I wanted to write for the blog for a while, in fact, I have quite a few items I want to cover and start discussing. Items like Personal Knowledge Management, rebuilding my site, thoughts on various trends - and how they have overlapped with other topics I have in mind like being more mindful on my time usage, and others. Unfortunately, I have also been very busy in life and so all that work has been put on the back burner.

I plan to get back into a routine by January, 2026. One big goal is to reevaluate the tools used for this site. I want to try to strip away the site to the bare bones and then build from there, either with Hugo or another tool. Because I haven’t build the theming myself I feel like I don’t own it as much as I could.

I want to establish more of my ownership - or perhaps knowledge-ship - of the site. Until I have the new site figured out, I will most likely not be posting or updating much here.

Until then, here is a quick, non-exhaustive, list of items I want to start covering:

Personal Knowledge Management

I really want to explore, more for myself than anything, what my current PKM system is, and how I am trying to manage all the information around me. I feel like it would be an exciting exercise to, one, codify it and two, to identify gaps and issues with what I am doing versus what I want to be doing.

Time Management (With heavy regards to Algorithms)

There are a few people I follow that have been pushing back on Social Media from the perspective of Algorithms. I’ve been looking and adopting a few of these to better avoid “Doomscrolling” in my various apps and websites. I’ve adopting disabling watch history on YouTube which essentially breaks their shorts feature and forces me to use the subscription tab - and it has been helpful in me avoiding time loss there. Other tactics like visiting apps from their website version compared to their native apps can reduce features and make you less likely to stay on them. Since social media apps want you to install the app their websites are intentionally more painful to use. Essentially they are using dark patterns to get you to install the app, but instead I use them as a way to dissuade myself from using the apps more.

Just finishing the book Digital Minimalism by Cal Newport has also helped me think about this topic from a new angle. The idea that it is okay to be bored, and thoughts around how I want to better control my time, attention and decisions., etc etc.

Process Mastery versus Process Perfection

I recently saw a [blog post ](This is, by contemporary standards, a committed relationship.)that discussed how jumping from one app to another for various processes or workflows is exhausting. They proposed that instead of trying to get the perfect process down, you instead focus on perfecting the use of the tools you already have. It’s making me consider how that overlaps with my stance on how a lot of apps are subscription based and I try my best to avoid “death-by-a-thousand-cuts.”

Like many, I see an app and think, oh that will solve a problem that I “think” I have - either because they are trying to sell a solution to a problem that doesn’t exist, or they are trying to sell an identity. Ironically, I am writing this post up with iA Writer in a trial mode to see if I find it helps me with my writing. Otherwise I will write this, and most posts in Obsidian.

Website Rebuild?

This is the big one, the one that has been causing me delays. I am thinking about rebuilding the website with a different static site generator. Right now I use Hugo, which I have honestly not had major issues with, but I wonder if there is a better one. 11ty has caught my eye and I am looking into it at the moment. We will see if I end up changing to this or not.

I do know, that regardless of changing the tool, I will want to build my own theme and tools for it. I enjoy the current Congo based theme, but I want to make my own, add some of my own “artistic” flair and also implement some features, like Webmentions.

So those are some of my plans, lets see how fast, or slow, I am with them.

Right now there is an ongoing development of the Tea App having multiple data exposures. I don’t think I can give the details justice, so please look to 404media.co as they have been covering it quite well!

The long and short, this app was purported to be a safe and private space for women to discuss dating. However, because they wanted to ensure it was only women they had a problem, verifying that fact.

They decided to use a selfie-with-id method, and ended up failing to secure that data both in storage and in deletion. Now, there are other issues with this app, but I want to focus on this particular problem they were trying to solve. How do you verify someone is who they say they are, with minimal compromise to their privacy?

Let’s look at what they ended up doing and where that failed.

To verify if someone was a woman, Tea would request the user to send them an iID document (License, Passport, etc) with a selfie of user in the photo. This is an effective way to verify someone, I will grant them that. However, it completely breaks any privacy expectations.

Because they chose to accept Personal Identifiable Information (PII) data the Tea app then needed to consider how they handle the data. How should it be transferred to the verification system? Who or what is verifying the data; is it automated or human based? Are you encrypting the data throughout this process? If so, you will need to decrypt it to verify, will that have any caching, logging or other artifact concerns? If there is a human involved, will they be able to exfiltrate the data by saving it, taking a photo with their phone, or otherwise? Once the data is reviewed how do you ensure it is deleted from the system properly?

As you can see, there are already a lot of questions, which will lead to more questions. In the end there was at least one point where the data was not encrypted and stored on a firebase storage bucket and that bucket was not protected.

So, in all honesty, it was a bad idea.

Looking back at the original problem, what is another way we could solve this problem that could have avoided these potential problems and resulting outcome?

A Trust Ring

Rather than having the App take the responsibility of verifying the user’s identity, they could let the users do it amongst themselves.

Setting up a system where the trust is created and developed between the users could allow for a more private and secure system. A hypothetical way this could work is:

1. Make the sign-up invite only from other members
2. Accepting an invite creates a trust between the two users
3. Users can also sign-off on others to create additional trusted links and networks of trust

This is a basic idea, you could add more layers like having to only send the invite over bluetooth (forcing a more localized requirement). Or adding in different levels of trust (invited, in real life confirmation, etc).

The trust ring would be able to rely on its core principles of:

1. Direct trust established between users
2. Transitive Trust: If User A and B trust each other, and B trust’s C, then A is one degree away from trusting that user.
3. Leveraging the Degrees you can weigh how much someone could be trusted to discuss sensitive issues with.
4. Someone that has many direct and reciprocated trusts could help establish them as trusted even at a distance.

How could this look for the user?

Suppose you hear about the app from a friend, they would give you their invite code and you can sign up. That creates an initial trust between you and that person. From there you might be able to see their first level trusted friends on the app, you could then ask your friend that invited you to verify if they know those users and also trust them, maybe at a lower level of trust, but you trust your friend and they trust these users. Over time this could create a network effect, where you have a strong set of trusted people to talk to. Since this app was designed around dating, and most of that is fairly localized, that can also help determine who is actually in your area or who might not be. Additionally, suppose a new user reaches out, you can see how you might know them through the trusted network you have, or maybe see that they don’t have much of a network at a time and work to confirm things first.

Now this wouldn’t be the final solution, but it would be a good start to keeping the users a lot more safe and private; rather than handing over their ID and everyone needing to trust the Application’s Owners and Moderators.

Additionally, this isn’t a perfect system, this can still be abused through manipulation of the trust network and it doesn’t directly prevent non-welcomed users (men in this case) from signing up and trying to pose as a legitimate user. But fake IDs and AI exist well enough to make a convincing selfie-with-ID - so I’d call it even there.

You could also extend this using other attribute based methods. As mentioned with using local proximity to verify or send invites, you could also use user general locations to help verify the legitimacy of trusts being created. I am sure there is some math to help determine what the average expected trusts would be between people and if it exceeds that or looks abnormal it could flag a user. I remember during COVID there were apps that would be able to share exposure proximity via BLE, that could potentially be adapted too. Anyway I am digressing a bit here.

