<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>jacobian.org</title><link>https://jacobian.org/</link><description>jacobian.org</description><language>en-us</language><lastBuildDate>Thu, 25 Jun 2026 16:31:36 +0000</lastBuildDate><atom:link href="https://jacobian.org/index.xml" rel="self" type="application/rss+xml"/><item><title>🔗 Recommendations When Using LLM-backed Generative AI Systems for FOSS Contributions</title><link>https://jacobian.org/bookmarks/1772554970/</link><pubDate>Thu, 25 Jun 2026 16:31:36 +0000</pubDate><dc:creator>Jacob Kaplan-Moss</dc:creator><guid>https://jacobian.org/bookmarks/1772554970/</guid><description><![CDATA[<p>Several recommendations for LLM usage in the context of open source.</p>
<p>&ldquo;The long term goal of software freedom is to eliminate the harm of proprietary technology. While we work toward that greater goal, we should seek to mitigate the harms that we cannot immediately eliminate. These recommendations aim to abate the damage of these systems, and also consider how these tools might counter-intuitively help us advance FOSS.&rdquo;</p>
]]></description></item><item><title>This isn't a post about eating meat</title><link>https://jacobian.org/2026/jun/16/not-about-eating-meat/</link><pubDate>Tue, 16 Jun 2026 00:00:00 +0000</pubDate><dc:creator>Jacob Kaplan-Moss</dc:creator><guid>https://jacobian.org/2026/jun/16/not-about-eating-meat/</guid><description><![CDATA[<p>I think vegetarians are mostly right. Most of their arguments about why we shouldn&rsquo;t eat meet — environmental impact, treatment of animals, treatment of workers in the industry, health effects of too much meat consumption, climate impact, etc. — I tend to nod along. I&rsquo;m broadly in agreement with most of their main arguments.</p>
<p>And yet, I still eat meat. Why?</p>
<p>Partially, it&rsquo;s because while I agree with most arguments against meat eating, I also think that by and large vegetarians overstate their cases. Most of the environmental and social impacts aren&rsquo;t really effects of <em>eating</em> meat; they&rsquo;re results of the choices we&rsquo;ve made as a society about how we <em>produce</em> meat. Namely, our system of industrialized farming. We don&rsquo;t <em>have</em> to produce meat in a way that&rsquo;s environmentally damaging; we&rsquo;ve <em>chosen</em> to. Likewise, poor health outcomes are a result of eating <em>too much</em> meat (and not enough variety otherwise) — not something inherent in meat itself.</p>
<p>My guess, though, is that these arguments aren&rsquo;t actually that important to most vegetarians: I think that most are probably making the decision on a moral ground. They see killing animals as inexcusable, and sort of back into the other arguments because they&rsquo;re easier to explain. That&rsquo;s because &ldquo;killing animals is wrong&rdquo; isn&rsquo;t a scientific/analytical argument. You can&rsquo;t prove morality with CO2 emission numbers or whatever; it&rsquo;s something you <em>feel</em>. It&rsquo;s a matter of faith. And I don&rsquo;t share that belief. I believe there <em>are</em> moral ways to raise and kill animals for food.</p>
<p>I&rsquo;ll go even further: I eat meat because it tastes good, and I believe it&rsquo;s OK to make decisions with downsides, even significant downsides, just because they make us feel good. Living a moral life doesn&rsquo;t mean we have to live a miserable one.</p>
<p>But that said — I do believe that eating meat is carries some moral weight, and should be done deliberately and carefully. The environmental and social impacts are a fact — industrialized agriculture has so many nasty externalities.</p>
<p>So while I still eat meat, I apply a <a href="https://en.wikipedia.org/wiki/Harm_reduction">harm reduction</a> mindset. I&rsquo;m not a vegetarian, but I try to eat meat in a way that minimizes the downsides, both moral and physical. Specifically: when I eat out, it&rsquo;s mostly vegetables and some fish; at home, all of our meat comes from friends and neighbors raising animals in small numbers following sustainable practices. I know this because I can go to their farms and take a look! This means I eat a lot less meat, avoiding the health consequences. And as a nice side bonus, the money I spend on meat goes to people I know and like, instead of soulless multinationals.</p>
<p><strong>What I absolutely don&rsquo;t_do is use my own ethical decisions to judge other people</strong>. These are <em>my</em> choices, not a framework to criticize the relative morality of other people. I recognize my privilege in being able to eat the way I do. I can afford to buy a year&rsquo;s worth of meat up-front, a couple of freezers to store it in, and the electrical bills to keep those freezers running. I have the time and energy to cook from scratch. I have access to good grocery stores to get other sources of protein to supplement that meat. I live in a community that includes farmers raising meat sustainably, and so on.</p>
<p>And more importantly, I understand that my own choices come at least in part from a moral philosophy that&rsquo;s as much a matter of faith as it is science, and I have the humility to recognize <strong>that people with different beliefs, or people making different choices, aren&rsquo;t wrong just because I disagree with them.</strong> I&rsquo;ll very happily discuss my choices with people who are interested, and explain the environmental and social impacts to people who might be receptive to changing their approach to eating meat to minimize those externalities. But I certainly won&rsquo;t tell anyone who eats meat differently or more often than me that they&rsquo;re a bad person, or morally compromised, or whatever. Doing that wouldn&rsquo;t make me more moral — it&rsquo;d just make me an asshole.</p>
<p>In fact, I barely talk about my choices around eating meat — because hearing people spout off about their morality is most of the time annoying and exhausting. It&rsquo;s all true, but the only reason I&rsquo;m writing about eating meat at all is because it&rsquo;s a metaphor. This has really been about AI.</p>
]]></description></item><item><title>TIL: My Immich Setup</title><link>https://jacobian.org/til/immich-setup/</link><pubDate>Thu, 14 May 2026 00:00:00 +0000</pubDate><dc:creator>Jacob Kaplan-Moss</dc:creator><guid>https://jacobian.org/til/immich-setup/</guid><description><![CDATA[<p>Notes (mostly for myself but maybe useful to others?) on how I set up <a href="https://immich.app">Immich</a> for storing/archiving photos.</p>
<h3 id="goals">Goals:</h3>
<p>Consolidate all my photos &ndash; old archives off a NAS, a couple of years of photos stored in Google Photos, and ongoing photos taken with my iPhone &ndash; into a self-hosted Immich instance running on my NAS (a Synology). iCloud remains as a capture tool; Immich is the storage, organization, and browsing interface.</p>
<p>Goals: Consolidate all photos — old NAS archives, Google Photos, and ongoing iPhone captures — into a self-hosted Immich instance on the Synology NAS. iCloud/Photos remains the primary mobile capture tool; Immich is the long-term archive and browsing interface.</p>
<h3 id="tools">Tools</h3>
<ul>
<li><a href="https://immich.app">Immich</a> - duh</li>
<li><a href="https://github.com/RhetTbull/osxphotos">osxphotos</a> - export photos out of Photos.app / iCloud</li>
<li><a href="https://github.com/simulot/immich-go">immich-go</a> - bulk upload photos to Immich (I found this did what I wanted out of the box better than the first-party <a href="https://docs.immich.app/features/command-line-interface/">immich-cli</a>)</li>
</ul>
<h3 id="immich-setup-and-installation">Immich setup and installation</h3>
<p>Streightforward, following the Immich community-maintained <a href="https://docs.immich.app/install/synology">Synology installation guide</a> - this installs Immich as a Docker Compose project via Synology&rsquo;s Container Manager interface.</p>
<p>My setup is 95% as-documented, with a few key config changes and differences:</p>
<ul>
<li>
<p>I pointed Immich&rsquo;s built-in library to <code>/volume1/photo</code> - a dedicated photo drive - rather than the suggested default of the Docker directory (<code>/volume1/docker</code> on my NAS). This is so I can have the large photo library separate from all my various Docker detritus, mostly so I can set up different backup schedules for the different items.</p>
</li>
<li>
<p>I configured Immich with a <a href="https://docs.immich.app/administration/storage-template">Storage Template</a> to store photos in a date heirarchy. This is so that if something goes terribly wrong, I&rsquo;ll still have a somewhat-navigable photo library just on the file system.</p>
</li>
<li>
<p>I have a few tools I&rsquo;m building on top of Immich (not covered here, may write about these later). These are JavaScript tools, and thus need Immich to send CORS headers to be able to consume the Immich API. Immich doesn&rsquo;t have anything built-in to do this, so for me the easiest way to make this happen was with a Caddy sidecar; here&rsquo;s the relevant <code>docker-compose.yml</code> parts:</p>
<div class="highlight"><pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#000080">services</span>:<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb">  </span><span style="color:#000080">caddy</span>:<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb">    </span><span style="color:#000080">container_name</span>:<span style="color:#bbb"> </span>immich_caddy<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb">    </span><span style="color:#000080">image</span>:<span style="color:#bbb"> </span>caddy:2-alpine<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb">    </span><span style="color:#000080">restart</span>:<span style="color:#bbb"> </span>always<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb">    </span><span style="color:#000080">ports</span>:<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb">      </span>- <span style="color:#b84">&#34;2283:2283&#34;</span><span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb">    </span><span style="color:#000080">volumes</span>:<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb">      </span>- ./Caddyfile:/etc/caddy/Caddyfile:ro<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb">    </span><span style="color:#000080">depends_on</span>:<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb">      </span>- immich-server<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb">  </span><span style="color:#000080">immich-server</span>:<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb">    </span><span style="color:#998;font-style:italic"># as documented, except for ...</span><span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb">    </span><span style="color:#000080">expose</span>:<span style="color:#bbb"> </span>[<span style="color:#b84">&#34;2283&#34;</span>]<span style="color:#bbb"> </span><span style="color:#998;font-style:italic"># ... instead of port mapping</span><span style="color:#bbb">
