Similarly, in most countries, you cannot vote until you have reached a specific age.

These are age-gates. You do not need to prove your competence to drink, vote, smoke, or get married; you just need to be old enough.

Some things have skill-gates. If you want an amateur radio licence in the UK, you need to pass an exam. You can be any age⁰.

Similarly, most jurisdictions allow you to get a medical licence once you have passed the requisite tests¹.

There are also activities which are dual-gated. You can only get a driving licence after passing a test, but you can only apply to take the test once you are a certain age.

Where should society swap age-gates and skill-gates?

Perhaps the big one is voting. The UK is preparing to extend the franchise to all 16 and 17 year olds - but why is there an age-gate at all?

Children are affected by politics, they pay tax on the goods they buy, they exist in the world. Why shouldn't they vote?

The usual argument is that they are too immature. But maturity isn't dependent on age. Idiots are allowed to vote. Centenarians with no stake in the consequences of their politics are allowed to vote. People who don't understand what powers a government has are allowed to vote.

Would it really be so bad to introduce a voting licence? Make people take a short quiz to ensure they understand what they're voting for and why they're voting. Perhaps there are concerns about disenfranchising eligible adults (but not mature children) or that the state will rig the test (when they could rig the election) or whatever. But if we're sticking with the fiction that some people aren't mature enough to vote then we must give disenfranchised people a chance to prove their maturity.

You could make the same argument about driving. If a 7 year old is able to demonstrate mastery and control of a vehicle, are they likely to be a better driver than a 90 year old who has never taken a modern test?

Alcohol is different. We realise that the drug is harmful and especially harmful to developing humans. So we age-gate it. But do people really understand the health risks? Should you have to pass a test in order to imbibe? We make the people selling alcohol pass somewhat rigorous skills assessments. Perhaps the burden of proof should be reversed?

Wait, do you really believe all this?

No, not necessarily.

I find it fascinating that different cultures set different limits on people's activities. I wouldn't like to live somewhere that allowed anyone to drive on the public roads. Similarly, I don't particularly want governments restricting who can vote based on an arbitrary assessment.

But where are the limits? Why is the legal driving age so variable? Why are some driving tests easier than others?

Do you want a teenage doctor diagnosing you - even if they are legally certified? Should you be able to use a radio without passing a test if you're a legal adult?

Which age-gates and skill-gates do you think should be flipped?

Imagine a giant dying. You can't. They are huge and endless. A towering presence which, so it seems, has always been part of our world. They dominate and are indomitable. It is simply unfathomable that they can ever end. Yet end they must.

As the whale dies, we do not know what passes through its cavernous brain. But we do know what the rest of the ocean thinks.

Lunch.

The death of a whale is a thing to be celebrated. The thump of their still-warm body onto the floor is the starting bell for a feast. Some larger predators sense an easy meal and tear off the choicest morsels. But what of the scavengers? What about the new life not yet established? What happens to the weird little creatures just waiting for an energy boost?

In many ways, it was fortuitous that Twitter pre-signalled its death with the Fail Whale.

The twitching corpse is gently floating down to its watery grave. Some of the older and more established social networks have bitten out chunks of the still-fresh body and have run away with their spoils. But the fascinating thing is watching all the new services benefit from the death of a giant. Mastodon, Discord, BlueSky, Qaplion, Nostr, and a bunch of others hollowing out the rotting husk and using it to power their own growth.

Will those .meow social networks ever become a gigaton behemoth capable of ruling the waves? Maybe not, but size is not the only metric of success. Finding and defending an ecological niche is its own reward. Evolution abhors a monoculture.

Several bloated bodies meander through the brine, each one confident that its ageless wisdom will outlast the others. Had they any self-awareness, the hubris would gnaw at their tattered souls until the crushing realisation of their impending doom drove them mad.

Perhaps it will happen to GitHub next. The endless downtime and forced injection of crappy AI will start a death spiral. Already established forges are waiting to pounce once they smell blood in the water. But what critters will emerge to suck the bones of the old giant and develop in unexpected ways? Some bizarre fungal growth will devour the stinking jelly unlocked from those shattered bones and a new ecosystem will emerge.

Will WordPress's increasingly erratic leadership and tangle of legal disputes cause it fatal damage? Once minnows darted away from its presence; now they cautiously nip at its greying skin. Its mighty bellow still echoes through the clammy waters, but there's a tinge of frailty in its song.

Everything dies eventually.

The internal flora and fauna - be they parasitic or symbiotic - eagerly await their host's downfall. A chance to break free and explore new strange new world. A chance to begin a new relationship and co-evolve in unexpected ways.

The biological pump is primed, the hungry jaws of an uncountable fleet of new ideas is just waiting to pounce, the giants swim on in blissful ignorance.

You can read more about Whale Fall on Wikipedia.

My wife and I are preparing for a big Interrail journey through Europe. Whenever we go on holiday, we like to meet up with friendly locals to have a drink and chat. We did this on our last journey and it was great.

So, if you're a member of RSS club and fancy showing some tourists a cool bar, awesome restaurant (with vegan options), local tech conference, or nifty museum - please get in touch.