Final Thoughts

The long and short here is, if an App or service states it is privacy focused and asks for very sensitive information to be able to access it, maybe think twice before handing that over. And from the design perspective, sometimes the simplest choice initially, will be the more complicated and riskier process.

First, what is a supply chain attack? As the name suggests, it is when someone, we will call them the Threat Actor, attacks a part of the process that builds something, rather than attacking the end product. Take Google Chrome for example, the product, Chrome, is maintained by a huge company with a lot of staff involved in making sure it is secure. However, Chrome, like most software, doesn’t have all the parts built in-house, instead they leverage other software - often Free Open Source Software (FOSS) - as an off the shelf part. In the case of a supply chain attack, the Threat Actor would focus on identifying a part that Chrome uses, that might be maintained with minimal resources. If successful, they could get this compromised part into the final product, which would get to their ultimate goal of compromising Chrome.

There is a great recent example of a near miss with the well known XZ Utils Backdoor, it’s worth a deep dive if you don’t know much about it. You can start with the Wikipedia Article

Okay so this is well and good, but really the average person has no real control about what open source software is used in their favorite programs. Which is true, but there is another supply chain attack that is happening.

Exploiting your trust

Let’s again consider Chrome, when you download the software you expect it to be well maintained and secure. However, Chrome may not do everything you need it to do, so you install some extensions. And that is where these attacks are happening; based on people’s trust of extension, modification, or utility markets. Honestly though, browser extension compromises are nothing new.

There was the Cyberhaven compromise from an external threat actor.

Or worse still, when The Great Suspender sold the extension and the new owner/maintainer compromised it.

In both cases they were trusted extensions due to either a Company behind it or being recognized for a while as a trusted owner.

Further this is breaking out beyond what you think would be a “good” place to exploit.

For developers, more and more Packages are getting attacked, and now with the rise of long-con attacks, where a Threat Actor will work on trying to get trusted by a maintainer to eventually push malicious code.

For Gamers, mods are also a new vector for attack, recently there was one that aimed to compromise Crypto Wallet information in City Skylines. Which is a case where the Maintainer was compromised and then those credentials were used to maliciously impact the mod.

This list could go on, but what I want to hammer home on is that you may trust the source/product, whether it be Chrome, npm, or a video game, as soon as you start installing third party extensions, packages, mod or otherwise then you should be aware that those could lead to a compromise.

Where do I see this going?

I expect to see the types of vectors to continue to expand beyond what we might think as “the usual suspects”. Mainly because a lot of software out there is trying to act as a base foundation which you can then build up to your needs. I could see software that leverages and focuses on User-generated templates, functions, etc. to possibly become a new vector path, if it hasn’t already happened

With all that being said, what can you do?

Take a look at your computer or phone and consider the following:

First, take a look at the applications you have installed. Have you used them recently? Are they worth keeping installed or can you uninstall them without much issue? For example, do you really need your Airline app installed when you aren’t traveling anytime soon? What about having both Microsoft Office and Libre Office installed? Do you really need both installed?

Next, once you have cleaned up your applications, which ones offer extensions, mods, or otherwise “third-party” functionality. Review that in a similar way; especially extensions. Reduce down to the ones that really help you with your workflows. I often realize I have extensions or apps installed in a “just in case” scenario that has never actually happened!

Lastly, take this forward. Sometimes it isn’t worth installing the application, especially on phones, when the website works just fine. Create a checklist of apps you might need to install during certain events, like if you are traveling you install you airline app, taxi apps for where you are going, and so on.

Remember, you can always install the software again at a later date! When in doubt, delete and see if you still need it.

As we all know, people like to categorize things, and this extends to grouping people based on certain characteristics of when they were born. The obvious ones are: “Baby Boomers” mainly based on the fact that there was a Boom in babies during that period. “Millennials” because they were at the turn of the millennium. While other groups are stuck with their holdover name like “Gen X”, “Gen Z”, and “Gen Alpha.”

I’d like to propose that the next generation being born and raised right now, which I think is “Gen Beta” will be known as “Generation AI” (aka “Gen AI”) because of the proliferation of AI tools becoming the new search engine.

In the past there were books, and group meetings to raise kids. Then people started googling and moving online, but there was usually other people grouped up in these sites. Now, though, you can do all that with AI. Asking AI nuanced questions and getting answers is the strength of AI.

So, now we are going to start seeing kids being raised by parents that will get a vast majority of their support through AI. Now, I am not going to make any sweeping thoughts on if this will be good or bad, but I do think it is interesting. Beyond to being “raised by AI”, this next generation will also have AI all through their life, similar to how “Gen Alpha” is a post-internet generation.

Anyway, I just wanted to make this post because I don’t think I have seen anyone try to coin the term for the next generation, and I found it interesting.

Turns out he was working on a, then paid - now free, tool called Superbacked. In very simple terms, the tool will take a secret, passphrase, or some other text. It will then encrypt it with a password of your choosing. And then outputs multiple QR codes. To reconstruct the original passphrase, you need to have the encrypting password as well as a subset of the QR codes generate; for example 2 of the 3 generated.

The idea is you can use this for a lot of purposes where there is a need to share the passphrase between multiple people but they need some kind of quorum to reconstruct it. Think of it like in the movies where you need two keys to be turned at the same time to unlock the launch codes for a ballistic missile.

This can be a great way for companies to share “break glass” account information where you want to ensure not one single person can access it without another. As mentioned by Sun himself, it follows Shamir’s Sharing Secret .

Now for most people, this can still be useful in some narrow use-cases. The one that Sun proposes is as a way to share your master passwords, presumably to your password manager, to loved ones incase of your death. Which makes sense, you will probably want your loved one or family to be able to access things like emails and accounts to take care of your affairs.

So this made me think, what is my plan? I hope it won’t be needed anytime soon, but I should think about how my accounts might be set up to ensure that there isn’t more frustrations than needed at that time. Most accounts do let you set up trusted persons, emergency access, or beneficiaries; this is the best place to start for most.

I guess the takeaway here is to take a look at what you need to access your accounts from square one. If any of your accounts can set up a trusted person, like Apple, Bitwarden, Google, 1Password (they don’t seem to have a similar feature, but a similar blog post to this that goes into more details), etc., set those up! But keep in mind that you will be giving that person power to do just that, so make sure their security is up to snuff too. If any of those need a password, or you prefer that method, then you need find out a secure way to share the password that meets your needs, maybe using this or a similar tool.

Now, as it is a new concept I do expect it to continue to evolve, and the processes around it to become a bit more concrete. But I have some thoughts on some aspects and the overall concept of how it might play out.

vibe coding vs googling

Let’s start with the obvious, what this is replacing. Before vibe coding started taking off, one of the most common ways to “generate” code was to use google. You’d often end up in places like StackOverflow where you might find a snippet close to what you were trying to do. You’d then copy and paste this – and it doesn’t work! Because you still haven’t updated it to work with your actual code. You still have to do a bit of critical thinking with how the code actually works and how you need to update it to make it work for you.

In most cases, this isn’t seen negatively. You simply need a function and get a boilerplate that is 90% of the way there. You update it. And it works.