</span></span></span></code></pre></div><p>And the Caddyfile:</p>
<div class="highlight"><pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-caddyfile" data-lang="caddyfile"><span style="display:flex;"><span><span style="color:#999">:2283</span> {
</span></span><span style="display:flex;"><span>        <span style="font-weight:bold">reverse_proxy</span> immich-server:<span style="color:#099">2283</span>
</span></span><span style="display:flex;"><span>        <span style="font-weight:bold">header</span> {
</span></span><span style="display:flex;"><span>                <span style="font-weight:bold">Access-Control-Allow-Origin</span> <span style="color:#b84">*</span>
</span></span><span style="display:flex;"><span>                <span style="font-weight:bold">Access-Control-Allow-Methods</span> <span style="color:#b84">*</span>
</span></span><span style="display:flex;"><span>                <span style="font-weight:bold">Access-Control-Allow-Headers</span> <span style="color:#b84">*</span>
</span></span><span style="display:flex;"><span>        }
</span></span><span style="display:flex;"><span>        @options <span style="font-weight:bold">method</span> <span style="color:#b84">OPTIONS</span>
</span></span><span style="display:flex;"><span>        <span style="font-weight:bold">respond</span> @options <span style="color:#099">204</span>
</span></span><span style="display:flex;"><span>}
</span></span></code></pre></div></li>
</ul>
<h3 id="one-time-imports">One-time imports</h3>
<p>Import raw photo directories:</p>
<div class="highlight"><pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>immich-go upload from-folder <span style="color:#b84">\
</span></span></span><span style="display:flex;"><span><span style="color:#b84"></span>    --server<span style="font-weight:bold">=</span>https://im.jacobian.me/ <span style="color:#b84">\
</span></span></span><span style="display:flex;"><span><span style="color:#b84"></span>    --api-key<span style="font-weight:bold">=</span><span style="font-weight:bold">$(</span>op <span style="color:#999">read</span> op://personal/immich-go/credential<span style="font-weight:bold">)</span> <span style="color:#b84">\
</span></span></span><span style="display:flex;"><span><span style="color:#b84"></span>    --manage-burst Stack <span style="color:#b84">\
</span></span></span><span style="display:flex;"><span><span style="color:#b84"></span>    photos-from-old-nas-to-import/
</span></span></code></pre></div><p>For Google Photos, I requested an export through the &ldquo;Takeout&rdquo; interface, which took a couple of days. <code>immich-go</code> is supposed to be able to operate on the raw zip files that you get from Takeout, but that didn&rsquo;t work for me. No problem, I just unpacked them, and ran:</p>
<div class="highlight"><pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>immich-go upload from-google-photos <span style="color:#b84">\
</span></span></span><span style="display:flex;"><span><span style="color:#b84"></span>    --server<span style="font-weight:bold">=</span>https://im.jacobian.me/ <span style="color:#b84">\
</span></span></span><span style="display:flex;"><span><span style="color:#b84"></span>    --api-key<span style="font-weight:bold">=</span><span style="font-weight:bold">$(</span>op <span style="color:#999">read</span> op://personal/immich-go/credential<span style="font-weight:bold">)</span> <span style="color:#b84">\
</span></span></span><span style="display:flex;"><span><span style="color:#b84"></span>    --manage-burst Stack <span style="color:#b84">\
</span></span></span><span style="display:flex;"><span><span style="color:#b84"></span>    gphotos/Takeout
</span></span></code></pre></div><h3 id="ongoing-sync-from-icloud">Ongoing sync from iCloud</h3>
<p>Getting photos out of iCloud is easy: <a href="https://github.com/RhetTbull/osxphotos">osxphotos</a> works great, and has all sorts of options. There are several ways I could import those photos into Immich, depending on the workflow I want. I considered ditching iCloud entirely; if I&rsquo;d done that, I would have uploaded my photos into Immich using <code>immich-go upload from-folder</code> or expored the <code>upload from-icloud</code> option.</p>
<p>However, I decided I want to keep using iCloud: there are aspects of the workflow I like (namely: photos transparantly syucing to all devices; easy sharing with family members), and I&rsquo;ve read several accounts of the Immich mobile app being flaky, and my photo library isn&rsquo;t big enough to make my iCloud spend a problem. So, the approach I&rsquo;m taking is that iCloud stays as the primary way photos get taken and synced to my Mac, and then I&rsquo;ll periodically back them up into Immich for archival, organization, publication, etc.</p>
<p>I decided the best way to do this is to export photos from iCloud using <code>osxphotos</code> on to my NAS, and point Immich at that directory as an <a href="https://docs.immich.app/features/libraries">External Library</a>. I wasn&rsquo;t sure I&rsquo;d be able to figure out incremental uploads into Immich&rsquo;s built-in photo library &ndash; but osxphotos does incremental exports, so this works nicely. The one tradeoff is that if I make edits to photos in Photos.app or on my phone, those won&rsquo;t get synced to Immich. I&rsquo;m OK with that: that&rsquo;s not a thing I do except very very rarely.</p>
<p>So, here&rsquo;s the little wrapper around <a href="https://github.com/RhetTbull/osxphotos">osxphotos</a> that does the export:</p>
<div class="highlight"><pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#998;font-style:italic">#!/usr/bin/env -S uv run --script</span>
</span></span><span style="display:flex;"><span><span style="font-weight:bold">from</span> <span style="color:#555">pathlib</span> <span style="font-weight:bold">import</span> Path
</span></span><span style="display:flex;"><span><span style="font-weight:bold">from</span> <span style="color:#555">subprocess</span> <span style="font-weight:bold">import</span> run
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>HERE <span style="font-weight:bold">=</span> Path(<span style="color:#008080">__file__</span>)<span style="font-weight:bold">.</span>parent<span style="font-weight:bold">.</span>absolute()
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="font-weight:bold">def</span> <span style="color:#900;font-weight:bold">main</span>():
</span></span><span style="display:flex;"><span>    <span style="color:#998;font-style:italic"># mount the network share</span>
</span></span><span style="display:flex;"><span>    run([<span style="color:#b84">&#34;osascript&#34;</span>, <span style="color:#b84">&#34;-e&#34;</span>, <span style="color:#b84">&#39;mount volume &#34;smb://jacob@ds2/photo&#34;&#39;</span>])
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>    run(
</span></span><span style="display:flex;"><span>        [
</span></span><span style="display:flex;"><span>            <span style="color:#b84">&#34;osxphotos&#34;</span>, <span style="color:#b84">&#34;export&#34;</span>, <span style="color:#b84">&#34;/Volumes/photo/ios-photos&#34;</span>,
</span></span><span style="display:flex;"><span>            <span style="color:#b84">&#34;--export-by-date&#34;</span>,                   <span style="color:#998;font-style:italic"># organize exported photos into folders by date</span>
</span></span><span style="display:flex;"><span>            <span style="color:#b84">&#34;--skip-original-if-edited&#34;</span>,          <span style="color:#998;font-style:italic"># just export  edited versions of photos</span>
</span></span><span style="display:flex;"><span>            <span style="color:#b84">&#34;--download-missing&#34;</span>,                 <span style="color:#998;font-style:italic"># download full-res versions from icloud</span>
</span></span><span style="display:flex;"><span>            <span style="color:#b84">&#34;--use-photokit&#34;</span>,                     <span style="color:#998;font-style:italic"># &#34;experimental&#34; downloader, per docs, but more robust?</span>
</span></span><span style="display:flex;"><span>            <span style="color:#b84">&#34;--exportdb&#34;</span>, (HERE<span style="font-weight:bold">/</span><span style="color:#b84">&#34;osxphotos.db&#34;</span>),  <span style="color:#998;font-style:italic"># store export state db here (be nice to NAS)</span>
</span></span><span style="display:flex;"><span>            <span style="color:#b84">&#34;--retry&#34;</span>, <span style="color:#b84">&#34;3&#34;</span>,                       <span style="color:#998;font-style:italic"># retry failed exports 3x</span>
</span></span><span style="display:flex;"><span>            <span style="color:#b84">&#34;--sidecar&#34;</span>, <span style="color:#b84">&#34;XMP&#34;</span>,                   <span style="color:#998;font-style:italic"># XMP &#34;sidecars&#34; (metadata) - immich reads these</span>
</span></span><span style="display:flex;"><span>            <span style="color:#b84">&#34;--fix-orientation&#34;</span>,                  <span style="color:#998;font-style:italic"># rotate images rotated in iphotos</span>
</span></span><span style="display:flex;"><span>            <span style="color:#b84">&#34;--update&#34;</span>,                           <span style="color:#998;font-style:italic"># incrementally update export</span>
