenge by itself, which is why the book stipulates that:

  • One partner makes the pie, but is blindfolded. They can’t see what they’re doing.
  • The other partner guides them through doing so, but without giving verbal instructions (this is an exercise in touch, control, and nonverbal communication).
Dan, wearing a black t-shirt, smiles as he takes a selfie. Alongside him Ruth, wearing a purple jumper, adjusts a grey blindfold to cover her eyes.
I was surprised when Ruth offered to be the blindfoldee: I’d figured that with her greater experience of pie-making and my greater experience of doing-what-I’m-told, that’d be the smarter way around.

We used this recipe for “mini creamy mushroom pies”. We chose to interpret the brief as permitting pre-prep to be done in accordance with the ingredients list: e.g. because the ingredients list says “1 egg, beaten”, we were allowed to break and beat the egg first, before blindfolding up.

This was a smart choice (breaking an egg while blindfolded, even under close direction, would probably have been especially stress-inducing!).

Dan takes a selfie showing himself, smiling, and Ruth, wearing a blindfold and balling up pastry on a wooden worksurface.
I’d do it again but the other way around, honestly, just to experience both sides! #JustSwitchThings

I really enjoyed this experience. It forced us into doing something different on date night (we have developed a bit of a pattern, as folks are wont to do), stretched our comfort zones, and left us with tasty tasty pies to eat afterwards. That’s a win-win-win, in my book.

Plus, communication is sexy, and so anything that makes you practice your coupley-communication-skills is fundamentally hot and therefore a great date night activity.

Plate containing four beautifully-browned but slightly lopsided pies, held in a woman's hands.
Our pies may have been wonky-looking, but they were also delicious.

So yeah: we’ll probably be trying some of the other ideas in the book, when the time comes.

Some of the categories are pretty curious, and I’m already wondering what other couples we know that’d be brave enough to join us for the “double date” chapter: four challenges for which you need a second dyad to hang out with? (I’m, like… 90% sure it’s not going to be swinging. So if we know you and you’d like to volunteer yourselves, go ahead!)


Reply to Vika, re: Content-Security-Policy

This is a reply to a post published elsewhere. Its content might be duplicated as a traditional comment at the original source.

Vika said:

Had a fight with the Content-Security-Policy header today. Turns out, I won, but not without sacrifices.
Apparently I can’t just insert <style> tags into my posts anymore, because otherwise I’d have to somehow either put nonces on them, or hash their content (which would be more preferable, because that way it remains static).

I could probably do the latter by rewriting HTML at publish-time, but I’d need to hook into my Markdown parser and process HTML for that, and, well, that’s really complicated, isn’t it? (It probably is no harder than searching for Webmention links, and I’m overthinking it.)

I’ve had this exact same battle.

Obviously the intended way to use nonces in a Content-Security-Policy is to have the nonce generated, injected, and served in a single operation. So in PHP, perhaps, you might do something like this:

<?php
  $nonce = bin2hex(random_bytes(16));
  header("Content-Security-Policy: script-src 'nonce-$nonce'");
?>
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>PHP CSP Nonce Test</title>
</head>
<body>
  <h1>PHP CSP Nonce Test</h1>
  <p>
    JavaScript did not run.
  </p>

  <!-- This JS has a valid nonce: -->
  <script nonce="<?php echo $nonce; ?>">
    document.querySelector('p').textContent = 'JavaScript ran successfully.';
  </script>

  <!-- This JS does not: -->
  <script nonce="wrong-nonce">
    alert('The bad guys won!');
  </script>
</body>
</html>

Viewing this page in a browser (with JavaScript enabled) should show the text “JavaScript ran successfully.”, but should not show an alert box containing the text “The bad guys won!”.

But for folks like me – and you too, Vika, from the sounds of things – who serve most of their pages, most of the time, from the cache or from static HTML files… and who add the CSP header using webserver configuration… this approach just doesn’t work.

I experimented with a few solutions:

  • A long-lived nonce that rotates.
    CSP allows you to specify multiple nonces, so I considered having a rotating nonce that was applied to pages (which were then cached for a period) and delivered by the header… and then a few hours later a new nonce would be generated and used for future page generations and appended to the header… and after the cache expiry time the oldest nonces were rotated-out of the header and became invalid.
  • Dynamic nonce injection.
    I experimented with having the webserver parse pages and add nonces: randomly generating a nonce, putting it in the header, and then basically doing a s/<script/<script nonce="..."/ to search-and-replace it in.

Both of these are terrible solutions. The first one leaves a window of, in my case, about 24 hours during which a successfully-injected script can be executed. The second one effectively allowlists all scripts, regardless of their provenance. I realised that what I was doing was security theatre: seeking to boost my A-rating to an A+-rating on SecurityHeaders.com without actually improving security at all.

But the second approach gave me an idea. I could have a server-side secret that gets search-replaced out. E.g. if I “signed” all of my legitimate scripts with something like <script nonce="dans-secret-key-goes-here" ...> then I could replace s/dans-secret-key-goes-here/actual-nonce-goes-here/ and thus have the best of both worlds: static, cacheable pages, and actual untamperable nonces. So long as I took care to ensure that the pages were never delivered to anybody with the secret key still intact, I’d be sorted!
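As an added illustration (not Vika’s or Dan’s code), here is the server-side-secret idea from the paragraph above sketched in Python, side by side with the blind s/<script/<script nonce="..."/ rewrite from the experiments, so both can be run against the same cached page and compared on which script tags a CSP-enforcing browser would execute. The placeholder string, the sample page and the `scripts_permitted` check are constructed for the example.

```python
import re
import secrets

# Server-side secret baked into pages at publish time (a constructed stand-in
# for the post's "dans-secret-key-goes-here"). It must never reach a browser.
PLACEHOLDER = "dans-secret-key-goes-here"

# Constructed sample of a cached, static page: one legitimate script "signed"
# with the placeholder, and one unsigned script standing in for markup that
# reached the page without going through the publishing pipeline.
CACHED_PAGE = f"""<!DOCTYPE html>
<html lang="en"><body>
<p>JavaScript did not run.</p>
<script nonce="{PLACEHOLDER}">
  document.querySelector('p').textContent = 'JavaScript ran successfully.';
</script>
<script>/* unsigned: did not come from the publishing pipeline */</script>
</body></html>
"""


def new_nonce():
    """Fresh per-response nonce; equivalent to PHP's bin2hex(random_bytes(16))."""
    return secrets.token_hex(16)


def serve_blind_injection(page, nonce=None):
    """The post's second experiment: s/<script/<script nonce="..."/ on every tag.
    Existing nonce attributes are stripped first so the substitution is clean."""
    nonce = nonce or new_nonce()
    stripped = re.sub(r'\s+nonce="[^"]*"', "", page)
    body = stripped.replace("<script", f'<script nonce="{nonce}"')
    headers = {"Content-Security-Policy": f"script-src 'nonce-{nonce}'"}
    return headers, body


def serve_secret_replacement(page, nonce=None):
    """The approach the post settles on: swap the secret placeholder for a fresh
    nonce per response, and refuse to serve if the secret would otherwise leak."""
    nonce = nonce or new_nonce()
    body = page.replace(f'nonce="{PLACEHOLDER}"', f'nonce="{nonce}"')
    if PLACEHOLDER in body:
        # The post's own caveat: a page with the secret intact must never go out.
        raise RuntimeError("placeholder survived rewriting; refusing to serve")
    headers = {"Content-Security-Policy": f"script-src 'nonce-{nonce}'"}
    return headers, body


def scripts_permitted(headers, body):
    """Return (total script tags, tags a CSP-enforcing browser would execute).
    A tag runs only if its nonce attribute equals the nonce in the header."""
    match = re.search(r"'nonce-([0-9a-f]+)'", headers["Content-Security-Policy"])
    allowed = match.group(1) if match else None
    total = permitted = 0
    for attrs in re.findall(r"<script\b([^>]*)>", body):
        total += 1
        tag_nonce = re.search(r'\bnonce="([^"]*)"', attrs)
        if tag_nonce and tag_nonce.group(1) == allowed:
            permitted += 1
    return total, permitted


def compare_approaches(page=CACHED_PAGE):
    """Serve the same cached page both ways and report what would run."""
    return {
        "blind_injection": scripts_permitted(*serve_blind_injection(page)),
        "secret_replacement": scripts_permitted(*serve_secret_replacement(page)),
    }


if __name__ == "__main__":
    for approach, (total, permitted) in compare_approaches().items():
        print(f"{approach}: {permitted} of {total} script tags would execute")
```

The blind rewrite grants every script tag a valid nonce, which is the allowlist-everything problem described above; the placeholder rewrite only ever grants one to scripts that were signed at publish time.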

Alternatively, I was looking into whether Caddy can do something like mod_asis does for Apache: that is, serve a file “as is”, with headers included in the file. That way, I could have the CSP header generated with the page and then saved into the cache, so it’s delivered with the same nonce every time… until the page changes. I’d love more webservers to have an “as is” mode, but I appreciate that might be a big ask (Apache’s mechanism, I suspect, exploits the fact that HTTP/1.0 and HTTP/1.1 literally send headers, followed by two CRLFs, then content… but that’s not what happens in HTTP/2+).

So yeah, I’ll probably do a server-side-secret approach, down the line. Maybe that’ll work for you, too.

Reply to Blogging for traffic not design

This is a reply to a post published elsewhere. Its content might be duplicated as a traditional comment at the original source.

Andy Hawthorne said:

When you’re writing online, being unique doesn’t matter nearly as much as being found.

I’m not sure I could disagree more. But I’ve jumped in half way through his post. Let’s backtrack a bit.

Andy begins:

A blogger showed me his website the other day.

But no one was reading it.

Firstly: let’s just observe that you were shown a website… and now you’re talking about it… but you haven’t linked to it? You’re complaining about its lack of discoverability, while simultaneously being part of the problem.

Hyperlinks remain, as they have been since the mid-to-late 1990s, a primary mechanism in helping search engines’ spiders to discover new sites, and nowadays they’re doubly-important because they help establish legitimacy.

When you search for, say, “history of web search” and this Wikipedia article is at the top, a significant reason for that is that people link to that page when talking about the history of web search! A secondary reason is that lots of people link to Wikipedia in general.

DuckDuckGo search for 'history of web search', showing 'Timeline of web search engines - Wikipedia' as the top result.
Your mileage may vary depending on your preferred search engine and other factors.

Berating somebody for an unindexed site… but not linking to that site… feels awfully-close to victim-blaming!

(Especially recently, as still-dominant search engine Google continues to make it harder and harder for “new” sites to get onto the ladder.)

When I asked him why he didn’t just use WordPress or Bear Blog, he looked offended.

“Those are so basic. Everyone uses those. I wanted something unique.”

I’m not sure I understand the logic of the person whose argument against e.g. WordPress is that it’s not “unique”. There are lots of great reasons that you might use WordPress. There are lots of great reasons that you might not. The right choice of CMS should be based on a variety of factors.

It’s possible that the person being referred to meant “customisable”. They’d still be wrong (in the case of WordPress, at least: Bear Blog offers significantly fewer customisation options, which is fine if the other features are what you’re looking for), but anyway: the short of it is that I briefly agreed, here, until:

WordPress powers about 43% of all websites. That means search engines know exactly how to read WordPress sites.

They know where to look for the content, the metadata, the tags.

Let’s correct the points here:

  • Search engines know exactly how to read HTML. WordPress outputs HTML. (If you’re outputting HTML, your site can be indexed. Hell, even that isn’t a firm requirement: my plaintext-only blog shows up in search engines!)
  • Web standards dictate how content, metadata, and tags should be laid out. A search engine’s spider doesn’t look at your site and go “hey, it’s WordPress, so I need to look for this”. Instead, it’ll generally look for content and metadata based on established standards. Titles, headings, <meta> tags, semantic elements: these are the things a search engine looks for.
  • Sure, WordPress gets those things right. But they’re not hard to get right. You shouldn’t use WordPress (or Bear, or anything else) based just on the fact that it exposes metadata correctly. Any site can do this. And because what’s eventually exposed to the search engine – and to the user – is HTML code… which is independent of the CMS that generated it… it doesn’t have to matter what the underlying CMS is.

Then there’s some more confusion:

Here’s what matters: WordPress and other major platforms have spent years optimising for search engines and social sharing.

They’ve spent millions making sure posts load fast.

This sounds like it’s conflating WordPress (the open-source CMS) with one or more of several WordPress hosting providers (probably WordPress.com). That’s a common mistake, but it is a mistake.

WordPress can do terrible SEO. WordPress can be really slow. Trust me: in a previous life I’ve made a part of my living out of fixing and improving people’s WordPress-powered websites! A large part of this comes from WordPress’s flexibility: the theme you choose, for example, can completely change the functionality of your site. Inspired by my plain text blog, Terence Eden made a WordPress theme that does the same thing! That WordPress theme completely upends the way that most people would use WordPress, but it’s still fundamentally WordPress, even though it exposes to search engines no HTML code, no metadata, and no tags.

WordPress can also do great SEO, and it can be really fast. A properly-configured WordPress site can be a well-oiled machine. But if you conflate WordPress itself with its output, you’re arguing against a straw man.

Don’t get me wrong: I love WordPress! But I dislike people making the false claim that if you’re not using it (or another popular blogging tool), you’re destined to fail at SEO. There’s nothing “magical” about WordPress. It just takes content and renders HTML, in the end!

But all of this is moot, perhaps, when we get back to that first point:

When you’re writing online, being unique doesn’t matter nearly as much as being found.

This entire statement presupposes the purpose of “writing online”.

It’s 100% okay to write for yourself, first and foremost. It’s also okay to write for a small target audience, like for your friends or family. It’s okay to write content that isn’t exposed to search engines (consider all of the wonderful content that my fellow RSS Club members put out, sometimes!). It’s okay to write just for the joy of making things.

A website doesn’t have to be “professional”, as Andy’s post goes on to imply. A website doesn’t have to be anything in particular. A website can just… be. And that’s enough.


Get Ready with Me: Techfluencer Edition

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

WordPress.com (via YouTube)

WTF did I just watch?

It’s possible I don’t understand social media any more. To be fair, it’s possible that I never did.

This is something between absurd and hilarious. Aside from the 100 year plan (which is fascinating, and I keep meaning to share my thoughts on), I’m not sure what it’s supposed to be advertising. Maybe it’s trying to showcase how cool it is to work with Automattic? (It’s not… exactly like it’s depicted in the video. But I’d be lying if I said that fewer than 50% of my meetings this week have included a discussion on snack foods, so maybe we are I guess at least a little eccentric.)

I think I understand what it’s parodying. And that’s fun. But… wow. You don’t see many videos like this attached to a corporate YouTube account, do you? Kudos for keeping the Internet fun and weird, WordPress.com.