Alcides Fonseca

40.197958, -8.408312

Flickr REST API design

Half of my education in URLs as user interface came from Flickr in the late 2000s.

[…]

This was incredible and a breath of fresh air. No redundant www. in front or awkward .php at the end. No parameters with their unpleasant ?&= syntax. No % signs partying with hex codes. When you shared these URLs with others, you didn’t have to retouch or delete anything. When Chrome’s address bar started autocompleting them, you knew exactly where you were going.

[…]

It was a beautiful and predictable scheme. Once you knew how it worked, you could guess other URLs. If I were typing an email or authoring a blog post and I happened to have a link to your photo in Flickr, I could also easily include a link to your Flickr homepage just by editing the URL, without having to jump back to the browser to verify.

Marcin Wichary (via Michael Tsai)

The advent of Single-Page Applications (through Angular and React) screwed over the beautiful URL design of the late 2000s, of which Flickr is one of the best examples.

Back then, APIs were designed for the public. But the facebookesque progressive siloing of the internet made big companies stop providing public documentation for most APIs, in order to control the clients (where the money is made).

If only we could solve the monetization of the internet…

Age-verification in Operating Systems and the Internet

The only way to prove that someone is old enough to use a site is to collect personal data about who they are. And the only way to prove that you checked is to keep the data indefinitely. Age-restriction laws push platforms toward intrusive verification systems that often directly conflict with modern data-privacy law.
This is the age-verification trap. Strong enforcement of age rules undermines data privacy.

Waydell D. Carvalho

To this point, here are some of the recent changes:

Here’s where each of the “All Operating Systems must do age verification” laws are as of today.

- Brazil (Law 15.211) : Signed into law. Requirements in effect on March 17th, 2026.

- California (AB-1043) : Signed into law. Requirements in effect on January 1st, 2027.

- Colorado (SB26-51) : Passed Senate on March 3, 2026.

- New York (S8102A) : In Senate Committee.

Note: As of today, March 4th, Operating Systems developers have only 13 days remaining before the Brazilian law takes effect.

Related: In order to “incentivize” age verification, The Federal Trade Commission (FTC) has announced that they will ignore COPPA violations for software performing age verification.

The Lunduke Journal

As I have written before, social networks and short videos are a matter of public health. However, I disagree that it is a matter of age — this affects adults as much as kids. But let us assume that the liberal side of me wants each and every one of us to make their own decision. Except minors, who are dependent on their guardian’s decisions (the American-centric way) or their government’s decisions (the European way).

The American approach is more suitable for a technological translation — devices for kids (think iPhone 17e, with underage-mode enabled) require explicit permissions, either a priori, or through an interactive prompt to their guardian’s devices.

The European approach is much more difficult — you need to use your government-issued ID certificate to authenticate on the web, which leads to the end of the anonymous internet. I believe this change is coming, but I would like to preserve the 2000s internet as the governance model, especially given how our global village navigates the geopolitical changes of the 21st century.

Regardless, internet websites require a way of asking for the age of their users, from either the user or the device. Users lie — everyone I know lied on website age checks, even after being 18, out of habit — so device-based checking is being instituted. Apple designed an API on the 26+ versions of their OSes, in response to the law changes mentioned above.

Mandating that operating systems even have accounts is insane. The Facebook dominance of the user-facing internet gives lawmakers the false impression that the whole internet follows the same siloed pattern. But the internet and operating systems are so much more than that: we should have the freedom to design operating systems (and internet protocols) however we like. If I want to design a user-less operating system, I should. Internet protocols should be designed by experts who understand how the internet works, with input from the social sciences to understand the impact.

Yes, we have a problem, but we are law-constraining the wrong things here. It’s like passing a law requiring all knives to have a fingerprint lock to only allow over 16 year olds to open it. Several international security and privacy researchers warn against these changes without proof that they have any impact.