</span></span><span style="display:flex;"><span>            <span style="color:#b84">&#34;--only-new&#34;</span>,                         <span style="color:#998;font-style:italic"># only export new files, not udpated ones</span>
</span></span><span style="display:flex;"><span>            <span style="color:#b84">&#34;--added-in-last&#34;</span>, <span style="color:#b84">&#34;7d&#34;</span>               <span style="color:#998;font-style:italic"># not strictly necessary, but speeds things up</span>
</span></span><span style="display:flex;"><span>        ]
</span></span><span style="display:flex;"><span>    )
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="font-weight:bold">if</span> <span style="color:#008080">__name__</span> <span style="font-weight:bold">==</span> <span style="color:#b84">&#34;__main__&#34;</span>:
</span></span><span style="display:flex;"><span>    main()
</span></span></code></pre></div><p>I have this set up to run nightly on my Mac, and Immich set up to re-scan the external library about 3 hours later.</p>
<h3 id="next-steps">Next steps:</h3>
<p>The one missing piece is shared Google Photos libraries: frequently, after a group trip, someone will set up a Google Photos album to share photos. I&rsquo;d like to export those photos into Immich, but at a cursory glance it&rsquo;s not super streightfoward to do this in a fully-automated way (Google Photos has a pretty limited API for shared albums).</p>
<p>The other planned next step is a triage and publication workflow. The whole point of getting images into Immich was to have a foundation for building my own tooling/workflow on top of it. Key to that is a way to quickly triage albums down to a concise subset, and publish them. I have plans here, and an intiial proof of concept, but nothing I&rsquo;m ready to share/talk about yet.</p>]]></description></item><item><title>🔗 A beginner's guide to improving your digital security</title><link>https://jacobian.org/bookmarks/1564867051/</link><pubDate>Tue, 27 Jan 2026 21:39:00 +0000</pubDate><dc:creator>Jacob Kaplan-Moss</dc:creator><guid>https://jacobian.org/bookmarks/1564867051/</guid><description>&lt;p>Absolutely fantastic guide — all the impactful stuff, none of the nonsense.&lt;/p>
</description></item><item><title>How I'm voting in the 2026 DSF Board Elections</title><link>https://jacobian.org/2025/nov/9/dsf-2026-board-elections/</link><pubDate>Sun, 09 Nov 2025 00:00:00 +0000</pubDate><dc:creator>Jacob Kaplan-Moss</dc:creator><guid>https://jacobian.org/2025/nov/9/dsf-2026-board-elections/</guid><description><![CDATA[<p>Elections for the 2026 Django Software Foundation Board are now open. You can <a href="https://www.djangoproject.com/weblog/2025/nov/05/2026-dsf-board-candidates/">read candidate statements on the Django blog</a>, and DSF members should have a ballot in their inboxes. (If you don&rsquo;t: email <code>foundation@djangoproject.com</code>). Elections are open through November 26th at 23:59 <a href="https://www.timeanddate.com/time/zones/aoe">Anywhere on Earth</a>.</p>
<p>Please vote!</p>
<h2 id="how-im-ranking-candidates">How I&rsquo;m ranking candidates</h2>
<p>The DSF faces some significant challenges in 2026, particularly around increasing our budget and moving our community forward, and that shapes how I&rsquo;m thinking about this election. Here&rsquo;s what I&rsquo;m prioritizing in candidates:</p>
<ul>
<li>
<p><strong>Fundraising experience</strong></p>
<p>This is my top criteria. The DSF&rsquo;s greatest challenge next year will be increasing our funding. We have ambitious goals that require substantially more revenue than we currently have. Anyone bringing fundraising experience moves to the top of my list</p>
</li>
<li>
<p><strong>Community management experience</strong></p>
<p>I&rsquo;m grateful to everyone who&rsquo;s contributed code to Django, but it&rsquo;s not relevant experience for the board. &ndash; the DSF doesn&rsquo;t write code. I&rsquo;m looking for people with experience in community management, preferably (in order of priority):</p>
<ol>
<li>Direct DSF experience — working groups, committees, etc. This is my highest priority</li>
<li>Other nonprofits of similar size and scope</li>
<li>Related groups like Djangonaut Space or DjangoCons</li>
<li>Broader Python ecosystem organizations like the PSF</li>
</ol>
<p>Experience trumps desire here. I want people who understand what they&rsquo;re signing up for.</p>
</li>
<li>
<p><strong>Clear vision and specific goals</strong></p>
<p>I&rsquo;m looking for candidates who articulate not just what they want the DSF to do, but how they plan to get there. Specific tactics and measurable goals carry more weight than general aspirations.</p>
</li>
<li>
<p><strong>Diversity of experience</strong></p>
<p>The DSF claims to represent a global community, and our leadership should reflect that. So, among candidates with the kind of experience covered above, I&rsquo;m prioritizing candidates outside the US and Europe. Similarly, Django is used across many industries, but we&rsquo;re overrepresented in traditional &ldquo;tech&rdquo; companies. So in the same way, I&rsquo;m prioritizing candidates with experience in other fields &ndash; education, finance, (physical) engineering, government, nonprofits, etc.</p>
</li>
</ul>
<p>Yes, this sounds self-serving — I&rsquo;m a candidate and check several of these boxes. Not all of them, though! In fact, on my ballot, I&rsquo;ve ranked several candidates above myself.</p>
<p>Still, even if you think I&rsquo;m biased, please think about these criteria &ndash; I think you&rsquo;ll agree they&rsquo;re important for the DSF. The DSF faces some challenges in the next few years, and we need board members who can navigate them successfully.</p>
<p>Now go vote!</p>
]]></description></item><item><title>Working in Between Public and Private</title><link>https://jacobian.org/2025/oct/18/working-in-between-public-and-private/</link><pubDate>Sat, 18 Oct 2025 00:00:00 +0000</pubDate><dc:creator>Jacob Kaplan-Moss</dc:creator><guid>https://jacobian.org/2025/oct/18/working-in-between-public-and-private/</guid><description><![CDATA[<p>The default working model for open source projects is working in public: public bug trackers, public forums, &ldquo;pull requests welcome&rdquo;, and so forth. Sure, there&rsquo;s <em>some</em> level of gatekeeping &ndash; it&rsquo;s extremely rare for an open source project to accept code from anyone without some level of review by a trusted group &ndash; but the key point is: <strong>you don&rsquo;t need permission or an invite to get started, you can just show up.</strong></p>
<p>This is also the default for many small-to-medium-sized companies&rsquo; engineering organizations: while the engineering department is usually split into smaller teams, anyone from any team with sufficient time and interest is welcome to hop into another team&rsquo;s slack channel or corner of the codebase.</p>
<p>However, there are situations where this doesn&rsquo;t work (I&rsquo;ll talk about a few of those situations below). When that happens, the impulse is to go full-on in the other direction, and work entirely in private. &ldquo;Private&rdquo; meaning: work done by a select group of insiders, with no mechanism for the broader company/community to get involved.</p>
<p>But… it&rsquo;s not a binary! There are many working models that fall in between fully public and fully private. This blog post is about those middle-ground options. My goal is to convince you to think about using them more often. <strong>If working in public isn&rsquo;t working, consider adopting a middle-ground option instead of retreating into fully-private.</strong></p>
<h2 id="ends-of-the-spectrum">Ends of the spectrum</h2>
<p>The two options, as usually presented, are:</p>
<h3 id="working-in-private">Working in private</h3>
<p>All work is done by a select group of insiders. There&rsquo;s no mechanism for someone outside the group to add themselves. Conversations happen solely within the group. Perhaps there&rsquo;s some level of reporting out, but if so it&rsquo;s a one-way communication: &ldquo;look, we did a thing&rdquo;.</p>
<p>The problems with this model, especially in the context of open source, seem fairly obvious. There&rsquo;s no mechanism for feedback from outside the group. Work is presented as a fait accompli. This model is not great for building community, and it&rsquo;s also pretty risky: if the in-group gets something wrong, they can go pretty far down the wrong path before finding out about it. This is how you get, for example, companies launching new versions of their product that are significantly worse than the older version<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup>. Or less dramatically, a group working in private on a pull request that never lands because they missed something critical early on.</p>
<h3 id="working-in-public">Working in public</h3>
<p>The other end of the spectrum: all work happens fully out in the open. As discussed in the introduction, this is usually the default for open source projects and, to a lesser degree, small-to-medium-sized companies. There&rsquo;s almost always <em>some</em> level of gatekeeping, but the key part is: you don&rsquo;t need permission or an invite to get started, you can just show up.</p>
<p>There&rsquo;s a reason why this is the default for open source: <em>it works!</em> (Most of the time, that is &ndash; but we&rsquo;ll get to that.) Open source projects live and die on the strength of their community, and this model optimizes for community engagement. It also maximizes your changes of getting great contributions from someone outside (or new to) your community.</p>
<h4 id="when-working-in-public-doesnt-work">When working in public doesn&rsquo;t work</h4>
<p>But from time to time, we run across situations where this &ldquo;no permission required&rdquo; model breaks down. Two examples that come to mind:</p>
<ol>
<li>
