
Poren Chiang

@rschiang.g0v.social.ap.brid.gy

FLOSS developer and digital law researcher. 📡 digital policy · electronic voting · information law 📌 information law, translation, free software 🌉 bridged from https://g0v.social/@RSChiang on the fediverse by https://fed.brid.gy/

6 Followers  |  0 Following  |  41 Posts  |  Joined: 17.10.2024  |  1.9856

Latest posts by rschiang.g0v.social.ap.brid.gy on Bluesky

A loose consensus still doesn't mean sloppy output.

#社群的人

23.10.2025 18:32 — 👍 0    🔁 0    💬 0    📌 0
A new breed of analyzers

(See how I cleverly did not mention AI in the title!)

You know we have seen more than our fair share of slop reports sent to the curl project so it seems only fair that I also write something about the state of AI when we get to enjoy some positive aspects of this technology. Let's try doing this in a chronological order.

## The magnitude of things

curl is almost 180,000 lines of C89 code, excluding blank lines. About 637,000 words in C and H files. To compare, the original novel War and Peace (a _thick_ book) consisted of 587,000 words.

The first ideas and traces for curl originated in the httpget project, started in late 1996. Meaning that there is a lot of history and legacy here.

curl does network transfers for 28 URL schemes, it has run on over 100 operating systems and on almost 30 CPU architectures. It builds with a wide selection of optional third party libraries.

We have shipped over 270 curl releases for which we have documented a total of over 12,500 bugfixes. More than 1,400 humans have contributed with commits merged into the repository, over 3,500 humans are thanked for having helped out. It is a very actively developed project.

## It started with sleep

On August 11, 2025 there was a curl vulnerability reported against curl that would turn out legitimate and it would later be published as CVE-2025-9086. The reporter of this was the Google Big Sleep team. A team that claims they use "an AI agent developed by Google DeepMind and Google Project Zero, that actively searches and finds unknown security vulnerabilities in software".

This was the first ever report we have received that seems to have used AI to accurately spot and report a security problem in curl. Of course, we don't know how much AI and how much human were involved in the research and the report. The entire reporting process felt very human.

## krb5-ftp

In mid September 2025 we got a new security vulnerability reported against curl from a security researcher we had not been in contact with before. The report, which accurately identified a problem, was not turned into a CVE only because of sheer luck: the code didn't work for other reasons so the vulnerability couldn't actually be reached. As a direct result of this lesson, we ripped out support for krb5-ftp.

## ZeroPath

The reporter of the krb5-ftp problem is called Joshua Rogers. He contacted us and graciously forwarded us a huge list of more potential issues that he had extracted. As I understand it, mostly done with the help of ZeroPath. A code analyzer with AI powers.

In the curl project we continuously run compilers with maximum pickiness enabled and we throw scan-build, clang-tidy, CodeSonar, Coverity, CodeQL and OSS-Fuzz at it and we always address and fix every warning and complaint they report, so it was a little surprising that this tool now suddenly could produce over _two hundred_ new potential problems. But it sure did. And it was only the beginning.

## At three there is a pattern

As we started to plow through the huge list of issues from Joshua, we received yet another security report against curl. This time by Stanislav Fort from Aisle (using their own AI powered tooling and pipeline for code analysis). Getting security reports is not uncommon for us, we tend to get 2-3 every week, but on September 23 we got another one we could confirm was a real vulnerability. Again, an AI powered analysis tool had been used. (At the time I write this blog entry, this particular issue has not been disclosed yet so I can't link it.)

## A shift in the wind

As I was amazed by the quality and insights in some of the issues in Joshua's initial list he sent over I tooted about it on Mastodon, which later was picked up by Hacker News, The Register, Elektroniktidningen and more.

These new reported issues feel quite similar in nature to the defects code analyzers typically report: small mistakes, omissions, flaws, bugs. Most of them are just plain variable mixups, return code confusions, small memory leaks in weird situations, state transition mistakes and variable type conversions possibly leading to problems etc. Remarkably few of them are complete false positives.

The quality of the reports make it feel like a new generation of issue identification. Like in this ladder of tool evolution from the old days. Each new step has taken the notch up a level:

1. At some point I think starting in the early 2000s, the C compilers got better at actually warning and detecting many mistakes they just silently allowed back in the dark ages
2. Then the code analyzers took us from there to the next level and found more mistakes in the code.
3. We added fuzzing to the mix in the mid 2010s and found a whole slew of problems we never realized before we had.
4. Now this new breed, almost like a new category, of analyzers that seem to connect the dots better and see patterns previous tools and analyzers have not been able to. And tell us about the discrepancies.

## 25% something

Out of that initial list, we merged about 50 separately identifiable bugfixes. The rest were some false positives but also lots of minor issues that we just didn't think were worth poking at or we didn't quite agree with.

## A minor tsunami

We (primarily Stefan Eissing and myself) worked hard to get through that initial list from Joshua within only a couple of days. A list we mistakenly thought was "it". Joshua then spiced things up for us by immediately delivering a _second_ list with 47 additional issues. Followed by a third list with yet another 158 additional potential problems. At the same time Stanislav did a similar thing and delivered to us two lists with a total of around twenty possible issues.

Don't get me wrong. This is good. The issues are of high quality and even the ones we dismiss often have some insights and the rate of obvious false positives has remained low and quite manageable. Every bug we find and fix makes curl better. Every fix improves a software that impacts and empowers a huge portion of the world.

The total amount of suspected issues submitted by these two gentlemen is now at over _four hundred_. A fair pile of work for us curl maintainers!

Because these reported issues _might_ include security sensitive problems, we have decided to not publish them but limit access to the reporters and the curl security team.

As I write this, we are still working our way through these reports but it feels reasonable to assume that we will get even more soon…

## All code

An obvious and powerful benefit this tool seems to have compared to others is that it scans _all_ source code without having a build. That means it can detect problems in all backends used in all build combinations. _Old style_ code analyzers require a proper build to analyze and since you can build curl in countless combinations with a myriad of backend setups (where several are architecture or OS specific), it is literally impossible to have all code analyzed with such tools.

Also, these tools can inject (parts of) third party libraries as well and find issues in the borderland between curl and its dependencies.

I think this is one primary reason it found so many issues: it checked lots of code barely any other analyzers have investigated.

## A few examples

To illustrate the level of "smartness" in this tool, allow me to show a few examples that I think show it off. These are issues reported against curl in the last few weeks and they have all been fixed. Beware that you might have to understand a thing or two about what curl does to properly follow here.

### A function header comment was wrong

It correctly spotted that the documentation in the function header incorrectly said an argument is optional when in reality it isn't. The fix was to correct the comment.

# `Curl_resolv`: NULL out-parameter dereference of `*entry`

* **Evidence:** `lib/hostip.c`. API promise: "returns a pointer to the entry in the `entry` argument (**if one is provided**)." However, code contains unconditional writes: `*entry = dns;` or `*entry = NULL;`.
* **Rationale:** The API allows `entry == NULL`, but the implementation dereferences it on every exit path, causing an immediate crash if a caller passes `NULL`.

I could add that the fact that it takes comments so seriously can also trick it to report wrong things when the comments are outdated and state bad "facts". Which of course shouldn't happen because comments should not lie!

### code breaks the telnet protocol

It figured out that a piece of telnet code actually wouldn't comply with the telnet protocol and pointed it out. Quite impressively I might add.

**Telnet subnegotiation writes unescaped user-controlled values (tn->subopt_ttype, tn->subopt_xdisploc, tn->telnet_vars) into temp (lines 948–989) without escaping IAC (0xFF)**

In lib/telnet.c (lines 948–989) the code formats Telnet subnegotiation payloads into temp using msnprintf and inserts the user-controllable values tn->subopt_ttype (lines 948–951), tn->subopt_xdisploc (lines 960–963), and v->data from tn->telnet_vars (lines 976–989) directly into the suboption data. The buffer temp is then written to the socket with swrite (lines 951, 963, 995) without duplicating CURL_IAC (0xFF) bytes. Telnet requires any IAC byte inside subnegotiation data to be escaped by doubling; because these values are not escaped, an 0xFF byte in any of them will be interpreted as an IAC command and can break the subnegotiation stream and cause protocol errors or malfunction.

### no TFTP address pinning

Another case where it seems to know the best-practice for a TFTP implementation (pinning the used IP address for the duration of the transfer) and it detected that curl didn't apply this best-practice in code so it correctly complained:

No TFTP peer/TID validation

The TFTP receive handler updates state->remote_addr from recvfrom() on every datagram and does not validate that incoming packets come from the previously established server address/port (transfer ID). As a result, any host able to send UDP packets to the client (e.g., on-path attacker or local network adversary) can inject a DATA/OACK/ERROR packet with the expected next block number. The client will accept the payload (Curl_client_write), ACK it, and switch subsequent communication to the attacker's address, allowing content injection or session hijack. Correct TFTP behavior is to bind to the first server TID and ignore, or error out on, packets from other TIDs.

### memory leaks no one else reported

Most memory leaks are reported when someone runs code and notices that not everything is freed in some specific circumstance. We of course test for leaks all the time in tests, but in order to see them in a test we need to run that exact case and there are many code paths that are hard to travel in tests. Apart from doing tests you can of course find leaks by manually reviewing code, but history and experience tell us that is an error-prone method.

# GSSAPI security message: leaked `output_token` on invalid token length

* **Evidence:** `lib/vauth/krb5_gssapi.c:205--207`. Short quote:

```c
if(output_token.length != 4) {
  ...
  return CURLE_BAD_CONTENT_ENCODING;
}
```

The `gss_release_buffer(&unused_status, &output_token);` call occurs later at line 215, so this early return leaks the buffer from `gss_unwrap`.

* **Rationale:** Reachable with a malicious peer sending a not-4-byte security message; repeated handshakes can cause unbounded heap growth (DoS).

This particular bug looks straight forward and in hindsight easy enough to spot, but it has existed like this in plain sight in code for _over a decade_.

## More evolution than revolution

I think I maybe shocked some people when I stated that the AI tooling helped us find 22, 70 and then 100 bugs etc. I suspect people in general are not aware of and do not think about what kind of bugfix frequency we work on in this project. _Fixing several hundred bugs per release is a normal rate for us._ Sure, this cycle we will probably reach a new record, but I still don't gasp for breath because of this.

I don't consider this new tooling a _revolution_. It does not massively or drastically change code or how we approach development. It is however an excellent new project assistant. A powerful tool that highlights code areas that need more attention. A much appreciated evolutionary step.

I might of course be speaking too early. Perhaps it will develop a lot more and it can then turn into a revolution.

## Ethical and moral decisions

The AI engines burn the forests and they are built by ingesting other people's code and work. Is it morally and ethically right to use AI for improving Open Source in this way? It is a question to wrestle with and I'm sure the discussion will go on.

At least this use of AI does not generate duplicates of someone else's code for us to use, but it certainly takes lessons from and finds patterns based on others' code. But so do we all, I hope.

## Starting from a decent state

I can imagine that curl is a pretty good source code to use a tool of this caliber on, as curl is old, mature and all the minor nits and defects have been polished away. It is a project where we have a high bar and we want to raise it even higher. We love the opportunity to get additional help and figure out where we might have slipped. Then fix those and try again. Over and over until the end of time.

## AIxCC

At the DEF CON 33 conference which took place in August 2025, DARPA ran a competition called the AI Cyber Challenge or AIxCC for short. In this contest, the competing teams used AI tools to find artificially injected vulnerabilities in projects, with zero human intervention. One of the projects used in the finals that the teams looked for problems in, was… curl!

I have been promised a report or a list of findings from that exercise, as presumably the teams found something more than just the fake inserted problems. I will report back when that happens.

## Going forward

We do not yet have any AI powered code analyzer in our CI setup, but I am looking forward to adding such. Maybe several.

We _can_ ask GitHub copilot for pull-request reviews but from the little I've tried copilot for reviews it is far from comparable to the reports I have received from Joshua and Stanislav, and quite frankly it has been mostly underwhelming. We do not use it. Of course, that can change and it might turn into a powerful tool one day.

We now have an established constructive communication setup with both these reporters, which should enable a solid foundation for us to improve curl even more going forward.

I personally still do not use any AI at all during development, apart from occasional small experiments. Partly because they all seem to force me into using VS code and I totally lose all my productivity with that. Partly because I've not found it very productive in my experiments.

Interestingly, this productive AI development happens pretty much concurrently with the AI slop avalanche we also see, proving that one AI is not necessarily like the other AI.

A new breed of analyzers.

And they use AI.

https://daniel.haxx.se/blog/2025/10/10/a-new-breed-of-analyzers/

10.10.2025 11:59 — 👍 45    🔁 30    💬 6    📌 7
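The telnet finding in the quoted post is about RFC 855 framing: inside an IAC SB … IAC SE subnegotiation, a literal 0xFF byte must be sent as IAC IAC, otherwise the peer reads the byte after it as a command. The following is an added example, not curl's code and not taken from the report, that builds a terminal-type subnegotiation with and without the doubling and then decodes the frame the way a Telnet peer would. The terminal-type value containing an 0xFF byte, the buffer sizes and the helper names are all constructed for this demonstration.

```c
/* Added example (not curl's code): RFC 855 Telnet subnegotiation framing.
 * Any 0xFF (IAC) inside the SB ... SE payload must be doubled, or the peer
 * treats the byte that follows it as a Telnet command. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IAC 0xFF
#define SB  0xFA
#define SE  0xF0
#define TELOPT_TTYPE 24   /* terminal-type option */
#define TTYPE_IS 0

/* Writes IAC SB TTYPE IS <val> IAC SE into out; returns the frame length,
 * or 0 if out is too small. escape_iac = 0 reproduces the flaw described
 * in the report: the user-controlled value is copied verbatim. */
static size_t build_ttype_frame(uint8_t *out, size_t outlen,
                                const uint8_t *val, size_t vallen, int escape_iac)
{
    size_t n = 0;
    if (outlen < 6)
        return 0;
    out[n++] = IAC; out[n++] = SB; out[n++] = TELOPT_TTYPE; out[n++] = TTYPE_IS;
    for (size_t i = 0; i < vallen; i++) {
        size_t need = (escape_iac && val[i] == IAC) ? 2 : 1;
        if (n + need + 2 > outlen)      /* keep room for the closing IAC SE */
            return 0;
        out[n++] = val[i];
        if (escape_iac && val[i] == IAC)
            out[n++] = IAC;             /* IAC IAC = one literal 0xFF */
    }
    out[n++] = IAC; out[n++] = SE;
    return n;
}

/* Receiver side: decodes the subnegotiation payload like a Telnet peer.
 * Returns the payload length, or -1 on a protocol error (an IAC followed by
 * anything other than IAC or SE inside the subnegotiation, or no IAC SE). */
static int parse_subneg(const uint8_t *frame, size_t len,
                        uint8_t *payload, size_t paylen)
{
    size_t i = 4, p = 0;   /* skip IAC SB <option> <IS> */
    if (len < 6 || frame[0] != IAC || frame[1] != SB)
        return -1;
    while (i < len) {
        uint8_t c = frame[i++];
        if (c == IAC) {
            if (i >= len)
                return -1;
            uint8_t cmd = frame[i++];
            if (cmd == SE)
                return (int)p;          /* end of subnegotiation */
            if (cmd != IAC)
                return -1;              /* stray command: stream is broken */
            /* IAC IAC: fall through and store one literal 0xFF */
        }
        if (p >= paylen)
            return -1;
        payload[p++] = c;
    }
    return -1;  /* never saw IAC SE */
}

/* Constructed sample terminal type that happens to contain an 0xFF byte. */
static const uint8_t SAMPLE_TTYPE[] = { 'x', 't', 0xFF, 'e', 'r', 'm' };

/* What the peer decodes: payload length, or -1 when the frame is broken. */
static int peer_result(int escape_iac)
{
    uint8_t frame[64], payload[64];
    size_t n = build_ttype_frame(frame, sizeof frame, SAMPLE_TTYPE,
                                 sizeof SAMPLE_TTYPE, escape_iac);
    if (n == 0)
        return -1;
    return parse_subneg(frame, n, payload, sizeof payload);
}

/* 1 if the escaped frame decodes back to exactly the original bytes. */
static int escaped_roundtrips(void)
{
    uint8_t frame[64], payload[64];
    size_t n = build_ttype_frame(frame, sizeof frame, SAMPLE_TTYPE,
                                 sizeof SAMPLE_TTYPE, 1);
    int got = parse_subneg(frame, n, payload, sizeof payload);
    return got == (int)sizeof SAMPLE_TTYPE &&
           memcmp(payload, SAMPLE_TTYPE, sizeof SAMPLE_TTYPE) == 0;
}

int main(void)
{
    printf("unescaped frame: %d (-1 = protocol error at the peer)\n", peer_result(0));
    printf("escaped frame:   %d payload bytes, roundtrip %s\n",
           peer_result(1), escaped_roundtrips() ? "ok" : "FAILED");
    return 0;
}
```

With the sample value the unescaped frame stops decoding at the 0xFF byte because the peer sees IAC followed by 'e', which is not a valid subnegotiation command; the escaped frame decodes to the six original bytes. The same doubling applies to every user-controlled field the report lists, not only the terminal type.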
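The TFTP finding in the quoted post describes the transfer-ID rule of RFC 1350: once the server's first reply arrives, its source address and port are the peer for the rest of the transfer, and a datagram from any other source must not be written out, ACKed, or used to update the peer address. The following is an added example, not curl's code, that replays a short DATA sequence with one datagram injected from a second host and compares a handler that trusts every recvfrom() source with one that pins the TID. The addresses, ports, payloads and type names are constructed for the demonstration; real code would decode the datagrams from the wire.

```c
/* Added example (not curl's code): TFTP transfer-ID (TID) pinning per RFC 1350
 * section 4. The vulnerable handler overwrites the peer address from every
 * datagram; the hardened one learns the server's TID once and drops the rest. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { TFTP_DATA = 3, TFTP_ACK = 4, TFTP_ERROR = 5, TFTP_OACK = 6 };

typedef struct { uint32_t ip; uint16_t port; } tftp_addr;

/* One datagram as recvfrom() would hand it back: source plus decoded header. */
typedef struct {
    tftp_addr from;
    uint16_t opcode;
    uint16_t block;
    const char *data;        /* payload, NUL-terminated for the example */
} tftp_dgram;

typedef struct {
    tftp_addr remote;        /* where the next ACK is sent */
    int tid_pinned;          /* set once the first server reply arrives */
    uint16_t expected_block; /* next DATA block number we will accept */
    size_t bytes_written;    /* what reached the "client write" path */
    int foreign_accepted;    /* datagrams consumed from a source != server TID */
} tftp_state;

static int addr_equal(tftp_addr a, tftp_addr b)
{
    return a.ip == b.ip && a.port == b.port;
}

/* Returns 1 if the datagram is consumed (payload written, ACK sent to
 * st->remote), 0 if dropped. pin_tid = 0 reproduces the flaw in the report. */
static int handle_data(tftp_state *st, const tftp_dgram *d,
                       tftp_addr server_tid, int pin_tid)
{
    if (pin_tid) {
        if (!st->tid_pinned) {
            st->remote = d->from;   /* first reply: learn the server's TID */
            st->tid_pinned = 1;
        } else if (!addr_equal(d->from, st->remote)) {
            /* Foreign TID: ignore it (RFC 1350 also allows replying with
             * ERROR code 5 "Unknown transfer ID"); the peer stays pinned. */
            return 0;
        }
    } else {
        st->remote = d->from;       /* vulnerable: trust whoever sent the packet */
    }
    if (d->opcode != TFTP_DATA || d->block != st->expected_block)
        return 0;
    st->bytes_written += strlen(d->data);
    if (!addr_equal(d->from, server_tid))
        st->foreign_accepted++;
    st->expected_block++;           /* ACK for this block goes to st->remote */
    return 1;
}

/* Constructed scenario: the server answers from 10.0.0.5:49152 and a host at
 * 10.0.0.9:5555 injects a DATA packet carrying the next expected block number. */
static const tftp_addr SERVER_TID = { 0x0A000005u, 49152 };
static const tftp_addr ATTACKER   = { 0x0A000009u, 5555 };

static tftp_state run_transfer(int pin_tid)
{
    const tftp_dgram seq[] = {
        { SERVER_TID, TFTP_DATA, 1, "block one\n" },
        { ATTACKER,   TFTP_DATA, 2, "INJECTED\n" },
        { SERVER_TID, TFTP_DATA, 2, "block two\n" },
    };
    tftp_state st = { { 0, 0 }, 0, 1, 0, 0 };
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++)
        handle_data(&st, &seq[i], SERVER_TID, pin_tid);
    return st;
}

/* Injected datagrams that reached the client write path. */
static int injected_count(int pin_tid) { return run_transfer(pin_tid).foreign_accepted; }

/* Payload bytes written to the client over the whole sequence. */
static size_t bytes_written(int pin_tid) { return run_transfer(pin_tid).bytes_written; }

int main(void)
{
    printf("no pinning: %d injected datagram(s) accepted, %zu bytes written\n",
           injected_count(0), bytes_written(0));
    printf("TID pinned: %d injected datagram(s) accepted, %zu bytes written\n",
           injected_count(1), bytes_written(1));
    return 0;
}
```

Without pinning, the injected block 2 is written and ACKed to the attacker, and the server's genuine block 2 is then discarded as out of sequence, so the attacker's content silently replaces the real data. With the TID pinned the injected datagram is dropped and the transfer continues with the server.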
And what if it is the answer? What if perfectly personalized entertainment takes over our screens and our socializing? The arrival of Sora has made those questions feel suddenly more urgent. This is the first social network that — on launch day — said it will disable infinite scroll for teens, and nudge adults to put their phones down when they've been browsing for too long.

It's a responsible step for OpenAI to take. But it might better be viewed as a warning.


Tried out the new slop app https://www.platformer.news/sora-2-hands-on-openai-social-network/

01.10.2025 00:29 — 👍 0    🔁 2    💬 1    📌 0
Original post on g0v.social

The NTU COOL incident seems to have come to a satisfactory close for now. Although I fired a heavy broadside at the Office of Academic Affairs on my Facebook wall, I still wrote a short note on teacher 小傑's wall to communicate; saving it here first:

> "Multinational corporations unilaterally amending their terms to take data for training AI, and then using AI to replace jobs, is without doubt a new form of exploitation and threat for knowledge workers. For students of this generation, who already have their hands full fighting Meta, if even the Office of Academic Affairs, whom they regard as one of their own, thinks 'for the public good of teaching we can take it first and sort it out later, the Legal Affairs Office said it's fine anyway', I think many people will feel disheartened.
> NTU clearly has excellent internal communication channels and opportunities for academic dialogue; in rolling out terms like these (note: allowing students' uploads to Canvas […]

01.10.2025 08:49 — 👍 0    🔁 0    💬 0    📌 0

Learn to say NO to emotional blackmail! If you're already exhausted, put your energy into the things where "even if nobody thanks me, I still want this to happen". ʕ•̀ω•́ʔ✧

#社群的人

01.10.2025 08:40 — 👍 0    🔁 0    💬 0    📌 0
g0v 台灣零時政府

After @g0v.tw's first landing on Threads, we still hope Meta will fully implement the platform's fediverse features, so that posts from fediverse accounts like @summit@g0v.social can interoperate and enrich the whole content ecosystem 🥴

01.10.2025 06:40 — 👍 0    🔁 1    💬 1    📌 0
Original post on mastodon.social

In case you missed it, Quote Posts are live on mastodon.social and mastodon.online — let us know what you think!

This feature has been a long time coming because we wanted to take the time to do it right. Part of that process was sharing our work and getting feedback along the way […]

30.09.2025 16:03 — 👍 3    🔁 40    💬 8    📌 1
poga 🐈 (@poga@g0v.social) @Supaplex Over-popularized and turned into entertainment, and the result is that instead of a group of people doing things together, it looks more like a few people who do things performing for a crowd of pure spectators.

I don't think I've mentioned it on this small instance yet, but next year's #g0vSummit2026 theme is #反客為主 ("the guest takes over as host").

Having a theme pop out before preparations even begin is pretty rare, but the consensus we unexpectedly reached was "watching and learning alone cannot practice democracy": we hope people stop treating the community as an overseas fairyland or tourist attraction of digital democracy and, like at a self-serve braised-snack (lu wei) stall, come down and cook whatever they want to eat themselves. :nightmarket:

I suppose it is also a small hope of doing some agenda-setting through the annual summit. ᶘ ᵒᴥᵒᶅ

https://g0v.social/@poga/115245950233134983

#g0v #社群的人

22.09.2025 04:51 — 👍 0    🔁 0    💬 0    📌 0
Congress also worried — perhaps unconstitutionally — that the Chinese government would pressure ByteDance to manipulate its recommendation algorithms to sow division in the United States. (Among other things, members of Congress complained that the app seemed too pro-Palestinian.)

Well, now we know what the deal will do to address the threat of ByteDance manipulating the content in Americans' TikTok feeds: nothing. The spun-out company will simply license the recommendations from its parent company, and that will be that.


After all that hand-wringing about the dangerous Chinese TikTok algorithm, it appears that Trump is going to let the new American TikTok just license it from China. Whatever!! https://www.platformer.news/tiktok-deal-bytedance-china-trump-bessent/

16.09.2025 01:15 — 👍 0    🔁 10    💬 0    📌 0
A macOS window with glass reflection effect, resembling a Windows 7-style Aero window.


My lightning talk at @COSCUP not only covered the wide gamut OKLCH color picker I made last week:

https://g0v.social/@RSChiang/114992011636165125

but also introduced the sacrilegious Windows Aero style window, recreated on macOS. (Who would think of that? 🥴) […]

[Original post on g0v.social]

10.08.2025 20:56 — 👍 0    🔁 0    💬 0    📌 0
Naming a project is always the hardest part / The Eternal Struggle of Naming a Project. Lightning talk @ COSCUP 2025. Project website: Hydrobolic, https://github.com/rschiang/…

Today's slides from my COSCUP 2025 lightning talk, listing three side projects I have recently started! (・ω・)✨

"Naming a project is always the hardest part"
“The Eternal Struggle of Naming a Project”

https://speakerdeck.com/rschiang/the-eternal-struggle-of-naming-a-project

All the code is on GitHub under open-source licenses!
#COSCUP #COSCUP2025 #Swift #AppKit

10.08.2025 20:46 — 👍 0    🔁 0    💬 1    📌 0
A screenshot depicting the FOSS color picker app Kiunrhong, set in Taiwanese Hakka language and natively supported by macOS localization pipeline. The opened menu reads “Sed-caí” (“Color”) and lists a variety of color functions spelled in romanized Hakka. The window in the background also showed “Wide Gamut Gradient Chart” translated.


#DailySwift

I am probably very late to this, but I just learned for the first time that Foundation.framework supports more than the mainstream languages for translation: ISO 639-3 codes such as `ain` (Ainu) and `hak` (Hakka) can be set as target languages, and they also show up in the selectable list under the operating system's "Language & Region" settings.

I tried translating the side project I have been working on into Hakka (`hak-tw`), and it was unexpectedly fun! (As for the macOS system text falling back to English by default, that is another matter 😅)

08.08.2025 07:40 — 👍 0    🔁 0    💬 0    📌 0
Original post on infosec.exchange

the recent burst of companies flagrantly disregarding robots.txt are eating their seed corn — the entire point is that as long as everyone shows some basic manners to other internet hosts, there’s no need for some international regulatory body to get involved and make everyday matters difficult […]

05.08.2025 04:08 — 👍 12    🔁 47    💬 6    📌 0
Original post on g0v.social

The full agenda of #COSCUP 2025 is finally here! You could find me at the FOSS License Kaleidoscope track on Aug 9th, in “Litigating Against the Philosopher’s Stone.”

I’ll be covering how artists are pushing back against AI companies by suing their way (and their artistic works) out of LLM […]

17.07.2025 11:00 — 👍 0    🔁 0    💬 0    📌 0
COSCUP x RubyConf Taiwan 2025 Conference for Open Source Coders, Users, and Promoters is a free annual conference providing a platform to connect FLOSS folks across Asia since 2006. It's a major force of free software movement advocacy in Taiwan.

This year's #COSCUP agenda is out! This time, in the open-source licensing track, I will walk everyone through how writers, artists and engineers have taken on the large language model companies, using lawsuits to stop their works from being refined into the philosopher's stone. If you are interested, please don't miss it! :blackcat_11127:

"Against the Philosopher's Stone"
8/9 15:20 @ NTUST TR412-1

https://coscup.org/2025/sessions/7KR878
#COSCUP2025 #開源授權

17.07.2025 10:50 — 👍 1    🔁 0    💬 1    📌 0
macOS: Fix incorrect CDB length param (!19) · Merge requests · VideoLAN / libaacs · GitLab This commit fixes MMC authentication failure by providing the correct Command Descriptor Block (CDB) length to the IOKit API. Previously, the code just asked for 16-byte...

Spent a whole evening on a libaacs bug, even dug out the SCSI MMC spec to read, and in the end it was fixed by changing a single line.

From now on I can claim to be a VLC contributor. (*゚∀゚)

https://code.videolan.org/videolan/libaacs/-/merge_requests/19

#VLC #VideoLAN #libaacs #乳齒象友的PR哀嚎

10.07.2025 12:19 — 👍 0    🔁 0    💬 0    📌 0
**Growth narratives on the new social networks**

Communities on alternative social media platforms like the fediverse and Bluesky tend to create narratives about how their networks grow. For both networks the narrative is fairly similar: Big Tech platforms and their leaders behave badly, which in turn causes users to search for more ethical alternatives. This narrative is visible in the fediverse's understanding of the 2022 Twitter Migration and Bluesky's explosive growth in 2024. But what happens when these migration waves disappear, even though the conditions for them do not? Musk's continuous egregious actions have not led to new growth for the fediverse and Bluesky, indicating that our narratives of growth need updating. Meanwhile, the continuous growth of Threads shows that cultural impact might just matter more than user counts.

### Where we think growth comes from

Late 2022, when Elon Musk bought Twitter, Mastodon and the fediverse experienced the Twitter Migration, where a massive group of people moved away from Twitter to Mastodon, in search of a different microblogging platform that is not owned by a tech billionaire. During 2023 this process continued, with various actions and statements by Musk resulting in people moving away from Twitter in waves to Mastodon.

This time period shaped the way the fediverse understands itself. Open social platforms like Mastodon and PeerTube have been around for quite a while before this time period, and the platforms and their users have always understood that they function in opposition to Big Tech platforms. Building a network that is owned by the community, not a Big Tech company, has always been an integral part of why platforms like Mastodon and PeerTube were created. The inflow of new people during 2022 and 2023 affirmed that vision, and expanded on it: the fediverse could exist as an alternative network to the Big Tech social networks, and it could grow by people getting fed up with platforms like Twitter and Facebook and moving to platforms like Mastodon.

In summer 2023 Reddit made changes to their API, which led to a number of popular third-party Reddit clients shutting down. Again, people looked for alternative platforms, and found one in Lemmy, which multiplied in size. The mindset became one of "we can present ourselves as an ethical alternative, and over time people will join the fediverse and the network will grow". This worked, until it didn't.

Bluesky's moment came in the second half of 2024. The network opened up access in early 2024, but growth had been fairly slow in the first half of the year. In the second half of the year this changed when Brazil banned the use of X in the country over a dispute with Musk, leading to a massive surge in new users for the platform. The election in the US and the presidency of Trump, tied closely to Musk's involvement, led to another three spikes in signups for Bluesky. The start of the Trump presidency in January 2025 was the latest of the spikes for Bluesky's user growth.

The impact was not only on the user numbers for Bluesky, but also on how the world sees Bluesky. The promotion and enthusiasm about Bluesky by MSNBC's news anchor Rachel Maddow is a good example of this: it solidified Bluesky's perception in wider mainstream culture as a safer network than X, and also as a network that is predominantly on the left of the political spectrum.

After the spike in growth in January 2025 things changed again. The perception on Bluesky was still that every time Elon Musk did something especially outrageous, evil or stupid, this would lead to people leaving X and joining Bluesky. This did not pan out: Musk managed to put himself up high on the list of people whose actions directly led to the largest number of deaths in the twenty-first century due to his involvement in the shutdown of USAID, but such evil did not meaningfully lead to people leaving Musk's social network for other places. This was far from the only action that Musk took that led to outrage and moral objections by people who use X, without a corresponding move by the people condemning Musk towards other platforms.

The story these communities on these alternative platforms tell themselves about growth emerged from a specific set of circumstances that proved temporary rather than permanent. The narrative that ethical alternatives can attract users wanting to move away from controversial platforms worked during specific time periods. These are windows of time, which seem to close again within a year or so. After this window has closed, the perception that this is where growth comes from remains, however.

### Evolving competitors

In the years since Musk bought Twitter, the platform has changed and evolved as well. The name change to X is not just symbolic, but an indication that it is a different platform with a different purpose. Another indication is that xAI, Musk's AI company that also builds X's AI chatbot Grok, recently bought X. If you understand the X platform through the lens of corporate structure, it becomes clearer that the future of the app is in being a distribution platform for Grok. In that context, it matters even more that Grok used to be surprisingly politically neutral (mostly), to the annoyance of Musk. Musk critiqued Grok for being too woke, promised he'd make changes and now Grok functions to further spread the message of fascism.

That these changes have not led to any corresponding reaction by X users to start using other platforms out of protest is a clear indication that the dynamic out of which the fediverse and Bluesky have grown in the past year is truly over. People who continue using a platform where the owner openly manipulates core functions to favour fascist messaging should not be assumed to have any further 'red line' that would finally drive them to leave.

Meanwhile, Threads continues to grow at a steady pace. Data from Similarweb show that Threads is now almost as big as X is worldwide, with 115M Daily Active Users (DAU) for Threads and 132M DAU for X. Bluesky is much smaller at an estimated 4.1M DAU. Mastodon does not publish DAU, but it is roughly an order of magnitude smaller still than Bluesky. What's notable about Threads' growth is how steady it is; the graph by Similarweb shows effectively a straight line for Threads' user statistics. This is in stark contrast with the user graphs for Bluesky over the same time period, which show large spikes in growth, followed by a drop in users, until another spike takes the user numbers even higher.

These different growth patterns also show up in media stories. Threads has surprisingly few stories about growth of the network. The only story about real-world events leading to growth for Threads I can find is when Threads suddenly got popular in Taiwan as it was used for promotion during the presidential election of early 2024. In contrast, almost every growth spike for Bluesky and Mastodon over the last few years can be pointed to with news stories about what caused people to look for new platforms.

### Cultural impact

Talking about network growth in terms of active users and account registration gives a good pretence of objectivity, and a sense that this represents the "true" growth of a network. However, the reason why people care so much about Twitter and finding a good replacement is not because of total user numbers: Twitter was always the smallest of the Big Tech platforms after all. Twitter and X matter because of their unparalleled ability to generate culture and shape politics. Twitter and X are the places where elite consensus is formed. It is the dominant platform for shaping our collective understanding of the world. That's why control over X's algorithm (and chatbot) is so valuable: it is not about telling individuals what is correct, but it is about influencing what people think about what other people think.

Measuring the cultural output and political impact of a social network is a fool's errand, as it is both incredibly unclear what exactly it is you are measuring, how to measure such a thing as "culture", and if such a thing can be measured in the first place anyway. As such, I'm not going to pretend that the following is anything more than a personal vibe. Regardless, I find that Bluesky has a high amount of cultural relevancy, and Threads a surprisingly low amount of cultural impact, with X still at the top. Internet culture newsletters like Garbage Day also seem to feature predominantly cultural events that involve X, and to a lesser extent Bluesky, with little attention to Threads. Somewhat related, large media organisations such as Wired and Washington Post also report that Bluesky is one of the biggest drivers of traffic and news subscribers. That Bluesky is even in the same league as platforms that have 25 times the number of active users is an indication of how the new social networks can be culturally and politically impactful without having the largest number of users.

The stories that networks like the fediverse and Bluesky tell themselves about growth matter. It impacts decisions and future expectations. Even after the inflows of new users to Mastodon from X looking for an ethical alternative have stopped for a while, future expectations in the community still often seem to be based on the same pattern. But how growth has happened for both the fediverse and Bluesky seems to be tied to specific moments in time. The circumstances that led to such behaviour can disappear all of a sudden again. That's not to say that growth is over for either network. It just might come from different places, and for other reasons that people might not expect.

https://connectedplaces.online/growth-narratives-on-the-new-social-networks/

Great piece on how we think about growth of Mastodon, Bluesky etc. and why it's (mostly) not working. By @laurenshof

https://connectedplaces.online/growth-narratives-on-the-new-social-networks/

08.07.2025 21:25 — 👍 0    🔁 5    💬 1    📌 0
Original post on g0v.social

“If people get one thing out of this whole Q&A, I hope it’s that. You do not have to make an A.I. version of your own employees that operate at 1.5x speed but produce purely iterative garbage, especially in media and journalism. People don’t actually want that shit. Make a good, human thing and […]

09.07.2025 06:59 — 👍 0    🔁 0    💬 0    📌 0
Original post on mastodon.social

“The abuse of Miyazaki’s lifeworks in service of vapid virality, at the overwhelming scale enabled by these machines…provides an exquisite demonstration of the casual violence of these systems. Specifically, in their total denial of authorial consent for endless extractions from the lifeworks of […]

08.07.2025 21:15 — 👍 2    🔁 4    💬 0    📌 0
Original post on g0v.social

“Dataset is not free”

Seeing fineweb-zhtw being asked by the Central News Agency (中央社) to take it down, and the author defending it as "academic use", reminds me of the disclaimer you would see in the pre-streaming era: "This video is for academic exchange only; please delete it within 24 hours of downloading" (・ω・)

On the one hand, the first thing worth thinking about is why our information education to this day still leaves everyone believing that anything online can simply be grabbed. In the AI era's round of 支援前線 (the "Support the Front Line" scramble game), are we allowed to grab whatever we want off the shelves of a roadside convenience store? The fact that some datasets collect URLs rather than reproducing the text itself shows how differently teams weigh the risk;

Only on the other hand, afterwards, should we go on to ask what kind of natural human right (?) web crawling is supposed to be, and what degree of progress large language models can actually achieve, such that our AI […]

07.07.2025 13:32 — 👍 0    🔁 0    💬 0    📌 0
DMA: tell us how gatekeepers are handling your interoperability requests - FSFE. Free Software developers: your voice is needed! The Free Software Foundation Europe has launched the Digital Markets Act Interoperability Survey to gather ...

Please help us to reach #ios developers. We need their feedback to our survey https://fsfe.org/news/2025/news-20250618-01.en.html in order to keep #Apple accountable under the #DMA in a developer friendly way. #DeviceNeutrality

03.07.2025 04:44 — 👍 1    🔁 7    💬 1    📌 0
《快樂旅社》 by 詹雯如 on Apple Music · Album · 2025 · 9 songs

I want to quietly share an acoustic-guitar singer I really like, @chanwenju! The light, brisk melodies are soothing whether it's a weekend morning or the middle of the night.

《快樂旅社》
• iTunes Store: https://music.apple.com/tw/album/%E5%BF%AB%E6%A8%82%E6%97%85%E7%A4%BE/1822804717
• Spotify: https://open.spotify.com/album/01wtvbyk51x128s26faatl

#乳齒象友的深夜歌單

26.06.2025 18:08 — 👍 0    🔁 0    💬 0    📌 0
A purple image with a number of cute Mastodon mascots in a series of poses (running, this is fine, waiting, waving, greeting, boosting, liking, and typing)

📢 We've sat down with our artist @dopatwo and created a sticker pack for @signalapp. Now you can send cute elephants to your friends, and promote the #fediverse at the same time. We ❤️ Signal, too! […]

[Original post on mastodon.social]

26.06.2025 10:19 — 👍 16    🔁 200    💬 10    📌 1
Original post on chaos.social

I rarely subtoot, but when I do just to say: if an open source project that your commercial project depends on breaks something in your software stack, causing you trouble, no matter how much, that's your problem and your problem alone.

"The software is provided as is" is a part of OSS licenses […]

22.06.2025 11:54 — 👍 6    🔁 61    💬 4    📌 0
Screenshot of the COSCUP 2025 submission system, showing: "Congratulations, your submitted session has been accepted!", the session title "對抗魔法石 Litigating Against the Philosopher’s Stone", and the track "開放授權的克萊兜史夠普 / Open Licensing Kaleidoscope".

My #COSCUP submission got in! Please join me this year in looking at how to hold vendors to account for their negligence! (・ω・)ノ (eh)

20.06.2025 16:21 — 👍 0    🔁 0    💬 0    📌 0

#社群的人

I feel I did poorly at today's Internet Freedom meetup; when I got hold of the microphone the adrenaline suddenly kicked in and I got terrible stage fright orz.

What I wanted to call out was this: "There is excessive focus on restrictions on individuals' speech, while ignoring that platforms clearly have far more resources to pursue other forms of advocacy. Before joining civil society groups in shouting that democratic states are dictatorships, the tech oligarchs should also be open and transparent, and put their resources and connections to work on lobbying and litigation advocacy."

I didn't put it well on the spot, so I'm noting it down here first and hope to continue the deep dive later.

18.06.2025 16:10 — 👍 0    🔁 0    💬 0    📌 0
Advance notice of the draft 「促進資料創新利用發展條例」 (Act on Promoting the Development of Data Innovation and Utilization) - Join (眾開講) - Public Policy Online Participation Platform

@taiwanmoda The Ministry of Digital Affairs has given advance notice of the draft 《促進資料創新利用發展條例》 (Act on Promoting the Development of Data Innovation and Utilization).

https://join.gov.tw/policies/detail/4fcaaa73-e5e4-4f59-a6cb-bcb9f43f3630

16.06.2025 04:32 — 👍 0    🔁 0    💬 0    📌 0
Aqua desktop on Mac OS X Developer Preview 3, in 2000

Liquid Glass feels like that earliest reveal of Aqua — flashy, and completely over the top and needing twelve months of refinement and public feedback to get the balance quite right. The problem is, Apple's yearly schedule doesn't allow for that kind of […]

[Original post on mastodon.social]

10.06.2025 07:14 — 👍 22    🔁 11    💬 4    📌 1
Doing a lot with a little: ECS identifiers (Tricks to get the most out of your bits)

https://ajmmertens.medium.com/doing-a-lot-with-a-little-ecs-identifiers-25a72bd2647

09.06.2025 16:52 — 👍 0    🔁 0    💬 0    📌 0