Now sometimes copied code “works” out of the box and you can straight up paste it and run it without thinking. This is what I think early vibe coding was without the AI wrapper we are seeing now. And that is usually when people start running into trouble, because they didn’t really analyze how the code works and down the line it could end up being the thorn in the lion’s paw.

What the function is doing, if it is inefficient, or could even created vulnerabilities – this wasn’t considered by the developer. But, hey, it works, so all is good! “That’s a problem for future me” is what many would say to justify this.

vibe coding vs no code solutions

Where I can see a strong use case of vibe coding is as a no-code solution. There are already many tools out there that position themselves as low-code, visual-coding or no-code - and now we can add vibe code to that mix. In all intents and purposes you may not even need to see the code when you are “truly” vibe coding, so services like https://lovable.dev/ already are pushing for this “no need to view the code” mentality. Compared to https://www.cursor.com which is more adjacent to helping you with the code, but you can still just have it make something and run with it.

My opinion here is that a blind box solution can work but only in highly scoped solutions, but the real winner will be the more open-box solutions. There still will be a need to understand some concepts of programming - but that need is getting smaller all the time.

dabbling in vibe coding at a ctf

I would be a bit amiss to not including how I’ve dabbled in the idea of vibe coding.

There was a CTF I was at recently where, as with most hacking or red-teaming, anything goes. To that effect, I wanted to focus on what commercial AI models could do when it came to some of the challenges.

If you’ve not participated in CTFs (this was my first real life event) before, they are usually a mixed game of knowledge challenges, riddles and puzzles. Usually there are clues in the name or description of the challenge on what might be the way to complete it or where the flag might be. From there it is up to you think about the approach and what exploits or vulnerabilities exist that could get you there.

Vibe coding these exercises worked extremely well with one major caveat, you still need some baseline knowledge to guide the AI to the right place or be able to discern when the AI might be going off track. Now, I’ll admit that I am still a novice with CTFs, but by shifting to include AI in a way where I directed it what I needed, tested and reworked the code with it, I was able to successfully complete quite a few challenges.

At this point, I am fairly convinced that the tooling is at a point where this tooling is able to heavily accelerate the skills of threat actors to a point that adoption is required for those on the defense. I like to think of this as part of the evolution from one threat actor with one machine, to the many threat actors each with fleets of machines, to each threat actor to now a fleet of agents on a fleet of machines.

This has brought out a new layer of resources available to threat actors that need to be considered.

dabbling in general

Additionally to trying a bit of vibe coding with the CTF, I have also found AI helpful when I need a quick script made in a language I am comfortable with, like python. I generally know what I need, how to phrase and and can review the code (yes, I am not the best vibe coder in that sense) if needed.

I have also managed to generate an, albeit janky, app built on JavaScript and html. It wasn’t anything mind blowing, but it really does show that the generalist models, like Gemini 2.5 Pro, can handle complex functions and files. However, I want to reiterate that it still required a lot of coaching and realigning the AI to get it to stay on track.

Occasionally, once it got stuck on a loop of a problem it couldn’t fix, the best option was to have it generate a new handoff prompt and spin up a “new” chat and get that instance up to the same speed. I would bet that the dedicated tooling is much better, but I have not tested them just yet.

vibe coding and security

One of the largest concerns about vibe coding is the quality of the security of the code. This is where I think a lot of the ethos misses the mark. Sure, you could just “vibe out” a cool new app, but if you aren’t considering security in either a secure-by-design (which I guess that would mean to make sure the AI agent is prompted to consider it?) nor in code reviews (which is against the core idea of vibe coding), nor implementing any security testing – then this is just a disaster waiting to happen.

There are already instances of this already happening. So, yeah, this isn’t ready for primetime at its current state. It reminds me of when someone might spin up a VPS with LAMP and maybe Wordpress and then not put in any security controls around access to the server, and then within a few days it becomes compromised. It’s not that it isn’t a secure option - it’s just that it wasn’t considered correctly.

pre-requirements to be a good vibe coder

So what makes someone a good vibe coder? Or better yet, what makes good vibe coding? I think there is still a heavy need to actually understand what you are making - even if it is just handed to you and “works.” Beyond security concerns, there is just the ability to know what the code is doing and how it could be improved and what limitations it might have at that moment.

Will we get to a point that we don’t need to look at the code? Probably, or at least close to it. But for now we should recognize the limitations, but understand the fact that this can help someone really accelerate their coding proficiency.

Design Decisions

The application itself is a bit of an opinionated look at how RSS, and other feeds in general, should be consumed. Rather than trying to capture everything and let you know what you have read, what you haven’t - it focuses on what is new now and consuming that content. This does help with having a high volume of content from your feeds where you just want to see what is happening - but if you want to keep up with a certain feed, this does not support that.

A more ephemeral RSS

At its core, this application will feed you a chronological list of your feeds. It will only update them when you open the application, and doesn’t sync between devices (by design). This means, if you don’t use the app all the time, or maybe don’t open it often on one device, you will notice a desync between your apps. This is even noted in the FAQ.

Supposing you have it installed on an iPad and your phone, and you read an article maybe a few weeks ago that you wanted to find. If you try to find it on the iPad you won’t see it in the feed. On the phone you would be able to find it, so long as you have your retention set long enough on your feed. Now, yes, you can save the article into one of the tags, like the “liked” tag, and that will sync - but I often will read items and then days later think about them and want to find them.

In my case, I can look at my phone and see about 32k total items, on the mac I see 22k and on an iPad I see 15k items. Note that in all I have set an unlimited retention. As you can see, if I want to find something I read, my best bet would be to use my phone to find it, then save it and then it will sync.

FOMO Overload Management

This does help with one thing I do struggle with a lot when it comes to RSS feeds, FOMO. When unread counters climb and I have thousands of posts just sitting there, I just want to close the app and ignore it. But by not showing unread counters and focusing on the now, I feel like I can keep up with my feeds, even if they post dozens of articles a day.

However, it doesn’t solve all my FOMO - there are the feeds that I do want to both see everything and know what I might have read and what I have not. Usually these are low volume, smaller blogs or sites - which usually only post a handful of articles that might have built up. This app does not help with that.

You can create filters and folders to help consolidate those feeds of interest, but because of the lack of “full” syncing and no automated way to indicated if you have read something - I find myself wanting to better track these feeds.

In short; I no longer feel overwhelmed by the number of articles, but now feel like I am missing the ones I really want to see.

Social Media Syncing (Bluesky, Mastodon, etc)

Taking a step back, I also want to touch on the types of feeds you can add.

For social media, like Bluesky and Mastodon, it does a nice job of rendering the posts. However, if you want to do more than just read them and either interact with them, view by author, or filter them - you have to do this all in the native app.

You cannot:

• Reply
• Block/Filter
• Select the author to see all posts synced
• Search based on the meta data

So unless you have a really curated home feed, you may not want to connect your account, and instead manually subscribe to posters that you really want to see in your feed. Otherwise you might get inundated with content you just don’t want to mentally sort through.

At that point, I would rather just open the social media app, or use something like OpenVibe if I want to consolidate my socials a bit more.