<p><strong>Design decisions</strong>. There&rsquo;s a reason why &ldquo;design by committee&rdquo; is a pejorative. Good design relies on a strong vision, and too many voices only dilutes a vision. I&rsquo;ve seen this hold true for both visual design and API design &ndash; matters of style and taste. These situations don&rsquo;t have clear &ldquo;correct&rdquo; answers; there&rsquo;s a universe of good options. That&rsquo;s a recipe for paralysis, where it feels impossible to move forward because there are too many credible options. Or, if it does move forward, it does so as an average of many competing options, and thus is confused, or bland, or otherwise incoherent &ndash; because it&rsquo;s no longer a design with a vision behind it.</p>
</li>
<li>
<p><strong>Filibuster</strong>. Sometimes, a public conversation ends up getting dominated by one (or a few) loud voices who, for whatever reason, are willing to talk way, way more than anyone else. Instead of making space for community consensus to form, they dominate the conversation, drowning out other voices through sheer volume. People who might have good contributions don&rsquo;t want to get involved because reading through hundreds of pages of forum posts, most by the same person, is exhausting. Thus filibusterers create a false sense of consensus as their point of view appears to dominate. (And they burnout/exhaust other community members in the process.)</p>
</li>
</ol>
<p>These are real dynamics; anyone who&rsquo;s worked in open source long enough has seen them happen. I&rsquo;m thinking of several real-world examples of these dynamics as I write this. So it&rsquo;s understandable that, when faced with one of these situations, people conclude that working in public is the wrong approach.</p>
<p>However, here&rsquo;s the fallacy I want to address: faced with a situation that&rsquo;s wrong for a fully-public working style, many people conclude the only other option is to do the work in secret, and only present it to the larger community when it&rsquo;s done.</p>
<h2 id="in-between-public-and-private">In between public and private</h2>
<p>This is a wrong! <strong>There are all sorts of options that lie somewhere in-between &ldquo;anyone can show up and contribute&rdquo; and &ldquo;only insiders allowed.&rdquo;</strong> It&rsquo;s quite possible to set up a working model that has most of the benefits of working in public &ndash; a wide net for contributions, community engagement and involvement, rapid and frequent feedback mechanisms, etc. &ndash; while also retaining many of the benefits of working in private &ndash; more rapid movement, less bikeshedding, ability to execute a clear vision, etc.</p>
<p><strong>If working in public isn&rsquo;t working, consider adopting a middle-ground option instead of retreating into fully-private.</strong></p>
<h3 id="common-successful-patterns-for-in-between-public-and-private-working-models">Common successful patterns for in-between-public-and-private working models</h3>
<p>While there are innumerable ways to structure a middle-ground approach, the ones I&rsquo;ve seen be successful share a few common patterns:</p>
<ul>
<li>
<p>A <strong>clearly-defined charter or mission</strong> that lays out what the group is for, what its remit is, who the membership is, and so forth. This is a key bit of transparency that lets outsiders know who&rsquo;s doing what and why. And having a clear scope keeps the the group on track, and prevents surprises (&ldquo;I didn&rsquo;t know they were working on that!&rdquo;)</p>
</li>
<li>
<p><strong>Leadership buy-in</strong>: whatever &ldquo;leadership&rdquo; means in your context, it needs to support the charter of the group. Sure, occasionally that &ldquo;leadership&rdquo; may need to override a sub-group&rsquo;s decisions, but the general expectation should be that whoever chartered the group has their back.</p>
</li>
<li>
<p><strong>Clear rules and procedures for adding and removing people from the group</strong>. This could be elections, appointments, an application procedure, etc. The specific mechanism is relatively unimportant; what matters is that outsiders need to be able to understand why the group composition is the way it is, and what mechanisms are available to join.</p>
</li>
<li>
<p><strong>Regular report-outs</strong>: the group needs to report on what its doing, frequently enough to (again) provide transparency and prevent surprises. Frequency varies a lot depending on the nature and scope of the group, but somewhere between weekly and monthly is a good starting point for most groups.</p>
</li>
<li>
<p><strong>Well-defined, structured mechanisms for broader input</strong>: finally, the group needs mechanisms to take feedback in. This needn&rsquo;t be a free-for-all; it can be structured (feedback forms), timed (notice and comment periods), public or private, etc. What matters is that outsiders who want to contribute have a direction to channel their energy. If they don&rsquo;t, it&rsquo;ll spill out into the kinds of unproductive sprawling public discussions you were trying to avoid in the first place.</p>
</li>
</ul>
<h2 id="if-working-in-public-isnt-working-consider-a-middle-ground">If working in public isn&rsquo;t working, consider a middle ground</h2>
<p>I hope this opened your mind to more options for working models beyond fully-public and fully-private. If you do end up choosing a middle-ground working model, <a href="/contact/">get in touch</a> &ndash; I&rsquo;d love to hear about it!</p>
<div class="footnotes" role="doc-endnotes">
<hr>
<ol>
<li id="fn:1">
<p>Looking at you, Sonos.&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
</ol>
</div>
]]></description></item><item><title>🔗 Writing a risk scenario</title><link>https://jacobian.org/bookmarks/1378353086/</link><pubDate>Wed, 08 Oct 2025 19:21:26 +0000</pubDate><dc:creator>Jacob Kaplan-Moss</dc:creator><guid>https://jacobian.org/bookmarks/1378353086/</guid><description>&lt;p>A risk scenario is a fictional but plausible event that could harm your organization. Writing one well improves communication with others…&lt;/p>
</description></item><item><title>🔗 FACETS - Avalanche.org</title><link>https://jacobian.org/bookmarks/1330537992/</link><pubDate>Tue, 09 Sep 2025 16:41:34 +0000</pubDate><dc:creator>Jacob Kaplan-Moss</dc:creator><guid>https://jacobian.org/bookmarks/1330537992/</guid><description>&lt;p>“FACETS is an acronym presented by Ian McCammon to describe a set of 6 heuristic traps that were common in his study of recreational accidents.”&lt;/p>
</description></item><item><title>🔗 This World of Ours (James Mickens)</title><link>https://jacobian.org/bookmarks/1296204323/</link><pubDate>Tue, 12 Aug 2025 16:57:55 +0000</pubDate><dc:creator>Jacob Kaplan-Moss</dc:creator><guid>https://jacobian.org/bookmarks/1296204323/</guid><description>&lt;p>I was reminded of this classic paper in the threat modeling literature canon. Hilarious and also insightful — worth a read if you haven&amp;rsquo;t seen it before.&lt;/p>
</description></item><item><title>Two Scenario Threat Modeling</title><link>https://jacobian.org/2025/aug/8/two-scenario-threat-modeling/</link><pubDate>Fri, 08 Aug 2025 00:00:00 +0000</pubDate><dc:creator>Jacob Kaplan-Moss</dc:creator><guid>https://jacobian.org/2025/aug/8/two-scenario-threat-modeling/</guid><description><![CDATA[<p>A trap that many people fall into when trying to threat modeling or risk planning is a fear of being incomplete that leads them to not even try. People think, &ldquo;there are so many possible things that could go wrong, so many potential risks. It&rsquo;s going to be such a <em>huge</em> effort to enumerate all possible scenarios, and I don&rsquo;t have time, so I guess I can&rsquo;t do threat modeling.&rdquo; That is, threat modeling seems so big, so hairy, that people believe it&rsquo;s too complex to tackle.</p>
<p>This just isn&rsquo;t true! <strong>Some planning is always better than no planning</strong>. In fact, you can get a surprising amount of value out of a very simple and fast technique: imagine a couple of scenarios &ndash; <strong>just two!</strong> &ndash; and game out what you could do to mitigate them.</p>
<p>I&rsquo;ll cover a bit of background first, but if you just want to get to the exercise, <a href="#two-scenario-threat-modeling">skip ahead to that section</a>.</p>
<h2 id="scenario-based-threat-modeling">Scenario-based threat modeling</h2>
<p>What do I mean by &ldquo;scenario&rdquo;? There are a variety of techniques for doing threat modeling: systems-oriented (diagram a system and consider threats at each node in the system); data-oriented (map all the data in your system and consider threats to each bit of it); attacker-oriented (enumerate the possible &ldquo;bad guys&rdquo;), and so forth.</p>
<p>One of the very simplest, though, is to <strong>tell stories</strong>. Make up something that might go wrong, imagine how it might happen, and think about how we might mitigate the risk. These can be stories we make up from whole cloth, &ldquo;ripped from the headlines&rdquo; scenarios we&rsquo;ve seen happen elsewhere, or (most commonly) scenarios &ldquo;based on true events&rdquo; that mix some reality with some imagination.</p>
<p>Scenario-based planning tends to work really well because human beings are great at telling and remembering stories. We think in narratives, stories prime our imagination. It&rsquo;s easy for us to keep our risk scenarios in mind — far easier than remembering some complex threat model or risk plan or attack tree.</p>
<h2 id="you-only-need-a-few-scenarios-to-generate-a-ton-of-insight">You only need a few scenarios to generate a ton of insight</h2>
<p>With other forms of threat modeling (especially systems-oriented and data-oriented techniques) incompleteness can be a big problem. For example, a systems diagram that leaves off the build server that bridges testing and production leaves off a critical node, and leads to faulty insights about the security of your network perimeter. But with scenario-based planning, incompleteness is sort of inherent — there are a near-infinity of possible futures — and it only takes a very small number of scenarios to yield tons of insight.</p>
<p>It&rsquo;s a similar dynamic to usability testing. In that field, Jacob Nielsen famously found that <a href="https://www.nngroup.com/articles/why-you-only-need-to-test-with-5-users/">very small usability studies &ndash; five users &ndash; offer similar results to much larger studies</a>:</p>
<blockquote>