Our exact dates aren't finalised yet, but from now until the beginning of July, we'll be taking roughly this route:

• 🇩🇪 Hamburg →
• 🇩🇰 Copenhagen →
• 🇸🇪 Gothenburg →
• 🇳🇴 Oslo →
• 🇸🇪 Stockholm →
• 🇫🇮 Helsinki →
• 🇪🇪 Tallinn →
• 🇱🇻 Riga →
• 🇱🇹 Vilnius →
• 🇵🇱 Warsaw →
• 🇩🇪 Berlin → Munich →
• 🇮🇹 Verona → Milan →
• 🇨🇭 Basel →
• 🇫🇷 Paris

If you're in one of those cities and fancy a beer & veggie burger, please give us a shout. We won't be able to meet everyone as we do have some existing plans and tight connections but, as they say, it's nice to go where everybody knows your name.

What's better than one Adrian Tchaikovsky novella? Three Adrian Tchaikovsky novellæ! Or is it "novellii"? Either way, a delightful triptych of stories on a common theme. On the surface, they're about travelling to a new destination (Space! The Future! For-Copyright-Reasons Not Narnia!)

Except, deep down, they're about loneliness. No matter how far or fast we run, no matter where or when we go, we can't outrun ourselves. When you enter the void, sometimes the void enters you.

There's also the constant theme about the hunter becoming the hunted. All three of the stories reminded me a bit of Piranesi by Susanna Clarke - in that I was never quite sure if the characters were simply delusional and waging war on an enemy of their own making.

It brims with a pathos which I find rare in modern science fiction. That's offset with the perfectly placed British humour within it. Yes, there's a touch of the Weir/Scalzi "Only I, a nerdy guy, can save the universe in a self-knowing way" - but those authors aren't brave enough to mention Reading town centre or have their hero hail from Stevenage. Whereas Tchaikovsky knows what's up with the Furries.

An excellent collection of tales.

Many thanks to NetGalley for the review copy. The book is available to buy now.

Which is what makes GDS's latest guidance so surprising. At the start of the month, NHS England made the bizarre and irresponsible decision to close all their Open Source repositories due to unfounded fears of AI hacking¹. Lots of people within the NHS were outraged. As were many outside - with this petition against the move gathering over 2,000 signatures.

Within other parts of government there was also alarm. Although I no longer work for Government Digital Service, I was contacted by several concerned people there who remembered all my work on Open Source. The brilliant team in Whitechapel have now published their guidance "AI, open code and vulnerability risk in the public sector".

It is brutal.

They utterly repudiate the NHS's stance and forensically eviscerate it. I'll let you read the whole thing, but here are a few choice excerpts:

Recent public reporting about organisations restricting access to public repositories due to AI-enabled code analysis illustrates how quickly leaders may reach for blanket closure in response to uncertainty.

Basically, non-technical managers need to stop over-reacting.

Private repositories can create a false sense of security.

I think that's the crux of the argument. Closing code doesn't solve the underlying problems.

Making code private is not an appropriate mitigation for lack of ownership, patching capability, or operational assurance, so systems that cannot be safely maintained should be remediated or retired.

If you are so concerned about the poor security of your systems, you should shut them down completely to mitigate the threat.

Closure can become a one-way door.

As I said to the BMJ, "nothing lasts longer than a temporary fix".

Where code has been developed in the open, making a repository private later may not remove access for a capable adversary as popular repositories are often mirrored or forked

Indeed. A friend of mine has already archived all of the NHS's repositories. You can see the ones they've tried to hide.

But the killer blow, I think, is this:

Moving code from public to private as a substitute for investment in secure-by-design delivery, ownership and remediation is a warning sign because it reduces sharing and scrutiny, can slow coordinated improvement across government and suppliers, and does not remove the underlying weaknesses in a running service.

Exactly! Coding in the open has been shown time and again to produce high quality and secure work. The looming threat of AI vulnerability scanners doesn't change that - security is a shared responsibility. Technical teams need to be well enough resourced to create secure systems; hiding code is as reliable as papering over structural cracks.

GDS was created was to be a strong centre with vast technology expertise. This was to counter the frankly shoddy approach to tech in other departments. Back then, a Service Assessment was a way for a department to prove that they were actually capable of designing, launching, and managing a complex IT project.

Most departments have become significantly better at the development and running of these sorts of projects, so the raison d'etre of GDS has somewhat waned. Departments feel more confident in running off on their own. Usually I'd celebrate that - it's important that GDS doesn't become a bottleneck and that the talent is distributed throughout the whole Civil Service.

But NHS England has always been a bit of a weird one. One of the reasons NHSX was created² was to ensure that the health service had strong expertise in technology and its deployment. As the Head of Open Technology there, I helped craft the policies which embedded Open Source and Open Standards within it³.

I don't know what discussions have taken place within NHS England - although I looking forward to receiving a response to my FOI request. It looks to me like a small group within NHS England have received a report showing some potential vulnerabilities discovered by Mythos. Rather than following their own internal guidance, they've over-reacted and slapped a blanket ban on coding in the open.