A simpler alternative would be for a non-profit or a government authority to create whitelists of websites that are suitable for different age ranges, and let parents configure those whitelists in their kids’ devices.

But I am sure I can embed an HTTP proxy in our university domain. The bottom line is that there is no technology that can replace good parenting.

Colin Brittain plays From Zero

Today’s work session is brought to you by Colin Brittain playing and talking about Linkin Park’s From Zero, one of my favorite albums from the past two years.

The new anti-inbreeding rules are a shot in the foot

The government did what it knows best to solve a problem (and I agree that it is a problem in Portugal), which was to legislate, in the new proposal for the Regime Jurídico das Instituições de Ensino Superior (the legal framework for higher education institutions). In particular,

Medical schools want an exemption from the rules against academic inbreeding
“Organic units that do not have at least 40% of career teaching staff and researchers with a first degree or doctorate from another higher education institution are barred from hiring, regardless of the type of contract, in the three years following the award of the doctoral degree, as teaching staff or researchers, those who obtained all their academic degrees there.”

This rule is a big shot in the foot, hugely harming universities in the interior or in cities that have only one university. Imagine: someone who finishes their PhD at Universidade de Lisboa can go to Nova, to ISCTE or to another of the several universities that Lisbon has. Someone who finishes their PhD at UTAD, on the other hand, necessarily has to move to another city. Imagine the problem for UTAD, struggling to hire professors because the PhD holders who live there cannot work there.

Now, there are several valid reasons for someone not to want to move to another city (supporting family, not wanting their children to change schools, the two-body problem, or because they combine the job with another professional activity that is local). This measure seriously harms those who are in these situations.

The Conselho de Escolas Médicas Portuguesas (Council of Portuguese Medical Schools) agrees, since doctors are not on exclusive contracts and do not want to change department or city. And it is not only doctors!

And yes, I know there is a lot of controlled inbreeding (including in Medicine), but the solution is not to block hiring. Nor is it to delegate hiring to external members, as happens with the panels of impartial experts, who are nevertheless hand-picked by the house to value what it wants valued, in a tit-for-tat tactic. We should give institutions the freedom to define their goals and the strategies and practices that lead to those goals. But we should also evaluate and audit the decisions taken, with strong career implications. If an entity’s hiring strategy does not work, we need to understand why and work out whether it was done in bad faith or not.

That is what we should fight: inbreeding done in bad faith, as opposed to inbreeding that happens because of external and justifiable factors.

A New Age Software Engineering Degree

What may happen is that software development involves less coding than it has in the past because of AI. At least coding by humans. So BLS is probably right about a decline in the need for computer programmers. At the same time, if software developers spend less time doing actual coding they may have more time for higher level (if that is the right term) thinking and involvement in design. Unless AI starts doing more of that. So maybe we will not need more of them. Or perhaps AI will make it possible for more people to be software developers who wouldn’t be that now. We’ll see I guess.

Computer Programming or Software Development by Alfred Thompson

Alfred analyses the difference between a programmer and a software developer. AI is replacing programmers (those that implement features identified by software developers), but not Software Engineers.

On the other hand, we might not be preparing our SE students for the next decade. We have good, core CS and Programming courses. But advanced courses are not up to par with what the market needs. This aligns with the Barbell approach, which is the closest I have seen to a good path for our SE education. We need good, pen-and-paper, fundamental courses, and we need up-to-date advanced courses that make use of AI and whatever comes next.

The main problem is that technology is moving faster than Universities can adapt. Most professors are researchers in their own niche, and most are not doing Software Engineering, but they do teach it. We need more cutting-edge engineers to come back to universities to teach.

Here in Portugal, we have incentives not to hire professionals (I am fighting this locally, and got two real-world engineers to teach Functional Programming with me) and our degrees have to stay static for three to four years. This does not work in this day and age, when the development process changes so frequently and professors are too busy to actually get some hands-on experience. I am also fighting that, but that’s for some other post.