<p>The most striking truth [&hellip;] is that <strong>zero users give zero insights</strong>.</p>
<p>As soon as you collect data from a <strong>single test user</strong>, your insights shoot up and you have already learned almost a third of all there is to know about the usability of the design. The difference between zero and even a little bit of data is astounding.</p>
<p>[&hellip;]</p>
<p>As you <strong>add more and more users, you learn less and less</strong> because you will keep seeing the same things again and again. [&hellip;]</p>
<p>After the fifth user, you are wasting your time by observing the same findings repeatedly but not learning much new.</p></blockquote>
<p>In a very similar fashion, with scenario-based planning, the <em>very first scenario</em> you consider yields a surprising amount of information, and after that there are rapidly diminishing returns.</p>
<p>I&rsquo;m not aware of any sort of formal study here, so I can&rsquo;t offer a number as specific as Nielsen&rsquo;s &ldquo;five&rdquo;. But I can tell you, from a ton of personal experience, that considering <strong>just two</strong> scenarios &ndash; as long as they&rsquo;re the right scenarios &ndash; can yield nearly as much actionable insight as a much more in-depth, complex, formal threat model exercise.</p>
<h2 id="two-scenario-threat-modeling">Two-scenario threat modeling</h2>
<p>Thus, we get to what I&rsquo;ve been calling <strong>two-scenario threat modeling</strong>. In this exercise, you<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup> come up with two specific scenarios to guide your risk migitation conversation:</p>
<ol>
<li>
<p><strong>Worst-case scenario.</strong></p>
<p>This is the big, existential threat; the scary thing that keeps you up at night. An avalanche on a ski trip; a bank losing customer funds; a total data breach; a medical device being compromised to harm a patient; and so on.</p>
<p>Usually this is fairly easy to imagine: most situations have a couple-three &ldquo;really bad things&rdquo; that everyone&rsquo;s already thinking about. Don&rsquo;t waste time trying to decide which of a few options is &ldquo;worst&rdquo;: this doesn&rsquo;t have to be <em>the</em> worst-case scenario, it can simply be <em>a</em> worst-case scenario.</p>
<p>This scenario can be pretty unlikely — though, make sure it&rsquo;s at least reasonably possible — as long as it has very high impact.</p>
</li>
<li>
<p><strong>Most-likely scenario with tangible impact</strong></p>
<p>This one&rsquo;s a bit hard to describe. It&rsquo;s not the <em>most</em> likely scenario, since these are often boring. E.g., the most likely problem for a web app is probably some sort of minor crash without data loss which just doesn&rsquo;t have a lot of &ldquo;meat&rdquo; for discussing mitigation.</p>
<p>Instead, look for a scenario that ranks somewhat high on both impact and likelihood. Something that&rsquo;s fairly likely to happen, and that would really hurt if it did. Err on the side of higher likelihood: you want a scenario that&rsquo;s as likely to happen as possible, while still having at least <em>some</em> impact.</p>
<p>Some examples: a partial data breach; an attacker is able to escalate privileges, not to a full admin but to some sort of partially-privileged role like customer support; mild hypothermia; getting lost; a breach of embarrassing (but not existentially-threatening) internal documents; etc.</p>
</li>
</ol>
<p><strong>Be super-specific about both scenarios.</strong> Remember: tell stories. The examples I gave above are just starting points; a full scenario should include a detailed narrative. For example, instead of &ldquo;partial data breach&rdquo;, go with something like:</p>
<blockquote>
<p>We accidentally deploy a testing version of our web app with debug mode on to a public domain. An attacker discovers this testing app, and is able to generate a crash which, because of debug mode, reveals an AWS credential. This credential that allows read-only access to some of our S3 buckets, one of which contains a partial backup of our user database. The attacker downloads this backup before we discover the error and take down the app. This backup contains about 30% of our user data, including names, emails, and zip codes; it <em>doesn&rsquo;t</em> contain passwords, hashed or otherwise.</p></blockquote>
<p>Write down both scenarios in detail. There are then any number of things you could do from here, from informal (e.g. brainstorm mitigations and come up with some potential projects to reduce risk) to formal (e.g. construct formal attack trees for each scenario). Perhaps I&rsquo;ll write about some of those techniques in the future &ndash; <a href="/contact/">let me know</a> if that sounds interesting. The very easiest, however, is simply to circulate these scenarios widely, and encourage people to keep them front-of-mind during their work. Once again, this leans into our propensity for stories; people usually find it pretty easy to remember a couple of scenarios, and avoid making decisions that increase risks in those areas.</p>
<p>So there you go: a threat modeling / risk planing exercise that doesn&rsquo;t take much time. Give yourself an hour for a brainstorm meeting, and a few more hours to write something up &ndash; boom, you have a useful threat model in under a day.</p>
<div class="footnotes" role="doc-endnotes">
<hr>
<ol>
<li id="fn:1">
<p>This can be done individually, but I recommend making this a group exercise. Brainstorming/imagination exercises almost always turn out better when doing in a group context.&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
</ol>
</div>]]></description></item><item><title>Comfort Scores: A risk mitigation tool for pre-trip briefings</title><link>https://jacobian.org/2025/aug/4/comfort-scores/</link><pubDate>Mon, 04 Aug 2025 00:00:00 +0000</pubDate><dc:creator>Jacob Kaplan-Moss</dc:creator><guid>https://jacobian.org/2025/aug/4/comfort-scores/</guid><description><![CDATA[<p>Here&rsquo;s a tool I find useful at pre-trip briefings that can help the group assess its ability to tackle some tricky objective. It&rsquo;s especially good for groups with mixed skill levels where people aren&rsquo;t necessarily familiar with everyone else&rsquo;s skill set. I&rsquo;ve used this in contexts like group kayak trips, group canyoneering trips, ambitious adventure runs, and so forth.</p>
<p>You do need a small baseline of trust and psychological safety with the group since it requires being a little bit vulnerable about your comfort level. So it&rsquo;s probably best in situations with shared context, e.g. kayak or climbing clubs; or among groups with similar training backgrounds, e.g. a group of guides with similar certifications</p>
<p>It works like this: everyone individually thinks about the trip and the group&rsquo;s objectives, and states their comfort with the trip as planned, giving a score of 1, 2, or 3.</p>
<ul>
<li>
<p><strong>3</strong> means: &ldquo;I&rsquo;m super comfortable. This is well within my skill &ndash; so much so that I&rsquo;lll be able to help others.&rdquo;</p>
<p>At a &ldquo;3&rdquo;, you&rsquo;re not just getting through the day; you&rsquo;ve got spare mental and physical capacity to help out others. This might be a Class IV boater on a Class III river they&rsquo;ve run a bunch of times, or an experienced backpacker out for a short overnighter in easy terrain, etc.</p>
</li>
<li>
<p><strong>2</strong> means: &ldquo;I can do this, I can look out for myself. but it will require focus.&rdquo;</p>
<p>At a &ldquo;2&rdquo;, you&rsquo;re <em>at</em> your comfortable level &ndash; not above it, you&rsquo;re not overreaching, but you&rsquo;re doing something that&rsquo;ll challenge you and require your full attention. You will not be available to help others.</p>
</li>
<li>
<p><strong>1</strong> means: &ldquo;I&rsquo;m uncomfortable or nervous, and I&rsquo;ll need some help getting through the day.&rdquo;</p>
<p>A &ldquo;1&rdquo; doesn&rsquo;t mean you&rsquo;re over your head, or that you shouldn&rsquo;t go on the trip; it means that there&rsquo;s a reason you&rsquo;re doing this in a group! You&rsquo;ll be stretching some, and may need a hand to have an optimal day. For example, I&rsquo;m going on a canyoneering trip next week where I&rsquo;m going to be a &ldquo;1&rdquo;: it&rsquo;s a canyon I&rsquo;ve done once before, and I know there&rsquo;s a very tricky move on the final rappel sequence. I needed an assist there last time, and I don&rsquo;t think I&rsquo;ve improved enough to attempt that bit unassisted.</p>
</li>
</ul>
<p>The group then totals up the scores. Your total score should be around double the size of your team &ndash; e.g. if you&rsquo;re a team of 6, you&rsquo;d like a total score of 12 or more. Anything above that mark indicates you&rsquo;ve got more help available than you have need for help &ndash; a good sign!</p>
<p>If the total score is <em>below</em> that mark, it&rsquo;s a sign you should stop and think carefully, and even consider cancelling the trip or changing objectives. An average below &ldquo;2&rdquo; indicates that <strong>you have more need for help than you have help available</strong>, and that might be dangerous. At the very least, you should carefully discuss how you can increase your safety bargain.</p>
<p>This exercise can also prompt discussion with the &ldquo;1&quot;s about what and where they might need a hand. Often I&rsquo;ve seen &ldquo;3&quot;s and &ldquo;1&quot;s connect during/after this exercise and make some specific plans for where/when/how to work together to increase safety/comfort.</p>
<p>I think this is probably most useful in wilderness risk mitigation, but you can probably apply it to other disciplines. If you do, <a href="/contact/">I&rsquo;d love to hear about it!</a>.</p>
]]></description></item><item><title>🔗 Using AI to build a tactical shooter</title><link>https://jacobian.org/bookmarks/1271275736/</link><pubDate>Mon, 28 Jul 2025 15:20:22 +0000</pubDate><dc:creator>Jacob Kaplan-Moss</dc:creator><guid>https://jacobian.org/bookmarks/1271275736/</guid><description>&lt;p>Via RC’s AI article, a fascinating recording of someone programming a game almost entirely by prompting Claude by voice. This feels truly “futuristic” to me. Sure it’s clunky at times, but damn if this isn’t closer to the Star Trek computer than I ever thought I’d see in my lifetime.&lt;/p>
