
Reminding myself after failure: Having An Opinion is not your task. Your task is small, local, centered on your family. Your task is to live in right relationship, work faithfully, and do what good you can. Use fewer and fewer words, until they become unnecessary.

jabel

19 Nov 2025 at 19:13

Podcast Notes: Feross Aboukhadijeh on The Changelog

I enjoyed listening to Feross Aboukhadijeh, founder and CEO of the security firm Socket, on the Changelog podcast “npm under siege”. The cat-and-mouse nature of security is a kind of infinite source of novel content, like a series of heist movies that never produces the same plot so you can never quite guess what happens next.

I like how succinctly Feross points out the paradox of trying to keep your software safe by upgrading packages on npm:

The faster you upgrade your packages, the safer you are from software vulnerabilities. But then the faster you upgrade, the more vulnerable you are to supply chain attacks.

He points out (and I learned) that pnpm has a feature called minimumReleaseAge that lets you avoid installing anything super new. So you can, for example, specify: “Don’t install anything published in the last 24 hours.”

In other words: let’s slow down a bit. Maybe we don’t need immediacy in everything, including software updates. Maybe a little friction is good.

And if security vulnerabilities are what it took to drive us to this realization, perhaps it’s a blessing in disguise.

(Until the long-running cat-and-mouse game of security brings us a bad actor who decides to exercise a little patience and creates some kind of vulnerability whose only recourse requires immediate upgrades and disabling the minimumReleaseAge flag, lol.)

Later in the podcast Feross is asked whether, if he were the benevolent dictator of npm, he would do things the same. He says “yes”. Why? Because the trade-off of “trust most people to do the right thing and make it easy for them” feels like the better decision over “lock it down and make it harder for everyone”. He’s a self-proclaimed optimist:

There’s so much good created when you just trust people and you hope for the best.

Obviously Feross has an entire business based on the vulnerabilities of npm, so his incentives are such that if he did change things, he might not exist ha. So read that how you will.

But I like his optimistic perspective: try not to let a few bad actors ruin the experience for everyone. Maybe we can keep the levers where they are and try to clean up what remains.



Jim Nielsen's Blog

19 Nov 2025 at 19:00
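As an added illustration of the minimumReleaseAge idea from the post above (this is my own code, not pnpm's implementation and not from the post), here is the selection policy in Python run against constructed, npm-packument-style publish timestamps. The `exclude` allow-list flag is my assumption: it models the emergency case where a fix must be installed immediately without turning the age rule off for every package.

```python
from datetime import datetime, timedelta

# Constructed registry-style metadata: version -> publish time (ISO 8601).
# The shape mirrors the "time" map in an npm packument; the values are made up.
PUBLISH_TIMES = {
    "created": "2025-01-01T00:00:00.000Z",
    "modified": "2025-11-19T15:00:00.000Z",
    "1.4.0": "2025-10-01T12:00:00.000Z",
    "1.4.1": "2025-11-18T09:00:00.000Z",
    "1.5.0": "2025-11-19T15:00:00.000Z",  # published four hours ago: too new
}

def parse_version(v):
    # Only plain x.y.z versions are handled here; prerelease tags are out of scope.
    return tuple(int(p) for p in v.split("."))

def parse_time(s):
    # Registry timestamps end in "Z"; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def select_version(times, now, min_age_hours, exclude=False):
    """Return the newest version published at least min_age_hours before now,
    or None if nothing is old enough. With exclude=True (hypothetical allow-list
    for an urgent security fix) the age rule is skipped for this package."""
    if isinstance(now, str):
        now = parse_time(now)
    cutoff = now - timedelta(hours=min_age_hours)
    candidates = [
        v for v, published in times.items()
        if v not in ("created", "modified")
        and (exclude or parse_time(published) <= cutoff)
    ]
    if not candidates:
        return None
    return max(candidates, key=parse_version)

if __name__ == "__main__":
    now = "2025-11-19T19:00:00Z"
    # "Don't install anything published in the last 24 hours" -> 1.4.1, not 1.5.0
    print(select_version(PUBLISH_TIMES, now, 24))
    # Same package on the allow-list -> newest version wins
    print(select_version(PUBLISH_TIMES, now, 24, exclude=True))
```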

Bluesky is expanding their moderation tools and the granularity of reporting. Sounds like good changes:

Not every violation leads to immediate account suspension - this approach prioritizes user education and gradual enforcement for lower-risk violations. But repeated violations escalate consequences, ensuring patterns of harmful behavior face appropriate accountability.

Manton Reece

19 Nov 2025 at 18:52

Love the covers on these special TikTok editions of a few of Brandon Sanderson's books. Might've ordered a set for gifts. And I'll keep The Emperor's Soul, which I don't have in print. 📚

Manton Reece

19 Nov 2025 at 16:41

After a rocky bit early in the year, I feel that Micro.blog is in a really good place right now. New users are joining and the features are the best they've ever been. So now I'm nervous that something else is about to go wrong. 🤪

Manton Reece

19 Nov 2025 at 15:54

Blinking fuel lights

I recently launched a new theme for Bear. After that, I created scripts for photo galleries and a few other things. Somewhere in between, I also started moving old posts to my new blog.

Shortly after, I hit the brakes.

That happens to me a lot. I want too much, too soon. I love what I’m doing, and that gives me extra energy, which makes me want to do even more.

It’s been like that my whole life.

But there’s one important change these days compared to just a few years ago. I don’t ignore the blinking low-on-fuel light anymore.

These days, I notice it before running on fumes. I catch myself before getting completely stalled. Not always, but most of the time.

Being able to do that doesn’t require any new knowledge. That’s the beauty of it. We’re born with it.

Our body and mind make an impressive and intelligent piece of machinery. They tell us when it’s time to pull over and fuel up.

We just need to pay attention.

Blink, blink, blink...

Robert Birming

19 Nov 2025 at 15:32

See you over at baty.blog for a bit

I’ve become a bit overwhelmed by text after using mostly CLI/TUI tools for the past few weeks. I need a break from looking at tedious walls of text all day, so instead of creating posts here using Markdown, I’m posting to my WordPress blog over at baty.blog for a while [1]. I needed a change of venue. Hope to see you there!

👉 baty.blog

  1. I don’t know what I mean by “a while”, so don’t go too far.


Baty.net posts

19 Nov 2025 at 11:30

Scripting News: Wednesday, November 19, 2025


If Bluesky and Mastodon were "on the web" they would already interop because friends that's what the freaking web does. They behave like closed off silos, and until that changes, they can't claim to be on the web. Don't sell out the web so cheap. It really means something to be on the web.

One of the reasons Mastodon doesn't get credit for being "on the web" is that there's been no buzz about the ActivityPub support in WordPress. Ghost has been beating the drum about their ActivityPub support for (many) months. I don't know if they're actually there yet, I've never knowingly seen something from Ghost on Mastodon. I sent an email to Matt this morning suggesting that we promote the incredible connection between WordPress and Mastodon via ActivityPub. In the early days of the blogosphere we had the same problem, there was no good way to see who was writing, so we started a site called weblogs.com, which ping'd each site that we knew about to see if it had changed, if so it went to the top of a list that was published at weblogs.com. So if you wanted to find out what's new you'd just go there. It got more complicated over time, as the blogosphere grew at a very fast clip. We could do that for WordPress sites on ActivityPub by pointing to their site from a weblogs.com-like site. There's no shame in telling the world about the cool new technology you've made, esp. when it will make life so much more interesting! But it can't do that if they don't know it's there. Let's do some promotion. :-)

The news gets everything wrong about the nouns of our political system. They talk about Repubs and Dems, but the real power is with the people. Something that Heather Cox Richardson said so eloquently in this week's podcast with Nicolle Wallace. I know I recommended it yesterday, but please do listen to this and don't forget it. When you're watching MSNOW you're getting the wrong nouns. I think this problem could be solved by moving every show on MSNOW to a different American city. The people on the panels should come to work in Detroit, St Louis, Phoenix, Denver, Charleston, Cleveland, Seattle, places like that. Get out of NY and DC. Really connect yourself to the whole country. That would rock a lot of boats.

I love the domain for MSNOW. Just before it came out, Jeff Jarvis wondered on all the social networks why it wasn't msnow.com. Well, because they found an even better domain.

Scripting News for email

19 Nov 2025 at 05:00