I fervently hope that this new guidance will encourage DHSC to bring NHS England into line with best practice. If not, perhaps GDS ought to reassert itself as the technical authority with power to veto a department's incomprehensible decisions?

Right now you can go to https://www.contractsfinder.service.gov.uk and search for whichever bête noire has you riled up. You might want to argue that the company is corrupt, incompetent, or overpriced - but you can't argue that its contract is secret. There's no conspiracy. There's no secrecy. There's not even "beware of the leopard" shenanigans. It's all out in the open⁰.

The Government says who it paying money to.

But, of course, there are some things the Government can't say. It's rare for them to publicly disagree with a supplier, or call out how crappy they were. They need to maintain cordial relations with people¹. They don't want to scare off new suppliers who can't risk being publicly humiliated. When contracts are cancelled or ended, it is usually done quietly.

So you need to learn to read between the lines.

Let's take this excellent blog post from the Ministry of Housing Communities and Local Government²

"From emergency to sustainability: creating Share Homes for Ukraine data".

It's exactly the sort of blog post that some Civil Servants excel at writing. It clearly sets out how an ambitious and technically challenging project was delivered, why it is important, and who it benefits.

The blog post describes how the team…

exited our contract with our supplier.

And that:

Moving to this in-house model is already saving MHCLG millions of pounds a year in running costs.

They show user feedback for their new system saying:

It’s easier to navigate than the previous system

Of course, what they don't say is who supplied the previous system which was so costly and hard to use.

It was, of course, Palantir.

The original contract (CPD4124104) wasn't secret - although it was mired in some controversy as an urgent exemption to normal procurement rules³.

In 2023, the National Audit Office reported on the scheme - including Palanitr's software. They said:

The initial arrangement was put in place to help get the scheme up and running quickly. Consequently, the system did not undergo the usual research and testing that would be involved for the roll-out of a new digital system. There were initial issues such as the way it presented duplicated application data received from Home Office systems, and confusion from local authorities as to how to engage with the main data system.

How bad was Palantir's software? I've sent in a Freedom of Information request to find out. But we can tell that it was bad enough to convince MHCLG to rewrite it themselves.

A lean Civil Service may not have the in-house capability to rapidly create a new service. But, as their blog post shows, when given suitable resources Civil Servants can often outperform the private sector. More importantly, the new software is under the Ministry's direct control. This open source code is a triumph for sovereign technology.

MHCLG have shown the door to Palantir. They've built something better, easier to use, and cheaper.

I don't want to oversell this as the first victory in the war against this abominable company - but I hope where MHCLG leads, others will follow.

You can read more about this story on BBC News.

They're also really easy to create programmatically.

This uses the SVG "polyline" which takes a list of x,y co-ordinate pairs. But can you spot the small problem?

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1024 124">
    <polyline fill="none" stroke="#0074D955" stroke-width="3" 
        points="12,48 83,84 154,79 226,90 297,79 369,65 440,78 512,80 583,88 654,12 726,56 797,92 869,93 940,97 1012,106"></polyline>
</svg>

The SVG co-ordinate system has position 0,0 at the top left. Most graphics formats are like that. That's fine for our x value - but it means higher y values will appear lower on the graph.

Getting the x co-ordinate of each data point is easy. Take the width of the SVG image and divide it by the number of data-points.

The y co-ordinate is harder. The algorithm is:

1. Find the height of the SVG.
2. Find the maximum value in the data.
3. Find the minimum value in the data.
4. Divide the maximum value by the height of the graph.
5. For each data point, either:
   • To have the lowest value at the bottom of the graph, subtract the minimum from the value, then multiply by the ratio in (4).
   • Or, to retain the gap between zero and the lowest value, multiply the value by the ratio in (4).
6. The y co-ordinate is calculated by subtracting the value in (5) from the height in (1).

Here's some code showing how it works. I've added a little padding to the inside of the graph - you'll see why later:

//  Max and min of views.
$max_views = max( $svg_views_data );
$min_views = min( $svg_views_data );
$svg_data_length = sizeof( $svg_dates_data ) - 1;

//  SVG details for scaling.
$svg_padding = 12;
$svg_width_graph  = 1000;
$svg_width  = $svg_width_graph + ( $svg_padding * 2 );
$svg_height_graph = 100;
$svg_height = $svg_height_graph + ( $svg_padding * 2 );

//  Calculate where each point should be.
$x_per = $svg_width_graph / ( $svg_data_length );
$y_per = $svg_height_graph / $max_views;

//  Loop through the data.
foreach ( $svg_views_data as $index=>$views ) {
    //  X is from the left.
    $x_pos = intval( $x_per * $index ) + $svg_padding;
    //  Y is from the top.
    $y_pos = $svg_height - intval( $y_per * $views ) - $svg_padding;

    //  Add a point to the line.
    $polyline_points .= "{$x_pos},{$y_pos}\n";
}

echo <<< SVG
<svg xmlns="http://www.w3.org/2000/svg"
    viewBox="0 0 $svg_width $svg_height" class="chart">
    <polyline
        fill="none"
        stroke="#F00"
        stroke-width="3"
        points="{$polyline_points}"/>
</svg>
SVG;

Suppose someone suggests stupidly simple sparklines suffer seriously so someone should supplement statistics several circles?