</description></item><item><title>🔗 Developing our position on AI - Blog - Recurse Center</title><link>https://jacobian.org/bookmarks/1271273881/</link><pubDate>Mon, 28 Jul 2025 15:17:34 +0000</pubDate><dc:creator>Jacob Kaplan-Moss</dc:creator><guid>https://jacobian.org/bookmarks/1271273881/</guid><description><![CDATA[<p>Detailed, nuanced, and well-thought-out. Tons of great and insightful quotes from RC alums. And their conclusion is, I think, perfect:</p>
<blockquote>
<p>You should use AI-powered tools to complement or increase your agency, not replace it.</p></blockquote>
]]></description></item><item><title>What if We Thought About Risk Decisions Differently?</title><link>https://jacobian.org/2025/jul/22/what-if-we-thought-about-risk-decisions-differently/</link><pubDate>Tue, 22 Jul 2025 00:00:00 +0000</pubDate><dc:creator>Jacob Kaplan-Moss</dc:creator><guid>https://jacobian.org/2025/jul/22/what-if-we-thought-about-risk-decisions-differently/</guid><description><![CDATA[<figure class="my-4 lg:w-3/4 mx-auto"><img src="/2025/jul/22/what-if-we-thought-about-risk-decisions-differently/waterfall.jpeg"
    alt="someone doing free-hanging rappel down a waterfall">
</figure>

<p>Would you believe me if I told you that this was safe? That we&rsquo;ve considered the risks very carefully, and mitigated them? Or would you say that someone who rappels down waterfalls probably isn&rsquo;t thinking very clearly about risk?</p>
<h2 id="the-people-suck-at-thinking-about-risk-framing">The &ldquo;people suck at thinking about risk&rdquo; framing</h2>
<p>There&rsquo;s a common belief among risk professionals that people are inherently bad at thinking about risk. Specifically, that people inherently make poor decisions when confronted with risk of the &ldquo;low probability, high consequences&rdquo; variety (e.g. traveling in avalanche terrain, releasing software with known but difficult-to-exploit vulnerabilities, etc.). I&rsquo;ve certainly said many times, and I think I mostly believe it. But in the last couple years I&rsquo;ve started to question this foundational narrative, so I want to spend a few minutes thinking through the implications of starting from a different point of view.</p>
<p>The &ldquo;people suck at thinking about risk&rdquo; view certain has plenty of weight behind it. Talk to any risk professional and they&rsquo;ll have hair-raising stories about people doing intensely idiotic things, believing themselves to be safe. (I once witnessed a person who could barely swim launch themselves into dangerous whitewater without any plan to get out, and, after being pulled out by their shoulders, continue on the trip blithely unaware that they had been moments away from drowning.) Any software engineer with a modicum of experience will tell you about launching software known to be unsafe or unstable, only to have management be genuinely shocked when the inevitable eventually happens. And then there&rsquo;s the reams of social science research and pop psychology to back this up &ndash; Nicolas Taleb (<em>Black Swan</em>) has made a very lucrative career covering the &ldquo;people suck at thinking about risk&rdquo; beat, for example.</p>
<h2 id="experiences-that-challenge-this-framing">Experiences that challenge this framing</h2>
<p>However, in the last couple of years, I&rsquo;ve had some experiences that cut against this common narrative:</p>
<h3 id="people-have-surprisingly-keen-assessments-of-their-digital-security-risk">People have surprisingly keen assessments of their digital security risk</h3>
<p>Over the last six months I&rsquo;ve conducted dozens of <a href="https://jacobian.org/2024/nov/11/digital-security-checkup/">digital security checkups</a> (probably well over 100, but I stopped counting). My approach to risk during these calls has been to start with assuming that people&rsquo;s concerns are valid, and moving directly to actions they can take to address those concerns. In other words, I don&rsquo;t spend any time on questioning if their perceived risk is &ldquo;correct&rdquo; (unless that&rsquo;s something they&rsquo;ve explicitly asked for). If someone tells me they&rsquo;re worried about being doxxed, I take that worry at face value and talk through what they can do to prevent and respond to a doxing.</p>
<p>This wasn&rsquo;t a considered decision: it was purely pragmatic. I have 90 minutes with someone, who I&rsquo;m almost certainly meeting for the first time, and I want that time to be as valuable as possible. Starting from an assumption that the risk analysis is correct, and moving immediately to giving them tools and techniques for risk reduction just seemed like a way to make the best use of the time.</p>
<p>What really surprised me was discovering that nearly everyone I spoke to seemed to have a pretty solid grasp of their risk! Almost nobody came to me with movie-plot threats or paranoid conspiracy theory nonsense. Instead, people had pretty keen assessments of their risk: activists were afraid of their communications being monitored; pregnant people were nervous about crossing state lines to get health care; therapists working with trans people were nervous about their EMR systems being compromised; content creators worried about being doxxed; and so forth. With very few exceptions, people came to me already zeroed in on exactly the threats I would have likely identified as the most risky to them, without any prompting or help on my part. If most people are bad at thinking about risk, why wasn&rsquo;t I seeing that?</p>
<h3 id="risky-outdoor-activities-are-much-less-risky-than-they-seem-to-an-outsider">&ldquo;Risky&rdquo; outdoor activities are much less risky than they seem to an outsider</h3>
<p>And then, I&rsquo;ve had some shifting of my thoughts on risk through my outdoor adventures. In the last 3-4 years I&rsquo;ve picked up some new forms of wilderness travel that carry more <a href="https://outdoorblueprint.com/read/objective-vs-subjective-hazards/">objective hazard</a>: canyoneering, packrafting, and backcountry skiing. It&rsquo;s common to characterize people who engage in those activities as &ldquo;risk-seekers&rdquo;, or as having a &ldquo;high risk tolerance&rdquo;, but I think that&rsquo;s incorrect. Sure, a few people are — but they&rsquo;re a minority. Communities around these sports have <strong>strong</strong> cultures of safety; the people who engage in these activities think about risk in a much more sophisticated and systematic way than I&rsquo;ve encountered nearly anywhere else. To put the finest point on it: these communities are significantly better at thinking about risk than the software and security communities. I apply risk tools I learned outdoors to computer things <em>far</em> more often than I apply risk tools learned at a keyboard to my &ldquo;risky&rdquo; outdoor activities.</p>
<p>Many people — including me — are drawn to these activities not by the risk but by the challenge of risk mitigation. It&rsquo;s tremendously satisfying and empowering to develop the skills that allow making something that could be dangerous acceptably safe. Many (most?) people who engage in these sports aren&rsquo;t &ldquo;risk-seekers&rdquo;; rather, they&rsquo;re &ldquo;risk-mitigation-enjoyers&rdquo;.</p>
<p>Return to the picture at the top of this post. If you&rsquo;re unfamiliar with canyoneering, the &ldquo;people suck at thinking about risk&rdquo; framework would lead you to think that I&rsquo;m most likely deluded about the risk. But the &ldquo;trust people to assess their own risks&rdquo; framework will lead you to conclude that we&rsquo;ve thought carefully about doing something like this, and taken proper steps to mitigate risk. And indeed, if we spent time talking through the risks and the safety systems we&rsquo;re using to mitigate them, I think you&rsquo;d conclude, as I have, that the most dangerous part of the day was driving to and from the trailhead.</p>
<p>It&rsquo;s counterintuitive, but I believe that engaging in activities with more hazards has made me <em>more</em> safe outdoors, rather than less. That&rsquo;s because these activities have forced me to think about risk much more carefully, and learn more tools to mitigate those risks.</p>
<h2 id="implications-of-a-trust-people-to-assess-their-own-risks-narrative">Implications of a &ldquo;trust people to assess their own risks&rdquo; narrative</h2>
<p>So, what would it mean if, instead of assuming that &ldquo;people suck at thinking about risk&rdquo;, we started from a foundation of trusting someone&rsquo;s risk assessment?</p>
<p>The major benefit is that we get to skip a whole complex risk analysis discussion and <strong>skip directly to the giving people tools to mitigate risk</strong>. Practically-speaking, I&rsquo;ve found it very difficult to convince people to change their risk assessment; unless they&rsquo;re explicitly asking for help calculating risk, telling someone they&rsquo;re wrong about their risk assessment is unlikely to go over well. I once encountered a group of young men getting into a position for a fairly dangerous cliff jump &ndash; a jump that kills about one person a year<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup>. I tried to convince them not to jump, but obviously that didn&rsquo;t work. How often does telling someone they&rsquo;re thinking about risk &ldquo;wrong&rdquo; actually work?</p>
<p>But what if that&rsquo;s because people aren&rsquo;t actually taking &ldquo;too much&rdquo; risk, but instead they&rsquo;re taking the right amount of risk <em>for them</em>, and really only need better tools to manage their risk? What if instead of telling them not to jump I&rsquo;d told them where the bolts were and encouraged them to get the gear to rappel next time?</p>
<p>This is basically a harm reduction approach to risk. Instead of trying to convince people to change their behavior wholesale, we give them tools to make their current behavior safer.</p>
