Kait

Text Posts

OpenAI announced Sora, a new model for text-to-video, and it's ... fine? I guess? I mean, I know why they announced it - it's legitimately really cool you can type something in and a video vaguely approximating your description in really high resolution shows up.

I just don't think it's really all that useful in real-world contexts.

Don't get me wrong, I appreciate their candor in the "whoopsies" segments, but even in the show-off pieces some of the video ranges from weird to just downright bad.

[Image: A screenshot of a video of a woman walking, where her thumb is approximately as long as all her other fingers]

Hands are hard! I get it! But there's also quite literally a "bag lady" (a woman who appears to be carrying at least two gigantic purses), and (especially when the camera moves) the main character floats along the ground without actually walking pretty often.

Are these nitpicky things people aren't going to notice on first glance? Maybe. But remember the outrage around Ugly Sonic? People notice small (or large) discrepancies in their popular entertainment, and the brand suffers for it. To say nothing of advertisers! Imagine trying to market your brand-new (well, "new" in car definitions) car without an accurate model of said car in the ad. Or maybe you really want to buy the latest Danover.

[Image: An AI-generated commercial of a generic SUV with the word "Danover" as the brand.]

It seems like all the current AI output has a limit of "close-ish" for things, from self-driving to video to photos to even text generation. It all requires human editing, often significant for any work of reasonable size, to pull it out of the uncanny valley.

"But look how far they've gotten in such little time!" they cry. "Just wait!"

But nobody's managed to push past that last 10% in any domain. It always requires a human touch to get it "right."

Like the fake Land Rover commercial is interesting, except imagine the difficulty of getting it to match your new product (look and name) exactly. You're almost going to have to CGI it in after, at least parts, at which point you've lost much of the benefit.

Unfortunately, "close enough" is good enough for a lot of people who are lazy, cheap or don't care about quality. The software example I'd give is there probably aren't a lot of companies who'd be willing to pay for software consultant services who are just going to use AI instead, but plenty of those people who message you on LinkedIn willing to pay you $200 for a Facebook clone absolutely are going to pay Copilot $20 a month instead.

And yes, there will be those people (especially levels removed from the actual work) who will think they can replace their employees with chatbots, and it might even work for a little bit. But poorly designed systems always have failure points, and once you hit it you're going to wind up having to scrap the whole thing. A building with a bad foundation can't be fixed through patching.

I have a feeling it's the same in other industries. I do think workers will feel the hit, especially on lower-budget products already or where people see an opportunity to cut corners. I also think our standards as a society will be relaxed a little bit in a lot of areas, simply because the mean will regress

But in good news, I think this'll shake out in a few years where people realize AI isn't replacing everything any more than Web3 did, but AI will have more utility as a tool in the toolkit of professionals. It's just gonna take a bit to get there.

The funny thing is a lot of the uncanny stuff makes it look like the model was trained on CGI videos, which might be a corollary to the prophesied problem of AI training on AI outputs. The dalmatian looks and moves CGI af, and the train looks like a bad photoshop insert where they had a video of a train on flat ground and matted over the background with a picture.

How many Ryan Reynoldses do we as a moviegoing public need? I felt like the original had it more than covered, but with the Chrises three (Pratt, Hemsworth and Evans) and now Ryan Gosling, I feel like my cup overfloweth with meta-acting and fourth-wall-chewing.

To be fair, Pratt did it more but RR did it most.

Not wanting to deal with security/passwords and allowing third-party logins has given way to complacency, or outright laziness. Here are some troubling patterns I've noticed trying to de-google my primary domain.

1) Google does not really keep track of where your account has been used. Yes, there's an entry in security, but the titles are entirely self-reported and are often useless (wtf is Atlas API production?). They also allow for things like "auth0" to be set as the responsible entity, so I have no idea what these accounts are even for.

2) This would not be a problem if systems were responsible with the user identity and used your Google account as a signifier. However, many apps (thus far, Cloudinary and Figma are my biggest headaches) treat the Google account as the owner of the account, meaning if I lose access to that Google account (like now, when I'm migrating the email off of Google), I'm SOL.

The RESPONSIBLE way to do this is allow me to disconnect the Google sign on and require a password reset. This is just lazy.

The best solution I've found is to add a new account with an alt email address to the "team" account with admin ownership, but this is a hacky kludge, not a solution.
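The difference between a login that owns the account and a login that is only one way into it, as an added example (not code from Google, Cloudinary, Figma or any other service named here). All class and function names are hypothetical, the data is constructed, and mailing the reset token is left out.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    account_id: str      # internal key: this owns the data, not the IdP login
    contact_email: str   # user-editable; reset mail goes here
    identities: set = field(default_factory=set)  # {(provider, subject)}
    salt: Optional[bytes] = None
    password_hash: Optional[bytes] = None
    reset_digest: Optional[str] = None  # SHA-256 of the outstanding reset token


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class Directory:
    def __init__(self):
        self.accounts = {}      # account_id -> Account
        self.by_identity = {}   # (provider, subject) -> account_id

    def federated_sign_in(self, provider, subject, email):
        """The provider's subject is a lookup key, never the owner of the data."""
        key = (provider, subject)
        if key not in self.by_identity:
            acct = Account(secrets.token_hex(8), email, {key})
            self.accounts[acct.account_id] = acct
            self.by_identity[key] = acct.account_id
        return self.accounts[self.by_identity[key]]

    def start_reset(self, acct):
        """Return a one-time token; a real app mails it to acct.contact_email."""
        token = secrets.token_urlsafe(32)
        acct.reset_digest = _digest(token)  # store only the digest
        return token

    def finish_reset(self, acct, token, new_password):
        if acct.reset_digest is None:
            return False
        if not hmac.compare_digest(_digest(token), acct.reset_digest):
            return False
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = _hash_password(new_password, acct.salt)
        acct.reset_digest = None  # single use
        return True

    def password_sign_in(self, email, password):
        for acct in self.accounts.values():
            if acct.contact_email != email or acct.password_hash is None:
                continue
            if hmac.compare_digest(_hash_password(password, acct.salt),
                                   acct.password_hash):
                return acct
        return None

    def unlink(self, acct, provider, subject):
        """Disconnect a provider login without stranding the account."""
        key = (provider, subject)
        if key not in acct.identities:
            return False
        if acct.password_hash is None and len(acct.identities) == 1:
            return False  # last way in: the password reset has to happen first
        acct.identities.discard(key)
        del self.by_identity[key]
        return True


def migrate_off_google():
    """Walk the flow the post asks for; returns each step's outcome."""
    d = Directory()
    acct = d.federated_sign_in("google", "constructed-sub-1", "user@old.example")
    early = d.unlink(acct, "google", "constructed-sub-1")  # refused
    acct.contact_email = "user@new.example"  # a real app verifies this change
    token = d.start_reset(acct)
    reset_ok = d.finish_reset(acct, token, "constructed passphrase")
    unlinked = d.unlink(acct, "google", "constructed-sub-1")
    still_in = d.password_sign_in("user@new.example", "constructed passphrase") is acct
    return early, reset_ok, unlinked, still_in
```
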

Because I use this like three times a year and always have to look it up: When you want to merge folders of the same name on a Mac (e.g., two identically named folders where you want the contents of Folder 1 and Folder 2 to be in Folder 2), hold down the option key and drag Folder 1 into the container directory of Folder 2. You should see the option to merge.

Note that this is a copy merge, not a move merge, so you'll need to delete the source files when you're done. It also appears to handle recursion properly (so if you have nested folders named the same, it'll give you the same option).

Did I almost look up a whole app to do this? Yes, I did. Is it stupid this isn't one of the default options when you click and drag? Yes, it is.

This post brought to you by Google Drive's decision to chunk download archives separately (e.g., it gives me six self-contained zips rather than 6 zip parts). Which is great for failure cases but awful on success.

Disclaimer: I am not receiving any affiliate marketing for this post, either because the services don't offer it or they do and I'm too lazy to sign up. This is just stuff I use daily that I make sure all my new computers get set up with.

My current list of must-have Mac apps, which are free unless otherwise noted. There are other apps I use for various purposes, but these are the ones that absolutely get installed on every machine.

  • 1Password
    Password manager, OTP authenticator, Passkey holder and confidential storage. My preferred pick, though there are plenty of other options. ($36/year)

  • Bear
    Markdown editor. I write all my notes in Bear, and sync 'em across all my devices. It's a pleasant editor with tagging. I am not a zettelkasten person and never will be, but tagging gets me what I need. ($30/year)

  • Contrast
    Simple color picker that also does contrast calculations to make sure you're meeting accessibility minimums (you can pick both foreground and background). My only complaint is it doesn't automatically copy the color to the clipboard when you pick it (or at least the option to toggle same).

  • Dato
    Calendar app that lives in your menubar, using your regular system accounts. Menubar calendar is a big thing for me (RIP Fantastical after their ridiculous price increase), but the low-key star of the show is the "full-screen notification." Basically, I have it set up so that 1 minute before every virtual meeting I get a full-screen takeover that tells me the meeting is Happening. No more "notification 5 minutes before, try to do something else real quick then look up and realize 9 minutes have passed." ESSENTIAL. ($10)

  • iTerm2
    I've always been fond of Quake-style terminals, so much so that unless I'm in an IDE it's all I'll use. iTerm lets you a) remove it from the Dock and App Switcher, b) force it to load only via a global hotkey, and c) animate up from whatever side of the screen you choose to show the terminal. A+. I tried WarpAI for a while, and while I liked the autosuggestions, the convenience of an always-available terminal without cluttering the Dock or App Switcher is, apparently, a deal-breaker for me.

  • Karabiner Elements
    Specifically for my laptop when I'm running without my external keyboard. I map caps lock to escape (to mimic my regular keyboards), and then esc is mapped to hyper (for all my global shortcuts for Raycast, 1Password, etc.).

  • NextDNS
    Secure private DNS resolution. I use it on all my devices to manage my homelab DNS, as well as set up DNS-based ad-blocking. The DNS can have issues sometimes, especially in conjunction with VPNs (though I suspect it's more an Apple problem, as all the options I've tried get flaky at points for no discernible reason), but overall it's rock-solid. ($20/year)

  • NoTunes
    Prevents iTunes or Apple Music from launching. Like, when your AirPods switch to the wrong computer and you just thought the music stopped so you tapped them to start and all of a sudden Apple Music pops up? No more! You can also set a preferred default music app instead.

  • OMZ (oh-my-zsh)
    It just makes the command line a little easier and more pleasing to use. Yes, you can absolutely script all this manually, but the point is I don't want to.

  • Pearcleaner
    The Mac app uninstaller you never knew you needed. I used to swear by AppCleaner, but I'm not sure it's been updated in years.

  • Raycast
    Launcher with some automation and scripting capabilities. Much better than spotlight, but not worth the pro features unless you're wayyyy into AI. Free version is perfectly cromulent. Alfred is a worthy competitor, but they haven't updated the UI in years and it just feels old/slower. Plus the extensions are harder to use.

  • Vivaldi
    I've gone back to Safari as my daily driver, but Vivaldi is my browser of choice when I'm testing in Chromium (and doing web dev in general. I love Safari, but the inspector sucks out loud). I want to like Orion (it has side tabs!). It keeps almost pulling me back in but there are so many crashes and incompatible sites I always have to give up within a week. So Safari for browsing, Vivaldi for development.

Still waiting for that SQL UI app that doesn't cost a ridiculous subscription per month. RIP Sequel Pro (and don't talk to me about Sequel Ace, I lost too much data with that app).

At some point companies and orgs are going to learn that when you attune so sharply to the feedback loop, you only hear the loudest voices, who are usually a small minority. If you only cater to them, you’re dooming yourself to irrelevance.

This post was brought to you by my formerly beloved TV series Below Deck

I've recently been beefing up my homelab game, and I was having issues getting a Gotify secure websocket to connect. I love the Caddy webserver for both prod and local installs because of how easy it is to configure.

For local installs, it defaults to running its own CA and issuing a certificate. Now, if you're only running one instance of Caddy on the same machine you're accessing, getting the certs to work in browsers is as easy as running caddy trust.

But in a proper homelab scenario, you're running multiple machines (and, often, virtualized machines within those boxes), and the prospect of grabbing the root cert for each just seemed like a lot of work. At first, I tried to set up a CA with Smallstep, but was having enough trouble just getting all the various pieces figured out that I figured there had to be an easier way.

There was.

I registered a domain name (penginlab.com) for $10. I set it up with an A record pointing at my regular dev server, and then in the Caddyfile gave it instructions to serve up the primary domain, and a separate instance for a wildcard domain.

When Let's Encrypt issues a wildcard certificate, it uses a DNS challenge, meaning it only needs a TXT record inserted into your DNS zone to prove it should issue you the certificate. Assuming your registrar is among those included in the Caddy DNS plugins, you can set your server to handle that automatically.

(If your registrar is not on that list, you can always use

certbot certonly --manual

and enter the TXT record yourself. You only need to do it once a quarter.)
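What goes into that TXT record and why it proves control, as an added example (not from the original post, and not Caddy's or certbot's code). It follows the dns-01 rules in RFC 8555 and the key thumbprint in RFC 7638; the account key and tokens are constructed placeholders and the function names are hypothetical.

```python
import base64
import hashlib
import json

# Constructed sample data: placeholder key coordinates and challenge tokens,
# not a real ACME account or a real order.
SAMPLE_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
                      "x": "Y29uc3RydWN0ZWQteC1jb29yZGluYXRl",
                      "y": "Y29uc3RydWN0ZWQteS1jb29yZGluYXRl",
                      "kid": "ignored-by-the-thumbprint"}
SAMPLE_TOKENS = {"penginlab.com": "constructed-token-for-apex",
                 "*.penginlab.com": "constructed-token-for-wildcard"}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def challenge_record_name(identifier: str) -> str:
    """A wildcard is validated at its base name, so "*." is dropped."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base.rstrip(".").lower()


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """The CA's token bound to the requester's account key, then hashed."""
    key_authorization = token + "." + jwk_thumbprint(account_jwk)
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def txt_records_for_order(tokens_by_identifier: dict, account_jwk: dict) -> dict:
    """Record name -> list of TXT values that must all be present at once."""
    records = {}
    for identifier, token in tokens_by_identifier.items():
        name = challenge_record_name(identifier)
        records.setdefault(name, []).append(dns01_txt_value(token, account_jwk))
    return records


def txt_proves_control(token: str, account_jwk: dict, observed_values) -> bool:
    """The CA's side: does any TXT value at the name match what it expects?"""
    expected = dns01_txt_value(token, account_jwk)
    # Resolver tools usually print TXT data wrapped in double quotes.
    return any(value.strip('"') == expected for value in observed_values)


if __name__ == "__main__":
    for name, values in txt_records_for_order(SAMPLE_TOKENS, SAMPLE_ACCOUNT_JWK).items():
        for value in values:
            print(f'{name}. TXT "{value}"')
```

The apex name and the wildcard land on the same record name with two different values, so both TXT values have to be in the zone at the same time when a certificate covers both.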

Now we have a certificate that is valid for HTTPS connections to any subdomain of penginlab.com. You simply copy the fullchain.pem and privkey.pem files down to your various machines (I set up a bash script that scps the files down to one of my local machines and then scps them out to everywhere they need to go on the local network).

Once you have the cert, you can set up your Caddy servers to use it with the tls directive:

tls /path/to/fullchain.pem /path/to/privkey.pem

You'll also need to update your local DNS (since your DNS provider won't let you point public URLs at private IP addresses), but I assume you were doing that anyway (I personally use NextDNS for a combination of cloud-based ad-blocking and lab DNS management).

Bam! Fully accepted HTTPS connections from any machine on your network. And all you have to do is run one bash script once a quarter (which you can even throw on a cron). Would that all projects have so satisfying and simple a solution.

I'm definitely not brave enough to put it on a cron until I've run it manually at least three times, TBH. But it's a nice thought!

Re: Apple’s convoluted EU policies

It's surprising how often D&D is relevant in my everyday life. Most people who play D&D are in it to have fun. They follow the rules - not just the letter of the law, but the spirit.

But every once in a while you'll encounter a "rules lawyer," a player who's more concerned with making sure you observe and obey every tiny rule, punish every peccadillo, than actually having fun.

All the worse when it's your GM, the person in charge of running the game.

But there's one thing you learn quickly - if someone is trying to game the rules, the only way to win (or have any fun) is play the game right back.

For smaller/mid-tier devs, if you're only offering free apps you should probably just continue in the App Store.

But for larger devs who might run afoul of the new guidelines where apps distributed outside the App Store get charged a fee every time they go over a million users?

Oops, Apple just created collectible apps, where if you have Facebook (and not Facebook2), we know you got in early. Think about it: Same codebase, different appId. The external app stores can even set up mechanisms for this to work - every time you hit 999,000 installs, it creates a new listing that just waits for you to upload the new binary (and switches when you hit 995K). Now your users are incentivized to download your app early, in case it becomes the big thing. Lower app # is the new low user ID.

If I'm Microsoft, I'm putting a stunted version of my app in the App Store (maybe an Office Documents Viewer?) for free, with links telling them if they want to edit they have to go to the Microsoft App Store to download the app where Apple doesn't get a dime (especially if Microsoft uses the above trick to roll over the app every 995K users).

Even in the world where (as I think is the case in this one) Apple says all your apps have to be on the same licensing terms (so you can't have some App Store and some off-App Store), it costs barely anything to create a new LLC (and certainly less than the 500K it would cost if your app hits a million users). Apple's an Irish company, remember? So one of your LLCs is App Store, and the other is external.

To be clear, I don't like this setup. I think the iPhone should just allow sideloading, period. Is all of this more complicated for developers? Absolutely! Is the minimal amount of hassle worth saving at least 30 percent of your current revenue (or minimum $500K if you go off-App Store)? For dev shops of a certain size, I would certainly think so.

The only way to have fun with a rules lawyer is to get them to relax, or get them to leave the group. You have to band together to make them see the error of their ways, or convince them it's so much trouble it's not worth bothering to argue anymore.

Yes, Apple is going to (rules-)lawyer this, but they made it so convoluted I would be surprised if they didn't leave some giant loopholes, and attempting to close them is going to bring the EU down on them hard. If the EU is even going to allow this in the first place.

I'll be hitting the lecture circuit again this year, with three conferences planned for the first of 2024.

In February, I'll be at Developer Week in Oakland (and online!), talking about Data Transfer Objects.

In March, I'll be in Michigan for the Michigan Technology Conference, speaking about clean code as well as measuring and managing productivity for dev teams.

And in April I'll be in Chicago at php[tek] to talk about laws/regulations for developers and DTOs (again).

Hope to see you there!

Who holds a conference in the upper Midwest in March???

Hey everybody, in case you wanted to see my face in person, I will be speaking at LonghornPHP, which is in Austin from Nov. 2-4. I've got two three things to say there! That's twice thrice as many things as one thing! (I added a last-minute accessibility update).

In case you missed it, I said stuff earlier this year at SparkConf in Chicago!

I said stuff about regulations (HIPAA, FERPA, GDPR, all the good ones) at the beginning of this year. This one is available online, because it was only ever available online:

I am sorry for talking so fast in that one, I definitely tried to cover more than I should have. Oops!

The SparkConf talks are unfortunately not online yet (for *reasons*), and I'm doubtful they ever will be.

WordPress 6.2.1 changelog:

Block themes parsing shortcodes in user generated data; thanks to Liam Gladdy of WP Engine for reporting this issue

As a reminder, from Semver.org:

Given a version number MAJOR.MINOR.PATCH, increment the:
1. MAJOR version when you make incompatible API changes
2. MINOR version when you add functionality in a backward compatible manner
3. PATCH version when you make backward compatible bug fixes

As it turns out, just because you label it as a "security" patch doesn't make it OK to completely annihilate functionality that numerous themes depend on.

This bit us on a number of legacy sites that depend entirely on shortcode parsing for functionality. Because it's a basic feature. We sanitize ACTUAL user-generated content, but the CMS considers all database content to be "user content."

WordPress is not stable, should not be considered to be an enterprise-caliber CMS, and should only be run on WordPress.com using WordPress.com approved themes. Dictator for life Matt Mullenweg has pretty explicitly stated he considers WordPress' competitors to be SquareSpace and Wix. Listen to him.

Friends don't let their friends use WordPress

Rarely is the question asked, "Is our children tweeting?" This question is likely nonexistent in journalism schools, which currently provide the means for 95+ percent of aspiring journalists to so reach said aspirations. Leaving aside the relative "duh" factor (one imagines someone who walks into J101 without a Twitter handle is the same kind of person who scrunches up his nose and furrows his brow at the thought of a "smart ... phone?"), simple (slightly old) statistics tell us that 15% of Americans on the Internet use Twitter.

(This is probably an important statistic for newsrooms in general to be aware of vis-a-vis how much time they devote to it, but that's another matter.)

For most journalism students, Twitter is very likely already a part of life. Every introduction they're given to Twitter during a class is probably time better spent doing anything else, like learning about reporting. Or actually reporting. Or learning HTML.

I know this idea is not a popular one. The allure and promise of every new CMS or web service that comes out almost always includes a line similar to, "Requires no coding!" or "No design experience necessary!" And they're right, for the most part. If all you're looking to do is make words appear on the internet, or be able to embed whatever the latest Storify/NewHive/GeoFeedia widget they came out with, you probably don't need to know HTML.

Until your embed breaks. Or you get a call from a reader who's looking at your latest Spundge on an iPad app and can't read a word. Or someone goes into edit your story and accidentally kills off a closing </p> tag, or adds an open <div>, and everything disappears.

Suddenly it's "find the three people in the newsroom who know HTML," or even worse, try to track down someone in IT who's willing to listen. Not exactly attractive prospects.

Heck, having knowledge of how the web works would probably even help them use these other technologies. Not just in troubleshooting, but in basic setup and implementation. In the same way we expect a basic competence in journalists to produce their stories in Word (complete with whatever styles or code your antiquated pagination system might prescribe), so too should we expect the same on digital.

Especially in a news climate where reporters are expected as a matter of routine to file their own stories to the web, it's ludicrous that they're not expected to know that an <img> tag self-closes, or even the basic theory behind open and closed tags. No one ever did their job worse because they knew how to use their tools properly.

I'm not saying everyone needs to be able to code his or her own blog, but everyone should have a basic command of their most prominent platform. It's time we shifted the expectations for reporters from "not focused entirely on print" to "actually focused on digital."

Thanks to Elon, no one asks if our children are tweeting anymore. There's a big advantage in learning how to use all your tools properly, even if it doesn't seem like it.

Poems for our "bureau" reporter in Santa Fe, whose stories I'm always left waiting for when I'm laying out:

Sitting at my desk
wondering if you're still alive
unmoved either way.

Four stories at noon
two out, two new by midday;
none ever find me.

He's slaving away
Interviewing, contacting;
AP filed at 5.

A blank page, staring
waiting to be filled with news ...
Angry Birds high score!

The downside of biking to work is I have to interact with people. To wit:

Our HEROINE is biking to work, since she lives like six blocks away and gas is well north of $3 in New Mexico. After a minutes-long coast (it's mostly downhill), she arrives at work and begins to lock up her bike.

FRIGHTENING BLOND WOMAN, who was lurking behind the building, comes around the corner talking loudly on her cell phone.

FBW: I don't know, I don't have the money.

Our HEROINE is doing her best not to listen, as it doesn't sound like a fun conversation to be dropping eaves on. Due to the volume the conversation is conducted at, however, she has no choice.

FBW: I don't have the money to file papers! If I have to go see a lawyer, I'm gonna go bankrupt.

At this point, our HEROINE realizes she's overhearing a discussion about divorce. Though the woman is glib, it's difficult to tell if she's joking or not. Her face is strained, even when smiling, giving it an almost movie-like quality - as if, at any moment, you'd expect her to pitch forward with an arrow sticking out of the back of her head.

FBW: Well if you're just going to die, I won't have to worry about it. I'll just be a widow, no problem.

Our HEROINE finally manages to work the lock, clicks it into place, and fairly runs into the building.

See, you can give me the environmental, physical and financial benefits of the bike versus the car all you want, but at least when I'm in my car I don't have to deal with the insanity of others. It's not like I'm deficient in that category myself.

Clearly, the problem was with me - I wasn't wearing headphones

Yesterday was Moving Day; as is tradition, that means today is "Not Moving Day," owing to the soreness from yesterday.

Moving is supposed to bring about an onslaught of different emotions: a twinge of nostalgia at leaving the place you've called home, sadness at altering/losing the different interpersonal relationships you've developed at said location, and excitement or trepidation at the thought of what's to come.

I don't know that exhaustion can rightly be counted as an emotion, but the depth to which I feel it now seems to indicate it should at least be in the running.

After the third or fourth major geographical upheaval in 12 months (with a few minor phase shifts as well), moving just doesn't have the same impact anymore. Sleeping for the first time under a new roof felt just as comfortable as sleeping under the old one, which is to say "not very" because I never really "settled in" to the old apartment in the proper sense. Despite living there for eight months, the overly spacious two-bedroom apartment treated me more as a guest in a motel room than a permanent occupant.

Sure, I have some memories. The hideously overweight 40-some-year-old creepster who lived on the ground floor and sat outside his apartment 80 percent of the time, whiling away the days smoking, eating peaches or painting his fingernails a flamboyant hunter orange. That wouldn't have been so bad were it not for his completely obvious leering at women half his age or whenever he'd get in the mood to go shirtless.

Or consider the Albertson's grocery cart in the parking lot that mysteriously disappeared and reappeared on no set schedule, without rhyme or reason. Nothing says class like an Albertson's grocery cart.

Obviously, it wasn't all bad. Friends came over, drinks were drunk (and drunks kept drinking), movies were watched, great books were read and many a sleep was slept. But none of this served to dispel the ever-present air of transiency.

I'm now in Spokane, more specifically Browne's Addition, working at a job that seems pretty damn perfect for me (more on that later). The hope is to keep this apartment for quite some time, to break the moving cycle. At least long enough so that the next time I have to move, it actually means something again.

Oh, Li'l Kait was so young and innocent.

I realize that former Gonzaga basketball player Josh Heytvelt was trying to give a heartfelt interview and express his remorse over being arrested for possession of 'shrooms, but there's a reason why athletes usually have people talk for them. This quote is why:

Heytvelt was ordered to do 240 hours of community service. He did more than 300, working primarily with terminally ill children at a Ronald McDonald House. "That really made me think that those kids aren't choosing to have cancer. They're given that," Heytvelt said. "I realized I had made some really bad choices and that really made me think about every choice I made from then on out."

Two questions: Did Heytvelt previously think those children had chosen to have cancer, and who did he think gave it to them?

I still think the kids wouldn't have minded some psychedelics.