Bad input validation is the main underlying cause of many application security issues, because we haven’t made it easy enough for developers to implement good input validation. So how about a TypeScript[1] like language to resolve that – ValidScript – a language that makes it easy to do input validation?


Wendy Nather recently asked me:

Survey for my talk at OWASP’s 20th Anniversary conference:

In the last 20 years, what’s one of the most important things you personally have learned about appsec?

After not much thought my answer was:

Input validation should be baked into languages and frameworks, to make it stupid easy for developers to write safe apps, but still isn’t.

I then went on:

My thinking here is that if there was a language (likely a JavaScript derivative like TypeScript) that treated input as UNSAFE until it washed through a set of standard validators, then we could get to the place on input safety that we seem to have achieved with memory safety in Rust. The compiler would essentially support an input taint checker.

Wendy suggested that I should blog about it. This is the post. I’m calling my invented language ‘ValidScript’, and I’m somewhat amazed that the name isn’t already taken[2].

The problem

The OWASP Top 10 has pretty much remained the same for the whole time it’s existed. The ordering might shuffle around a bit, but the underlying problems remain firmly entrenched.

The root cause for many of those underlying problems is not doing (adequate) input validation.


Because input validation hasn’t been made easy enough. Because in every popular language it’s still left as an open ended exercise for the developer to write their own validator.

We’ve made great progress on memory safety

The proliferation of garbage collected languages made it harder to coerce a buffer overflow from some bad input, and then Rust came along to provide memory safety without the garbage collection overhead (you just have to fight with the compiler borrow checker instead).

But that doesn’t really solve the problem

Buffer overflows are just one of the things that can go wrong. Bad input can still go on to cause database injection, cross site scripting, insecure deserialization etc.

An example

I maintain some scripts to dump cards from GitHub projects into a .csv file that can be imported into Planning Poker. Our scrum master, who’s the primary user of the scripts, complained that an import had been truncated to just 7 cards (from 18). I took a look at the file[3], and it was quickly clear what had gone wrong. Somebody had put a comma into an issue title, which put too many columns in that row and resulted in a bad import. I’d failed at input validation (and frankly so had the Planning Poker importer[4]).

I’d note that this code doesn’t even directly take user input. It’s reading stuff out of the GitHub REST and GraphQL APIs, which both output JSON. But valid JSON doesn’t necessarily make for valid .csv.

Of course I can take to Stack Overflow and find out how to strip out any commas with something like:

title = card["title"].replace(",", "")

But that doesn’t deal with other special characters that might cause trouble in my .csv, and it quickly becomes unwieldy (and slow) if I run the string through multiple replace operations.

So back to Stack Overflow for a more general purpose approach:

title = re.sub('[^A-Za-z0-9]+', '', card["title"])

But that strips out all the spaces, and a few other characters that I still want, like @ and .

Also I see some very long titles, that I want to truncate, which means I end up with:

title = re.sub('[^A-Za-z0-9@. ]+', '', card["title"])[:80]

This should not involve Google and Stack Overflow

My modest proposal is that the ValidScript language has input validation built in.

If you want your code to compile, then you have to specify where input is going, so that an appropriate validator can be applied.

For the case above I’m putting my input (from the GitHub API) into a .csv file, so I’d choose the CSV validator.

The validators can of course be overridden, but that’s an active choice, and the aim is to have safe defaults.
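
A run-time sketch of this idea in Python, the language of the snippets above. It is an added example, not code from the original post and not ValidScript itself; the names Unsafe, wash, csv_validator, html_validator and the sample titles are constructed for illustration. Python cannot refuse to compile the program, so misuse raises TypeError at run time instead.

```python
import csv
import html
import io
import re

# Control characters (including newlines) that would break a one-line CSV cell.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]+")


class Unsafe:
    """External input that refuses to act as text until a validator is applied."""

    __slots__ = ("_raw",)

    def __init__(self, raw):
        self._raw = str(raw)

    def __str__(self):
        # str(), f-strings and "%s" formatting all end up here and fail loudly.
        raise TypeError("Unsafe input used as text; choose a validator for its destination")

    def __repr__(self):
        return "Unsafe(...)"  # keep the raw value out of debug output

    def wash(self, validator):
        """The only way out. Passing a non-default validator is the explicit override."""
        return validator(self._raw)


def csv_validator(raw, max_len=80):
    """Safe default for a CSV cell: single line, trimmed, capped at max_len characters."""
    one_line = CONTROL_CHARS.sub(" ", raw).strip()
    return one_line[:max_len]


def html_validator(raw):
    """Safe default for HTML text content: escape markup and quote characters."""
    return html.escape(raw, quote=True)


def cards_to_csv(cards):
    """CSV sink: takes (number, Unsafe title) pairs; quoting is left to the csv module."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(["number", "title"])
    for number, title in cards:
        # Commas and quotes are kept; csv.writer quotes and doubles them as needed.
        writer.writerow([int(number), title.wash(csv_validator)])
    return out.getvalue()


def parse_back(text):
    """Read the CSV text back, as an importer would, to check the column count."""
    return list(csv.reader(io.StringIO(text)))


# Constructed sample titles, modelled on the kinds of bad input described in the post.
SAMPLE_CARDS = [
    (101, Unsafe("Fix login, logout and signup")),   # comma in the title
    (102, Unsafe('  Rename "secondary server')),     # leading spaces, mismatched quote
    (103, Unsafe("Scope:: decide\nwhat ships")),     # double colon, embedded newline
    (104, Unsafe("x" * 200)),                        # very long title
]

if __name__ == "__main__":
    text = cards_to_csv(SAMPLE_CARDS)
    print(text)
    for row in parse_back(text):
        print(len(row), row)
```

Unlike the regex approach, the title keeps its commas and quotes, and every row still reads back as exactly two columns.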


Input validation should be a first class construct of a programming language, and that’s what ValidScript would do. To make it easy to do input validation, to make it easy to avoid OWASP Top 10 mistakes.


1. I’m not a huge JavaScript fan, but I get the reasons why it’s #1, so building on the TypeScript approach seems like a pragmatic way of reaching the most people. I’d also note that most of the issues come from strings, so extending the TypeScript approach to better string safety seems sensible.

2. I already grabbed validscript .com, .org & .net and for now I’ll get them redirected to this post.

3. Looking closer at the file it’s almost like The @ Company team were playing a game of bad input golf. Double colons, leading spaces, mismatched quotes, the list goes on.

4. The importer shouldn’t have failed on one bad line, and I’d expect it to continue with the other lines.


This post has been a long time in the making. But a couple of things happened in the past week that prodded me to finally write it.

Firstly there’s this epic thread from Shahid Kamal Ahmad about becoming a games developer in the early 80s.

And then there was the awful news of the passing of Sir Clive Sinclair, who made computers cheap enough that I was able to write programs in the first place.

The early part of my story was very similar to Shahid’s. I even once put a classified ad into a computer mag for my awful BASIC ‘Draw’ program for the Dragon 32, and I too got zero orders. I was younger, and a bit slower to learn machine code, so when ’84 came around I wasn’t the kid being asked to port Jet Set Willy to the C64.

It was October ’86 before I got anything published, and then I hit jackpot with two programs in the same month.


The first to hit the news stands was Commodore Computing International (CCI), who carried my Simon program for the C16 and Plus/4:

CCI never actually paid me for it, despite various chasing phone calls, letters, invoices etc.

This wasn’t the last time I coded Simon. It became one of those things that I often repeat as a way of learning my way around a new language or platform.

Commodore 1541 Disk Utilities

Personal Computer World (PCW), my favourite magazine of the era, published these, which I used frequently myself:

PCW did pay (£60 if I recall), and then a little while later another cheque came from VNU for ‘Synd pub’, which was a pleasant surprise. I think the cash went towards paying my mum back for the Star LC10 printer I’d bought so that I could produce decent listings.

The front pages

CCI was featuring ‘Hands on the 64C’

and PCW heralded the debut of Amstrad’s cheap PC clone, the 1512, which was about to earn me a lot of pocket money as I got the small businesses of North Shields up and running on Sage accounts etc.

Who’s C Whitfield?

The eagle eyed amongst you might be wondering who C Whitfield was. That was me. Long story, and not one that I really want to recount here…

Here begins a new series for this blog…

I’ve been writing to Craig Murray whilst he serves his prison sentence for contempt of court arising from his reporting of the Alex Salmond trial.

I don’t recall how I first came across Craig, and his first book Murder in Samarkand, but I’ve been a keen follower of his blog (and reader of his subsequent books). I can’t say I agree with him on everything (who does?), but he’s succeeded in opening my eyes to how the world (and particularly the British Establishment) really works.

His campaign team have been encouraging people to write to Craig to help the time pass, and so I’ve been doing that. But I was also a little bothered that it was taking writing time away from blogging, so I asked Craig if he’d be OK with me posting some of my letters, and he agreed.

I’m not going to post the first 4. In part because they were written before I’d asked Craig about blogging, and in part because they were just getting to know each other stuff.

There’s likely to be a lot more politics than my usual output, and a leaning towards Scottish politics, as that’s one of Craig’s main concerns.

Letter #5 Delivered 12 Sep 21

Hi Craig,

It was nice to get such a swift reply to my last letter. I was just getting used to a weekly(ish) cadence, and thinking about sending something out of sequence, then boom, a reply inside a week.

It’s a shame that none of the books have reached you yet. The optimist in me hopes that they’re going through some protracted process to be added to the library. But I fear that they might just have been chucked out in line with Grayling’s spite. I’ll hold off sending anything else until you confirm that books are making it through.

I probably spent too much time on Twitter, but a couple of things passed through my time line this week that I feel would grab your interest:

Firstly this from Leah McElrath: “A global right-wing movement is underway to try to destroy democracies, accelerate social collapse, and cement authoritarian control of human populations and resources. It’s happening. The only remaining question is how to respond.” I’d be interested in your view on how to respond?

Leah has previously focussed much of her ire on Putin and Surkovism, but comments “Often I’ve focused on Putin’s role in some of this, but it’s a movement that transcends boundaries. The organizing principle seems to be raw power, not national identity.”

Scottish independence seemed to be the antidote to all this, at least locally, until the petty corruption of St Nicola and her cultists became clear to see.

Then there was a hilarious take down of some crackpot crypto bro idea of having cruise ships outside of territorial limits where they could be their whole libertarian selves without any state oversight. As a specialist on international maritime law it seemed like something you’d enjoy taking apart in a blog post. The whole thing is essentially Sealand on steroids, but with people who research things so superficially that Sealand won’t even have registered. So ultimately they seem to want to cosplay Waterworld.

At about the same time the FT published ‘Inside the cult of crypto’, which did a decent job of dissecting the bros’ Ponzi scheme along with the climate catastrophe and lawlessness it drives. I mined some bitcoin in 2013 to learn how things worked, which was enough to show me the den of scum and villainy that’s been allowed to grow too big.

Speaking of blog posts, I wonder if you’d object (or indeed have legal troubles) if I were to post some of these letters (and summaries of your replies) as a ‘Letters to Craig Murray’ series on my blog?


Highlights of Craig’s reply

Certainly you can publish if you wish.

I found that guilt at having such a pile of unanswered mail was stopping me from concentrating on the research materials I have here for my biography of Lord George Murray. I therefore worked hard to clear the backlog and keep up to date. The perverse effect of this is that people feel obliged to also write back immediately, so instead of writing once a week they struggle to write four times a week and so no research gets done anyway.

Books are beginning to trickle through the system.

August 2021



Max had his first birthday, and Milo is now able to join him on walks after being vaccinated.

They also go down to sleep at night in their pen downstairs, which is a step in the right direction. Though there’s been some amazing escapology from Max, and we’re still working on mornings.


After the trouble I had with boots last month, it was the turn of trainers this month. I don’t exactly remember when I bought my pair of Reeboks, but it might have been as far back as 6th form college days, so over 30y ago. I don’t wear trainers as a matter of course, but they do get used for my daily workouts. So they haven’t just been sat in a cupboard.

For a while I’ve been gluing various bits back into place, but the whole sole came away, and my attempt at regluing it didn’t hold up. So I have a new pair of ‘Quick Chase’ trainers, that look similar to my old ones, but maybe aren’t so comfortable.

Up North

My daughter has been checking out universities for next year, and wanted to take a look at Durham and York. So it was road trip time, except we didn’t want to drive, so it was actually train trip time. The original plan was York, Durham, and then Newcastle to visit friends and family. But that had to be reversed to fit into how breaks of journey are allowed on train tickets. It all worked out just fine, with the exception of the Ibis Hotel in York, which earned itself a review titled ‘Second worst hotel stay of my lifetime’[1].

It was great to see my dad for the first time in 18m, and my sister for the first time in years. It was also good to return to York. I haven’t missed the place in the years that I’ve been away, but it was good to be reminded why it’s my favourite city in England.

Documentation, Samples & Examples

Adam Gordon Bell’s ‘An Introduction to JQ’ shows how it should be done. I’ve been using jq for a while, but I always struggled with getting queries right, because I wasn’t getting the fundamentals. Perhaps if I was experienced in JSON wrangling in JavaScript it would be obvious, but I’m not, so it wasn’t. Adam’s guide fixed that for me, and I was also pleased to find jiq via the HN comments thread.


I like a beer/wine/whisky, but sometimes it’s nice to skip the alcohol. I needed to restock on Ginish, and found a good price at Wise Bartender, so I used their free shipping on £59 orders as an opportunity to try some other drinks:


This is supposed to be like an Aperol Spritz, but I found it more like Kinnie, which I’ve had before when visiting Malta. Not a hit with the ladies of the house.

Belle & Co (Bees Knees) Sparkling Alcohol Free Sparkling Brut

It wasn’t clear that the SpritISH was a pre mixed drink, so I got some fizz to mix with it. Sadly this one tasted like fizzy grape juice, and cost a lot more than Schloer.

McGuigan Sparkling

This on the other hand tasted to me just like a good dry fizz. I like it a lot. But unfortunately the ladies of the house found it vinegary. Which is weird, as they’re enjoying Equinox Organic Kombucha, which I think tastes like fizzy fruity vinegar.

Thatchers Zero Alcohol Free Cider

There was a risk of this tasting like fizzy apple juice, but it doesn’t. I’ll be getting more.

Erdinger Alkoholfrei

I’d tried this one before after being introduced to it by a neighbour, but not in cans. They’ve done a really good job with this, as it tastes just like a proper Weissbier. If only I liked that style more.

Coast Beer Co Alcohol Free DDH IPA

This is the style I like, and it’s really well executed. Another one I’ll buy again. I also got their Single Hop Series Centennial IPA, but I’ve yet to try that, and it seems to be out of stock now.

Beavertown Lazer Crush Alcohol Free IPA

I like a lot of what Beavertown do, but sadly this didn’t hit the mark.

Cloudwater Green Tea & Simcoe Sour Soda

I’ve saved the best until last. I love Cloudwater beers, but this isn’t a beer. It is however really tasty and refreshing. I’ll be getting a sample box for the full range next time.

Pi Stuff

Not much going on with my own Pis this month, but this State of netbooting Raspberry Pi in 2021 caught my eye.

Beating Beat Saber

Another month of hardly putting the headset on, so not much to report. My excuse is that my Apple Fitness target for the month was 250km walking or running, but I missed that too – not by a huge margin, but by enough that I wasn’t tempted to just head out and do one big walk to make up the distance.


[1] If you’re wondering what was worse, it was the New Yorker back in 2003 when it was part of the Ramada chain. Over an hour to check in, waiting with a tired and cranky 2y old. A room that felt like a plumbing cupboard that they’d squeezed a bed into, and the eye rolling receptionist when I’d looked at another room, but asked for one that was hygienic. Third time was the charm though; if we’d had that room from the start it would just have been the check-in that was awful.



In my July 2021 post I mentioned being a bit miffed about my hiking boot falling apart:

I was annoyed when it happened as:

  1. I’d hardly worn those boots, as they’d been bought as replacements when my beloved Timberlands had fallen apart
  2. The (repaired) beloved Timberlands had been left at home
  3. Now I needed to buy replacements for my replacements for the planned hike up Helvellyn

I subsequently learned that polyurethane (PU) soles have a nasty habit of doing this, even if they’ve been left in a nice dry cupboard for years on end.

This left me with a dilemma – should I spend money on getting them fixed? In the end I sent them off to Cheshire Shoe Repairs thinking that the repair and return postage would be £59. But I hadn’t reckoned on the need for a midsole (£20) and re-randing (another £20). This worsened the dilemma, but in the end the chap from Cheshire made a convincing case that the repaired boots would likely last longer than any new boots I might buy. Also with Vibram soles my Contour boots would be pretty much up to the same spec as the Scarpa boots they were a cheaper version of.

They came back today, and are looking good, and of course they’re as comfortable as they ever were (which was great from day one).

Part of my motivation in getting the Contour boots repaired is that my beloved Timberlands are still going strong after their repair. I got the Timberlands on my first trip to the US in 1997. We were staying at a hotel on International Drive in Orlando, and near the end of the week we discovered a bunch of ‘outlet’ shops, which included Timberland. I found some nice Gore Tex lined boots for (if I recall correctly) $140, which made them a lot less than £100 (a real bargain at the time). I still have the bumf that came in the box:

I wore those boots for my 2008 Helvellyn hike:

But when I got home the original soles were shredded, and those boots weren’t going to come on another hike with me, so I bought the Contours the next day. The shop I got the new boots in had leaflets for a boot repair place (Lancashire Sports Repairs if I recall correctly), which did a great job of putting a Vibram sole on the Timberlands.

Thirteen years later they’re still looking great on the outside:

Though the wear on the inside suggests that they won’t be getting rebuilt again.

But now I have another pair of boots to spread the walking over, as I got some Meindl Merans for that Helvellyn hike (which never happened due to my daughter being bitten by an insect).

They’re super comfortable, though I’ve not had the chance to properly test them yet.

July 2021



The big news this month is the arrival of Milo. So we now have double the fun.


The other big news was that we went on holiday for a week in the Lake District. The Lakes were for a while a regular family destination, and then for a variety of reasons we stopped going. But last autumn it seemed reckless to plan a holiday abroad for this year, so we checked availability on Wheelwrights, as we’d used them many times before. All they had was Keepers Cottage on the Graythwaite Estate, which was more cottage than we really needed, but we hoped that maybe the kids could bring some friends along. It was also a bit of the Lakes we’d not really spent time in before, and more isolated than we were used to.

In the end the cottage and location were perfect. It was fantastic to be able to just walk out the front door and explore the various paths and trails through the estate. It was also great to have activities and water sports facilities on our doorstep. I’ve already booked up again for next year.


I’ll do a separate post on this, but I was pretty miffed about my hardly worn Contour hiking boots just falling apart. Apparently polyurethane soles just rot away in the cupboard, which is where these boots have spent most of the last 13 years since I bought them.

As we were planning a hike up Helvellyn via Striding Edge I ended up having to buy another pair of boots.

Cookaway on holiday

As we were pretty isolated there wasn’t much takeaway food within reach, or any delivery services, so we ordered a Cookaway Indian box to be delivered (and I put the lat/long into the order details to help the delivery driver find the place). It all worked out perfectly, so we were able to enjoy a tasty fresh Indian meal on our final night.


I’ve already written a post about MapOut and OS Maps apps, and I found myself using OS Maps a lot when out walking.

Travel router

I bought a GL.iNet GL-MT1300 travel router for the trip, and it performed well, though I never tried using it for VR gaming, which is why I’d got it. My full review is here.

Insect bites

Last month Ken Corless mentioned that he’d bought a ‘Bug Bite Thing’ in his monthly update, and I thought it looked useful and got (a similar looking generic) one. Sadly it wasn’t able to help with the bite my daughter suffered that kyboshed the Helvellyn hike, but I think it saved me from some discomfort.

I’ve seen tick warnings (especially for dog owners) on previous trips to the Lakes, but I’ve never previously encountered the nasty little blighters. Things were different this time. After an arrival walk around Green Hows Tarn I found a tick on my shin the following morning, and as the week progressed another couple got me. Max was victimised more, and we were having to pull off a handful each day. I didn’t have exactly the right tool, but I was very glad I’d taken my Tweezerman hangnail clippers.

Pi stuff

I got to do some serious Pi stuff for work this month. We’ve been sharpening up the ‘distributed edge secondary server’ (dess), and one of the target platforms for that is Raspberry Pi. We already had automation in place to build Arm64 images that would work on 64bit Pis running 64bit OSes; but most people run Raspberry Pi OS (previously Raspbian), which is still 32bit, and that needs Armv7 images. Building Armv7 images for Dart based stuff doesn’t ‘just work’ with the Docker Buildx GitHub Action, so I’ve had to set up a cloud based Raspberry Pi (running on Mythic Beasts) to be part of our continuous delivery pipeline.

I was also intrigued to see this use of a Pi – ‘Digital Film Cartridge Adds a Raspberry Pi to an Old Film Camera’, though it’s a shame that it’s not full frame. Twenty years ago I’d have loved a digital drop in for my 35mm SLRs, and Intel patented ‘Method and apparatus for taking digital pictures with an industry standard film camera’, but I guess cost for a full frame sensor, and other considerations (like dust) meant that it was never really practical.

Beating Beat Saber

I took the Oculus Quest with me on holiday, but as the weather was good it didn’t come out of its shiny new travel case. Usage was light for the rest of the month too, although I did try out the new Interscope Mixtape music pack I’d bought – so there are some fresh full combo challenges ahead.



For those who know me well you may be surprised that this is not a post about Wardley Maps. It’s about regular maps to find where you’re going, and the various mapping apps now available.


I spent last week in the Lake District, my first time back there in over a decade, after it was once a regular family holiday spot. From previous visits I had an almost complete set of Ordnance Survey (OS) Explorer Maps for the Lakes with OL4, OL5 & OL7. I’d also tried digital mapping products in the past, but the quality, reliability and safety have improved dramatically since 2010.


In a thread about “must-have” apps a friend had RT’d this from Neela Jacques:

My favorite app will only cost you a couple bucks…MapOut…downloadable USGS quad-like resolution with openstreetmap overlays… so awesome.

I had no hesitation in buying MapOut for £4.99 and downloaded the area around my home, and also the maps covering the Lakes. It quickly became clear that I wouldn’t have got lost in Bedelands Nature Reserve the previous day if I’d had MapOut in my pocket.

OS Maps

After spending a bit of time exploring MapOut I found that the maps of the Lakes were sometimes missing details[1] from the OS maps. So I took a look at their latest app, and it’s really good.

When you have data, it seems to be possible to get maps at all levels of detail, free, which is great.

Offline maps need to be bought, and there are broadly two ways to do this:

  1. Recent paper OS maps come with a digital code, which once redeemed allows the area covered by that map to be downloaded at the scale offered by that map. I’ve since bought OL6 to complete my Lakes set, and the three Explorer maps that cover the area around my home.
  2. A subscription, which then allows a given area to be saved offline.

There was a two week free trial for the subscription, so I gave it a try, and I was sufficiently impressed that I’ll buy subscriptions again when I need offline maps in places where I’m not going to buy the paper map.

With these maps available on my iPad I could plan trips, and then once out and about check on progress with my iPhone. Battery consumption when using GPS isn’t the tragedy that it used to be, so I felt safe knowing that I could check the map in my pocket without risking a flat battery (and the potential safety issues that runs into)[2].


Both apps support GPX files, and also offer a variety of routes from other sources.

I wish the Apple Fitness app allowed export of such files, but thankfully the Apple Health app can do that (How to export GPX tracks from the Apple Watch).

So I can take a track like this:

and drop it into MapOut:

Or OS Maps


The OS Maps app is great, and definitely my favourite. But it only covers the UK, so I expect I’ll get plenty of use from MapOut too.


[1] Though when out and about I might argue that the real world was sometimes missing details illustrated on OS maps :0 There was one particular path I tried to follow one day that was very clear on the map, and very much absent from reality.
[2] For longer, more adventurous walks I’d still take a paper map and compass, though I’d also take a battery pack to recharge my phone if needed, because the map app is so much more convenient than folded paper.


A travel router has been part of my kitbag for many years, starting with a D-Link DWL-G730AP back in 2007. More recently I’ve been using a few GL.iNet GL-MT300N (v2), as they’re small and cheap enough to have in my work bag and my travel bag. I wasn’t particularly worried about speed, as I generally thought that at 300MBps the WiFi would be much faster than whatever I was connecting it to. But… for a recent trip I thought I might want to use Virtual Desktop on my Oculus Quest, and that needs fast (5GHz) WiFi.

MT1300 (left) vs MT300N (right)


The MT1300 ‘Beryl’ is a LOT bigger than the MT300N – more like the size of a pack of cigarettes than a box of matches. I wouldn’t want it in my daily bag, particularly as it also needs a USB-C supply at 3A, which is more size and weight.

More capable

The MT1300 has 256MB RAM, 32MB Flash, and a dual core SOC, which is twice the MT300N in every dimension.

The 2.4GHz and 5GHz WiFi subsystems run pretty much standalone, each with their own SSID and accompanying pre shared keys. With the flip up antennae the signal was nice and strong (even in a big old stone cottage), though I never got around to testing whether it had the throughput to support VR virtual desktop (as the sun was shining and there were better things to do outside).


GL.iNet firmware is a customised version of OpenWRT. With the MT300Ns I’ve always re-flashed them to upstream OpenWRT, but that’s not (yet) possible with the MT1300. At least the custom UI is pretty nice, and it’s easy to get to regular OpenWRT stuff via the web interface and SSH.


The MT1300 is a great router, I’m just not quite sure that it’s a great travel router. For my usual pattern of travelling hand luggage only it’s just a little on the hefty side, so I don’t see it displacing its smaller older siblings. But for trips when you’re driving, or even packing hold luggage, it’s just fine.

Dart is the main language that The @ Company uses, so after a few months here are the things that I’m missing the most:

1. YAML output

Dart is pretty much built around YAML. Dependencies are defined in a pubspec.yaml, so of course there’s a YAML parser, that’s what yaml/yaml.dart does. But:

This library currently doesn’t support dumping to YAML. You should use json.encode from dart:convert instead.

I shouldn’t have to say this, but when I want YAML, it’s not good enough to have the subset of YAML that’s JSON (and yes, I’m aware of the json2yaml and the fhir_yaml fork – neither of them are the real deal). What’s needed here is a proper YAML 1.2 dumper with round tripping, like ruamel.yaml in the Python world, though even a 1.1 dumper like PyYAML would be better than nothing.

One of the consequences of this is that Dart can’t manipulate its own pubspec files :/

As it’s Wimbledon time as I write this…

2. Stable release notifications

I’d like to know each time there’s a patch release on the stable channel, which seems like the sort of thing there would be an RSS/ATOM feed for in the good old days.

I can get major and minor releases from the Dart Announcements group, and I can get the flurry of every single dev release with the stable patches buried in there somewhere from SDK releases on GitHub. But I’ve yet to find the happy medium of something that will just keep me up to date on the Stable channel. This of course means that I can’t automate stuff to use new stable releases.

3. Restrict TLS to a minimum version

Transport Layer Security (TLS) is what Secure Socket Layer (SSL) became when it grew up, and it’s kept on growing. TLS 1.3 is the latest version, and TLS 1.2 is still alive and well.

TLS 1.0 and 1.1 were deprecated last year by RFC 8996, and Google was very much part of that plan, but work in the browser space hasn’t filtered through. This is a bad thing, as clients can force servers implemented in Dart onto less secure old versions.

This will hopefully be the first on my wish list to be fixed, as just a few days ago the SDK issue #37173 (opened 6 Jun 2019) ‘SecurityContext with minimal protocol version’ was bumped to P1, and had the label customer-google3 attached.

I’ll keep this updated

As the items above (hopefully) get resolved, I’ll drop them down here and add stuff that’s either less important, or that I haven’t encountered yet.

Meanwhile… WASM Modules

Dart getting support for Web Assembly (WASM) with dart-lang/wasm is super cool, and opens the door to lots of potential in the future. I’m just left wondering why WASM was more important than say YAML output? The cynic in me suspects that the incentives within Google are aligned such that new and shiny trumps mundane but useful when it comes to promotions etc.

Now… if only there was a good WASM module for dumping YAML… lots of parsers, but…

June 2021



My Apple Fitness challenge for June was to walk/run 225.5km, which resulted in some bonus walks for Max, despite the mostly awful weather.

Back to London

I went into London for the first time in 15 months. It was for an emergency dentist visit (which turned out OK), but it’s a trip I’d rather not have needed to make. The trains were pretty quiet, though mask discipline was sketchy – lots of chin maskers, and mouth only maskers.

Veterans Railcard

Returning to London gave me a reason to buy a Veterans Railcard. It’s a much better deal than the Network Railcard I used to get, as it provides 1/3 off a much wider range of fares – including peak time tickets and 1st class.

Slightly annoyingly though all four times I tried to use a ticket at an automated gate it didn’t work. I get that they need to occasionally check that people haven’t fraudulently bought railcard tickets without the railcard itself, but 100% feels more like harassment than random sampling.

Daughter Driving

I wrote back in February about $daughter0 getting a Mini for her 17th birthday so she could start learning to drive. Despite all the obstacles of lockdown, and post lockdown shortages of driving lessons and test availability she managed to pass first time with no professional lessons. When she grabbed a cancellation booking at the local test centre there were only 12 days to go, which resulted in some pretty intensive practice runs around the routes we found online. So when the big day arrived I thought she was ready, and indeed she was.

It’s a watershed moment in parenting when you stop having to ferry your kids around, and they just take themselves where they need to be. We’re starting to get used to it though :)


The start of the month also saw me getting my second dose of the AstraZeneca vaccine, not long followed by $wife getting hers. $son0 has also been able to get his first shot of Pfizer, which just leaves $daughter0 waiting for the government to get its act together for ‘children’ (as the way things are playing out with the Delta variant makes me feel that waiting another 6-7 months for her to reach adulthood isn’t a great strategy).

Raspberry Pi Stuff

We’ve been working on ‘Distributed Edge Secondary Server (dess)’, which lets people self host the services for their @ signs. Of course Raspberry Pis are an ideal platform for that, so I’ve been doing a bunch of stuff to ensure that the @ Platform works on them (and Arm more generally). I did a talk for the June Flutter Bangalore Meetup about Dart on Arm (slides here).

No Beating Beat Saber

I spent my exercise time walking instead. I expect I’ll be getting the headset back on for July.