Youtube Feeds

With YouTube, when you log in it auto defaults to the “for you” page. There is a recent push against this and using the subscription feed instead, per Technology Connections - YouTube.com. Reeder.app can help with seeing the content chronologically and without needing to remember to select your subscriptions feed. Just like any other feed, you can add the channels and see them when they are posted.

The biggest complaint I have with the YouTube integration, is that I cannot log in and sync down my subscription feed. Ideally, I would be able to log in, select the subscriptions I want to sync, and an option to add new subscriptions automatically, so that when I am on YouTube proper I can subscribe there and it will automatically be synced (or I have the option to check it off).

Right now, I need to manually search for the channel and add it to Reeder.app in addition to possibly subscribing in YouTube.

Additionally, the way videos (regardless of source) are handled in the app could be improved;

• Videos should float to the the bottom and keep playing when you scroll, like how the podcasts work.
• When playing a video the only way to get to a scrub bar is by selecting the fullscreen button, and then you can scrub the video. But then exiting fullscreen pauses the video and you have to tap it again to continue to play it.
• Play position isn’t saved when you leave and come back. This is most likely a limitation on how the videos are handled, but it would be nice to have it remember your position.

Podcast Feeds

Similar to YouTube, you can manually subscribe to podcasts and have them in your feed. This is helpful for podcasts that might be only relevant to the current time, like News podcasts. But, if it is a series or something you want track what you have listened to - this isn’t the app to put them in.

I do like that when you are playing a podcast it adds the player to the bottom. I would like to see a way to queue up some podcasts. I often will be scrolling and see something that would be interesting and will want to listen to it next but I have to either wait for the current one to end or just stop it and move to the next one.

Filtered Feeds

This is a new feature, so I do hope it improves. But it is very limiting I feel.

• It only supports include all terms include any terms or include exact term. For example I cannot create a filter like: Must include: “Some Phrase” OR “Term”
• I cannot filter specific feeds. For example: include any terms AND include "FeedA OR FeedB"

General Nitpicks

These I just couldn’t find a spot for, so let me just run through them here:

• You cannot tap on the content’s source to then quickly jump to that feed’s view. You need to find it in your side bar and then select it. Worse still is if you connect your social media then those sources aren’t really searchable (e.g. you cannot search source:"someone@some.social")
• When adding feeds, you have to add them one at a time, you cannot queue up multiple to be added. I.e. I can search for a YouTube Channel, select the + next to them, but have to then click Add otherwise if I go back to search for another it forgets that pending subscription
• Additionally, the Add menu just feels very clunky. You seem to have to make more clicks than necessary to do something. I.e. Search for feed, tap >, tap + next to the feed, finally tap Add and then it closes! No way to “Add more” or anything.
• When searching for feeds to add you cannot tap the name of the feed to get more information. This is a bit annoying when you aren’t sure which feed is correct if multiple appear.
• It would be nice to auto-tag or label certain feeds.

Overall Thoughts

After trying out this app, do I like it? Yes. I do, but it doesn’t work 100% how I want it to work. Which is okay, I can leverage it for its strengths while compensating them with another tool I might have.

For me, Reeder.app is great for “fire hose” sources that I don’t need to, or want to, retain a copy of for later reference. The best example here is News, which comes in fast. If it is worth saving the article, I need to make the conscious effort to send it to something like Readwise.

However, for feeds that I want to stay ontop of, then I think either Readwise Reader or Reeder Classic might be best. Where I can keep track of my read/unread and also have the articles automatically sync.

What now?

I’ve already started re-testing Readwise reader, but have already found that the discoverability is very difficult. It seems searching doesn’t include searching articles from your feeds, which isn’t great. And I also plan to re-test Reeder Classic.

What this has shown me is that I need the following core processes:

• “Stream Feed” - Feeds that I just want to see what is happening, where I don’t care too much about retention or revisiting.
• “Priority Feed” - Feeds that I want to review what is posted and most likely will want to retain a copy incase I want to go back. These often should be sent to my highlighter of choice. These also need to be searchable and discoverable.
• Discoverability - In general, I want to be able to find something if I had looked at it. Ideally I do like to know if I read something, or started reading it - and this should be fairly automatic.
• Highlighting - I do like to highlight, so either I have to remember to send something to Readwise or have it there in the first place.

Anyway this is mostly a ramble post, I do want to set some more time aside to work on going over my PKM processes as a whole too, that way as I work on them and maybe discuss them, there is a reference point.

1. Make the site more robust.
2. Have a little better insight into the usage of the site.
3. Adding interactivity.
4. Make it easier for me to post to the site.

Making the site more robust

Previously I was hosting my DNS with my registrar, but I have been working to split the two and migrate to different services. This should allow for a few things, one; I can use Cloudflare for DNS, which is a well known service and has a lot of additional tooling to boot. Two, I can move my Registrar a bit easier since I would just have to make Nameserver updates upon moving (Though I am still on Squarespace at the time of writing, I am looking at others, like Porkbun.com).

Additionally, I am moving from Github Pages to Cloudflare Pages. Though this goes against the idea of the above where I wanted to unconsolidated; here there are some added benefits from an analytics point of view. Also I can easily move back if I decide there isn’t much benefit.

Site Insight

I also want to try to get a better idea on if the site is getting any traffic. I would like to reiterate that this blog is more for me to work on my own skills, and have control over my content. But, it is still helpful to know if people do access the site.

I weighed some options and came to two possible tools; one was to use Fathom Analytics, which is a privacy focused analytics service. The other was to, as you can possibly guess, use Cloudflare. I am going to most likely opt for the Cloudflare option as it is free, and I really can’t justify (yet) on adding more to my monthly subscriptions. Now, if this site gets to a point where it can generate enough money to support itself then that will change. Though, I don’t see that as a current goal for the site.

Adding Interactivity

Next thing I wanted to setup were comments for those interested to interact with posts. Unfortunately it looked like a lot of the plug and play systems were either not free or needed to have more than just static pages.

Luckily, I found out that Matt Dyson made a way to integrate to Bluesky comments with my same Hugo and Congo setup. This works out well since Bluesky is my current primary sharing media. (Though maybe I can also add Mastodon next?) So, now there are comments available! I will need to update some of my older articles where I also posted on Bluesky.

Side note to all of this; I had also looked at migrating to a platform like Ghost or Beehiiv. Both would offer a lot of these tools, but again my issue would be justifying the cost to maintain them. Also their entry tiers seem to leave a lot of customization features out. Anyway, I am going to keep this as a static site for now.

Writing ease

Lastly, I think this will continue to be a struggle for me as I work out how to best write articles for the site. I would like to be able to do so both on my computer, which is the easier one; and on my iOS devices like iPad.

Right now, I am using Obsidian as it has strong markdown support - but there is still a gap on getting the files uploaded to Github easily, especially from iOS. And it isn’t the most seamless process. This will most likely be my next big focus on site improvements.

Firstly, I think that the following video does a good job covering what exactly is meant by “Apple removing encryption.”