Using the same co-ordinates, we can place an SVG circle on top of the point. Give it a "title" attribute and you have a little bit of interactivity.

<circle cx="12" cy="48" r="5" fill="#0074D955"><title>4,707 Views</title></circle>

Here's how it looks (view source to understand how it is constructed).

Hover over any of those little circles and you'll see some pop-up text giving you information about that datapoint.

…that's it! If you have an array of data points, you can easily create a graph with no graphing library, no plugins, no 3rd party dependencies. Just super simple SVG.

How can you quickly and easily find any posts which don't have a featured image?

For this, I use WP CLI - it allows you to run complex WordPress actions and queries using the command line. After you have installed WP CLI you can get started.

Missing Images

On the command line, run:

wp eval 'foreach(get_posts(array("post_type"=>"post","post_status"=>array("publish"),"posts_per_page"=>-1,)) as $post){if(get_the_post_thumbnail($post)==""){$post_type_object=get_post_type_object($post->post_type);$link=admin_url(sprintf($post_type_object->_edit_link . "&action=edit", $post->ID));echo $post->post_date . " " . $link . " " . $post->post_title . "\n";}}'

Here's the code in a slightly more readable format:

foreach ( 
   get_posts( 
       array( "post_type"      => "post", 
              "post_status"    => array("publish"), 
              "posts_per_page" => -1,
       ) 
   ) as $post) { 
      if( get_the_post_thumbnail( $post)== "" ) { 
         $post_type_object = get_post_type_object( $post->post_type ); 
         $link = admin_url( sprintf( $post_type_object->_edit_link . "&action=edit", $post->ID ) ) ;
         echo $post->post_date . " " . $link . " " . $post->post_title . "\n";
      } 
}

That will print out:

2024-05-02 12:34:11 https://example.com/wp-admin/post.php?post=123&action=edit "A post about sausages" 
2023-09-13 20:55:52 https://example.com/wp-admin/post.php?post=456&action=edit "I like cheese"
2021-12-31 15:43:33 https://example.com/wp-admin/post.php?post=789&action=edit "Touching computers"

You can then go and edit each of those posts to add a featured image.

Missing Alt Text

Adding alt text means that people who can't see images will still be able to understand what the picture represents. Here's another one-lines to find all featured images with missing alt text:

wp eval 'foreach (get_posts(array("post_type"=>"post","post_status"=>array("publish"),"posts_per_page" => -1,)) as $post){if(simplexml_load_string(get_the_post_thumbnail($post))["alt"]==""){$post_type_object=get_post_type_object($post->post_type);$link=admin_url(sprintf($post_type_object->_edit_link . "&action=edit",$post->ID));echo $post->post_date . " " . $link . " " . $post->post_title . "\n";}}'

And, in slightly more readable form:

foreach (
   get_posts( 
      array( "post_type"      => "post", 
             "post_status"    => array("publish"), 
             "posts_per_page" => -1,
           ) 
   ) as $post) { 
      if( simplexml_load_string( get_the_post_thumbnail( $post ) )["alt"] == "") { 
         $post_type_object = get_post_type_object( $post->post_type ); 
         $link = admin_url( sprintf( $post_type_object->_edit_link . "&action=edit", $post->ID ) ) ;
         echo $post->post_date . " " . $link . " " . $post->post_title . "\n"; 
      } 
}

Again, that lists the datetime of the post, its edit link, and its title.

Now, if you'll excuse me, I have about 873 posts which need updating 🤯

As a little thank-you for being a member of RSS Club I thought I'd show you some trailers for upcoming blog posts.

I use the brilliant Editorial Calendar Plugin to organise all my scheduled blog posts. Here's what you can expect over the next month:

I tend to write in bursts - rather than once per day - and then spread the posts out. As I'm going on a long break soon, I want to make sure there are plenty of posts in the queue. There are also a bunch of posts scheduled over the next few years on specific dates.

Of course, if I unexpectedly die, I guess they be posthumous…

I'm also working on what will be (I hope) a reasonably big political story. I'm under embargo until my media partner publishes it - but I hope it'll go live in the early hours of Tuesday. Stay tuned 😊

If there's something you'd like to see me write about, please drop me a comment via your favourite method.

This has an excellent narrative structure, some beautiful prose, and I just didn't enjoy it.

The story is Sliding Doors meets Same Time Next Year mixed with a distressing amount of domestic violence.

A mother faces a difficult choice. Should she name her child after her abusive and violent husband? In one strand she does, in another she doesn't, and in the third she makes a compromise. We rejoin the story every few years to see how our protagonists are progressing.

It mostly works and pushes us to consider how much the path of our life is influenced by factors outside of our control.