<p>Here&rsquo;s a good example from the security field: password management. This came up in most of the digital security reviews I performed; nearly everyone had questions here. There&rsquo;s a &ldquo;correct&rdquo; answer here according to conventional wisdom in the security industry: use a password manager, and use different passwords for every site. But the people I spoke to had a very wide range of digital expertise and &ndash; let&rsquo;s be real here &ndash; password managers aren&rsquo;t exactly the easiest piece of software to use. Nearly everyone I&rsquo;d spoke to knew about password managers, most had tried them, but many had had terrible experiences of getting locked out of something important, and had fallen back to some other technique.</p>
<p>The &ldquo;people suck at thinking about risk&rdquo; framing would tell us that these people are making incorrect risk/reward judgements. Yes, password managers are hard to use, but the risks they mitigate make it worth it to power through. This framing would tell us we need to help these people understand that risk better, and once they see how risky their behavior is, they&rsquo;ll choose the password manager.</p>
<p>Man, I don&rsquo;t know. That feels pretty dismissive of the actual lived experience of trying to use the tools balanced against that actual practical real-world impact of an account breach (which, for most people, ends up being more of an annoyance than a life-changing event). So the approach I took was to assume that people were basically correct about their risk/reward judgement, and to try to give them suggestions and nudges to improve their current behavior. If they were using the same password everywhere, I&rsquo;d explain about credential-stuffing attacks, and encourage them to use a unique password on a few of their most important accounts (email, banking, medical records, etc.). If they were writing passwords down somewhere, I&rsquo;d help them make sure that it was a good somewhere. If they were using a password manager but struggling, I&rsquo;d help debug or suggest an easier-to-use password manager. And so on.</p>
<p>Is this the &ldquo;right&rdquo; approach? At the end of each of these calls, very few of the folks I spoke to were doing the best possible thing according to conventional wisdom. By that mark, no, not great. But nearly everyone I spoke to about passwords left the call a little better protected than they were earlier that day. I think if I&rsquo;d tried to browbeat people into using password managers I&rsquo;d have had little success. A world where I help dozens of people make a modest improvement feels better to me than one where I&rsquo;m only able to convince a small handful to make a huge improvement.</p>
<p>There&rsquo;s a pragmatic wisdom to starting from a position of trust. Maybe people aren&rsquo;t always making perfect risk decisions, but treating their concerns as legitimate is often the only way to have a productive conversation about risk at all.</p>
<h2 id="this-is-a-conversation-starter-not-a-strong-argument">This is a conversation-starter, not a strong argument</h2>
<p>I must admit that this approach makes me deeply uncomfortable in some contexts. I can&rsquo;t bring myself to &ldquo;trust people&rsquo;s risk assessment&rdquo; about vaccines, for example. There&rsquo;s objective scientific evidence here, and anti-vaxxers are just totally wrong.</p>
<p>So I&rsquo;m not trying to make a strong argument here that &ldquo;trust people&rsquo;s risk assessment&rdquo; is a better way of framing risk than &ldquo;people suck at thinking about risk&rdquo;. But I am arguing that we should keep both framings in mind, and probably choose the &ldquo;trust&rdquo; approach more often than we do.</p>
<p>What do you think? <a href="/contact/">Get in touch!</a></p>
<div class="footnotes" role="doc-endnotes">
<hr>
<ol>
<li id="fn:1">
<p>Punchbowl Falls on the Eagle River near Portland. The waterfall is stronger than it looks and can hold people down; the cliff is less vertical than it looks and people sometimes hit the wall; and there are often invisible submerged logs in the pool. On a warm summer day it looks like a great easy super fun jump, but it&rsquo;s significantly more dangerous than it looks.&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
</ol>
</div>
]]></description></item><item><title>Ultralight Heresies</title><link>https://jacobian.org/2025/jul/21/ultralight-heresies/</link><pubDate>Mon, 21 Jul 2025 00:00:00 +0000</pubDate><dc:creator>Jacob Kaplan-Moss</dc:creator><guid>https://jacobian.org/2025/jul/21/ultralight-heresies/</guid><description><![CDATA[<ol>
<li>
<p>10 pounds is a ridiculous and arbitrary limit chosen entirely on the basis of how &ldquo;nice&rdquo; the number 10 sounds. If the US was on the metric system, would it have been 10 kilograms instead? If we used a base 16 number system would it be 16 pounds?</p>
<p>A slightly better target would be a percentage of body weight, but …</p>
</li>
<li>
<p>The original &ldquo;point&rdquo; of the ultralight ethos is that experience can substitute for gear. A ultralight tarp weighs much less than a tent, but you have to know how to pitch it, select a site that&rsquo;ll help shelter you from rain and wind, etc. The experience needs to come first, then the gear.</p>
</li>
</ol>
<!-- prettier-ignore-start -->
<ol start="3">
<li>
<p>There&rsquo;s no single point below which you are &ldquo;really&rdquo; ultralight, that&rsquo;s just gatekeeping. There are instead two important inflection points:</p>
<ol class="list-items-tight list-upper-alpha">
<li>The weight below which your hiking speed is more or less unaffected by the pack.</li>
<li>The weight above which your pack is noticeably heavy and uncomfortable.</li>
</ol>
<p>Importantly, these inflection points differ for each person <em>and for each pack</em> — the comfort zone for a flimsy frameless pack is quite different from that of a full suspension load hauler.</p>
</li>
</ol>
<!-- prettier-ignore-end -->
<ol start="4">
<li>
<p>Adding weight as long as you don&rsquo;t cross an inflection point is basically free. Cutting out luxuries or spending money to get lighter when doing so doesn&rsquo;t change your subjective experience of backpacking is an exercise in gear hoarding or showing off online, not something that actually matters.</p>
</li>
<li>
<p>&ldquo;Base weight&rdquo; is a ridiculous concept. What matters is the weight on your back. A better metric than base weight is &ldquo;average pack weight&rdquo;: how much are you carrying, including food and water, at the midpoint of your trip? (Or the midpoint between resupplies.)</p>
</li>
<li>
<p>Making gear lists and weighing individual items can be fun (I love me a good spreadsheet), and is a useful exercise to figure out where the weight is coming from. But it&rsquo;s totally useless if you don&rsquo;t weigh your actual pack — with food and water.</p>
</li>
<li>
<p>For any trip longer than a couple-three days, efficient food weight matters more than gear weight. Seven days worth of food at 100 calories per ounce weighs over 15 pounds; at 125 calories per ounce you save 3 pounds. Or you could spend $800 on a Dyneema tent and save 6 ounces.</p>
</li>
<li>
<p>SmartWater bottles suck. They don&rsquo;t last, contributing to plastic waste; the caps are easy to lose rending them useless; the narrow mouth makes the hard to fill from shallow water sources and hard to add drink mixes too; and they melt if you put boiling water in them, so they can&rsquo;t be used as a hot water bottle in cold conditions, narrowing your safety margin. The Nalgene has been the right answer all along.</p>
</li>
<li>
<p>The point of a trip is to have fun. Maybe Type 2 fun, but fun all the same. Generally speaking you&rsquo;ll have a better time with a lighter pack, but that&rsquo;s not a law of the universe. Once you&rsquo;ve reached the point where cutting out gear is leading to a much worse experience, stop and add back some luxurious.</p>
</li>
<li>
<p>Stay off r/ultralight. <a href="https://andrewskurka.com/the-right-way-to-backpack-hike-your-own-hike/">Bring the gear that&rsquo;s appropriate to your trip objectives and conditions</a>.</p>
</li>
</ol>
]]></description></item><item><title>🔗 Evan Reese - Custom OnShape features</title><link>https://jacobian.org/bookmarks/1244762452/</link><pubDate>Sat, 12 Jul 2025 13:37:07 +0000</pubDate><dc:creator>Jacob Kaplan-Moss</dc:creator><guid>https://jacobian.org/bookmarks/1244762452/</guid><description>&lt;p>A bunch of really useful custom features for OnShape&lt;/p>
</description></item><item><title>TIL: 3d printed parts have different strength characteristics than conventionally-manufactured parts</title><link>https://jacobian.org/til/3d-printing-strength/</link><pubDate>Tue, 08 Jul 2025 00:00:00 +0000</pubDate><dc:creator>Jacob Kaplan-Moss</dc:creator><guid>https://jacobian.org/til/3d-printing-strength/</guid><description><![CDATA[<p>An interesting 3d printing lesson about how the physical characteristics of printed parts differ from other manufacturing:</p>
<p>I needed to replace a rubber hydraulic hose retention strap on my tractor. The part&rsquo;s $40 + shipping &ndash; ludicrous for a 6x2&quot; strip of rubber &ndash; so perfect to try to replicate. I have some TPU filament that&rsquo;s of similar flexibility, let&rsquo;s go.</p>
<p>For V1, I just replicated the geometry exactly - including, without thinking about it, some little relief holes around the main hose holes:</p>
<figure class="my-4 w-2/3 mx-auto"><img src="/til/3d-printing-strength/3d-printed-hose-clip-v1.png"
    alt="A model of a hose bracket. It&#39;s got 4 big holes for hoses, with 4 very small relief holes around the edges of each big hole.">
</figure>

<p>In the original rubber part, these holes serve to <strong>weaken</strong> the rubber around the hose holes, allowing the strap to be stretch around the hoses. But 3D printing is different: 3d printed parts make a few solid permitter loops around the outside edges of the part, and then weaker sparse patterned &ldquo;infill&rdquo; around the rest of the part:</p>
<figure class="my-4 w-2/3 mx-auto"><img src="/til/3d-printing-strength/3d-printed-hose-clip-v1-sliced.png"
    alt="A shot of the same part in the slicer, showing solid filament paths around the relief holes and sparse infill elsewhere.">
</figure>