TLDW

What appears to be happening is the following;

The UK has demanded a backdoor access to Apple’s iCloud data so that they can decrypt it at will. This demand also is behind closed doors and with apparent orders not to share any information about it, so we are learning through various leaks and policy changes.

Apple had three major choices:

1. Deny the request - This would force them to either enter into a long legal battle or leave the market.
2. Accept the request - This would entail creating a backdoor that would allow the UK to be able to decrypt any data at-will, but also creating a major threat surface for bad actors to target - and eventually exploit.
3. Remove features that prevented Apple from decrypting the data upon request from the UK.

It seems, they went with option three. This has been an ability of apple, and really any provider that holds the encryption keys to your data, to do. However, they released a feature back in 2023 called Apple Advanced Data Protection.

This feature, in short, allowed iCloud users to move the decrypting private key from Apple’s Servers to their local devices. Thus Apple could no longer decrypt the data unless you provided your trusted device in the request. For reference, Apple has information here - note the services that support “Trusted Devices”.

As you might be able to see, this wouldn’t work for the third option to be viable.

Ergo Apple is rolling back this feature for all UK users - most likely this is based on your iCloud user location, and not where your device was bought or is currently located.

TLDR

What does this all mean then? Is Apple removing encryption?

No.

Apple is just disallowing full control over your encryption, and they will retain a copy of the key to decryption so that they can hand it over on requests.

What to do now?

If you are in a region that isn’t affect, you should enable the Apple Advanced Data Protection. It is still a great tool to use. But keep an eye on any changes, this can be a very slippery slope; and more countries may follow the UK’s stance.

If you are affected, then you should consider either moving your more sensitive information to another service provider that will not be accessible so easily. Or look into running local backups to avoid another policy change at the next provider.

I must preface this by stating I’m not an LLM expert; however, there is a lot of information to unpack. My aim is to highlight which aspects of Deepseek are crucial, worth considering now, and which remain unknown. I’ll try to break this down into a couple of topics; how it affects the current AI incumbents, is it safe to use, what information we could accept or should be critical of, and how this can affect things in the future.

Deepseek and the Incumbents

This is most likely where most have initially heard of Deepseek, that it is a new Chinese built LLM that is comparable to the most powerful, available, models from places like OpenAI. Benchmarks are available to analyze how different models compare. However, many people simply want to know whether it’s good, and in that regard, yes, it is.

A new model being better than an older one isn’t really news worthy in of itself, but it is more so the cases of how it was made, where it was made and its availability.

Starting with how it was made; this was a side project from a Chinese investment firm which was able to make this model with around $6 Million dollars worth of investment. It is important to be critical of this number for various reasons, but we should not overly focus on it. Even if it cost $100 Million, it would still be significantly less than what it has cost to create the models it is competing with.

The next key fact of its creation is that China is under an embargo from getting the latest computer hardware, e.g. chips. Meaning this model was trained on older hardware. Again, it should be noted there is a consideration of “standing on the shoulders of giants,” in that some research and development has already been done, and they were potentially leveraging other available models to support the training of this model. Regardless, they proved that it was relatively cheap to create this model.

Lastly, the model was made under an open license: meaning (1) the model is free to use and modify; (2) you can use their website or app and run the model on their servers; (3) you can also download the model and run it locally. Essentially, this means that you now have the ability to run a model on par with the best available from OpenAI for a fraction of the cost.

So in short, this was made extremely cheaply, provided freely with the ability for others to modify it for their needs - showing that maybe the incumbents with their access to powerful hardware may not be as untouchable as initially thought. Thus confidence fell, causing the stock market to react.

Is it safe?

With that being said, is it safe to use? Well, it depends.

Starting with the hosted version, from their website or app. When it first came out I was wary of it, mostly because it is a new SaaS tool and hasn’t really been reviewed or tested. So use at your own risk, and maybe don’t ask it (read provide it) anything personal or private. That wariness proved to be warranted as security researchers have already found a fully accessible database that they were using to chats and logs.

Additionally, Italy has begun pressuring them to review and adhere to various data processing laws. They did something similar with OpenAI’s ChatGPT when it first came out, and was later sufficiently reviewed and approved. However, with Deepseek, they have taken the stance that they only seem to fall under Chinese data laws; as that is where their servers and company are located.

So, is it safe to use the app and website? I would say no, not until they start adhering to and proving that they are handling data securely. Now, I do also think that when you use ChatGPT, Google Gemini or any of the other hosted AIs, you should always take care to avoid providing more information than you feel comfortable with being used and stored by them.

Consider using DeepSeek locally instead. Running a large language model (LLM) locally, without an internet connection, should offer more privacy since you control the computer processing the requests and have full control over it.

Being Critical

There is a point of contention on the model’s training data and censorship. The gist is, this model has censorships on things like the Tiananmen Square and other topics. Now, I think the topic of censorship is beyond this post, but I do want to say that all models are censored in some way; they will all have bias and you should always consider who built the model.

Furthermore, there are concerns about models being trained to provide seemingly harmless but actually malicious information. This is theoretically possible. It is important to carefully examine the information provided by any model before taking action.

I have often taken the stance that you should treat an AI like an Intern, where they have a lot of time to get you answers on things or confirm things, but they can get things wrong. And they are heavily dependent on how you ask them to do something. In short, use them to augment and not replace you processes.

The future

In summary, DeepSeek has demonstrated that creating a powerful large language model (LLM) doesn’t require massive hardware investments like OpenAI and others have made. This opens up the possibility of more players entering the field. However, it also highlights the importance of not blindly trusting new SaaS offerings with sensitive information until they have been thoroughly vetted.

For now, it might be prudent to avoid using the app until it has passed regulatory scrutiny in both the EU and US. Although these regions have their own biases, a consensus of reviews can help establish a baseline level of security.

We will probably see more models come out that are based on Deepseek, or trained in similar ways. This also applies to the big players, who should also benefit from this information to optimize their own training on top of having the most compute power to do even more.

Time will tell if this pushes to more availability of LLM models, or if the most powerful will still be closed behind big technology players.

Recently, I’ve been reevaluating how RSS fits into my workflows. To better understand what I need from it now, I’ve reflected on what has worked for me in the past—and what hasn’t.

Google Reader

My first real expirence with RSS was with Google Reader (RIP). Back then, I used it primarily to track my favorite websites in one place. It wasn’t anything fancy, but it was a start. Unfortunately, a combination of Google shutting down the service and my growing use of Reddit led me to abandon RSS entirely.

Regrettably, I didn’t save my OPML file — a mistake I would repeat.

TT-RSS: A Golden Age

My next attempt at RSS feels like a golden age. I was learning DevOps skills, deploying various tools and services, and came across TT-RSS. This highly customizable application allowed me to fine-tune my RSS experience.

Two features stood out:

1. Full-article fetching: This ensured I didn’t have to visit ad-filled or inaccessible websites. And it provided a consistent reading expirence.
2. Scoring system: I could assign positive or negative points to articles based on their source or content. For example, I might give WebsiteA a score of +5 but reduce points for articles mentioning SubjectA with -10, effectively curating my feed before I even saw it.

While I loved these features, maintaining the system eventually became too time-consuming. I shut it down — and, once again, lost my OPML file.