I have a real difficulty with books about violence. All of the characters are unsympathetic - trapped by tyrant but also trapped by their own inaction. I also struggled with how pedestrian and limited it was. In a world where you can read anything, why would you choose to spy on your horrible neighbours? Like a tawdry soap-opera it offered nothing more than misery and heartbreak. Fine if you need that sort of substitute empathy, but it left me feeling grubby and unsatisfied.

To be fair, the characters in the book address this:

‘Why read them if they make you feel bad?’

‘Because I’m hoping one of them might feel like me,’

It isn't a bad book - although it does veer into cliché a little too often - and the structure is interesting enough. But I found its subject matter too distressing to be enjoyable,

Book Club Discussion

This isn't the sort of book I'd normally pick up - but it was chosen by the book club I attend. The majority of readers rated it higher than I did. Here are some of the things we discussed.

The central message sees to be that, no matter how hard you try, the tragedy which infects your life can never be escaped. I found that depressing and disempowering. The domestic dreariness was stifling and just left me irritated with the passivity of the characters.

The evil father is an arsehole - but a one-dimensional arsehole. I get that there's a risk to humanising an antagonist, but other than a brief mention of his back-story there's nothing about him. I didn't want a justification for his actions, but he felt like a cartoon villain.

Even when one character gains a moment of happiness, it is offset by another's misery. No matter which path is chosen, someone always ends up broken.

Are we "destined" to meet the same people, no matter what path we take?

During the episode, Eddie starts reading this newspaper:

Obviously, the "Hammersmith Bugle" is not a real paper and they never ran a headline "No News Shocker". But judging from all the other shots, the prop is based on a real newspaper.

So I decided to rip off Dirty Feed's shtick and find out what was used to create the fake newspaper. The quest took me o'er hill and dale. Through the rough hinterlands of Hammersmith and into the nether regions of Wimbledon. By which I mean - I used lots of online archive sources.

And it nearly worked! I found all of the internal pages. I also found the back page:

That's from The Surrey Herald - but that's a paper with lots of regional editions. None of which had the right headline.

So I emailed my (frankly asinine ) request to Surrey Museums. They were polite, but unable to help. Their website gave a clue though - the location of the archives of the Surrey Herald:

Surrey Herald: Chertsey, Addlestone and Byfleet edition (also Walton, Weybridge and Hersham edition Feb 1979 to 1999 at Elmbridge Museum)

So I contacted the fine people at Elmbridge Museum who were happy to rummage through their microfiche for me. I expect, much like Indiana Jones, the archivists had to knock down fake walls, find a mystic box containing the treasure, and then dodge various snakes and villains to retrieve the priceless artefact. Or they may have a well designed archival system which is a pleasure to use. I don't know.

Anyway! All of which is to say that they very kindly sent me a quick scan of the front page of Surrey Herald's Walton, Weybridge and Hersham edition from November 3rd 1994.

Here it is in all its glory!

That's a perfect match for what's seen on screen:

Hurrah! Another mystery solved thanks to publicly funded museums!

What have we learned today?

• Archivists are lovely, generous, and helpful people.
• Museums are brilliant.
• Not everything in the world has been digitised.
• There was quite a lot of news that day no matter what the drunken hacks at the Hammersmith Bugle say.
• We do not know if centenarian Elsie Bartlett was aware that her photo featured in this seminal part of British comedy.

I recently read Susam's blog post where they said that "most of the traffic to my personal website still comes from web feeds" - I wondered if that was true for my site.

I've been writing this blog for a while. I've never much bothered with "aggressive" SEO - I have a fairly semantic layout, all my reviews have metadata, and stuff like that - but I'm not cramming in keywords, using AMP, or whatever other chickens Google requires to be sacrificed for a higher ranking. Nevertheless, I do OK.

Last year, I added a bit of local-only, lightweight statistics-gathering to my blog. I can see which sites people click on to reach mine. Google is right up the top, DuckDuckGo is surprisingly high, Bing is lucky to crack the top 20 on any day. Similarly, I can see how much traffic I get from the Fediverse and BlueSky (Twitter has all but vanished).

A few weeks ago I added RSS and Newsletter tracking. These data are very lossy. If someone is subscribed to my RSS feed and opens a post and their client downloads a lazy-loaded image at the end of the post, I get a hit. For email it's broadly the same. If an email is opened and the tracker image is loaded, I get a hit (although Gmail does obfuscate that somewhat).

I'm not looking for super-accurate numbers (although I do block as many AI crawlers and bots as possible). I'm not creepily following people around the web nor am I trying to sell them anything. I just want a rough idea of where people find me.

Here are my blog's views for the last 28 days.

Some months I get a surge of hits from link aggregators like HN or Reddit. Sometimes I'm linked to from a popular site or cited in academic work. But most of the time I bumble along getting hits from here, there, and everywhere. Nevertheless, it's lovely to see so many people choosing to subscribe⁰ (for free!) and astonishing that they provide more traffic than a major search engine.

Obviously, these are two very different types of traffic. People who are searching for a specific thing and stumble upon my blog are different from those who decide to like and subscribe.