<p>Thus, in the 3d printed part, these holes actually make the part <strong>stronger</strong> in those areas — precisely the opposite from the conventionally-manufactured rubber original. Oops!</p>
<p>The fix was to weaken those holes in a different way more suitable to 3d printing:</p>
<figure class="my-4 w-2/3 mx-auto"><img src="/til/3d-printing-strength/3d-printed-hose-clip-v2.png"
    alt="Version 2 of the part. Instead of the small relief holes, there&#39;s now a long cutout running the length of the part, connecting all the hose holes.">
</figure>

<p>(I also used the &ldquo;grid&rdquo; infill patterns, on the suggestion of a friend, because it&rsquo;s weaker in the vertical direction and thus allows the part to flex a bit more than other infill patterns that are designed to be strong in all three dimensions.)</p>
]]></description></item><item><title>Potential causes of accidents in outdoor pursuits (the Meyer/Williamson matrix)</title><link>https://jacobian.org/2025/jun/17/meyer-williamson-matrix/</link><pubDate>Tue, 17 Jun 2025 00:00:00 +0000</pubDate><dc:creator>Jacob Kaplan-Moss</dc:creator><guid>https://jacobian.org/2025/jun/17/meyer-williamson-matrix/</guid><description><![CDATA[<p class="italic">The Meyer/Williamson matrix is a framework enumerating potential causes of accidents in outdoor activities. I first ran across it in Deb Ajango&rsquo;s <a href="https://wildmed.com/book-store/lessons-learned-ii-by-deb-ajango/">Lessons Learned II</a>, but I&rsquo;ve had a really hard time finding an original source to cite. It appears to be taken from various presentations that Dan Meyer and Jed Williamson have given over several decades. There are various PDF versions floating around the web, but they tend to linkrot and I&rsquo;ve never found a good HTML version. I&rsquo;m reproducing it here so that I&rsquo;ve got a good stable HTML version to link to in the future. If folks know of a better primary source, <a href="/contact/">please get in touch</a>.</p>
<hr>
<h2 id="potential-causes-of-accidents-in-outdoor-pursuits">Potential Causes Of Accidents In Outdoor Pursuits</h2>
<div class="mt-8 xl:columns-3">
  <div>
    <p class="text-lg font-bold m-0 p-0">Potentially unsafe conditions due to:</p>
    <ul>
      <li>Inadequate area security (physical, political, cultural)</li>
      <li>Falling objects (rocks, etc)</li>
      <li>Weather</li>
      <li>Equipment/clothing</li>
      <li>Swift/cold water</li>
      <li>Animals/plants</li>
      <li>Physical/psychological profile of participants</li>
    </ul>
  </div>
  <div>
    <p class="text-lg font-bold  m-0 p-0">Potentially unsafe acts due to:</p>
    <ul>
      <li>Inadequate protection</li>
      <li>Inadequate instruction</li>
      <li>Inadequate supervision</li>
      <li>Unsafe speed (fast/slow)</li>
      <li>Inadequate or improper food/drink/medications</li>
      <li>Poor position</li>
      <li>Unauthorized/improper procedure (includes failing to follow directions, misuse of technology)</li>
    </ul>
  </div>
  <div>
    <p class="text-lg font-bold  m-0 p-0">Potential errors in judgement due to:</p>
    <ul>
      <li>Desire to please others</li>
      <li>Trying to adhere to a schedule</li>
      <li>Misperception</li>
      <li>New or unexpected situation (includes fear and panic)</li>
      <li>Fatigue</li>
      <li>Distraction</li>
      <li>Miscommunication</li>
      <li>Disregarding instincts</li>
    </ul>
  </div>
</div>
]]></description></item><item><title>Changing Directions</title><link>https://jacobian.org/2025/jun/3/changing-directions/</link><pubDate>Tue, 03 Jun 2025 00:00:00 +0000</pubDate><dc:creator>Jacob Kaplan-Moss</dc:creator><guid>https://jacobian.org/2025/jun/3/changing-directions/</guid><description><![CDATA[<p>I have two important announcements:</p>
<ol>
<li>
<p>I&rsquo;m leaving the tech industry. Hopefully &ldquo;for good&rdquo;; if not, at least &ldquo;for now&rdquo;.</p>
</li>
<li>
<p>As such, the content on this blog is going to shift, perhaps dramatically. I&rsquo;m going to be writing about a broader range of topics that interest me (projects around my hobby farm, wilderness trips, emergency medicine) &ndash; more writing for <em>me</em>, less writing for some imagined audience. (I&rsquo;ll probably still end up writing about some of the same topics as I&rsquo;ve been covering since 2020, just less often.)</p>
</li>
</ol>
<p>I&rsquo;m writing this post mostly to give myself permission to make that change, and to give readers the opportunity to unsubscribe/unfollow if they&rsquo;re not interested.</p>
<p>If you&rsquo;re interested in more details about why I&rsquo;m leaving the industry and what&rsquo;s next for me and this blog, read on.</p>
<h3 id="leaving-the-tech-industry">Leaving the tech industry</h3>
<p>I left what I hope will be my last tech job in October. In many ways it was the perfect job: work I enjoyed, great clients, co-workers I loved (and still miss), at a company whose mission and ethics I aligned with. And despite all that I found myself increasingly burnt out. I started telling people that &ldquo;I love my job, but I hate my career.&rdquo;</p>
<p>I&rsquo;ve been working in tech more or less non-stop for more than 25 years, and in that time my feeling about the industry has changed dramatically. When I began, I held straightforwardly techno-utopian ideas: I believed that technology was an unalloyed force for Good, that the computer revolution would bring about a more just and equitable society. I thought the industry was going to create a Star Trek-esque post-scarcity society.</p>
<p>I cringe at past-Jacob&rsquo;s naiveté. It&rsquo;s been incredibly demoralizing to discover what the tech industry actually did was to invent surveillance capitalism, create exploitative &ldquo;gig economy&rdquo; business models, create a new generation of robber barons, enable the rise of global fascism, <a href="https://erinkissane.com/meta-in-myanmar-full-series">facilitate genocide</a>, and I could go on but Christ I&rsquo;m exhausted.</p>
<p>I&rsquo;ve been thinking about leaving the industry since at least 2016, but haven&rsquo;t been brave enough to do so. This career pays really well for easy work (physically, at least), and it&rsquo;s all I&rsquo;m good at. Doing something different is terrifying. But I&rsquo;m able to afford a change in direction, despite the massive pay cut, so I&rsquo;m doing it.</p>
<p class="aside">I want to be super-clear about this: <strong>I&rsquo;m in no way criticizing anyone who makes a different decision</strong>. Leaving a good tech career is a <em>terrible</em> financial decision, and I absolutely won&rsquo;t criticize people who&rsquo;re unable or unwilling to make such a bad decision. This is about <em>me</em>: I&rsquo;m able to make this move, so I&rsquo;m going to. There&rsquo;s no judgement of anyone else here, explicit or implied.</p>
<p>I still find computers themselves incredibly exciting. When I first learn to program, being able to make a computer do whatever I wanted felt like a superpower &ndash; and it still does! I&rsquo;m not planning a total exit from anything computer related; I don&rsquo;t think I could. I plan on continuing to be involved in the Django community and with the Django Software Foundation. I&rsquo;m continuing on as an advisor to a couple of small companies I&rsquo;ve been working with (with a change: I&rsquo;ll step down if/when those companies do a traditional VC raise). I&rsquo;m remaining open to limited advising/consulting work &ndash; though, I&rsquo;m going to be pretty picky about who it&rsquo;s for. And I&rsquo;m sure I&rsquo;ll always write software, it&rsquo;s just too fun and useful a skill.</p>
<p>My plan is to go into emergency medicine: I&rsquo;ll be training as an EMT this fall, and I&rsquo;m starting to volunteer with our local county Search and Rescue team. I plan to work as a EMT for a year or so, and then perhaps work towards becoming a Paramedic.</p>
<p>I don&rsquo;t know if this&rsquo;ll work out. It might not. But I&rsquo;m giving it a shot.</p>
<h3 id="changing-the-focus-of-my-writing">Changing the focus of my writing</h3>
<p>I&rsquo;ve been writing here since 2005. At first, this was a typical early-2000s personal blog: I wrote whatever I wanted &ndash; technical posts, recipes, live updates, whatever. Then there a long fallow period starting around 2010 when I wrote sporadically, just a few posts a year.</p>
<p>In 2020 I rebooted the blog, with a very specific editorial focus: tech leadership, focused on software engineering and security. I wrote with a fairly specific audience in mind: engineering managers and technical leads, working in software development and information security. Mostly the theme was: things I wish someone had told me before I messed it all up. I put a concerted effort into building an audience for this content, and I think I&rsquo;ve been pretty successful at it. I&rsquo;m happy with the results, at least. I&rsquo;m sure I&rsquo;ll keep writing about these topics &ndash; I remain fascinated by risk decisions, and will almost certainly continue my <a href="/series/risk/">Thinking About Risk</a> series.</p>
<p>But as I step away from tech, I find the things I&rsquo;ve been writing about since 2020 less and less interesting. I&rsquo;ve been wanting to write about a broader range of topics for well over a year, but have felt constrained by my own editorial choices. So a large part of writing this post is just to give myself permission to stop writing for this imagined audience, and go back to writing more for myself, for the pleasure of writing itself.</p>
<p>The editor in my head is telling me that I need an effective ending to this piece, and that I shouldn&rsquo;t publish it without one. But that&rsquo;s the same guy telling me to stay in my lane, so&hellip;</p>]]></description></item><item><title>🔗 Decision making matrix for alpine climbing</title><link>https://jacobian.org/bookmarks/1039517808/</link><pubDate>Tue, 13 May 2025 15:36:29 +0000</pubDate><dc:creator>Jacob Kaplan-Moss</dc:creator><guid>https://jacobian.org/bookmarks/1039517808/</guid><description>&lt;p>Great example of a simple risk framework in action.&lt;/p>
</description></item></channel></rss>