Rediscovering RSS for Productivity

I returned to RSS during a hectic period in my career, focusing on productivity and controlled information flows. This time, RSS became a tool for professional growth rather than casual interest. It helped me stay up to date across industries without the distractions of social media.

I experimented with several readers, but two stood out:

• Reeder 5: A clean, organized app that I enjoyed using but found lacking for capturing deeper insights.
• Readwise Reader: A powerful tool for collecting and acting on articles, though I became overwhelmed by the sheer volume of content. At one point, I had over 50,000 articles saved—a clear sign my system wasn’t sustainable.

Less Is More

Now, I’m shifting to a simpler, more intentional approach. Here’s what I’ve learned about making RSS work for me:

• Keep it interesting: A mix of professional and personal interests prevents burnout or wasted time.
• Let go of perfection: Not every article needs to be saved or dissected. Sometimes reading is just reading.
• Streamline article handling: For important articles, I can quickly move them to Readwise for deeper engagement.
• Customize feeds: Filtering out irrelevant content reduces noise and improves focus.
• Balance feed frequency: Some feeds dominate with frequent posts, overshadowing less active but equally valuable sources.
• Prioritize accessibility: A good interface that works consistently across devices is crucial.

Exploring New Options

With these lessons in mind, I’m considering a few options for the future:

Revive TT-RSS

Setting up TT-RSS again could meet most of my needs, especially its scoring system. However, the interface feels outdated compared to other tool, and the extra work to maintain it is not appealing.

Embrace the New Reeder

The developer of Reeder recently launched a new version with a timeline-based approach. This aligns with my goal of treating articles as transient, rather than something to hoard.

Refine the ReadWise Reader Workflow

By dividing content between Readwise (for in-depth articles and “important” sources) and Reeder (for casual browsing), I could create a more focused system. However, this split approach risks neglecting one platform over the other.

Moving Forward

For now, I’m giving Reeder.app an honest effort. Its integration with services like BlueSky and Mastodon adds a layer of connectivity I find interesting, as well as with YouTube.

Will this approach work? Perhaps. Things are always changing, but for now, it feels like an engaging way to stay informed, educated, and entertained.

Because as we know, strong defenses are only useful if they actually get used.

First let’s start with making a scammers job harder to begin with.

Lockdown accounts

This isn’t just make sure you have secure passwords and MFA - which you should have. Locking down your accounts means being aware of what you post, how someone could determine information about you, like where you are, problems you might have, interests they could tempt you with, and so on.

With AI, if there are videos or pictures of you - which I am sure there are of most people - then you could be cloned fairly easily. Honestly I don’t expect people to not post these types of things, which is why diligence is key.

Making accounts private, culling your followers, using multiple accounts to professional and personal interests. These can help minimize the potential knowledge scope on you if you are targeted.

Additionally, making sure you can recover your accounts and that your recovery email is well protected.

In short:

• Make sure your posts aren’t more revealing than you want them to be
• Know who follows you
• Take your account private by default
• Consider multiple accounts to split between public and private

This is something everyone should do, and you should do it on a cadence that makes sense. Because settings change, your tolerance for posting personal information changes and all that should be considered over time.

Set up strong authentication

Get a password manager, randomize your passwords, and if possible randomize your emails too! On top of all that, set up MFA where possible. I suggest software plus hardware (like a YubiKey).

Also, if you are helping a parent or loved one, then a family account with the password sharing may help when needed. We have all been there when their parent can’t remember the password to an account they need your help with, and you have to go through the recovery dance.

Avoid clicking suspicious links

This should also be an obvious one, but just don’t click links you don’t trust. These are links randomly texted to you, or just don’t look right (like fedex-com[.]net).

Now obviously clicking on links in social media is going to happen. Just make sure before you do click. And if you’re a bit suspicious of it. Google the website and the title of the article instead.

With that being said, suppose you’re targeted and a bad actor is realistically posing as someone you know. Maybe it’s a phone call, or a voice message, or even as sophisticated as a video call - all leveraging AI tooling.

Secret family codes

I see this being suggested a lot. And it can be helpful, but really it is a historical knowledge challenge. So, realistically the best way to leverage this in your daily life is to ask questions only the two of you might know. Like a conversation you had previously or the last place you ate and what you ordered.

Obviously people are human, and I’m not the only one that forgets what I had eaten a day or two later. Also, as mentioned earlier, depending how open your life is on the internet someone might know what you ate last Sunday because you posted it on your stories.

Better yet would be to use intimate knowledge. These are things like inside jokes the two of you might have, personal discussions or other things that have a very low chance of being online.

Which is why creating a code phrase can still be helpful, as it is a better type of shared knowledge - intimate knowledge.

Secondary channel of communication

Another way to check if someone is who they say they are is to either ask them to send you the same message on a known secure form of communication you two share. This could be instagram DMs, signal messaging, or something where they need to authenticate to access. Or you could reach out yourself and not tell them you’re planning to do it.

Now this isn’t perfect either, especially if the bad actor has already compromised those accounts and has access.

Third person check

Now if you really aren’t sure how compromised that person might be. You can also reach out to someone else that is close with them to check. Depending on the time of day it could be a colleague, or a partner, someone you expect them to be with at that moment, have seen recently or will see soon. They can then work one physically finding the person to confirm if it is them. Or might be able to confirm the request.

Lastly is education, not only for yourself but others around you. Knowing not only who is aware, but also the extent they are capable of. The sad truth is, the most vulnerable are often targeted the most. Knowing who you might have around that needs the extra help can make all the difference in the world.

Again, the best tools are the ones that are used, and the more in use the more layers of defense you have available.

How scams are changing

I want to reiterate that who this is most important for isn’t necessarily going to be the reader, nor most of their immediate friends and family. It will be the grandparents and older generations. Yes I do hope you learn something or use one of these techniques, but I also want you to be proactive.

There’s an event I was told of, which didn’t involve AI but is of the same vein of directed attacks. The scammer was watching a home of an elderly woman. Their adult children were visiting and some left for home. About 10 minutes later the woman received a phone call from the scammer, posing as one of the people that had just left, saying that the other was in trouble with the police and needed to pay a fine otherwise they were going to go to jail. Luckily the woman didn’t recognize the voice, and instead called someone else to check.

Now imagine if this same tactic added AI generated voice copies of the person they know? Just being that little more convincing could have lead to a successful scam. It’s these enhancements that people need to be prepared for.

As with everything in security, the bad actors only need to succeed once - so be diligent!

Unfortunately, it’s highly likely that your information will be exposed at some point. This has become a common enough occurrence that instead of asking, “If it happens, what do I do?” it’s more prudent to ask, “When it happens, have I prepared enough to minimize the impact?”

I’ve considered this from various angles, but one method of protection worth discussing is “Hide My Email Services” like Apple’s service with iCloud, or Proton’s service and how these services can be used to protect your privacy.

Keep in mind though, that whenever you plan to increase your security or privacy you will, in most cases, lose some convenience or ease of use.

What Are Hide My Email Services?