But, yeah, about 25% of my traffic comes from people who have chosen to subscribe.

I'm just delighted that so many people read my random thoughts.

A little while ago I added some locally hosted, privacy first stats to my blog. Using an offline GeoIP service I can get a very rough idea of where visitors are from.

It doesn't deal with people using a VPN, or their mobile roaming to a different country, or rapid changes in IP allocation - but it's good enough for my purposes.

Here's a quick table showing the vague distribution of RSS Club members.

There are a few more rows but, in the spirit of privacy, I've not included some of the more unique countries. Not all of those are unique views - these are aggregate statistics. If your RSS reader is hosted in a different country - or on a large platform - it may only show up inaccurately.

If you don't see your country in this list, please drop me a comment via your favourite method.

$romanNumerals = [
    "Ⅿ"  => 1000,
    "ⅭⅯ" => 900,
    "Ⅾ"  => 500,
    "ⅭⅮ" => 400,
    "Ⅽ"  => 100,
    "ⅩC" =>  90,
    "Ⅼ"  =>  50,
    "ⅩⅬ" => 40,
    "Ⅹ"  => 10,
    "Ⅸ"  => 9,
    "Ⅷ" => 8,
    "Ⅶ"  => 7,
    "Ⅵ"  => 6,
    "Ⅴ"   => 5,
    "Ⅳ"  => 4,
    "Ⅲ"  => 3,
    "Ⅱ"  => 2,
    "Ⅰ"   => 1
];

The problem is, the operators don't line up and the whole thing looks messy. Why? Because the Unicode Roman Numerals are not monospaced! ⅭⅯ is a different width to ⅩC and Ⅷ is only a single character! Copy the above to a text editor and see if you can get neat columns. I bet you can't!

I'm obsessed with vertically aligning my code. So how to solve this ugly problem?

The answer was simple. Assign keys to the values and then flip the array!

$romanNumerals = array_flip([
    1000 => "Ⅿ",
     900 => "ⅭⅯ",
     500 => "Ⅾ",
     400 => "ⅭⅮ",
     100 => "Ⅽ",
      90 => "ⅩC",
      50 => "Ⅼ",
      40 => "ⅩⅬ",
      10 => "Ⅹ",
       9 => "Ⅸ",
       8 => "Ⅷ",
       7 => "Ⅶ",
       6 => "Ⅵ",
       5 => "Ⅴ",
       4 => "Ⅳ",
       3 => "Ⅲ",
       2 => "Ⅱ",
       1 => "Ⅰ"
]);

There! Doesn't that look much neater!

As was written long ago:

A computer language is not just a way of getting a computer to perform operations but rather … it is a novel formal medium for expressing ideas about methodology. Thus, programs must be written for people to read, and only incidentally for machines to execute.

Throughout my time working for the UK Government - in GDS, NHSX, i.AI, and others - I championed Open Source. I spoke to dozens of departments about it, wrote guidance still in use today, and briefed Ministers on why it was so important.

That's why I'm beyond disappointed at recent moves from NHS England to backtrack on all the previous commitments they've made about the value of open source to the UK's health service.

It's rare that multiple people leak the same story to me, but that's what gives me confidence that lots of people within the NHS are aghast at this news.

A few days ago, I was sent this quote which was attributed to a senior technical person in NHS England.

We are obviously looking at things like Mythos, which is more sophisticated at finding vulnerabilities. In the next week or so, we will be changing our tack on coding the open and making our code public until we're on top of that risk.

Most of our repos, unless they're essential, will be removed for security reasons.

As I've written before, this is not the correct response to the purported threat by Mythos. Neither the AI Safety Institute nor the NCSC recommend this action. While there may be some increase in risk from AI security scanners, to shutter everything would be a gross overreaction.

Nevertheless, that's what the NHS is preparing to do.

On the 29th of April, guidance note SDLC-8 was sent out. Here's what it says:

The majority of code repos published by the NHS are not meaningfully affected by any advance in security scanning. They're mostly data sets, internal tools, guidance, research tools, front-end design and the like. There is nothing in them which could realistically lead to a security incident.

When I was working at NHSX during the pandemic, we were so confident of the safety and necessity of open source, we made sure the Covid Contact Tracing app was open sourced the minute it was available to the public. That was a nationally mandated app, installed on millions of phones, subject to intense scrutiny from hostile powers - and yet, despite publishing the code, architecture and documentation, the open source code caused zero security incidents.

Furthermore, this new guidance is in direct contradiction to the UK's Tech Code of Practice point 3 "Be open and use open source" which insists on code being open.

Similarly, the Service Standard says:

There are very few examples of code that must not be published in the open.

The main reason for code to be closed source is when it relates to policy that has not yet been announced. In this case, you must make the code open as soon as possible after the policy is published.

You may also need to keep some code closed for security reasons, for example code that protects against fraud. Follow the guidance on code you should keep closed and security considerations for open code.

There's also the DHSC policy "Data saves lives: reshaping health and social care with data":

Commitment 601 – completed May 2022

We will publish a digital playbook on how to open source your code for health and care organisations

And, here's NHS Digital's stance on open source in their Software Engineering Quality Framework:

The position of all three of these documents is that we should code in the open by default.

