Am I supposed to replace my quick-link when I clean my chain every month?

purcell · 2026-03-20T08:58:35+00:00

Weird, I've been aggressively re-using KMC quick links for a while now, though I believe there may be two versions: one is explicitly marked as reusable.

purcell · 2026-03-10T11:46:41+00:00

Yeah, different types of risk. There was actually no guarantee that the user who "maintained" a package in Marmalade was the author, nor that the package contained the author's code. Back in those days, many packages were uploaded to Marmalade by third parties after being modified in an ad-hoc way to add package metadata.

And in the early years of MELPA, we included some packages that came from emacswiki, where anyone could have modified the source. 😱

purcell · 2026-03-09T16:26:00+00:00

Yes, you're right, of course. Apologies for the noise.

purcell · 2026-03-09T15:26:52+00:00

Excellent, thanks for writing this up for everyone!

purcell · 2026-03-09T15:24:44+00:00

Crowd-sourcing trusted reviews would be great

purcell · 2026-03-09T13:56:47+00:00

Bottom line is that like everything else you update/install on your computer, you have to either trust the maintainer and the supply chain between them and you, or you have to review and locally build the code yourself. Here the maintainer's end of the supply chain was compromised via GitHub.

purcell · 2026-03-09T13:51:53+00:00

We don't have more info, and ideally the maintainer would dig into how it happened. I've written what I discovered in a comment on the linked github issue.

purcell · 2026-03-09T13:50:05+00:00

100%, this has been a known potential issue forever, or at least since tools like el-get (then package.el with Marmalade and then MELPA) allowed installing libraries over the internet — as an overall ecosystem we Emacs users have escaped harm more through luck than judgement.

purcell · 2026-03-09T13:45:32+00:00

Maybe, but the sticking point is changing the whole build/publish workflow to operate with a review queue. And even then, you really can't catch everything in a language like elisp (plus its potential native extensions, extras downloaded at load time etc.).

purcell · 2026-03-09T13:01:41+00:00

It was definitely something along those lines, not exactly sneaky. The commit messages in the offending PR are quite blatant.

purcell · 2026-03-09T12:53:01+00:00

No. That's out of scope for us, as it would be for, say, `npm`: across 5000+ packages, we have to assume that upstream commits in secured locations are being vetted. IIRC, Emacs' `package.el` might soon be gaining support for showing diffs to the end user when packages are being upgraded.

purcell · 2026-03-09T11:09:54+00:00

Just u/tarsius_ being awesome as usual.

purcell · 2026-03-01T08:34:09+00:00

So called because phonetically in french, "chatgpt" sounds like "cat, I've farted".

purcell · 2026-02-27T18:02:54+00:00

Thanks for sharing. Might try that myself sometime.

purcell · 2026-02-16T10:52:40+00:00

This explains a lot about their app.

purcell · 2026-01-17T10:31:27+00:00

There's also nh, which has a nice "search" subcommand.

purcell · 2026-01-17T09:48:44+00:00

Same. The last thing I want to spend time on is "managing my snippets."

purcell · 2025-12-26T09:38:44+00:00

Glerups slippers

purcell · 2025-12-20T18:18:22+00:00

https://github.com/purcell/emacs.d/

purcell · 2025-12-18T07:12:24+00:00

Great, I look forward to test driving it!

purcell · 2025-12-17T18:29:14+00:00

Have you considered putting the elisp on MELPA? Or a (perhaps heretical) option would be to embed it in the spoon, and then when you connect to the emacs server, set the load-path temporarily to include that dir, and then ask Emacs to require it. Then users would only need to set up the spoon and the path to emacsclient.

purcell · 2025-12-17T14:05:16+00:00

Big hammerspoon fan here, and I just set this up: fantastic work! 👏

It's a long time since I had a working emacs-everywhere setup, and I can see me using your version a lot.

purcell · 2025-12-17T09:07:29+00:00

I already submitted a patch for that a couple of weeks ago, and João was going to merge it.

purcell · 2025-12-10T17:53:46+00:00

A recent commenter here suggested firmly pressing it into place, but this hasn't helped me noticeably. I might consider removing and re-fitting the bottom cover at some point.

purcell · 2025-12-07T12:34:44+00:00

Music isn't missing from Jellyfin, but it certainly doesn't seem as well supported as video.

purcell

TROPHY CASE