The internet isn't closed as Facebook

Fantastic piece by Mark Nottingham on the future and openness of the Internet!

New applications and networks appear daily, without administrative hoops; often, this is referred to as “permissionless innovation”, which allowed things like the Web and real-time video to be built on top of the network without asking telecom operators for approval.

Yes, the internet is a huge, but unlikely success that (I believe) was only possible because it moved faster than regulatory and legislative bodies could understand it.

On the other hand, the Australian eSafety Regulator’s effort to improve online safety – itself a goal not at odds with Internet openness – falls on its face by applying its regulatory mechanisms to all actors on the Internet, not just a targeted few. This is an extension of the “Facebook is the Internet” mindset – acting as if the entire Internet is defined by a handful of big tech companies. Not only does that create significant injustice and extensive collateral damage, it also creates the conditions for making that outcome more likely (surely a competition concern). While these closed systems might be the most legible part of the Internet to regulators, they shouldn’t be mistaken for the Internet itself.

Yes, countries are regulating something that they do not own (the internet), without considering that (critical, public and international) infrastructure’s wellbeing. There are no border controls on the internet, and while I agree there should be regulation and laws on what you can do with the internet, the internet itself (the infrastructure) should not be regulated.

Likewise, the many harms associated with the Internet need both technical and regulatory solutions; botnets, DDoS, online abuse, “cybercrime” and much more can’t be ignored. However, solutions to these issues must respect the open nature of the Internet; even though their impact on society is heavy, the collective benefits of openness – both social and economic – still outweigh them; low barriers to entry ensure global market access, drive innovation, and prevent infrastructure monopolies from stifling competition.

This is where I think Mark is wrong. The unlikely success of the internet is coming to an end, due to the economics of LLM-generated content. If we want the internet to remain open, it should remain open to humans and agents alike. If everyone has an OpenClaw agent running around, they multiply their internet footprint by 1000x or more. ISPs will notice, and change the pricing and economics of the internet. As I warned before, the signal-to-noise ratio will decrease substantially and something alternative will arise from the Internet’s ashes.

The comma trick

Like any Unix aficionado, I have my own stash of custom commands. At some point in time, I mimicked Pedro Melo’s idea of starting all of them with an underscore, to have a more precise auto-complete.

Fast-forward some years, and in my macOS and Ubuntu shells, I have plenty of system scripts that start with one or two underscores, undermining the autocomplete advantage.

Brandon Rhodes proposes to use the comma. Personally, I am not a fan of having a punctuation symbol that has other meaning in programming languages inside a shell that parses input as a programming language (zsh these days). But this is the type of yak shaving that automates your workflows.

Overview of what has been happening to LLMs

It’s impossible to keep up with all the new developments in the LLM-era. However, one thing has been true: they never stopped improving.

Malte Skarupke explains How LLMs Keep on Getting Better, covering a few of the different visible and invisible aspects of LLMs that have been worked on over the past couple of years. It’s a really good overview for those who are not into the weeds of it.

The Guardian on Europe's dependency on US Big Tech

(via Antónia)

An excellent layman’s recap of the dependency (in terms of defense, but also economy) that Europe has on US tech. What happens if we cannot have US-owned operating systems in our mobile phones? Or we cannot buy American brands for our hospital computers and servers? Will you still receive emails or direct messages?

I will continue my quest to move out of Gmail to something European. Unfortunately, Portuguese SAPO is no longer an alternative, so I will have to go for something German, Dutch or Swiss.

Municipal Police removes bicycles from posts without offering an alternative

Although the Polícia Municipal insists that the removal of bicycles targets abandoned vehicles, Paula, the resident who reported the situation, assures LPP that the bicycles removed on Rua Lopes looked new or in good condition, which her photographs confirm.

MUBi also points out that the bicycles were “removed without any record or notice at the location, making it impossible to exercise the right to respond and leaving their rightful owners convinced that they had been victims of theft”, and expresses “its deep concern and repudiation” regarding the action carried out by the municipal police authority.