All of which is reflected in the NHS service standard:

Public services are built with public money. So unless there's a good reason not to, the code they're based should be made available for other people to reuse and build on.

All of which is to say - open source should be baked into the DNA of the NHS by now. There are thousands of NHS repositories on GitHub. The work undertaken to assess all of them and then close them will be massive. And for what?

Even if we ignore the impracticality of closing all the code - it is too late! All that code has already been slurped up. If Mythos really is the ultimate hacker, hiding the code now does nothing. It has likely already retained copies of the repositories.

And if it were both practical and effective to hide source code - that doesn't matter. These AI tools are just as effective against closed-source. They can analyse binaries and probe websites with ease.

There are tens of thousands of NHS website pages which refer to their GitHub repos - will they all need to be updated? What's the cost of that?

I've no idea what led to NHS England making this retrograde decision - so I've send a Freedom of Information request to find out.

I am convinced that closing all their excellent open source work is the wrong move for the NHS. I hope they see sense and reverse course.

Until then, I've helped make sure that every single NHS repository has been backed up and, because the software licence permits it, can be re-published if the original is closed.

In the meantime, you should email your MP and tell them that the NHS is wrong to shutter its world-leading open source repositories.

Don't let them take away your right to see the code which underpins our nation's healthcare.

Further Reading

• I'm quoted in this article from The New Scientist.
• Matt Hancock on the issue
• Discussion by Jessica Morley, PhD
• Free Software Foundation Europe press release
• Further commentary from New Scientist
• Petition - Keep Things Open
• Update 2026-05-14: GDS have published their Guidance "AI, open code and vulnerability risk in the public sector " which explicitly says closing repos is the wrong approach.

The wonderful folks at DigVentures allow members of the public to assist with archaeology projects in their local area. We arrived on a sunny Thursday to find a couple of areas of Lesnes Abbey cordoned off, with the turf taken up, and a set of tools waiting for us.

After a suitable health-and-safety briefing and some instruction on the tools, we got cracking. I was slightly sceptical that we'd find anything digging only a few centimetres of dirt. The professionals reassured us that we'd all find something.

After scrabbling around for ages, I was feeling despondent. I found some interesting stones, some underwhelmed worms, and some prehistoric crisp packets - but nothing else.

And then.

CBM - Ceramic Building Material - tiles started popping out of the ground. Big orange chunks of ancient tiles were everywhere. My mate Cam and I also found some with holes in them - evidence of them being used on a roof.

A surprising number of oyster shells were present - the discarded detritus of someone's lunch from hundreds of years ago. I even found a tiny bone (assessed as non-human, thankfully. Apparently that comes with a hell of a lot of paperwork!).

Gorgeous! And then, something shiny! Was it metal? Sadly, no. A chunk of pottery apparently. I kept digging, sraping, hoeing, looking, and then I found more shiny!

The local pottery expert reckoned it was 18th Century salt-glazed creamware.

You can take a look at the DigVentures Timeline or the Lesnes Abbey Facebook page to see more photos of what we all found.

It was a brilliant day out - I never realised just how close under our feet you can find history. It was also a physically demanding day, lots of kneeling on the ground, heaving speades, dragging wheelbarrows, etc.

If they're running something near you, please get involved with DigVentures

Perhaps it was sitting right at the front of the stalls, but the opening of Hadestown feels like dinner theatre; almost cosy in its intimacy. The first act is so busy - there are a hundred-and-one things happening on stage that it occasionally becomes overwhelming. The second act is slightly more intimate, but no less dazzling.

Having the musicians on stage lends to the feel of being in a nightclub. The stereo separation makes it easier to pick out the various musical threads and brings a lovely texture to the songs. Also, who knew a trombone could steal a show?

Lots of the cast sing in their natural accents. A roaring northern Hades versus a Mancunian Orpheus makes for quite the thrilling combination. Having subsequently listened to the Broadway cast recording, it is amazing what a positive difference it makes.

And, yes, the obligatory revolve spins the performers on a near-constant merry-go-round. When I am King of the West End, the revolve will be banned for the laze cliché that it is!

A stunning show with a killer soundtrack and a delightful set of performers.

I've written before about how the pre-show and post-show experience shapes an event. The Lyric theatre is generously sized, so plenty of space to mill about before the show, rather than being crammed into a tiny bar. The toilets weren't in too bad a condition. Once again, no set dressing in the liminal spaces. Would it have been so hard to mock up some travel posters for the eponymous station? Or have something for people to take photos with?

The themed cocktail menu was inventive but shockingly expensive, even for London prices. The programme is only a fiver and, unlike other West End shows, is full of interesting information and not just an excuse to cram in adverts - excellent value for money.

After the curtain call, we get a few more minutes with the musicians, which was delightful. On the way out there was no leaflet offering a discount on return visits (unlike Avenue Q). There is, apparently, a "Hadestown Passport" which you can get stamped every visit - although I didn't see any evidence of that.

