Gobbler’s Month One Update:

Gobbler is one month old. Overall, it’s been a stable first month, with user numbers growing and a few interesting events along the way.

Stability

According to DigitalOcean, Gobbler had over 99% uptime. There was the odd latency spike from distant regions (think us_east to se_asia), but nothing worrying. The database is also performing well as the number of entries grows (at time of writing, ~150,000).

Success, 403s, and 404s When You Least Expect Them

Despite initially working fine, *.substack.com and medium.com feeds stopped working in their entirety in weeks three and four, respectively. This has largely been resolved by routing fetches to these domains via Cloudflare egress. Gobbler has also been submitted to Cloudflare’s Bot Verification Program, which should make the egress workaround a thing of the past.

youtube.com feeds are special. For most of the day they’ll work fine, then they’ll 404 for a few hours, then they’ll work fine again. It’s a known issue and there doesn’t appear to be a solution.

The only other problematic sites belong to, or are partnered with, IGN Entertainment. We have reached out to IGN to see if this can be resolved. However, as these sites are protected by Cloudflare, Bot Verification is hopefully the long-term solution.

Outside of the above, 5% of feeds are not reachable due to network errors, and Gobbler’s article fetch success rate sits at 84%.

Improvements in Month 1

• New accounts: switched from email/password to social sign-in (Apple, Microsoft, Google) and app passwords
• Implemented WebSub support
• Improved newsletter rendering

Austin Ginder, Anchor Hosting:

Last week, I wrote about catching a supply chain attack on a WordPress plugin called Widget Logic. A trusted name, acquired by a new owner, turned into something malicious. It happened again. This time at a much larger scale.

[…]

The injected code was sophisticated. It fetched spam links, redirects, and fake pages from a command-and-control server. It only showed the spam to Googlebot, making it invisible to site owners. And here is the wildest part. It resolved its C2 domain through an Ethereum smart contract, querying public blockchain RPC endpoints. Traditional domain takedowns would not work because the attacker could update the smart contract to point to a new domain at any time.

[…]

Two supply chain attacks in two weeks. Both followed the same pattern. Buy a trusted plugin with an established install base, inherit the WordPress.org commit access, and inject malicious code. The Flippa listing for Essential Plugin was public. The buyer’s background in SEO and gambling marketing was public. And yet the acquisition sailed through without any review from WordPress.org.

WordPress.org has no mechanism to flag or review plugin ownership transfers. There is no “change of control” notification to users. No additional code review triggered by a new committer. The Plugins Team responded quickly once the attack was discovered. But 8 months passed between the backdoor being planted and being caught.

It’s truly astonishing that WordPress, despite its scale, has such exploitable supply-chain security. I’m aware of a similar npm supply-chain risk with Gobbler, though I am using both Dependabot and Socket.dev to mitigate it.¹

Let’s start with the original article by Terry Godier:

For example, if you have a 4.1 star rating in the App Store, any 4 star review is going to decrease that average. In other words, leaving a 4 star review is essentially leaving a negative review.

John Gruber:

Problem #1 […] If you’re going to collect and average ratings from users, the system that works best is binary: thumbs-up or thumbs-down. Netflix switched from stars to thumbs in 2017, and YouTube switched all the way back in 2009.

I’d add one more to this list, and certainly one that’s more analogous to the App Store: Steam. Steam’s thumbs-based model is far superior. Not only can you rate and review the game (or app), but other users can also rate your review. Potential buyers can then find and filter by the most helpful reviews. It’s a better model for all involved. See UPDATE #1 below.

Next:

Problem #2 is that even if the App Store switched from stars to thumbs, the system would still be gamified by developers, rewarding, as Godier aptly puts it, not the best apps but instead the apps that are best at “review prompt execution”. Apple should remove the APIs that allow apps to prompt for reviews, and forbid the practice of prompting for them.

Apple should remove those APIs, but they won’t, and until they do, we’re playing within that ruleset. Full disclosure, I’ve built what Terry and John are describing, Singapore Buses does include a review prompt. It’s insidiously well designed. On the third launch, the app asks for a rating.

UPDATE #1: I just discovered that the App Store also has a thumbs-up/thumbs-down rating system for reviews of an app. Long-press a review and a context menu appears with Helpful vs. Not Helpful responses. Its outrageous that this system is hidden behind a long-press.

Juli Clover, Macrumors:

Apple’s MacBook Neo has been a huge hit, and it’s still in high demand over a month after it launched. The ‌MacBook Neo‌ is just $599, and with PC makers raising prices because of global RAM shortages, the Neo’s low price tag and Apple allure are even more appealing.

MacBook Neo‌ orders placed today on the online Apple Store won’t reach customers until May, which means that it’s sold out for the month of April, as 9to5Mac points out. All colors and both the 256GB and 512GB SSD configurations will be delivered between May 1 and May 8 at the earliest.

That the MacBook Neo is a success doesn’t surprise me. I used one briefly in the nearby Apple Store and it’s a really nice laptop. For $599 you’re getting something cheaper and more capable than my iPad Pro paired with a Magic Keyboard. In fact, if the iPad Pro doesn’t start running macOS in the future, I’m not sure I’d buy another one: iPadOS hobbles the iPad Pro to the point where it can’t justify its price tag.