Lisboa Para Pessoas

Bicycles parked on sidewalks bother me too. But the solution is not to steal them from their owners; it is to offer those bicycle lockers that are so successful in London.

It's the end of anonymity in open-source as we know it.

There is no longer a curl bug-bounty program. It officially stops on January 31, 2026. […] Starting 2025, the confirmed-rate plummeted to below 5%. Not even one in twenty was real. The never-ending slop submissions take a serious mental toll to manage and sometimes also a long time to debunk. Time and energy that is completely wasted while also hampering our will to live.

The end of the curl bug bounty by Daniel Stenberg

Early last year I argued that the internet needed to stop being anonymous, so that we can live among LLM-generated content. The end of the curl bug bounty program is another piece of evidence — if we cannot tie submissions to real people, tracking their reputation and eventually blocking them from trying a second or third time.

PGP was probably a solution behind its time. On the other hand, maybe we were lucky with what we achieved with anonymous developers working together on the internet.

Uno Rules

Every time I play Uno, I have to ask the owner of the game (or the group) exactly which rules we are playing with. There are multiple variations of the rules, and yet, I never played with the correct ones, explained in the video below.

However, I still like to play with my own set of rules, which gathers several variations that I’ve experienced and found to be fun. In particular:

  • If you have multiples of the same number/symbol, you can play them all at once. This is useful for changing the color, and speeds up the game. You can play multiple skips to skip multiple players. And yes, you can play multiple +2 or +4 at the same time. But it might come back to bite you (see rule below).
  • If someone plays a +2 (or multiple), you can play another (or multiple) +2, to pass the accumulated punishment to the next player. This can go around the table and come back to you, and that makes it even more fun.
  • If someone plays a +4 (or multiple +2 and a final +4), they have to announce the color. If you have a +2 of that color, you can play it (along with other +2s). This forces players to keep track of what other players have or do not have, making it more of a game.
  • Even if it is not your turn, you can always play a card that is exactly the same as the one on the top of a discard pile. This allows the flow of the game to be interrupted, and the next player is the one after the player that “stole” the turn. This makes the game much more immersive, but requires all your attention. You cannot do other stuff while playing with this rule. Additionally, you should force people who play multiple cards at once to do it one at a time (with one hand), so they can be interrupted by others.
  • Finally, when you only have one card, you have to say Uno, like Uno Restaurant or Uno Airport. This is a brain twister for people who are used to playing Uno. They will just say uno, and then they get the 7 cards.

Yes, these rules might make the game longer, but on average they make it much shorter and will give you plenty of laughs. Do try it and let me know if it worked for you or not.

TigerBeetle Code Style

  • Declare variables at the smallest possible scope, and minimize the number of variables in scope, to reduce the probability that variables are misused.
  • There’s a sharp discontinuity between a function fitting on a screen, and having to scroll to see how long it is. For this physical reason we enforce a hard limit of 70 lines per function. Art is born of constraints. There are many ways to cut a wall of code into chunks of 70 lines, but only a few splits will feel right.

TigerBeetle codestyle

I remember when getting into Haskell, back in 2010: “If your function has more than 4 lines, it is wrong”. For me, that is more meaningful than the 80 character limit. Soft-wrap exists to adapt lines of any length to your own screen. However, managing the complexity of functions and code-blocks is way more important in my book.

I know you have larger functions in Haskell (especially with monads), but keeping functions within 4 lines makes it an interesting trade-off between badly-named functions and the complexity of each function.

I know when to break this rule, as do most senior programmers. However, junior programmers lack the sensitivity to make such a decision. I love having a rule-of-thumb for newcomers who are not familiar with the ecosystem or programming in general.

Btw, the rest of the style guide is quite good! Except for the number of columns thing.

Foundations for hacking on OCaml

How do you acquire the fundamental computer skills to hack on a complex systems project like OCaml? What’s missing and how do you go about bridging the gap?