To start, these services create an alias that will relay any emails sent to it directly to your main email address. These aliases are often a randomly generated name with one or several domains. So, if your email is jdoe@gmail.com and you use Apple’s Service, it will generate an email like Jade.0a.Kiwi@icloud.com. You can then use this email for a website, and even generate multiple aliases that point back to jdoe@gmail.com

Think of it as having an unlimited number forwarding addresses for your main email.

Website --Sends Email--> Alias Email --Forwards--> Main Email

Aliases Alternatives

Some email services also offer a similar feature by allowing you to append a + to your email address. So jdoe@gmail.com can use something like jdoe+facebook@gmail.com as an email for Facebook. This would allow them to know that, in theory, only emails from Facebook should be going to that email, and if they get something from somewhere else they may be able to assume that the email was sold, exposed, or otherwise leaked.

Now, the issue with this from a privacy perspective is that the root email is clearly exposed. Instead, the goal is to make it difficult to guess your main email address and to ensure your provided email is as unlinkable to you as possible.

When to Use Hide My Email Services

Now that we know, in general, that these services offer an ability to create unique, random emails that can be used to protect your main email, let’s discuss when it might be appropriate to use these services, and the drawbacks in each case. I will order these in what I think are the best way to start as a path to more “advanced” usage.

Level 1: This is just temporary

If you run into a site or service that needs an email, but you don’t ever plan to really manage the account (I will come back to this point though) then this is a perfect service for that.

Suppose you’re at a restaurant and want to place an order through their website, which requires an email address. You can use these services to generate a temporary email, complete your order, and then delete that email to prevent any future spam.

And that’s really it! Use the service as a temporary email, you can make just one for all use cases or generate a new one every time. I would suggest making a unique one for each, if possible, because that let’s you get used to managing multiple ones at ones and move on to the next level.

Level 2: Why do I Have to Make an Account?!

Okay, so same as before, you’re in a situation where you have to not only provide an email, but also make an account. Rather than using your main email, use a Hidden email instead! Additionally, make sure to use your password manager to generate a random password.

This site will now send spam only to your randomly generated email. And since the site now has associated login credentials, it could potentially be a source for email and password leaks. However, since they are both random, it is basically just junk. Sure you do need to make sure to secure that account the best you can, remove any other information, credit cards, etc.

But now this data cannot be used to comprise your accounts on other sites.

Level 3: Change My Email

At this point, I hope you see where we are going. Taking this a step further, we can start changing our non-critical accounts to use Hide My Email services. Randomly generate a new email, log in to your site still using your root email, and then change it. Oh, and update your password while you are there to make sure it is fully randomized while you are there; and set up MFA.

Remember, this is only protecting you when it comes to linking the email to you directly and cross referencing/attacking to other sites.

I will want to also add a note here that you should take care on which sites you do this with. For social media, video game accounts, shopping accounts, there shouldn’t be too much of a risk using these emails. However, financial sites, government accounts, and other “Identity based sites” you may want to use your root email or other softer alias techniques like the + appending technique. Why? Well, it could be more frustrating to maintain or get support with a randomly generated email. Also, these sites tend to, but not always, have a stronger security posture. Remember, we are looking at minimizing impact here, not remove it entirely!

Is it worth the effort?

To summarize what we can do here is:

1. Get a new service, and yet another subscription.
2. Give spammers meaningless, disposable emails.
3. Use throw-away emails for throw-away accounts.
4. Move existing accounts to these new, randomly generated emails.

This helps isolate sites to a single email, lowering the value of your data provided and protecting you from being identified in a data leak. Additionally, in combination with randomly generated passwords, helps to isolate credential stuffing attacks to just that one site.

But, it isn’t all perfect. There are some negatives to consider!

Negatives

Communication

There are times when you may need to send an email from that randomly generated address, like when reaching out to support. This can be clunky or even impossible, depending on the service, and it’s generally not as simple as using your regular email address.

Also, trying to call support, or provide the email can get you some odd looks. And it is cumbersome to generate one in person, but not a non-stopper.

Authenticity

Another thing to be aware of, some sites have protections around temporary email addresses, particularly ones like 10minutemail. This can lead to issues where your generated email may not be accepted if the domain isn’t well known. For example, Apple’s uses icloud.com as the domain, which is well known and accepted in most cases. However if you use a service that uses less known domains, or you can use your own, that can lead to issues with the email not being accepted.

Service Provider trust

A significant concern with these services is that all emails going to those alias addresses are accessible to the service providers. For example, Apple could, in theory, see what is sent to Jade.0a.Kiwi@icloud.com.

Data breaches

When a breach happens you can go to places like Have I been Pwned and put in your email to see where you were affected. However, now you don’t see all your potential accounts, as most will have a unique email. In these cases, usually the site does send you an email to alert you, so you will want to monitor for those a bit more actively. When you do get one, you can do your normal response like resetting the password, but also reset the email!

All in all

Is this worth it? For you, I don’t know. But for me, it is worth applying some of these items.

For those curious this guide is how I got this site up and running using a combination of Github, as the deployment automation and hosting of the site, and Hugo, a static website generator tool, using the Congo theme. This is all better documented on all the referenced sites, but this might help with bridging any gaps, or maybe provide a more concentrated interpretation of the above guides.

The assumptions are that you know your way around the terminal and know how to use tools like git, brew (for macs) and modify your domain’s DNS.

All references can be found at the following sites:

https://gohugo.io/getting-started/quick-start/ - Hugo quickstart guide. I would start here if you have no idea what is going on. https://jpanther.github.io/congo/docs/installation/ - An end to end guide from the theme’s creator. Really this should cover most everything. https://docs.github.com/en/pages/getting-started-with-github-pages/about-github-pages - Important information using GitHub Pages (which is what we will be doing) https://docs.github.com/en/pages/configuring-a-custom-domain-for-your-github-pages-site/managing-a-custom-domain-for-your-github-pages-site - Important information on DNS for your domain to point it to GitHub Pages. https://github.com/CodeOnRye/codeonrye.github.io - Lastly, here is all the code running this site, so you could always start from there!

Schema

First let’s lay out all the pieces to best understand how this will work.

As shown, wherever you may be sourcing your markdown files, once they are pushed to GitHub then the magic starts happening. A GitHub Action will run on commits, running a hugo service to generate the html files and pushing them back to a specific branch, gh_pages. This branch is configured in the repository to be the source for the github site. On the other end, the DNS registrar has an A Record set so that it redirects to the GitHub Provided site. Once it is all set up, then all you need to do is update your Hugo files and push!

GitHub

You should start by setting up your GitHub repository and various settings as needed. This will help prepare for the automations and configurations later.

Create Your Repo

One thing that got me, was that since we want to point to use the GitHub Pages functionality, we have to name the repository YOURUSERNAME.github.io. There may be another way to do this, but this is what I did.

Once created, go ahead and clone it down to your local environment.

git clone git@github.com:YOURUSERNAME/YOURUSERNAME.github.io.git

Hugo

First things first. You need to get Hugo up and running and become familiar enough with it. Use the linked guide above to just try setting up a quick one locally. Once you get a feel comfortable with how it works with markdown files, then we can initialize it in the repository file we created in previous step.

cd /PATH/TO/YOURUSERNAME.github.io 
hugo new site ./

Congo Theme

Next we will install and set up the theme. As all themes are different, this may not apply to others, so take that with a grain of salt if you are deviating here.

