Latest Posts (20 found)
David Bushell 1 weeks ago

Google just spat in my face

It’s Google I/O week and this year’s theme is performative slop. Budding Googlers battle it out on stage vying for executive eyeballs. The prize? Exemption from the next culling. As you might know AI isn’t my cup of tea and my AI policy explains why. AI peddlers like Google have made one thing abundantly clear: their product will take your skills. It will take your profession. It will dehumanise you and you’ll pay for it.

I figured Google’s Prompt API would be the most offensive attack on an open web I’d witness this month. Nope! Google’s new microsite has sent me apoplectic.

Modern Web Guidance is a set of evergreen and expert-vetted skills that guide your AI coding agents across many common use cases to build modern web experiences that are accessible, performant, and secure.
Build with Modern Web Guidance

At first glance this is nothing more than an advertisement for the AI industrial complex. I made the mistake of engaging my brain for a closer look. Brain engagement is discouraged so I only have myself to blame for the ensuing rage. Google spits in the face of professional web development. Where do I even start?

The repeated use of “modern web” implies that current development practices are out of date. Throw away all established knowledge because Google has changed the game.

The entire chat-box-driven-development craze has been a long series of “you’re prompting it wrong” arguments. Are we to understand that Google’s new magic incantations have settled the debate once and for all?

Which experts? Google, I assume. You are no longer an expert. You are token consumer number six. Expertise is not a privilege extended to consumers.

Forgive my ignorance but I struggle to understand how AI addicts define “skills”. From what I can understand these “skills” are text prompts? “Skills” used to refer to the trained abilities required to do a professional job. I’m no prescriptivist but this is slopaganda.

Google’s idea of “modern web” is a deskilling effort that should deeply offend developers to their core. It should also offend the AI apologists. Google thinks you’re too stupid to articulate your prayers coherently so just copy-paste the ten commandments. Defer to the almighty bullshitter in the cloud! What do you think a fair wage is for a professional developer who has less agency than Butter Bot?

They’ll say this “democratises” web development alongside all and every profession in which AI has been violently forced. And what is the end goal? To deskill you so far down the ladder you’ll be forced into token servitude. To make a handful of billionaires even richer. Prompt boxes are not “just a tool” they are the end of your career.

Implement a starter Content Security Policy (CSP) without breaking my app.

Don’t break it bro! Pinky promise?

Thanks for reading! Follow me on Mastodon and Bluesky. Subscribe to my Blog and Notes or Combined feeds.

David Bushell 1 weeks ago

Web whetstones

How do you stay sharp as a web developer and/or designer? I’ll share my advice below. I’m also looking for front-end folk to advise me too. What are your whetstones? That is to say: sources of news and knowledge to level up professionally. Does that metaphor work? We’re sharpening our minds, and I suppose the web too with our minds… are minds the whetstone here? Moving swiftly on, in rough order of preference:

People love to declare “RSS is dead” because they’ve chosen the likes of Google to gate-keep their web access. Interesting choice, but RSS remains alive and well. When I discover a new blog and like what I read, I’ll subscribe. There’s a good chance that person will write something useful again one day! Funny how that works. I don’t flood my reader with big sites that exist to generate content. I collect personal blogs that may only post once a year. That’s still plenty of unique insights as the list grows. I won’t share my list because I feel for RSS to work you have to curate it yourself.

Shop Talk Show has been number one forever. Syntax remains a decent source if you’re deft with the fast-forward button (it’s a little ‘sloppy’ these days.) Igalia Chats is packed with wisdom. For a Better Web is Bruce Lawson in your ears. Wonders of Web Weaving from James is new and hopefully a regular listen. I’ve unsubscribed from too many podcasts that pivoted to AI servitude which is disheartening. I’m not averse to such discussion but the level of mindless platitudes and gigglefests about what their wacky chat boxes said ain’t my cup of tea.

Mastodon and Bluesky are where I follow folk in the web industry. Socials can be a great whetstone if you manage your follow list carefully. Everyone uses these platforms for different reasons which can be difficult to balance. Personally I stick to shop talk and mute politics for example. I follow individuals and rarely organisations to avoid “brand engagement”.

Email newsletters are useful to catch stuff I’ve missed. Many exist in RSS form too. My favourites are typically link dumps with a side of commentary. Current favourites:

Frontend Focus
Design Systems News

Sidebar still has the odd gem if I care to sift through the “AI” links. Newsletters are a declining category for me. Perhaps because I keep getting unsubscribed by those with failed tracking pixels. Email costs money to send so I’ll accept my loss.

Lobste.rs, Hacker News, Reddit (e.g. web dev, experienced devs, frontend etc). Does dev.to have any humans left? These forums are a good source of links — if you can filter the bot spam and avoid the cesspit of comments. Toxicity spreads and it’s all too easy to get dragged in. Sometimes you just have to let people be wrong on the internet.

I’ve heard these still happen! I only leave my house now to scavenge for essentials so I don’t have much to say. Clearleft events are guaranteed value if you’re in the UK. Some conferences have online tickets but I find the in-person socialising to be the main benefit.

Everything listed above is (or has) a website. I’m poor at organising and utilising bookmarks. I’ll manually visit bigger blogs like CSS-Tricks and Smashing Magazine once a month to see if anything interests me. I bookmark a handful of YouTube channels like Kevin Powell because I have no Google account to “smash that subscribe button”. YouTube isn’t my thing though. I have an allergic reaction to algorithm driven content.

I don’t use Discord but I hear it get promoted often. Are these communities lively or are they a ghost town? That’s my problem with Discord. It’s a blackhole for information; antithetical to an open web! Am I missing out? Not sure I care.

For no particular reason I’ll end with this quote from Seth Rogen.

“I don’t understand what it’s supposed to do. Every time I see a video on Instagram that’s like, ‘Hollywood is cooked,’ what follows is, like, the most stupid dog shit I’ve ever seen in my life,” he said. “And if your instinct is to use AI and not go through that process, you shouldn’t be a writer, because then you’re not writing.”
Seth Rogen Says If “Your Instinct Is to Use AI” to Write Scripts, “You Shouldn’t Be a Writer” - The Hollywood Reporter

P.S. no more blog posts until June. I’m due a holiday!

David Bushell 2 weeks ago

Surveys will continue until diversity improves

The web and tech industry is a veritable sausage party. We don’t need surveys to prove it but we have surveys to prove it. State of surveys have been running for a decade now. Let’s look at the 2025 survey demographics:

Yes I think “sausage party” is accurate. Weißwurstfest even. And yes cock jokes are part of the problem.

When I worked in London in the early 2010s every tech meet-up was plaid shirts and IPA frosted moustaches. Larger tech conferences were better. They had a few women attending and occasionally allowed to speak and a better variety of beers. I worked and mingled with a good bunch of lads. Even good lads make cock jokes after a craft beer. Just a joke, innit? When you read accounts like Ana Rodrigues’ it’s easy to think “not my lads” but then you remember the boisterous punchlines, and that one guy… but he was more of a tagalong.

Some of us grow up but the industry doesn’t. These days I work remotely and don’t get out much but I get the impression little has changed. Certainly the online bro-culture amplifies the worst traits. Now we have LLMs built by and trained on that culture. Ain’t that wonderful.

The State of surveys continue to report alarming numbers. Are they a fair representation of the industry? Do they help or hinder diversity? Miriam Suzanne raised the concern in 2024.

These correlations don’t tell us much without knowing how representative the data is. I’m just not sure what I’m looking at, or how it should be read. But it concerns me that browsers use surveys like this as a primary gauge of developer interest – seemingly without asking who’s represented, or who might be missing from the data.
What do survey demographics tell us? - Miriam Suzanne

As Miriam noted the State of surveys do influence browser vendors.

The focus areas for 2026 include several areas identified as top interop issues in the State of HTML and State of CSS surveys.
Interop 2026: Continuing to improve the web for developers - Rachel Andrew

Yet survey after survey after survey the demographics remain the same. Maybe the web industry is actually dominated by white guys (and now their new chat box companions). Oh and 60–70% of those surveyed report “None” under “Disability Status” so there’s that too.

This is all kind of a big problem, obviously. Other humans need to use the web. Their voices need to influence the web platform. Maybe if we actually listened we could support more diverse needs and spend less time fast-tracking bro-tech.

So yeah I mock the State of surveys because what are we doing here? Why are we looking at these numbers and concluding: “Wow! I can’t believe Axios is still popular in [current year]!” Lack of diversity is the only relevant takeaway that means anything. I don’t know if these surveys are part of the problem. I know they’re not the solution. But who knows, if we keep asking six times a year maybe diversity will improve?

David Bushell 3 weeks ago

Unscrewing lightbulbs

Giving lightbulbs a MAC address was a mistake that I’m living with. I’m literally unscrewing lightbulbs to renew their DHCP lease
@dbushell.com - Bluesky

Instead of enjoying the bank holiday Monday I updated my homelab software. I was ‘inspired’ by the Copy Fail Linux bug to run full distro upgrades. This is my self-hosted update for Spring 2026 (rough documentation to give future me a chance).

Monday’s fun risked a week of pain. I do have backups but restoring them on a broken LAN is tricky. I have an ISP provided wifi router to dust off in an emergency. Along with an absurdly long 15 metre HDMI cable I do not care to unravel. My winter update added a hardware fallback but that too requires careful rejigging.

I have Proxmox hosts, virtual machines, and Raspberry DietPis. They were all on Debian 12 (Bookworm) with a kernel potentially susceptible to the bug. Minimal Debian installs are perfect because I run everything in Docker anyway. Data volumes are easy to back up or network mount. I can change host at will for any service. Debian is just sensible, well documented no-fuss Linux.

I used to run “minimal” Ubuntu server. Following 24.04 I found myself debloating most of the Ubuntu part (i.e. snaps). It sounds like the new coreutils are a CVE party. Glad I escaped before that drama! As it happens, this week’s Linux Unplugged episode had Canonical’s VP of Engineering spewing embarrassing AI platitudes. “Ubuntu is not for you” was the only thing said worth remembering.

I updated most of my VMs first because they’re easy to restore if anything fails. I followed Lubos Rendek’s guide. Start with a full package update and then change the package sources before running another step-by-step upgrade. The only non-Debian sources I have are Docker and Tailscale. Yes that means I run Docker inside Proxmox VMs — and you can’t stop me! That’s not even my worst crime…

After the Trixie upgrade I found VMs were failing to obtain a LAN IP address. The virtual network device had been renamed from to . I edited and just changed the reference. There is surely a better/more predictable fix but this was the quickest. The same name was used across all VMs so I guess 18 is the magic number. Everything has been stable so far. If issues arise I’ll just nuke and pave from a Debian 13 ISO. Docker config and volumes are backed up independently of the VM images.

DietPi has a long Trixie upgrade post I didn’t read. I just curled to bash:

I gave the script a cursory glance before hitting enter. I have a Pi 4 running failover DNS and a Pi 5 running my public Forgejo instance. DietPi is ideal because of the tiny footprint; I run Docker here too. Raspberry Pi still hasn’t merged upstream Copy Fail fixes. I’m already in trouble if this bug can be exploited but I did the temporary fix out of caution.

I wasn’t going to bother with Proxmox 9 but after a GUI update I was informed version 8 “end of life” was August 2026. That is soon! I followed the official upgrade guide on my Mini-ITX server. Proxmox has a tool to check compatibility. I saw no red lights so I stopped all VMs, updated package sources to Trixie, and ran the upgrade. It is critical to run again before rebooting. I ran into the systemd-boot issue. Apparently if this is not removed the system fails to boot. If my particular box fails to boot I’m in big trouble because I broke video output and have yet to fix it.

I have another Proxmox machine running virtualised OPNsense for my home router. I can’t stop the OPNsense VM and upgrade the host to Proxmox 9 because the host would have no network access. I had two options:

1. Use my failover VM
2. YOLO it live

I specifically set up option 1 for such a purpose. I went with option 2. I figured any software running in memory is still alive until I reboot, right? I didn’t question whether Proxmox would kill any processes itself (it didn’t). The update was suspiciously fast. I ran again and saw a lot of yellow warnings. Yikes. Eventually I noticed I’d failed to update some sources to Trixie and I’d installed a franken-distro. After fixing mistakes all I could do was reboot and pray for an agonising two minutes.

OPNsense is the only non-Debian operating system in my homelab. I manage it entirely via the web GUI. The 26.1 update had quite a few significant changes. My DHCP setup was considered “legacy” and my firewall rules required a manual migration.

Despite dumbening my smart home my lightbulbs still demand a WiFi connection. I program them myself to avoid Home Assistant and proprietary apps. Turns out I hard-coded IP addresses (discovery protocols are a joke.) Despite having dynamic IPs they remained stable until the OPNsense 26.1 DHCP update. I had no easy way to identify each light. Why would they name themselves anything useful? That’s how I ended up unscrewing the bulbs one by one to see which MAC address fell off the network. I gave them static IPs on a VLAN for future me to appreciate.

And with that, my home network is up to date!

David Bushell 1 months ago

GitHub is sinking

TL;DR: GitHub used to be cool and now it’s a lame slop graveyard.

GitHub is racing towards the mythical zero nines of uptime. Users are starting to notice that GitHub is now a Microsoft product. Eww! Official uptime paints a concerning chart. The missing status page tells a far worse story. Whatever the truth, it’s impossible to miss the delightful experience that is Microsoft GitHub if you use it semi-regularly.

Microsoft acquired GitHub and applied their unique brand of enshittification. Amongst their achievements was the spawning of the Copilot circle of hell. Now they’re effectively DDoSing themselves with slop. I won’t dwell on what else went wrong. I don’t know and I don’t care. GitHub is impressively bad now. It’s embarrassing. Shameful.

As I write this the obituaries are flooding in:

Ditching GitHub - Lonami
Ghostty Is Leaving GitHub - Mitchell Hashimoto
Before GitHub - by Armin Ronacher
From GitHub to Codeberg/Forgejo - Jonas Hietala

It’s long past time to get off this sinking ship!

GitHub has become synonymous with “source control” and I worry too many users don’t know that Git is not GitHub. The core technology of Git is open source. It’s distributed, meaning that all repositories are equal. Git works without a centralised service. Such a practice is a construct of social convenience. GitHub was a useful add-on. Microsoft has turned GitHub into an expensive liability.

Network effects are hard to topple but if anyone can do it, Microsoft can. GitHub’s fake star economy is worthless. GitHub is inundated with bots and drowning in slop and doing everything to encourage it. Microsoft is turning GitHub into the Moltbook of code, it ain’t for you and me anymore.

Your CI pipeline is over-engineered and GitHub Actions are an abomination (see: [1] [2]). Finding another solution is an absolute chore but do you trust GitHub to be reliable?

Look, the ship is sinking! Sure, the water looks freezing. Don’t hang around and allow Microsoft to pull you under. You don’t need to move everything in one go. Start the process.

The nearest lifeboat to escape GitHub is another centralised Git forge. Just sign up and push your repo to the new upstream. Some services can automate the migration and maybe even import issues. Personally I’d leave issues behind in a tragic boating accident.

Codeberg — a non-profit and community-led project with an established track record. This is the safe alternative that’ll stick around. It’s the flagship instance of Forgejo.
Tangled — an alpha stage start-up with interesting AT protocol integration. Worth considering for smaller solo projects. Seems cool.
Gitea — they offer cloud managed Git hosting. It’s the original open source project that Codeberg/Forgejo forked away from.
GitLab — enterprise grade, meaning it’s bloated and confusing but it’ll impress your boss. This could be the choice if you need multiple meetings to make the choice.
Bitbucket — trade one soul destroying corpo fun vacuum for another. Strongly discouraged, but Bitbucket does technically fit the anything but GitHub category.

If you’re cool like me, you or your organisation can self-host a Git forge with actions and releases. My recommendation is Forgejo. There is talk of federation between Forgejo instances but it’s not happening anytime soon. If you want open collaboration push a copy to Codeberg. Gitea and GitLab also have self-hosted options. Be aware, GitLab is a comparative chonker.

When I said “Git is not GitHub” the same applies to other forges. Do you need those add-ons? Nothing is stopping you from raw-doggin’ Git over SSH:

How you manage collaboration is another question. If Linux can be maintained by sending patches to an email mailing list, “doesn’t work at scale” arguments are skill issues.

But seriously, a centralised Git forge is a decent compromise in my opinion. Maybe they collapse like GitHub in future. Always have an exit plan. Just use anything but GitHub.

David Bushell 1 months ago

Alternative thoughts

My regular schedule of CSS and HTML tips will return after this brief look at the sorry state of the web and tech industry. It’s grim.

Our press secretary, Sean Spicer, gave alternative facts to that…
Alternative facts - Kellyanne Conway (Wikipedia)

Following the 2017 inauguration of Mr “grab ’em by the pussy” the world was treated to a deluge of alternative facts. Few were prepared for the new era of “you can just say things”. The rule books were torn to shreds. Whilst liberals were angsting over decorum, the techno-fascists were rising up. When America decided for a second time that a pedo-in-chief was preferable to a woman, all pretence fell away.

The AI industrial complex is the culmination of tech, money, and power that the Musks and Thiels of the world were waiting for. For a monthly subscription users can disengage their brain and choose alternative thoughts to escape a dystopia they voted for. The endgame of techno-fascism is more money, more power; a price tag on humanity. At this point, those who work in tech and refuse to acknowledge the harm and the violence are hopelessly naive and/or complicit in their selfishness.

Violence is more than just hitting people. Taking away people’s agency is violence, exposing people to suffering is violence. Violence has many shapes and forms. And “AI” needs an acceptance of endless amounts of violence
AI as a Fascist Artifact - Jürgen Geuter

I can understand why someone doomscrolling slop-tok shorts might not pause to consider the effect of their implicit acceptance. But the “it’s just a tool” crowd in the tech industry — well, is it wilful ignorance or feeble apologism? Why is it that those most embedded in tech are most eager to push the AI narrative? Hint: they’re almost all looking to get in on the grift. Sell shovels. Sell guides on how to shovel. Sell B2B automated shovelling logistics. All the while enriching the pockets of the techno-fascists looking to control those hooked on tokens.

It’s quite a tool. A tool that has the tech industry clapping like sea lions and giddily proclaiming there are five lights. Apparently the public at large don’t yearn for automation. Let’s hope those across the pond can connect the red flags before we get Vance/Kirk 2028.

Software “engineers” have been more than happy to pull the one-armed code bandit and recite the 10× productivity mantra. What incentive do they have to care when they’re strongly encouraged to gamble on their employer’s dime? More. Faster. Burn those tokens! Stop thinking, your context is getting cold! They get subsidised rates and front row seats to the looming collapse.

Collapse it assuredly will. The wheels are falling off. Are the thrills of addiction waning, too? Anecdotally, I’ve seen an increase in developers becoming bored with their new toys.

When the bubble bursts it will be too late for many. The AI mandate has been busy destroying the careers and opportunities of those who still care. Craig Cook said “fuck AI” and quit.

The fantasy of AI efficiency has rapidly devoured the brains of every Silicon Valley MBA prick like a body-snatcher invasion. Predator-class oligarchs are positively horny to replace their annoying human workforces with a compliant, manufactured slave race that doesn’t demand a living wage and won’t whine about their “health” and “dignity” and “fundamental rights.”
The End - Craig Cook

Ky Decker quit too, questioning whether they belong in tech anymore.

Tech organizations have now given up on pushing back against an unethical and violent administration, deciding that it is in their best business interest to flatter the president’s ego with gold trophies and pandering praise. Elon Musk and the “Department of Government Efficiency” took a sledgehammer to 18F and replaced it with National Design Studio, a propaganda shop whose main talent is building expensive and inaccessible landing pages.
Do I belong in tech anymore? - Ky Decker

These are just two stories from those brave enough to speak out. The usual “you’re prompting it wrong” commenters on Hacker News and Lobste.rs were atypically sympathetic to Ky’s plight. Perhaps reality is sinking in? Or the reply-bots were offline. That’s a good sign I guess.

Nevertheless, the ostracising and harassment towards a “no thanks” stance on AI and techno-fascism remains a real problem (source: my inbox). I don’t care about the anonymous cowards that think I’ll read one thousand words of LLM-extruded abuse after they gave the game away in the subject line. They exist, but I’m talking about the private conversations I’ve had with those suffering the burnout alone. They are trapped in jobs. They’re forced to bear the alternative thoughts proxied via the mouth holes of their managers. They are afraid to speak up.

It takes some combination of financial privilege, mental exhaustion, or foolhardiness to quit a job when the market is so bleak. I respect those that do but I don’t blame anyone for bunkering down. Wait it out is practical advice but it doesn’t ease the anxiety. “Preserve your mental health” is key but what that means is different for each of us.

And throughout all of this, I felt such an energetic sense of purpose and activation in creating new music for the first time in over a decade that I also felt I had rediscovered my true self.
I released a song for the first time in 15 years - Salma Alam-Naylor

Salma Alam-Naylor released a certified banger: reject the machine. Salma created this music to fight against an abusive relationship with the technology industry. I see this passion project as a middle finger to the aesthetics of fascism. To me it’s a reminder that by rejecting the alternative thoughts peddled by techno-fascists we deny what they really want: control.

I’ve been inspired to continue pursuing my own creativity. Will that bear fruit? It doesn’t matter. It’s my life and I will remain in control.

David Bushell 1 months ago

RSS Club #007: Running

Today Sabastian Sawe ran an historic sub-two-hour marathon in a competitive race. A marathon is around 42 kilometres, aka 26 miles in freedom units (we use miles in the UK too but not for running distances). I feel the record is a little unfair on Kipchoge who achieved the milestone first under non-competitive conditions. Even more unfair on Kejelcha who finished second today in 1:59:41. Two unbelievable athletes in the same day.

If my maths is correct that’s not far off a 14 min 5km pace. That’s simply outrageous! My personal best for a 5km is 22 mins. With the caveat of questionable GPS cutting a park corner. My fastest half-marathon is 1:51:42. Basically half as slow as an elite marathon runner. Of course, they run half-marathons even faster. I do not believe my knees could withstand double that distance. Anyone who can drag their body 42km deserves applause.

I doubt I could even sprint 100 metres as fast as these guys maintain a marathon pace. More napkin maths suggest that is 100 metres in around 16 seconds? Usain Bolt did it once in 9.58s. Maintaining a pace of 16s/100m for 42,000 metres is incredible. If the maths ain’t exciting you see this video of runners attempting to match Kipchoge’s pace.

Elite sprinting is anaerobic. Long distance running is aerobic (aka “cardio”). I won’t feign expertise on the exact science. All I know is the 200 metre sprint is notoriously difficult. It pushes the human body beyond what it can maintain for anaerobic sprinting. You gotta just start sucking in oxygen and try to ignore the fact that it feels like you’re dying.

When it comes to superiority over other animals, top of the list is our brain and our dexterity. But more impressive I think is our endurance. Our ancestors started walking upright and evolved as persistence hunters. Prey cramps up and physically cannot move to save its life. Brutal way to go!

Long-distance running is more about breathing, a steady pace, and good form to avoid injury. The perfect running shoe is less important than people want to think. A good fit matters. Pheidippides didn’t run the first marathon in Nikes (fashion sneakers fall apart instantly). He probably wore sandals or was barefoot.

The most important attire is short shorts, underwear of synthetic material to keep your bits in place, and plenty of lube on the thighs. Never wear a cotton T-shirt unless you want bloody nipples. Chafing is like the boiling frog parable. You don’t realise until it’s too late and you’re walking like a cowboy for a week.

Unless you’re running competitively, never compare yourself to others. It does not help you in the slightest. There is no “good” time to run any particular distance.

David Bushell 1 months ago

Web tools are cool

My website has a new page! The URL pathname is an “official” slash page. I’m only listing web tools I use for now. My default apps change too frequently. The list is an evolution of an old post I was secretly maintaining.

👉 Visit my /uses page!

Web tools are web-based tools, obviously. Used in a web browser without a download. Some may be installed as progressive web apps but I prefer a progressive browser tabs. Most tools do one thing and do it well. Some of my links are actually just text information, but “web tools and documentation and specifications” is a mouthful.

All the tools I’m collating are related to web development. I’d guess I use Squoosh the most, followed by Can I use or this specificity calculator (there are many, I like that one.) Stu Robson’s ReliCSS is a new addition that looks very useful.

I realise now I’m not hosting any web tools myself. Many moons ago I maintained a few NPM packages that did stuff (grunted, mostly). Web tools are so much better. Less malware, for one. I once hosted a to-do app, but who hasn’t? That reminds me, sub-domains are the secret to hosting side projects. I must stop buying short-lived project domains. Anyway, I should build a web tool. Any ideas?

Do you have any favourite web tools I should be aware of? I’m not looking to list everything, just stuff I might personally use.

P.S. This is definitely not another bookmarks project I’ll forget about.

David Bushell 1 months ago

Warning: containment breach in cascade layer!

CSS cascade layers are the ultimate tool to win the specificity wars. Used alongside the selector, specificity problems are a thing of the past. Or so I thought. Turns out cascade layers are leakier than a xenonite sieve. Cross-layer shenanigans can make bad CSS even badder. I discovered a whole new level of specificity hell. Scroll down if you dare! There are advantages too, I’ll start with a neat trick. To setup this trick I’ll quickly cover my favoured CSS methodology for a small website. I find defining three cascade layers is plenty. In I add my reset styles , custom properties, anything that touches a global element, etc. In I add the core of the website. In I add classes that look suspiciously like Tailwind , for pragmatic use. Visually-hidden is a utility class in my system. I recently built a design where many headings and UI elements used an alternate font with a unique style. It made practical sense to use a utility class like the one below. This is but a tribute, the real class had more properties. The class is DRY and easily integrated into templates and content editors. Adding this to the highest cascade layer makes sense. I don’t have to worry about juggling source order or overriding properties on the class itself. I especially do not have to care about specificity or slap everywhere like a fool. This worked well. Then I zoom further into the Figma picture and was betrayed! The design had an edge case where letter-spacing varied for one specific component. It made sense for the design. It did not make sense for my system. If you remember, my cascade layer takes priority over my layer so I can’t simply apply a unique style to the component. For the sake of a demo let’s assume my component has this markup. I want to change back to the normal letter-spacing. Oops, I’ve lost the specificity war regardless of what selector I use. The utility class wins because I set it up to win. My “escape hatch” uses custom property fallback values . 
In most cases is not defined and the default is applied. For my edge case component I can ‘configure’ the utility class. I’ve found this to be an effective solution that feels logical and intuitive. I’m working with the cascade. It’s a good thing that custom properties are not locked within cascade layers! I don’t think anyone would expect that to happen. In drafting this post I was going to use an example to show the power of cascade layers. I was going to say that not even !important wins. Then I tested my example and found that !important does actually override higher cascade layers. It breaches containment too! What colour are the paragraphs? Suffice it to say that things get very weird. See my CodePen. Spoiler: blue wins. I’m sure there is a perfectly cromulent reason for this behaviour but on face value I don’t like it! Bleh! I feel like !important should be locked within a cascade layer. I don’t even want to talk about the inversion… I’m sure there are GitHub issues, IRC logs, and cave wall paintings that discuss how cascade layers should handle !important — they got it wrong! The fools! We could have had something good here! Okay, maybe I’m being dramatic. I’m missing the big picture, is there a real reason it has to work this way? It just feels… wrong? I’ve never seen a use case for !important that wasn’t tear-inducing technical debt. Permeating layers with !important feels wrong even though custom properties behaving similarly feels right. It’s hard to explain. I reckon if you’ve built enough websites you’ll get that sense too? Or am I just talking nonsense? I subscribe to the dogma that says !important should never be used but it’s not always my choice. I build a lot of bespoke themes. The WordPress + plugin ecosystem is the ultimate specificity war. WordPress core laughs in the face of “CSS methodology” and loves to put styles where they don’t belong. Plugin authors are forced to write even gnarlier selectors. When I finally get to play, styles are an unmitigated disaster.
Cascade layers can curtail unruly WordPress plugins but if they use !important it’s game over; I’m back to writing even worse code. Thanks for reading! Follow me on Mastodon and Bluesky. Subscribe to my Blog and Notes or Combined feeds.
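The two behaviours described in this post, modelled as an added example (not the author's code and not his CodePen): a custom property set in a lower layer still feeds a utility declared in a higher layer, and an important declaration in the lowest layer beats everything above it because layer order is inverted for important declarations. The layer names, the `--heading-spacing` property and every sample declaration are constructed assumptions, as is reading the flag the post discusses as `!important`; the model only covers author-origin declarations that all match one element.

```javascript
// Constructed layer order, lowest priority first (names are assumptions).
const LAYER_ORDER = ["base", "components", "utilities"];

// Higher rank wins. Normal declarations: later layers beat earlier ones and
// unlayered styles beat every layer. Important declarations: exactly inverted.
function layerRank({ layer, important }) {
  const i = layer === null ? LAYER_ORDER.length : LAYER_ORDER.indexOf(layer);
  if (i < 0) throw new Error(`unknown layer: ${layer}`);
  return important ? LAYER_ORDER.length - i : i;
}

// Cascade sort for one origin: importance, then layer, then specificity,
// then order of appearance. Specificity is only reached within one layer.
function compare(a, b) {
  if (a.important !== b.important) return a.important ? 1 : -1;
  const byLayer = layerRank(a) - layerRank(b);
  if (byLayer !== 0) return byLayer;
  for (let k = 0; k < 3; k++) {
    if (a.specificity[k] !== b.specificity[k]) return a.specificity[k] - b.specificity[k];
  }
  return a.order - b.order;
}

// Winning declaration for one property, or null if nothing sets it.
function cascade(declarations, property) {
  const candidates = declarations
    .map((d, order) => ({ ...d, order }))
    .filter((d) => d.property === property);
  if (candidates.length === 0) return null;
  return candidates.reduce((best, d) => (compare(d, best) > 0 ? d : best));
}

// Computed value: the winner's value, with a single var(--x, fallback)
// resolved by running the cascade again for the custom property itself.
function computed(declarations, property) {
  const winner = cascade(declarations, property);
  if (!winner) return null;
  const m = /^var\(\s*(--[\w-]+)\s*(?:,\s*(.+))?\)$/.exec(winner.value);
  if (!m) return winner.value;
  const custom = cascade(declarations, m[1]);
  return custom ? custom.value : (m[2] ?? null);
}

// Constructed sample 1: the "escape hatch". The utility wins letter-spacing
// even against an ID selector, but reads a property set by the component.
const escapeHatch = [
  { layer: "utilities", property: "letter-spacing", important: false,
    value: "var(--heading-spacing, 0.1em)", specificity: [0, 1, 0] },
  { layer: "components", property: "letter-spacing", important: false,
    value: "normal", specificity: [1, 1, 0] },
  { layer: "components", property: "--heading-spacing", important: false,
    value: "normal", specificity: [0, 1, 0] },
];

// Constructed sample 2: the containment breach and the inversion.
const breach = [
  { layer: "base", property: "color", important: true,
    value: "blue", specificity: [0, 0, 1] },
  { layer: "utilities", property: "color", important: false,
    value: "red", specificity: [0, 1, 0] },
  { layer: "utilities", property: "color", important: true,
    value: "green", specificity: [0, 1, 0] },
];

console.log(computed(escapeHatch, "letter-spacing"), computed(breach, "color"));
```

For anyone relying on a top layer to contain third-party or plugin CSS, the second sample is the case to audit for: an important declaration placed in an earlier layer outranks the containing layer.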

David Bushell 1 months ago

No-stack web development

This year I’ve been asked more than ever before what web development “stack” I use. I always respond: none. We shouldn’t have a go-to stack! Let me explain why. My understanding is that a “stack” is a choice of software used to build a website. That includes language and tooling, libraries and frameworks , and heaven forbid: subscription services. Text editors aren’t always considered part of the stack but integration is a major factor. Web dev stacks often manifest as used to install hundreds of megs of JavaScript, Blazing Fast ™ Rust binaries, and never ending supply chain attacks . A stack is also technical debt, non-transferable knowledge, accelerated obsolescence, and vendor lock-in. That means fragility and overall unnecessary complication. Popular stacks inevitably turn into cargo cults that build in spite of the web, not for it. Let’s break that down. If you have a go-to stack, you’ve prescribed a solution before you’ve diagnosed a problem. You’ve automatically opted in to technical baggage that you must carry the entire project. Project doesn’t fit the stack? Tough; shoehorn it to fit. Stacks are opinionated by design. To facilitate their opinions, they abstract away from web fundamentals. It takes all of five minutes for a tech-savvy person to learn JSON . It takes far, far longer to learn Webpack JSON . The latter becomes useless knowledge once you’ve moved on to better things. Brain space is expensive. Other standards like CSS are never truly mastered but learning an abstraction like Tailwind will severely limit your understanding. Stacks are a collection of move-fast-and-break churnware; fleeting software that updates with incompatible changes, or deprecates entirely in favour of yet another Rust refactor. A basic HTML document written 20 years ago remains compatible today. A codebase built upon a stack 20 months ago might refuse to play. The cost of re-stacking is usually unbearable. 
Stack-as-a-service is the endgame where websites become hopelessly trapped. Now you’re paying for a service that can’t fix errors. You’ve sacrificed long-term stability and freedom for “developer experience”. I’m not saying you should code artisanal organic free-range websites. I’m saying be aware of the true costs associated with a stack. Don’t prescribe a solution before you’ve diagnosed a problem. Choose the right tool for each job only once the impact is known. Satisfy specific goals of the website, not temporary development goals. Don’t ask a developer what their stack is without asking what problem they’re solving. Be wary of those who promote or mandate a default stack. Be doubtful of those selling a stack. When you develop for a stack, you risk trading the stability of the open web platform, that is to say: decades of broad backwards compatibility, for GitHub’s flavour of the month. The web platform does not require build toolchains. Always default to, and regress to, the fundamentals of CSS, HTML, and JavaScript. Those core standards are the web stack. Yes, you’ll probably benefit from more tools. Choose them wisely. Good tools are intuitive by being based on standards, they can be introduced and replaced with minimal pain. My only absolute advice: do not continue legacy frameworks like React. If that triggers an emotional reaction: you need a stack intervention! It may be difficult to accept but Facebook never was your stack; it’s time to move on. Use the tool, don’t become the tool. Edit: forgot to say: for personal projects, the gloves are off. Go nuts! Be the churn. Learn new tools and even code your own stack. If you’re the sole maintainer the freedom to make your own mistakes can be a learning exercise in itself.

David Bushell 1 months ago

CSS subgrid is super good

I’m all aboard the CSS subgrid train. Now I’m seeing subgrid everywhere. Seriously, what was I doing before subgrid? I feel like I was bashing rocks together. Consider the following HTML: The content could be simple headings and paragraphs. It could also be complex HTML patterns from a Content Management System (CMS) like the WordPress block editor, or ACF flexible content (a personal favourite). Typically when working with CMS output, the main content will be restricted to a maximum width for readable line lengths. We could use a CSS grid to achieve such a layout. Below is a visual example using the Chromium dev tools to highlight grid lines. This example uses five columns with no gap resulting in six grid lines. The two outermost columns are meaning they can expand to fill space or collapse to zero-width. The two inner columns are which act as a margin. The centre column is the smallest of two values; either , or the full viewport width (minus the margins). Counting grid lines correctly requires embarrassing finger math and pointing at the screen. Thankfully we can name the lines. I set a default column of for all child elements. Of course, we could have done this the old fashioned way. Something like: But grid has so much more potential to unlock! What if a fancy CMS wraps a paragraph in a block with the class . This block is expected to magically extend a background to the full-width of the viewport like the example below. This used to be a nightmare to code but with CSS subgrid it’s a piece of cake. We break out of the column by changing the to — that’s the name I chose for the outermost grid lines. We then inherit the parent grid using the template. Finally, the nested children are moved back to the column. The selector keeps specificity low. This allows a single class to override the default column. CSS subgrid isn’t restricted to one level. We could keep nesting blocks inside each other and they would all break containment.
If we wanted to create a “boxed” style we can simply change the to instead of . This is why I put the margins inside. In hindsight my grid line names are probably confusing, but I don’t have time to edit the examples so go paint your own bikeshed :) On smaller viewports below the outermost columns collapse to zero-width and the “boxed” style looks exactly like the style. This approach is not restricted to one centred column. See my CodePen example and the screenshot below. I split the main content in half to achieve a two-column block where the text edge still aligns, but the image covers the available space. CSS subgrid is perfect for WordPress and other CMS content that is spat out as a giant blob of HTML. We basically have to centre the content wrapper for top-level prose to look presentable. With the technique I’ve shown we can break out more complex block patterns and then use subgrid to align their contents back inside. It only takes a single class to start! Here’s the CodePen link again if you missed it. Look how clean that HTML is! Subgrid helps us avoid repetitive nested wrappers. Not to mention any negative margin shenanigans. Powerful stuff, right? Browser support? Yes. Good enough that I’ve not had any complaints. Your mileage may vary, I am not a lawyer. Don’t subgrid and drive.

David Bushell 1 months ago

I quit. The clankers won.

… is what I’m reading far too often! Some of you are losing faith! A growing sentiment amongst my peers — those who haven’t already resigned to an NPC career path † — is that blogging is over. Coding is cooked. What’s the point of sharing insights and expertise when the Cognitive Dark Forest will feed on our humanity? Before I’m dismissed as an ill-informed hater please note: I’ve done my research. † To be fair it’s a valid choice in this economy. Clock in, slop around, clock out. Why not? It’s never been more important to blog. There has never been a better time to blog. I will tell you why. We’re being starved for human conversation and authentic voices. What’s more: everyone is trying to take your voice away. Do not opt-out of using it yourself. First let’s accept the realities. The giant plagiarism machines have already stolen everything. Copyright is dead. Licenses are washed away in clean rooms . Mass surveillance and tracking are a feature, privacy is a bug. Everything is an “algorithm” optimised to exploit. How can we possibly combat that? From a purely selfish perspective it’s never been easier to stand out and assert yourself as an authority. When everyone is deferring to the big bullshitter in the cloud your original thoughts are invaluable. Your brain is your biggest asset. Share it with others for mutual benefit. I find writing stuff down improves my memory and hardens my resolve. I bet that’s true for you too. It’s part rote learning part rubberducking † . Writing publicly in blog form forces me to question assumptions. Even when research fails me Cunningham’s Law saves me. † Some will claim writing into a predictive chat box helps too, and sure, they’re absolutely right! Blogging makes you a better professional. No matter how small your audience, someone will eventually stumble upon your blog and it will unblock their path. Don’t accept a fate being forced upon you. 
The AI industry is 99% hype; a billion dollar industrial complex to put a price tag on creation. At this point if you believe AI is ‘just a tool’ you’re wilfully ignoring the harm. (Regardless, why do I keep being told it’s an ‘extreme’ stance if I decide not to buy something?) The 1% utility AI has is overshadowed by the overwhelming mediocracy it regurgitates. We’re saying goodbye to Sora. To everyone who created with Sora, shared it, and built community around it: thank you. What you made with Sora mattered, and we know this news is disappointing. @soraofficialapp - XCancel Is there anything, in the entire recorded history of human creation, that could have possibly mattered less than the flatulence Sora produced? NFTs had more value. I’m not protective over the word “art”. Generative AI is art. It’s irredeemably shit art; end of conversation. A child’s crayon doodle is also lacking refined artistry but we hang it on our fridge because a human made it and that matters. We care and caring has a positive effect on our lives. When you pass human creativity through the slop wringer, or just prompt an incantation, the result is continvoucly morged; a vapid mockery of the input. The garbage out no longer matters, nobody cares, nobody benefits. I forgot where I was going with this… oh right: don’t resign yourself to the deskilling of our craft. You should keep blogging! Take pride in your ability and unique voice. But please don’t desecrate yourself with slop. The only winning move is not to play. WarGames (1983) We’ve gotten too comfortable with the convenience of Big Tech. We do not have to continue playing their game. Don’t buy the narratives they’re selling. The AI industry is built on the predatory business model of casinos. Except they’ve forgotten the house is supposed to win. One upside of this looming economic and intellectual depression is that the media is beginning to recognise gate keepers are no longer the hand that feeds them. Big Tech is not the web.
You don’t have to use it nor support it. Blog for the old web, the open web, the indie web — the web you want to see. And if you think I’m being dramatic and I’ve upset your new toys, you’re welcome to be left behind in the miasmatic dystopia these technofascists are racing to build.

David Bushell 2 months ago

Top ten Figma betrayals

Figma is the industry standard for painting pretty pictures of websites. It’s where designers spend my designated dev time pushing pixels around one too many artboards. Figma promises to remove the proverbial fence between design and development. In reality it provides the comfort of an ideal viewport that doesn’t exist. I don’t mind Figma (the software), although I prefer Penpot myself. I still dabble in the deceptive arts of web design. Don’t be thinking I’m out here hating on designers. I like to stick my nose inside a Figma file and point out issues before they escalate. Below I cover classic Figma betrayals that I bet you’ve experienced. Betrayals happen when software promises more than it can deliver. Take a gander at this amazing website design I whipped up in Figma to illustrate the most common betrayals. I told you I was a designer! I’ll evolve this design throughout the post. Figma has deemed 1440×1024 to be “Desktop” resolution so I’ve started there. In this mockup I’ve added a full-width banner of our hero Johnny Business . I’ve built this website far too many times than I care to remember. I’ll repeat the same question here I ask every time I build it: what happens at other viewport sizes? Do I scale the banner proportionally? On wider viewports this is likely to push content out of sight. It might even require scrolling to see the entire image on Johnny’s ultra-wide 8K. The phrase “above the fold” will be spoken in a Teams call, can we avoid that? Do I also set a maximum height on the banner? This is going to decapitate poor Johnny! He paid a lot for that haircut. What are we doing below the “Desktop” viewport, by the way? Let’s design for the 402×874 resolution Figma calls “iPhone 17” because it was first on the list. Note the absolute perfect crop of Johnny’s sockless businessing. Okay, next question: how do we move between “mobile” and “desktop”? That’s a very specific focal point. We can’t just change it willy-nilly! Code has rules; logic. 
A website must be responsive between all breakpoints. Are we going to use multiple images? At what breakpoint do they swap? Because that perfectly cropped mobile image doesn’t scale up very far. Hold the phone! A shadow stakeholder has asked for a redesign to “make it pop!” The ultra-wide problem has been solved with a centred fixed-width style. If that is the intention? Does either the banner or header stretch to the edge of the viewport? More importantly, that image and text has no room to move. I’ve only reduced the viewport by 200 pixels and it’s already crashing into Johnny’s face. Are we expecting breakpoints every 100 pixels? — No, wait! Please don’t spend more time designing more breakpoints! Okay, I’ll hold until more breakpoints are designed. Are we extending my development deadline? No. Okay. As development continues I’ve got more bad news to share. Figma is very happy allowing us to enter arbitrary line breaks for the perfect text fit. That’s not how the web works. One of these options is probably what we’ll see if text is left to naturally break. Yes, we can technically allow for a manual line break. That’s a pain in the content management system, but sure. Text is still forced to wrap on a smaller viewport, then what? Oh that? Now you want the manual line break to magically disappear? (╯°□°)╯︵ ┻━┻ I lied when I said “top ten” Figma betrayals. The issues above can appear in hundreds of guises across any component. If you’re betrayed once you’ll be hit again and again. Figma is not exactly conducive to responsive web design. Designing more breakpoints often leads to more questions, not less. Another betrayal I pull my hair out over is the three card pattern packed with content. This leads to an immediate breakpoint where one card drops awkwardly below. I dread this because the word “carousel” will be uttered and my sobbing is heard far and wide. Carousels are not a content strategy. 
I was once inspecting a Figma file only to witness the enemy cursor drive by and drop several dots underneath an image. The audacity! Figma betrayals are classic waterfall mistakes that are solved by human conversation. Developers need to be part of the design process to ask these questions. Content authors should be involved before and not after a design is complete. You’ll note I never answered the questions above because what might work for my fictional design isn’t universal. On a tangential topic Matthias Ott notes: Think about what actually happens when a designer and an engineer disagree about an interaction pattern. There’s a moment of tension – maybe even frustration. The engineer says it’ll be fragile. The designer says it’s essential for the experience. Neither is wrong, necessarily. But the conversation – if your process allows for it to happen – that back-and-forth where both sides have to articulate why they believe what they believe, is where the design becomes robust and both people gain experience. Not in the Figma file. Not in the pull request. In the friction between two people who care about different things and are forced to find a shared answer. The Shape of Friction - Matthias Ott Figma is not friction-free and that’s fine. We can’t expect any software in the hands of a single person to solve problems alone. Software doesn’t know what questions to ask. Not then with Clippy, not now with Copilot. Humans should talk to one another, not the software. Together we can solve things early the easy way, or later the hard way. One thing that has kept me employed is the ability to identify questions early and not allow Fireworks, Photoshop, Sketch, XD, and now Figma to lead a project astray.

David Bushell 2 months ago

I should build a game

I should build a game! I feel like that’s a common dream, right? Game development is what got me interested in design and programming to begin with. I learnt ECMAScript via Flash ActionScript many moons ago. Some time later “Thoughts on Flash” brought a swift demise and ruined legacy to Flash. History is written by the winners, they say. Although Flash was largely proprietary software, and Adobe would have ruined it themselves, Flash was a wonderfully creative tool in its prime. I studied art and went into print/web design before transitioning almost entirely to front-end dev. I’ve been trapped here ever since! In that time, open web standards have become way more powerful than Flash ever was. Today HTML is the new Flash. Over my winter break I created a new playground where I relearned old tricks by building fun little canvas prototypes. Just basic stuff. No libraries or game engines. This is my retreat of solace until the “AI” fallout blows over. I’ll be sharing my slop-free explorations into game dev. The purpose here is understanding and creativity. No amount of prompt-fondling can achieve that! Work got busy, which is a good thing I guess, and I haven’t had time to build more. If the web industry does fall apart, at least I have a fallback plan to keep me busy! I’m going to build the games I always wanted to. Or at least try. I’ve been playing Slay the Spire 2 recently and I thought, “I could build that!” — I mean, I could technically build a shallow shitty clone. Nevertheless, it inspired me once again to consider if I really could design and build a game. I’ve set myself a personal goal of spending a few hours every week to create something game related. Maybe that’s sketching concept art, or plotting puzzles, or writing code, or researching, or just daydreaming ideas. Not with the grand plan of creating “the game”. I don’t know where it will lead but I know I’ll enjoy the process. Whether I share anything is unknown.

David Bushell 2 months ago

RSS Club #006: Burnout

This is an RSS-only post, which I like to do sporadically! Thank you for subscribing :) Am I burning out? Let me know what you think, internet doctors. I work a four day week and I have done so for many years. Fridays are mine to have fun. By fun I mean making my own websites without the pressure of clients. That helps me wind down. When the weekend arrives my mind is already stress free. At least it was! I’ve been struggling more than usual lately. My watch monitors heart rate, steps, sleep etc. It has started to report a lower than average “body battery” — that’s what Garmin has trademarked to say: “sir, you look like shit.” A major factor here is definitely a hamstring tear that has kept me from running. Not long ago I was doing half-marathons every other week. Now I can only manage a light 5k or risk prolonged injury. Being stuck inside isn’t helping my mental or physical health. Hopefully before summer I’ll have recovered. But there is more I reckon. I’m fed up. Everything makes me grouchy. Is it too simple to say that the web industry, and tech at large, has lost its collective marbles? Not a week goes by where I don’t mute a word on social media, or unsubscribe from a blog. Everyone is talking nonsense. Everyone is grifting. It never used to be this way. What depresses me most though is how negative my own blog can be on occasions. Part of me wants to defend my career. To call out the ludicrous stuff that is said and done these days. I’m not worried about upsetting people. The clients that hire me don’t care that I dared mock an industry influencer or challenged one of the old boys’ club. I try to do that in a joking way but my tone has always been blunt. That has gotten me into a wee bit of trouble before. Lately though, I can’t help but feel I’ve been looking for trouble. Is it even possible to ‘fight back’ in a positive way? I’m not just talking about “AI” bollocks, I mean the general enshittification of the web industry and tech at large.
The hot drama and spicy takes are great for clickbait and like-farming. I’ve been too guilty of that. Even though I know for a fact that my most popular posts, over the long run, are topics like: Multiple Accounts and SSH Keys. That got zero attention the day I published it but I’ve received random “thank you” emails every year since. Thing is though, I actually do get “thank you” emails for my stance against AI. There are a lot of developers who aren’t in a position to speak their mind. I don’t blame anyone for staying quiet when their job is on the line. I’m lucky I am my own boss. I’ve always blogged primarily for myself. That’s the secret to blogging I think. Regardless, after so many years I have the power to reach a significant audience. I feel somewhat obliged to do something with that. I’m just not sure I’m venting my frustrations in the right way. Maybe I am burning out and it’s affecting my judgement? I’m genuinely curious. Send me an email: [email protected] Are you burning out? Am I burning out? Or is the industry burning down around us? Feedback is always welcome. I can take criticism. I’ve received some absolute scorchers from anonymous cowards recently. I wish I could share those but I do respect my privacy policy. (That’s not an invitation for hate!)

David Bushell 2 months ago

404 Deno CEO not found

I visited deno.com yesterday. I wanted to know if the hundreds of hours I’d spent mastering Deno was a sunk cost. Do I continue building for the runtime, or go back to Node? Well I guess that pretty much sums up why a good chunk of Deno employees left the company over the last week. Layoffs are what American corpo culture calls firing half the staff. Totally normal practice for a sustainable business. Mass layoffs are deemed better for the morale of those who remain than a weekly culling before Friday beers. The Romans loved a good decimation. † If I were a purveyor of slop and tortured metaphors, I’d have adorned this post with a deepfake of Ryan Dahl fiddling as Deno burned. But I’m not, so the solemn screenshot will suffice. † I read Rome, Inc. recently. Not a great book, I’m just explaining the reference. A year ago I wrote about Deno’s decline. The facts, undeterred by my subjective scorn, painted a harsh picture; Deno Land Inc. was failing. Deno incorporated with $4.9M of seed capital five years ago. They raised a further $21M series A a year later. Napkin math suggests a five year runway for an unprofitable company (I have no idea, I just made that up.) Coincidentally, after my blog post topped Hacker News — always a pleasure for my inbox — Ryan Dahl (Deno CEO) clapped back on the official Deno blog: There’s been some criticism lately about Deno - about Deploy, KV, Fresh, and our momentum in general. You may have seen some of the criticism online; it’s made the rounds in the usual places, and attracted a fair amount of attention. Some of that criticism is valid. In fact, I think it’s fair to say we’ve had a hand in causing some amount of fear and uncertainty by being too quiet about what we’re working on, and the future direction of our company and products. That’s on us. Reports of Deno’s Demise Have Been Greatly Exaggerated - Ryan Dahl Dahl mentioned that adoption had doubled following Deno 2.0.
Since the release of Deno 2 last October - barely over six months ago! - Deno adoption has more than doubled according to our monthly active user metrics. User base doubling sounds like a flex for a lemonade stand unless you give numbers. I imagine Sequoia Capital expected faster growth regardless. The harsh truth is that Deno’s offerings have failed to capture developers’ attention. I can’t pretend to know why — I was a fanboy myself — but far too few devs care about Deno. On the rare occasions Deno gets attention on the orange site, the comments page reads like in memoriam. I don’t even think the problem was that Deno Deploy, the main source of revenue, sucked. Deploy was plagued by highly inconsistent isolate start times. Solicited feedback was ignored. Few cared. It took an issue from Wes Bos, one of the most followed devs in the game, for anyone at Deno to wake up. Was Deploy simply a ghost town? Deno rushed the Deploy relaunch for the end of 2025 and it became “generally available” last month. Anyone using it? Anyone care? The Deno layoffs this week suggest only a miracle would have saved jobs. The writing was on the wall. Speaking of ghost towns, the JSR YouTube channel is so lonely I feel bad for linking it. I only do because it shows just how little interest some Deno-led projects mustered. JSR floundered partly because Deno was unwilling couldn’t afford to invest in better infrastructure. But like everything else in the Deno ecosystem, users just weren’t interested. What makes a comparable project like NPMX flourish so quickly? Evidently, developers don’t want to replace Node and NPM. They just want what they already have but better; a drop-in improvement without friction. To Deno and Dahl’s credit, they recognised this with the U-turn on HTTP imports. But the resulting packaging mess made things worse. JSR should have been NPMX. Deno should have gone all-in on but instead we got mixed messaging and confused docs.
I could continue but it would just be cruel to dissect further. I’ve been heavily critical of Deno in the past but I really wanted it to succeed. There were genuinely good people working at Deno who lost their job and that sucks. I hope the Deno runtime survives. It’s a breath of fresh air. B*n has far more bugs and compatibility issues than anyone will admit. Node still has too much friction around TypeScript and ECMAScript modules. So where does Deno go from here? Over to you, Ryan. Where is Deno CEO, Ryan Dahl? Tradition dictates an official PR statement following layoffs. Seems weird not to have one prepared in advance. That said, today is Friday, the day to bury bad news. I may be publishing this mere hours before we hear what happens next… Given Dahl’s recent tweets and blog post, a pivot to AI might be Deno’s gamble. By the way, it’s rather telling that all the ex-employees posted their departures on Bluesky. What that tells you depends on whether you enjoy your social media alongside Grok undressing women upon request. I digress. Idle speculation has led to baseless rumours of an OpenAI acquisition. I’m not convinced that makes sense but neither does the entire AI industry. I’m not trying to hate on Dahl but c’mon bro you’re the CEO. What’s next for Deno? Give me users anyone a reason to care. Although if you’re planning a 10× resurgence with automated Mac Minis, I regret asking.

David Bushell 2 months ago

SMTP on the edge

Disclaimer: this post includes my worst idea yet! Until now my contact form submissions were posted to a Cloudflare worker. The worker encrypted the details with PGP encryption. It then used the Amazon AWS “Simple Email Service” API to send an email to myself. PGP encryption meant that any middleman after the worker, like Amazon, could not snoop. (TLS only encrypts in transit.) The setup was okay but involved too many services. If you thought that was over-engineered, get a load of my next idea. My experiment with a self-hosted SMTP server was short-lived but I did learn to code SMTP protocol with server-side JavaScript. During that tinkering I had issues upgrading TLS on the SMTP server for receiving email. In my recent AT Protocol PDS adventure I learned that Proton Mail can generate restricted tokens for SMTP client auth. I’ve also been slowly migrating from Cloudflare to Bunny in my spare time. I was reminded that Bunny has Deno edge workers. Lightbulb moment: can I rawdog SMTP in a Bunny worker? This cuts out the AWS middleman. Neither Bunny nor Proton ever see the unencrypted data. True end-to-end encryption for my contact form! I threw together a proof-of-concept. My script opened a TCP connection to Proton using and sent the SMTP message. The connection was upgraded with to secure it. It then followed a very fragile sequence of SMTP messages to authenticate and send an email. If the unexpected happened it bailed immediately. Surprisingly this worked! I’m not sharing code because I don’t want to be responsible for any misuse. There is nothing in Bunny’s Terms of Service or Acceptable Use policy that explicitly prohibits sending email. Magic containers do block ports but edge scripting doesn’t. I asked Bunny support who replied: While Edge Scripting doesn’t expose the same explicit port limitation table as Magic Containers, it’s not intended to be used as a general-purpose SMTP client or email relay.
Outbound traffic is still subject to internal network controls, abuse prevention systems, and our Acceptable Use Policy. Even if SMTP connections may technically work in some cases, sending email directly from Edge Scripts (especially at scale) can trigger automated abuse protections. We actively monitor for spam and unsolicited email patterns, and this type of usage can be restricted without a specific “port block” being publicly documented. If you need to send transactional emails from your application, we strongly recommend using a dedicated email service provider (via API) rather than direct SMTP from Edge Scripting. bunny.net support …that isn’t an outright “no” but it’s obviously a bad idea. To avoid risking an account ban I decided to use the Bunny edge worker to forward the encrypted data to a self-hosted API. That service handles the SMTP. In theory I could decrypt and log locally, but I’d prefer to let Proton Mail manage security. I’m more likely to check my email inbox than a custom GUI anyway. The OpenPGP JavaScript module is a big boy at 388 KB (minified) and 144 KB (compressed). I load this very lazily after an event on my contact form. Last year in a final attempt to save my contact form I added a Cloudflare CAPTCHA to thwart bots. I’ve removed that now because I believe there is sufficient obfuscation and “proof-of-work” to deter bad guys. Binning both Cloudflare and Amazon feels good. I deleted my entire AWS account. My new contact form seems to be working. Please let me know if you’ve tried to contact me in the last two weeks and it errored. If this setup fails, I really will remove the form forever! Thanks for reading! Follow me on Mastodon and Bluesky . Subscribe to my Blog and Notes or Combined feeds. PGP encryption in the browser to Bunny edge worker SMTP directly to Proton

David Bushell 2 months ago

What is agentic engineering?

Below is a parody of Simon Willison’s What is agentic engineering?

I use the term agentic engineering to describe the practice of casino gambling with the assistance of random superstitions.

What are random superstitions? They’re superstitions that can both write and execute entropy. Popular examples include blowing on dice, wearing lucky socks, and saying a prayer.

What’s a superstition? Clearly defining that term is a challenge that has frustrated gambling researchers since at least the 1990s BC but the definition I’ve come to accept, at least in the field of Random Number Generators (RNGs) like GPT-5 and Gemini and Claude, is this one:

The “superstition” is a belief that calls upon God with your prompt and passes it a set of magic definitions, then calls any ritual that the deity requests and feeds the results back into the slot machine.

For random superstitions, those rituals include one that can confirm bias. You prompt the random superstition to define a bias. The superstition then generates and executes random numbers in a loop until that bias has been confirmed.

Dogmatic faith is the defining capability that makes agentic engineering possible. Without the ability to directly play a hand, anything output by an RNG is of limited value. With automated card shuffling, these superstitions can start iterating towards gambling that demonstrably “works”.

Enough of that. If you want to experience agentic engineering yourself, visit my homepage and play the one-armed code bandit!

David Bushell 2 months ago

SvelteKit i18n and FOWL

Perhaps my favourite JavaScript APIs live within the Internationalization namespace. A few neat things the global allows: natural alphanumeric sorting, relative date and times, currency formatting. It’s powerful stuff and the browser or runtime provides locale data for free! That means timezones, translations, and local conventions are handled for you. Remember moment.js? That library with locale data is over 600 KB (uncompressed). That’s why JavaScript now has the Internationalization API built-in.

SvelteKit and similar JavaScript web frameworks allow you to render a web page server-side and “hydrate” in the browser. In theory, you get the benefits of an accessible static website with the progressively enhanced delights of a modern “web app”.

I’m building attic.social with SvelteKit. It’s an experiment without much direction. I added a bookmarks feature and used to format dates. Perfect! Or was it? Disaster strikes! See this GIF:

What is happening here? Because I don’t specify any locale argument in the constructor it uses the runtime’s default. When left unconfigured, many environments will default to . I spotted this bug only in production because I’m hosting on a Cloudflare worker. SvelteKit’s first render is server-side using but subsequent renders use in my browser. My eyes are briefly sullied by the inferior US format! Is there a name for this effect? If not I’m coining: “Flash of Wrong Locale” (FOWL).

To combat FOWL we must ensure that SvelteKit has the user’s locale before any templates are rendered. Browsers may request a page with the HTTP header. The place to read headers is hooks.server.ts. I’ve vendored the @std/http negotiation library to parse the request header. If no locales are provided it returns which I change to . SvelteKit’s is an object to store custom data for the lifetime of a single request. Event are not directly accessible to SvelteKit templates. That could be dangerous. We must use a page or layout load function to forward the data. Now we can update the original example to use the data.

I don’t think the rune is strictly necessary but it stops a compiler warning. This should eliminate FOWL unless the header is missing. Privacy focused browsers like Mullvad Browser use a generic header to avoid fingerprinting. That means users opt-out of internationalisation but FOWL is still gone.

If there is a cache in front of the server that must vary based on the header. Otherwise one visitor defines the locale for everyone who follows unless something like a session cookie bypasses the cache.

You could provide a custom locale preference to override browser settings. I’ve done that before for larger SvelteKit projects. Link that to a session and store it in a cookie, or database. Naturally, someone will complain they don’t like the format they’re given. This blog post is guaranteed to elicit such a comment. You can’t win!

Why can’t you be normal, Safari? Despite using the exact same locale, Safari still commits FOWL by using an “at” word instead of a comma. Whose fault is this? The ECMAScript standard recommends using data from Unicode CLDR. I don’t feel inclined to dig deeper. It’s a JavaScriptCore quirk because Bun does the same. That is unfortunate because it means the standard is not quite standard across runtimes.

By the way, the i18n and l10n abbreviations are kinda lame to be honest. It’s a fault of my design choices that “internationalisation” didn’t fit well in my title.
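The negotiation and caching points above, sketched as an added example (not code from the post or from SvelteKit). It assumes the request header in question is `Accept-Language`; the allow-list, the fallback and every function name are hypothetical. Untrusted header text is reduced to one allow-listed locale before it reaches `Intl` or a cache key.

```javascript
// Added example; SUPPORTED, FALLBACK and all function names are hypothetical.
const SUPPORTED = ["en-GB", "en-US", "de-DE"]; // locales this site chooses to serve
const FALLBACK = "en-GB";
const TAG = /^(\*|[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*)$/;

// "de;q=0.7, en-US" -> ["en-US", "de"]; malformed or oversized input -> [].
function parseAcceptLanguage(header) {
  if (typeof header !== "string" || header.length > 512) return [];
  return header
    .split(",")
    .map((part, index) => {
      const [tag, ...params] = part.split(";").map((s) => s.trim());
      const qParam = params.find((p) => /^q=/i.test(p));
      return { tag, q: qParam ? Number(qParam.slice(2)) : 1, index };
    })
    .filter(({ tag, q }) => TAG.test(tag) && q > 0 && q <= 1)
    .sort((a, b) => b.q - a.q || a.index - b.index)
    .map(({ tag }) => tag);
}

// Map the request onto the allow-list so raw header text never reaches
// Intl (which throws RangeError on invalid tags) or a cache key.
function pickLocale(header) {
  for (const tag of parseAcceptLanguage(header)) {
    if (tag === "*") return FALLBACK;
    const lower = tag.toLowerCase();
    const primary = lower.split("-")[0];
    const match =
      SUPPORTED.find((s) => s.toLowerCase() === lower) ||
      SUPPORTED.find((s) => s.toLowerCase().split("-")[0] === primary);
    if (match) return match;
  }
  return FALLBACK;
}

// Server render: one explicit locale, announced to caches and to the client.
function render(headers, date) {
  const locale = pickLocale(headers["accept-language"]);
  const fmt = new Intl.DateTimeFormat(locale, { dateStyle: "medium", timeZone: "UTC" });
  return {
    locale, // forward this to the client so hydration formats identically
    body: fmt.format(date),
    headers: { "Content-Language": locale, Vary: "Accept-Language" },
  };
}

// Cache key built from the negotiated locale, not the raw header.
function cacheKey(path, header) {
  return `${path}|${pickLocale(header)}`;
}
```

Keying the cache on the negotiated locale keeps the number of variants bounded by the allow-list, whereas a cache that varies on the raw header stores one copy per distinct header string.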

David Bushell 2 months ago

Building on AT Protocol

AT Protocol has got me! I’m morphing into an atmosphere nerd. AT Protocol — atproto for short — is the underlying tech that powers Bluesky and new social web apps. Atproto as I understand it is largely an authorization and data layer. All atproto data is inherently public. In theory it can be encrypted for private use but leaky metadata and de-anonymisation is a whole thing.

Atproto users own the keys to their data which is stored on a Personal Data Server (PDS). You don’t need to manage your own. If you don’t know where your data is stored, good chance it’s on Bluesky’s PDS. You can move your data to another PDS like Blacksky or Eurosky. Or if you’re a nerd like me self-host your own PDS. You own your data and no PDS can stop you moving it.

Atproto provides OAuth; think “Sign in with GitHub”. But instead of an account being locked behind the whims of proprietary slopware, user identity is proven via their PDS. Social apps like Bluesky host a PDS allowing users to create a new account. That account can be used to login to other apps like pckt, Leaflet, or Tangled. You could start a new account on Tangled’s PDS and use that for Bluesky. Atproto apps are not required to provide a PDS but it helps to onboard new users.

Of course I did. You can sign in at attic.social

Attic is a cozy space with lofty ambitions. What does Attic do? I’m still deciding… it’ll probably become a random assortment of features. Right now it has bookmarks. Bookmarks will have search and tags soon.

Technical details: to keep the server stateless I borrowed ideas from my old SvelteKit auth experiment. OAuth and session state is stored in encrypted HTTP-only cookies. I used the atcute TypeScript libraries to do the heavy atproto work. I found @flo-bit’s projects which helped me understand implementation details. Attic is on Cloudflare workers for now. When I’ve free time I’ll explore the SvelteKit Bunny adapter. I am busy on client projects so I’ll be scheming Attic ideas in my free time.

What’s so powerful about atproto is that users can move their account/data. Apps write data to a PDS using a lexicon; a convention to say: “this is a Bluesky post”, for example. Other apps are free to read that data too. During authorization, apps must ask for permission to write to specific lexicons. The user is in control.

You may have heard that Bluesky is or isn’t “decentralised”. Bluesky was simply the first atproto app. Most users start on Bluesky and may never be aware of the AT Protocol. What’s important is that atproto makes it difficult for Bluesky to “pull a Twitter”, i.e. kill 3rd party apps, such as the alternate Witchsky.

If I ever abandon attic.social your data is still in your hands. Even if the domain expires! You can extract data from your PDS. You can write a new app to consume it anytime. That’s the power of AT Protocol.