KC Sivaramakrishnan

KC gives several resources for students to get up to speed with contributing to OCaml.

One of the interesting resources is MIT’s The Missing Semester. This semester I created our own version of this course, covering git, docker, VMs, terminal/bash, testing, static analysis and LLMs for code.

While we cover how to do a Pull Request, I don’t believe students are ready to actually contribute. Reading large codebases is a skill that even our graduate MSc students don’t have. Courses are designed to be contained, with projects that need to be graded with little human effort, resulting in standard assignments for all the students.

I would love to run something like the Fix a real-world bug course Nuno Lopes runs. But being able to review so many PRs is a bottleneck in a regular course.

To understand, you have to invent

To really understand a concept, you have to “invent” it yourself in some capacity. Understanding doesn’t come from passive content consumption. It is always self-built. It is an active, high-agency, self-directed process of creating and debugging your own mental models.

François Chollet (via Simon Willison)

It’s a rephrasing of our “The best way to understand something is to teach it to someone else”. And that’s why I still love my job.

My 2025 HN wrapped

I use Hacker News as a tech and economy news feed, but I don’t necessarily comment or upvote a lot.

Just like YouTube’s or Spotify’s wrapped (I personally use Last.FM), there is this fun HN wrapped that was done with a tongue-in-cheek style that I particularly love.

2025 in Music

Like last year, my 2025 music trends are quite steady:

My Last.FM shows me that I did not listen to a lot of new music. Here are the 2025 albums I have added to my library:

  • Avantasia – Here be Dragons. In the same vein as the previous trilogy of albums, with a callback to the original fantasy sounds. However, I still miss the opera style of the first couple of albums, while these latest 6 albums are more of a Tobias album with a few guests. I wanted more epic songs like Sign of the Cross, with several singers.
  • Arjen Anthony Lucassen – “Songs No One Will Hear”. Ayreon has been my fix for these epic opera songs. This is clearly not an epic Ayreon album, but Dr Slumber’s Blue Bus is a happy song that I just can’t get enough of.
  • Halestorm – Everest. It’s not one of the older “every song is a banger” albums, but it has a slower, more mellow tonality to it. In particular, my favorite song, Darkness Always Wins, gives me a déjà vu feeling, as if it was a song from my teens.
  • Majestica – Power Train. I mostly listen to it because of No Pain, No Gain, which is one of the songs that I wake up to if I want energy right in the morning.
  • Dynazty – Game of Faces. Nils still has time to record with his original band (I love him in Amaranthe, despite having a slight preference for Jake’s era songs), but despite being generally good, it does not have a really over-the-top song like earlier albums.

While not A-side, I have also enjoyed the two alternative releases by Linkin Park (A Capella) and The Mars Volta (Lucro Sucio; Los Ojos Del Vacio) but the original material still plays more on my speakers.

In hindsight, I have spent very little time searching for new bands, other than Majestica. One interesting Top40 source of recommendations is the Hitster boardgames, where you try to create a timeline of popular songs just by Spotify’s 30 second preview.

Simon Willison reinvents TDD

As software engineers we don’t just crank out code—in fact these days you could argue that’s what the LLMs are for. We need to deliver code that works—and we need to include proof that it works as well. Not doing that directly shifts the burden of the actual work to whoever is expected to review our code.

Simon argues that engineers should provide evidence of things working when pushing PRs onto other projects. I recently had random students from other countries pushing PRs onto my repos. However, I spent too much time reviewing and making sure it worked. I 100% agree with Simon on this, but I feel the blog post is a bit pessimistic in the sense that software engineers might only be verifiers of correctness.

Don’t be tempted to skip the manual test because you think the automated test has you covered already! Almost every time I’ve done this myself I’ve quickly regretted it.

This is my experience for user-facing software. But these days, I spend little time writing user-facing code other than compiler flags.