But consume it how? There are lots of excellent parsing libraries for PHP. But isn't there a simpler way? Yes! You can use PHP's parse_ini_file() function and it works.

But…

.env and .ini have subtly different behaviour which might cause you to swear at your computer.

Let's take this example:

# This is a comment
USERNAME="edent"

Run $env = parse_ini_file( ".env" ); and you'll get back an array setting the USERNAME to be "edent". Hurrah! Works perfectly. Ship it!

But consider this:

# This is a comment
USERNAME="edent" # Don't use an @ symbol here.

It will happily tell you that the username is "edent# Don"

WTAF?

Here's the thing. The comment character for .ini is not # - it's the semicolon ;

Let me give you some other examples of things which will fuck up your parsing:

# Documentation at https:/example.com/?doc=123
DOCUMENTATION=123
# Set the password
PASSWORD=qwerty;789

That gets us back this PHP array:

[
  '# Documentation at https:/example.com/?doc' => '123',
  'DOCUMENTATION' => '123',
  'PASSWORD' => 'qwerty',
];

When the .ini is parsed, it ignores every line which doesn't have an = sign. It also treats literal semicolons as the start of a new comment until they're wrapped in quotes.

My code highlighter should show you how it is parsed:

# Documentation at https:/example.com/?doc=123
DOCUMENTATION=123
# Set the password
PASSWORD=qwerty;789

It gets worse. Consider this:

# Set the "official" name
REALNAME="Arthur, King of the Britons"

That immediately fails with PHP Warning: syntax error, unexpected '"' in envtest on line 1

You can use single quotes in pseudo-comments just fine, but if the ini parser sees a double quote without an equals then it throws a wobbly.

I'm sure there are several other gotchas as well. For example, there are certain reserved words and symbols you can't used as a key.

This will fail:

# Can we fix it? Yes we can!
FIX=true

It chokes on the exclamation point.

How to solve it (the stupid way)

The comments on an .env file start with a hash.

The comments on an .ini file start with a semicolon.

So, it is perfectly valid for a hybrid file to have its comments start with #;

Look, if it's stupid but it works…

What Have We Learned Here Today?

• There's a right way and a wrong way to do .env parsing.
• The wrong way works, up until the point it doesn't.
• You should probably use a proper parser rather than hoping your .env looks enough like an .ini to pass muster.

On next week's show - why you shouldn't store your passwords inside a JPEG!

So should you close all your Open Source projects to make them safe?

No.

Firstly, all your Open Source code has already been slurped up.

It was all ingested for "training purposes" years ago. If it was moderately interesting then it was backed-up by a digital hoarder. It has been archived by various digital libraries. Anyone who wants to do research on your code base can.

Closing now doesn't meaningfully protect you.

Secondly, most of the security holes in your systems are probably not in your code. Vulnerabilities exist throughout your supply chain. All the dependencies - your OS, libraries, and even hardware - are all richer targets for hackers. Finding a CVE in a popular library is almost certainly more worthwhile than investigating your Open Source code.

The bigger risk comes not from subtle logic bugs but from phishers, poor password hygiene, and insider threats. Securing your existing systems provides more protection than rushing to close-source your code.

Finally, closing the source of something doesn't protect you. These new AI models can easily investigate and your closed source systems and potentially penetrate them. It has always been possible to analyse websites and binaries. AI doesn't change that - although it might accelerate it.

Open Source does have risks but AI doesn't upend decades of evidence that closed-source is just as vulnerable to attackers.

In cases where the state creates code using public money, it has a responsibly to share that code. Automated threat analysis - even by hypercapabe AI - doesn't change that.

I would strongly recommend reading the UK's AI Safety Institute's evaluation of Claude Mythos Preview’s cyber capabilities and the NCSC's advice. Neither of them recommend closing down Open Source code.

Nevertheless, some get through. Here's a particularly pernicious one - it appeared as three comments ostensibly in reply to each other.

At first glance these look like normal comments. They each address the content of the blog post albeit somewhat superficially. The first comment looks like it was from a social media post sharing my link - I get a lot of those as pingbacks, so it initially didn't trigger any suspicions from me.

The second is ostensibly a reply to the first and continues the conversation. Again, a bit shallow, but seems to be engaging in good faith.

The third looks like yet another reply. They all have unique email addresses, none of them have set their username to anything overly odd, and none of the users have filled out their URl.

But notice, in the second one, there's a link to a dodgy casino! There's no https:// so it didn't jump out as a link.

All three came from the same IP address in the Philippines, so easy to block for now.

Each reply is spaced exactly 3 minutes apart which, in retrospect, looks a little odd.

Re-reading them carefully, they all look like AI slop. A plausible sounding summary, written in a casual style, but with very little semantic content. Seeing them as replies to each other primed me to think they were genuine because I'm used to spam coming in individual replies. Having the spam in the middle comment made it easy to glaze over.

Remember, there are no technological solutions to social problems. Sticking more and more barriers in the way of commenting only discourages genuine replies while the profit motive incentivises spammers to work around them.