2025-12-08 03:00:00
I complained about this on the socials, but I didn’t get it all out of my system. So now I write a blog post.
I’ve never liked the philosophy of “put an icon in every menu item by default”.
Google Sheets, for example, does this. Go to “File” or “Edit” or “View” and you’ll see a menu with a list of options, every single one having an icon (same thing with the right-click context menu).

It’s extra noise to me. It’s not that I think menu items should never have icons. I think they can be incredibly useful (more on that below). It’s more that I don’t like the idea of “give each menu item an icon” being the default approach.
This posture lends itself to a practice where designers have an attitude of “I need an icon to fill up this space” instead of an attitude of “Does the addition of an icon here, and the cognitive load of parsing and understanding it, help or hurt how someone would use this menu system?”
The former doesn’t require thinking. It’s just templating — they all have icons, so we need to put something there. The latter requires care and thoughtfulness for each use case and its context.
To defend my point, one of the examples I always pointed to was macOS. For the longest time, Apple’s OS-level menus seemed to avoid this default approach of sticking icons in every menu item.
That is, until macOS Tahoe shipped.
Tahoe now has icons in menus everywhere. For example, here’s the Apple menu:

Let’s look at others. As I’m writing this I have Safari open. Let’s look at the “Safari” menu:

Hmm. Interesting. Ok so we’ve got an icon for like half the menu items. I wonder why some get icons and others don’t?
For example, the “Settings” menu item (third from the top) has an icon. But the other item in its grouping “Privacy Report” does not. I wonder why? Especially when Safari has an icon for Privacy report, like if you go to customize the toolbar you’ll see it:

Hmm. Who knows? Let’s keep going.
Let’s look at the "File" menu in Safari:

Some groupings have icons and get inset, while other groupings don’t have icons and don’t get inset. Interesting…again I wonder what the rationale is here? How do you choose? It’s not clear to me.
Let’s keep going. Let’s go to the "View" menu:

Oh boy, now we’re really in it. Some of these menu items have the notion of a toggle (indicated by the checkmark) so now you’ve got all kinds of alignment things to deal with. The visual symbols are doubling-up when there’s a toggle and an icon.
The “View” menu in Mail is a similar mix of:

You know what would be a fun game? Get a bunch of people in a room, show them menus where the textual labels are gone, and see who can get the most right.

But I digress.
In so many of these cases, I honestly can’t intuit why some menus have icons and others do not. What are so many of these icons affording me at the cost of extra visual and cognitive parsing? I don’t know.
To be fair, there are some menus where these visual symbols are incredibly useful. Take this menu from Finder:

The visual depiction of how those are going to align is actually incredibly useful because it’s way easier for my brain to parse the symbol and understand where the window is going to go than it is to read the text and imagine in my head what “Top Left” or “Bottom & Top” or “Quarters” will mean. But a visual symbol? I instantly get it!
Those are good icons in menus. I like those.
What I find really interesting about this change on Apple’s part is how it seemingly goes against their own previous human interface guidelines (as pointed out to me by Peter Gassner).
They have an entire section in their 2005 guidelines (and 1992 and 2020) titled “Using Symbols in Menus”:

See what it says?
There are a few standard symbols you can use to indicate additional information in menus…Don’t use other, arbitrary symbols in menus, because they add visual clutter and may confuse people.
Confused people. That’s me.
They even have an example of what not to do and guess what it looks like? A menu in macOS Tahoe.

It’s pretty obvious how I feel. I’m tired of all this visual noise in my menus.
And now that Apple has seemingly thrown in with the “stick an icon in every menu by default” crowd, it’s harder than ever for me to convince people otherwise. To persuade, “Hey, unless you can articulate a really good reason to add this, maybe our default posture should be no icons in menus?”
So I guess this is the world I live in now. Icons in menus. Icons in menus everywhere.
Send help.
2025-12-03 03:00:00
As ever, Mandy Brown casually drops a blog post that makes you examine the everyday meaning of words:
One of the imperatives in contemporary, professional work culture is to “grow.” There is often a sense of height or largeness with that imperative, as if growth must be measured in your distance up the ladder, your territory across the way. In The Soul’s Code, James Hillman implores us to think rather of growing down, of growth not of branch but root, of becoming more grounded, sturdier, less able to be pushed around by the whims of others.
I love this idea of “growing down”, becoming more rooted and sturdy.
It got me thinking about the word “growth”.
Contemporary usage of the word in business often communicates human intervention and imposition against an otherwise natural outworking.
“Growth” in a forest is different than “growth” in business.
In business, we talk about “growth hacking” as if the natural cadence of growth isn’t sufficient. It requires modification because we deem it insufficiently slow.
We “engineer” growth instead of tending it.
Personally, when I say I want to grow, I mean like a tree. Not like a cancer.
Tree growth responds to its environment and integrates with its ecosystem. Growth is sustainable, balancing expansion and repair. It scales in harmony with its context.
Cancer growth is selfish, consuming resources at the expense of its host. Growth is uncontrolled until the system that supports it collapses. It scales through extraction until failure.
When we talk about the growth of technology in the 21st century, which kind of growth do you think best describes it?
“Hey, {social media | AI} grew so big, we all sat together under its canopy and enjoyed the shade.”
Said no one.
More likely: “Hey, {social media | AI} grew so big, it metastasized beyond what society could bear and now look at the mess we’re in.”
2025-12-01 03:00:00
I wrote about the 404s I serve for robots.txt. Now it’s time to look at some of the other common 404s I serve across my static sites (as reported by Netlify’s analytics):
/wp-login.php
/wp-admin
/news/wp-includes/wlwmanifest.xml
/login/
/wp-includes/wlwmanifest.xml
/news/wp-includes/wlwmanifest.xml
/website/wp-includes/wlwmanifest.xml
/info.php
I don’t run WordPress, but as you can see I still get a lot of requests for wp-* resources.
All of my websites are basically just static files on disk, meaning only GET requests are handled (no POST, PUT, PATCH, etc.). And there’s no authentication anywhere.
So when I see these requests, I think: “Sure is nice to have a static site where I don’t have to worry about server maintenance and security patches for all those resources.”
Of course, that doesn’t mean running a static site protects me from being exploited by malicious, vulnerability-seeking traffic.
Here are a few more common requests I’m serving a 404 to:
/.env
/.env.production
/.env.local
/.env.dev
/.git/config
/data.sql
/database.sql.gz
/mysql.sql
/db.sql.gz
/backup.sql.gz
/database.sql
With all the magic building and bundling we do as an industry, I can see how easy it would be to have some sensitive data in your source repo (like the ones above) end up in your build output. No wonder there are bots scanning the web for these common files!
So be careful out there. Just because you’ve got a static site doesn’t mean you’ve got no security concerns. Fewer, perhaps, but not none.
2025-11-27 03:00:00
Patrick Collison, CEO of Stripe, interviewed Jony Ive at Stripe Sessions. Below are my notes from watching the interview. I thought about packaging these up into a more coherent narrative, but I just don’t have the interest. However, I do want to keep these notes for possible reference later, so here’s my brain dump in a more raw form.
On moving fast and breaking things:
breaking stuff and moving on quickly leaves us surrounded by carnage.
There’s an intriguing part in the interview where Ive reflects on how he obsessed over a particular detail about a cable’s packaging. He laughs at the story, almost seemingly embarrassed, because it seems so trivial to care about such a detail when he says it out loud.
But Collison pushes him on it, saying there’s probably a utilitarian argument about how if you spend more time making the packaging right, some people might save seconds of time and when you multiply that across millions of people, that's a lot of savings. But Collison presumes Ive isn’t interested in that argument — the numbers, the calculation, etc. — so there must be something almost spiritual about investing in something so trivial. Ive’s response:
I believe that when somebody unwrapped that box and took out that cable, they thought “Somebody gave a shit about me.”
I think that’s a nice sentiment. I do.
But I also think there’s a counter argument here of: “They cared when they didn’t have to, but they were getting paid to spend their time that way. And now those who can pay for the result of that time spent get to have the feeling of being cared for.”
Maybe that’s too cynical. Maybe what I’m getting at is: if you want to experience something beautiful, spend time giving a shit about people when you don’t stand to profit from it.
To be fair, I think Ive hints at this with his use of “privilege” here:
I think it’s a privilege if we get to practice and express our concern and care for one another [by making things for one another at work]
People say products are a reflection of an organization’s communication structure.
Ive argues that products are a function of the interpersonal relationships of those who make them:
To be joyful and optimistic and hopeful in our practice, and to be that way in how we relate to each other and our colleagues, [is] how the products will end up.
Ive talking about how his team practiced taking their design studio to someone’s house and doing their work there for a day:
[Who] would actually want to spend time in a conference room? I can’t think of a more soulless and depressing place…if you’re designing for people and you’re in someone’s living room, sitting on their sofa or floor and your sketchbook is on their coffee table, of course you think differently. Of course your preoccupation, where your mind wanders, is so different than if you’re sitting in a typical corporate conference room.
Everybody return to the office!
Ive conveying an idea he holds that he can’t back up:
I do believe, and I wish that I had empirical evidence
What is the place for belief in making software?
Ive speaks about how cabinet makers who care will finish the inside parts of the cabinet even if nobody sees them:
A mark of how evolved we are as people is what we do when no one sees. It’s a powerful marker of who we truly are.
If you only care about what's on the surface, then you are, by definition, superficial.
2025-11-24 03:00:00
The data is in.
The number one requested resource on my blog which doesn’t exist is:
/robots.txt
According to Netlify’s analytics, that resource was requested 15,553 times over the last thirty days.
Same story for other personal projects I manage:
“That many requests and it serves a 404? Damn Jim, you better fix that quick!”
Nah, I’m good.
Why fix it? I have very little faith that the people who I want most to respect what’s in that file are not going to do so.
So for now, I’m good serving a 404 for robots.txt.
Change my mind.

2025-11-20 03:00:00
I enjoyed listening to Feross Aboukhadijeh, founder and CEO of the security firm Socket, on the Changelog podcast “npm under siege”. The cat-and-mouse nature of security is a kind of infinite source of novel content, like a series of heist movies that never produces the same plot so you can never quite guess what happens next.
I like how succinctly Feross points out the paradox of trying to keep your software safe by upgrading packages on npm:
The faster you upgrade your packages, the safer you are from software vulnerabilities. But then the faster you upgrade the more vulnerable you are to supply chain attacks
He points out (and I learned) that pnpm has a feature called minimumReleaseAge that lets you avoid installing anything super new. So you can, for example, specify: “Don’t install anything published in the last 24 hours.”
In other words: let’s slow down a bit. Maybe we don’t need immediacy in everything, including software updates. Maybe a little friction is good.
And if security vulnerabilities are what it took to drive us to this realization, perhaps it’s a blessing in disguise.
(Until the long running cat-and-mouse game of security brings us a bad actor who decides to exercise a little patience and creates some kind of vulnerability whose only recourse requires immediate upgrades and disabling the minimumReleaseAge flag, lol.)
Later in the podcast Feross is asked whether, if he was the benevolent dictator of npm, he would do things the same. He says “yes”. Why? Because the trade-offs of “trust most people to do the right thing and make it easy for them” feels like the better decision over “lock it down and make it harder for everyone”. He’s a self-proclaimed optimist:
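To make the trade-off concrete, here is what a release-age cutoff does to version selection. This is an added example, not pnpm's implementation and not code from the post; the metadata is constructed in the shape of the "time" field of npm registry package metadata, and pickVersion and its helpers are hypothetical names.

```javascript
// Constructed sample: version -> publish time, plus the "created" and
// "modified" bookkeeping keys that registry metadata also carries.
const NOW = Date.parse("2025-11-20T12:00:00Z"); // fixed clock for the example
const SAMPLE_TIME = {
  created: "2024-01-05T09:00:00Z",
  modified: "2025-11-20T09:00:00Z",
  "1.4.0": "2025-10-21T12:00:00Z", // 30 days old
  "1.4.1": "2025-11-19T11:00:00Z", // 25 hours old
  "1.10.0": "2025-11-20T09:00:00Z", // 3 hours old
};

// Parse plain x.y.z versions; anything else (prereleases, "created") is skipped.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison, so 1.10.0 sorts above 1.4.1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Highest version published at least minAgeMinutes before `now`,
// or null when nothing is old enough yet.
function pickVersion(time, minAgeMinutes, now = Date.now()) {
  const cutoff = now - minAgeMinutes * 60_000;
  let best = null;
  for (const [version, published] of Object.entries(time)) {
    const parts = parseVersion(version);
    if (!parts) continue;
    if (Date.parse(published) > cutoff) continue; // too new, hold it back
    if (!best || compareVersions(parts, best.parts) > 0) best = { version, parts };
  }
  return best ? best.version : null;
}

console.log(pickVersion(SAMPLE_TIME, 0, NOW)); // no cutoff
console.log(pickVersion(SAMPLE_TIME, 24 * 60, NOW)); // 24-hour cutoff
```

The same cutoff that holds back the 3-hour-old release would also hold back an urgent fix published 3 hours ago, which is the tension the parenthetical above describes.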
There’s so much good created when you just trust people and you hope for the best.
Obviously Feross has an entire business based on the vulnerabilities of npm, so his incentives are such that if he did change things, he might not exist ha. So read that how you will.
But I like his optimistic perspective: try not to let a few bad actors ruin the experience for everyone. Maybe we can keep the levers where they are and try to clean up what remains.