We need to first pull down the theme, to do this we will use the git submodule function. This keeps our tooling from becoming more complex.

cd /PATH/TO/YOURUSERNAME.github.io
git init
git submodule add -b stable https://github.com/jpanther/congo.git themes/congo

Next we will need to configure Hugo to use this Theme. The theme’s guide is best to follow, as it will be more up-to-date. But to boil it down you need to copy the /PATH/TO/YOURUSERNAME.github.io/theme/congo/config/_default folder to /PATH/TO/YOURUSERNAME.github.io/. Now we customize the files as needed.

• config.toml - Your main config file for Hugo where you set your website name, theme (congo) and other settings
• languages.en.toml - Sets your defaults for the site when set in the en language.
• markup.toml - Used for the theme, I have not touched this.
• menus.en.toml - Like languages.en.toml, this is the configuration for the menus when set to the en language.
• module.toml - Used for the theme, I have not touched this.
• params.toml - Allows you to further configure the theme.

Making a Post

With this theme, I’ve decided to set up my posts within their own folders, rather than all under the ./content/ folder. This seems to work best for this theme. So a post will look roughly like this

content/posts/building-my-site
├── img
│   ├── gh_actions_permissions.png
│   ├── gh_pages_config.png
│   └── gh_workflow_permissions.png
└── index.md

Notice that the markdown file is named index.md and not the name of the post, that is reserved for the folder name. More examples can be found here

GitHub Actions

Lastly, once you have a nice site configured, and you’ve tested it out locally with the hugo server -D we can start working on getting the automations going to publish this online.

GitHub Actions Workflow File

You can leverage the default one provided by the theme here. This should work out of the box for you. Once you add it to your /PATH/TO/YOURUSERNAME.github.io/.github/workflows/ folder and push it to GitHub you will need to verify it runs successfully.

One thing to note here, if you are going to use a custom domain you will want to add a run command into your YAML file to recreate that file like below:

...
      - name: Build
        run: hugo --minify

      - name: GH CNAME
        run: echo "YOURDOMAIN.COM" > ./public/CNAME

      - name: Deploy
...

On GitHub you can navigate to your repository, and then the Actions Page to verify if it is running properly. If not you will want to check the follow settings.

GitHub Repository Settings

Make sure your settings are as follows:

Those should fix it to allow the actions to properly run. Once they do you will now have a gh_pages branch that mirror’s the contents of the public folder that Hugo generates when running the hugo commands.

DNS

Last but not least, we will now make the site available online! First we finish configuring GitHub, test and then point our domain to it.

GitHub Pages

Under the repository’s settings for Pages you will want to configure it as follows

A few things to note, you can only enable SSL enforcement once your custom domain is configured (next step). But this will be fine for now to test. You should now be able to got to YOURUSERNAME.github.io and see your site! If you do then finish configurations on your domain registrar.

Domain DNS

First you should go to your account settings, then under the Pages option on the left sidebar, add your domain there. You will need to verify the domain with a TXT Record .

Per the details from GitHub you will want to add the follow records to your Domain’s DNS provider.

A Record

185.199.108.153
185.199.109.153
185.199.110.153
185.199.111.153

AAAA Record

2606:50c0:8000::153
2606:50c0:8001::153
2606:50c0:8002::153
2606:50c0:8003::153

CNAME Record

www.YOURDOMAIN.com

I would avoid using the Alias, as that would block you from using DNSSEC.

At this point you should now be able to go to yourdomain.com and load your github site. If needed, go back to your settings and enable SSL.

Conclusion

This rough guide is how I have mine set up with tips on how you can do it yourself. Again, it isn’t meant to be an end-to-end guide. But over time I will probably update this guide to better clarify or expand items.

The classic initialization of any project always ends up beginning with those words. I’ve decided to take another shot at curating a digital space for myself. In the past I have tried to create websites using various frameworks and tools, but they always became more work than I felt they were worth. Looking back, I’ve always tried to create something more complex than I needed. Hoping to grow into it, rather than grow with it. But I really hadn’t hammered out the foundation of what I actually needed, and focused on what I wanted. Taking a step back I wanted to focus on what I needed from this projected. With hopes that the choices will be flexible enough to not require a lot of work to expand later or maintain.

Those needs have boiled down to the following.

Defining My Goals

In short, answering this was the hardest part. Simply “a website” is too broad of an answer; I needed to really think about what content I wanted, how I wanted to present it, how it should be maintained and what I wanted to get out of my time with the project. So lets start with defining the content.

The content will be my own musings, or ramblings for some. I don’t want to lock myself into a certain type of topic or subject matter. So a semi-professional blog and portfolio I think will strike a balance. That means the site must be able to provide an easy way for me to both create that content and present it.

Presentation of the website should be clean and modern. Next I need to be able to customize it once I start having a more fully formed idea of the content. So again, it needs to be a flexible solution that can be changed without much headache.

And headaches is what I have gotten in the past with frameworks like wordpress or other blog focused solutions. They did so much more than I needed at the time, that I would get stuck in the weeds. I’d enable features I didn’t need, or maybe even fully understand. This solution needed to be simple, but extendable when I needed it to be.

Lastly, in the end what I want out of this project is a website I can call my own. A place that is easy for me to keep up to date both on content and patches. It had to work for me, rather than me work for it. Which has lead me to go with this set up.

The Project

This project is created with as minimal tools as possible; Hugo as the website generator and will be served by GitHub.

• Hugo - This is the website framework tooling solution, a static website generator
• Github/Gitlab Pages Hosted - Since I am setting up a static website, that means no backends - and not servers - needed! So why not use Github or GitLab’s pages and actions to handle the hosting and publishing?

Openness

I am always a big fan of Free and Open Source Software, FOSS for short. So where I can, I try my best to leverage systems and tools for that. Granted there comes a time where, well, time isn’t as available. Its the well-known adage of FOSS not being free in the cost of time. However, if the system is simple enough and the data portable enough, then it might very well be worth that time and effort to setup and maintain.

The Framework

Needing the site to be maintainable, is key to keeping the project, and thus the site, up and running. So, where I could, I would remove systems that needed my attention to work or stay in good working order. Too many website frameworks required lots of backends, databases and the like, as well as had features I simply didn’t care for. I just needed something that was dead simple to set up, run and update with new content when I felt like it.

The Platform

In the past I have always set up servers, installed the needed services and then install any applications to get a website up and running. But each of those items introduces complexity and friction. I need to make sure the services are up to date. The database needs to be backed up properly. How do I migrate to a new server if needed, and so on. With the static aspect of Hugo I can avoid this because, in the end, the website is just a bunch of files. And those files are already backed up in Github which is also “publishing them.” Overall reducing complexity to make it easier to maintain and use, which is exactly what I want.

TL;DR

In short, I have set up a Hugo based static website that I can use Github Pages and Actions to host and manage! I will probably also post a guide incase someone wants to try themselves!