Notices by Simon Willison (simon@fedi.simonwillison.net), page 4

The https://phanpy.social/ desktop timeline browsing experience is genuinely the first time I've actively enjoyed scrolling through my Mastodon timeline, it feels really fresh and the way it groups boosts together is a huge improvement on the default chronological lists from other tools

I want to run a quick informal survey on SQLite versions people have in their Python environments... could you run the following command in a terminal and reply with the output?

python -c 'import sys, sqlite3, platform; print(sqlite3.connect(":memory:").execute("select sqlite_version()").fetchone(), sys.version, platform.platform())'

I get this:

('3.45.2',) 3.10.14 (main, Mar 19 2024, 21:46:16) [Clang 15.0.0 (clang-1500.3.9.4)] macOS-14.1.1-arm64-arm-64bit

Woohoo! @kellan has a new Link Blog https://laughingmeme.org/links/

Way more people should have one of these, they're great

> Like many people I’ve been dealing with the collapses of the various systems I relied on for information over the previous decades. [...] And particular with the collapse of the social spaces many of us grew up with, I feel called back to earlier forms of the Internet, like blogs, and in particular, starting a link blog.
https://fiasco.social/@kellan/112583726435885054

I got a good quote in this story about that dumb Zoom Idea to have "digital twins" attend meetings in your place https://arstechnica.com/information-technology/2024/06/zoom-ceo-envisions-ai-deepfakes-attending-meetings-in-your-place/

Via @mhoye here's a foresightful piece about this by @anildash in 2019 https://www.anildash.com//2019/12/10/link-in-bio-is-how-they-tried-to-kill-the-web/

Several of the major social media platforms - Instagram, TikTok, LinkedIn, Twitter - have effectively declared war on linking to things and I absolutely hate it

"Link in my bio" / "Link in thread" / "Link in first comment"... or increasingly no link at all, just an unsourced screenshot of a page

Here's a brilliant neologism: "slop", for text generated entirely by LLMs and published, unwanted, on the Internet

> Watching in real time as "slop" becomes a term of art. the way that "spam" became the term for unwanted emails, "slop" is going in the dictionary as the term for unwanted AI generated content

Source: https://twitter.com/deepfates/status/1787472784106639418

I'm considering building a feature for a SaaS app that lets you "invite" a customer support person to be able to see your private data in order to help you debug an issue - where everything they look at is logged in an audit log that's visible to you and you also get to see when they "resign" from their temporary access

Is this a common feature? Has anyone seen good implementations of this kind of pattern before?

I gave a 50 minute talk at the Story Discovery at Scale data journalism conference at Stanford a few weeks ago. I've now turned the video into an extensive write-up with images, links and screenshots:

AI for Data Journalism: demonstrating what we can do with this stuff right now https://simonwillison.net/2024/Apr/17/ai-for-data-journalism/

The video includes 12 live demos! You can watch it on YouTube here: https://www.youtube.com/watch?v=BJxPKr6ixSM

Weeknotes: Three major LLM releases in 24 hours
https://simonwillison.net/2024/Apr/10/weeknotes-llm-releases/

If I have a JSON API that's protected by "Authorization: Bearer XXX" API tokens, what are the arguments against sticking these headers on it?
```
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: Authorization
```
I want users of my API to be able to access it via JavaScript from any host

The best argument I can think of is that it may encourage people to leak their private API token in publicly visible HTML documents, anything else?

I built a new tool: https://tools.simonwillison.net/ocr - it runs OCR against images and PDFs entirely in your browser (no file upload needed) using Tesseract.js and PDF.js

I wrote more about the tool and how I built it (with copious amounts of Claude 3 Opus and a little bit of ChatGPT) here: https://simonwillison.net/2024/Mar/30/ocr-pdfs-images/

Security question: there's a web API I want to use that doesn't support CORS, so I can't directly access it from JavaScript

I span up a proxy server which proxies to the API and adds CORS support, and it works - now I can call it from JavaScript

Are there any reasons NOT to use this technique in production, or release it to the wider world?

It's an API-key protected API so it wouldn't be providing access to anyone without an API Key

@inthehands @jenniferplusplus I love this analogy so much

In this case, for me at least, the ghosts are kind of real though... https://simonwillison.net/2024/Mar/23/building-c-extensions-for-sqlite-with-chatgpt-code-interpreter/

Make of that what you will!

@inthehands @jenniferplusplus maybe the analogy here holds in that sometimes a spiritualist might give you life advice that turns out to be useful anyway?

@msw Urgh what a miserable diff

There's a story doing the rounds at the moment about private GitHub repos showing up in AI training data

If your repo has ever been public there's a chance it was archived by https://www.softwareheritage.org/ and ended up in The Stack training data: https://huggingface.co/spaces/bigcode/in-the-stack

If it's never been public that obviously should NOT have happened

You can use ClickHouse and the GitHub Archive to try and see which of your repos may have been public in the past using this tool I just built: https://observablehq.com/@simonw/github-public-repo-history

"The Open in OpenAI means that everyone should benefit from the fruits of AI after its built, but it’s totally OK to not share the science (even though sharing everything is definitely the right strategy in the short and possibly medium term for recruitment purposes)." - Ilya Sutskever, in an email to Elon Musk

Nice to have that strategy confirmed in writing! https://openai.com/blog/openai-elon-musk#email-4

For those of us running our own Mastodon servers, any tips on how to deal with this flood of spam notifications? If I had a server admin I'd ask them, but I'm my own server admin!

Is there a mechanism for sharing blocklists I can subscribe to somehow?

What's your process for vetting a new open source dependency before adding it to your project?

I'm interested in language too: do you have a different process for evaluating dependencies written in JavaScript/Python/Go/Rust etc?