Plutonic Rainbows

The original Wonder model turned everything into watercolour. Skin looked airbrushed, fabric lost its weave, and faces — especially small ones in group shots — came out waxy. I ran a batch of family photos from the early 2000s through it last year and the results were unusable. Everyone looked like they'd been smoothed in Photoshop by someone who'd just discovered the blur tool. I stopped using it.

Wonder 2 is different. Topaz finally acknowledged what users had been complaining about: the over-processing. The new model dials back the artificial sharpening and actually preserves texture. Hair looks like hair. Skin has pores. Fabric keeps its weave instead of melting into some vague suggestion of cloth.

I tried the same batch again. The difference is significant. Not perfect — I'm not sure any upscaler handles compression artefacts from early digital cameras gracefully — but the faces are recognisably human now. That waxy sheen is gone.

The catch: it's cloud-only. Topaz says the computational demands are too heavy for local processing, which is probably true, but it means you're uploading your images to their servers. For personal photos, I don't love that. For client work, some people won't accept it at all. I understand the technical reasoning — these models are enormous and running them locally would require hardware most photographers don't have — but it still feels like a step backward in terms of control.

There's also the subscription question. Topaz moved to a subscription model last year, which rubbed a lot of long-time users the wrong way. I'm not going to relitigate that argument here. The software works or it doesn't. For me, Wonder 2 works well enough that I've started using Topaz again after months of avoiding it.

What I actually wanted from an upscaler was always simple: make the image bigger without making it worse. Don't add detail that wasn't there. Don't smooth things that should be rough. Don't sharpen edges until they ring. Just scale it up and preserve what exists. Wonder 2 gets closer to that than anything else I've tried. It's not magic — you can't turn a 200x300 thumbnail into a printable image — but for moderate upscaling of decent source material, it does the job without leaving obvious fingerprints.

The Fidelity update that shipped alongside Wonder 2 includes a bunch of other models too. Recover 3 for softer results, some video stuff I haven't tested. But Wonder 2 is the one that matters to me. It's the reason I'm writing this instead of just ignoring another Topaz release.

Sources:

• Wonder Model Documentation - Topaz Labs

• Fidelity Update - January 2026 - Topaz Labs

I found my copy of Wintering Out in a box I hadn't opened since moving flats in 2019. The spine was cracked in three places, the pages yellowed in that particular way paperbacks get when they've lived in damp rooms. I'd forgotten I owned it.

Seamus Heaney published this collection in 1972, the year of Bloody Sunday, though you wouldn't necessarily know that from reading it. The violence is there — it's always there in his work from this period — but it comes at you sideways, through bog bodies and place names and the particular way rain sounds on different surfaces. He doesn't write about soldiers. He writes about the word "Anahorish" and how it feels in the mouth.

That indirection annoyed me when I first read him. I was twenty-two, impatient, wanted poets to say what they meant. Why all this business about etymology and townlands when people were dying? It felt like evasion. I put the book aside and didn't pick it up again for over a decade.

I was wrong.

The poems in Wintering Out aren't avoiding the Troubles — they're excavating the ground beneath them. When Heaney writes about the word "Broagh" and how the "gh" sound at the end is unpronounceable for English speakers, he's writing about borders. About who belongs and who doesn't. About how language itself draws lines that bodies later bleed across. This isn't evasion. It's archaeology.

"The Tollund Man" is the poem everyone talks about, and for good reason. A body preserved in a Danish bog for two thousand years, sacrificed to some fertility goddess, becomes a lens for looking at sectarian murder in Belfast. The logic shouldn't work. Denmark isn't Ireland, and ritual killing isn't the same as a car bomb. But Heaney makes the connection feel inevitable rather than forced. Both are forms of tribal violence. Both leave bodies in the earth.

I keep thinking about my grandmother's accent. She grew up in Tyrone, moved to England in the fifties, and by the time I knew her, her voice had become something strange — not quite Irish, not quite English, caught between. She pronounced certain words in ways I've never heard anyone else pronounce them. When she died, those pronunciations died with her. That's what Heaney is getting at in poems like "Traditions" — language as inheritance, but also language as loss. Every generation forgets something.

He wrote much of this collection while on sabbatical at Berkeley in 1971. California, of all places. He said the distance loosened something in his form, made the quatrains more relaxed. I find that odd — that you'd need to go to the other side of the world to write about the six inches of soil beneath your childhood home. But maybe that's exactly right. Too close and you can't see it. The Irish memory bank, he called it. Something you can only access from far away.

The shorter poems frustrate me. "Servant Boy" and "Limbo" feel slight next to the longer pieces, sketches rather than finished work. Critics at the time complained that Heaney wasn't addressing the violence directly enough, and I understand the impulse even if I think they were wrong. When your country is tearing itself apart, poems about place names can feel like fiddling while Rome burns.

But that misses what Heaney understood: the violence didn't come from nowhere. It grew from centuries of contested ground, contested language, contested memory. You can't address the present without digging into what made it. The bog preserves everything — bodies, butter, wooden trackways. It's a kind of memory that doesn't forget. Heaney keeps returning to that image because it's doing real work for him. The past isn't past. It's right there, just under the surface, waiting to be cut into.

My copy still smells faintly of the flat I lived in during my twenties. Damp plaster, radiator dust, the particular staleness of single-glazed windows. I don't know why I kept it through three moves. Most of my books from that period went to charity shops or got left on trains. This one survived.

Harold Bloom called Heaney's voice "keyed and pitched unlike any other significant poet at work in the language anywhere." That's the kind of sentence critics write when they can't quite explain what they mean. But he's not wrong. There's something in the sound of these poems — the vowels, the consonant clusters, the way lines break mid-phrase — that doesn't sound like anyone else. You can recognise a Heaney poem by its music before you've parsed a single image.

The collection ends with "Westering," a poem about California, about being far from home, about the direction of travel that the word itself implies. West into the unknown. West into the sunset. West into America, where so many Irish ended up. It's not a conclusion exactly — more of a trailing off, a question left hanging. Where do you go when the ground you came from is contested? What happens to memory when it crosses an ocean?

I've started rereading the bog poems aloud. There's no other way to get them right. The sounds matter in a way that silent reading can't capture. "The Tollund Man" in particular needs to be spoken — the way "Tollund" itself echoes and dulls, the flat vowels of "the mild pods of his eyelids." Heaney was obsessed with how words feel in the body. The tongue, the teeth, the soft palate. Poetry as a physical act.

I still don't love all of it. Some of the mythological pieces feel like exercises. But the best poems here — "Anahorish," "Broagh," "The Tollund Man," "Gifts of Rain" — do something I can't quite name. They make the familiar strange and the strange familiar. They make language itself feel like archaeology, like digging.

Sources:

• Wintering Out - The Estate of Seamus Heaney

• Wintering Out - Wikipedia

A static site generator seems like the safest possible software. No database. No user authentication. No server-side processing. Markdown goes in, HTML comes out. What could go wrong?

Quite a lot, as it turns out. I spent part of today running a systematic security audit on the Python code that builds this blog, and the results were sobering. Forty-five issues across six severity categories, ranging from XSS vulnerabilities in the search functionality to race conditions in file operations. The code has been running in production for months. Every issue had been hiding in plain sight.

The most serious problem was a classic cross-site scripting vulnerability. The search feature highlights matching text by inserting content directly into the DOM via innerHTML — a pattern that the OWASP DOM-based XSS Prevention Cheat Sheet explicitly warns against. If a malicious post title contained script tags, the search results would execute them. The fix was straightforward: escape HTML entities before highlighting. However, the vulnerability should never have existed in the first place.

Race conditions appeared in several places. The build script called os.listdir() twice for duplicate detection — once to build a normalisation map, again to process files. Between those calls, the filesystem could change. The cache file for URL shortening used a naive write pattern that could corrupt data during concurrent builds. The asset copying routine deleted the entire output directory before recreating it, creating a window where the site would be unavailable. Each fix required thinking carefully about atomicity and the assumptions that file operations make about a static world.

Date arithmetic revealed a subtler class of bug. The time-based filtering used timedelta(days=months * 30) to calculate cutoff dates — a calculation that drifts by five or six days over a year. Posts from exactly twelve months ago might or might not appear depending on which months fell within the range. The dateutil library provides relativedelta specifically to handle calendar arithmetic correctly. There was no excuse for not using it.

Path traversal prevention was missing entirely. A crafted slug containing ../ could write files outside the output directory. Input validation existed for character sanitisation but not for structural attacks. The oversight was embarrassing.

What strikes me most is that this code was written with agentic coding tools — the same tools that are supposed to bring senior-level expertise to every developer. The tools generated working code that passed all tests and produced correct output. They did not generate secure code. They did not flag the race conditions or the XSS vulnerability or the date arithmetic error. The code worked, which is a different thing from the code being right.

This reinforces something I have been thinking about: no system can verify its own blind spots. The AI that helped write the code could not see what it had missed. The developer reviewing the output — me — did not catch the issues either. Only a deliberate, adversarial audit with a checklist of known vulnerability patterns found what was hiding in plain sight.

The fixes took a few hours. The lesson will last longer. Safe-looking code is not the same as safe code. Static sites are not immune to security issues. And the tools that accelerate development do not eliminate the need for the slow, careful work of verification.

Sources:

• DOM based XSS Prevention Cheat Sheet - OWASP

• Cross Site Scripting Prevention Cheat Sheet - OWASP

• dateutil - relativedelta - dateutil documentation

Spent the morning performing maintenance on my Roon music library—removing extended attributes from 26,948 audio files. macOS applies com.apple.quarantine and com.apple.provenance attributes to downloaded files as security measures, but these can cause file access issues with Roon's music server. The cleanup was straightforward using xattr -dr commands to recursively remove the problematic attributes. Tested playback afterward with Oneohtrix Point Never's Tranquilizer—no audio quality degradation, exactly as expected. Extended attributes are filesystem metadata stored separately from audio data itself. The files remain unchanged; only the invisible annotations have been stripped away. The library now runs cleaner without these unnecessary flags interfering with normal operation.