Blogging in Lisp


Lisplog is a templating system that blends Apache and Hunchentoot to aid in the maintenance of a blog-like web site.

It is open source, written in Common Lisp, and the code is at

My resumé is at


Submitted by Bill St. Clair on Tue, 22 Nov 2022 13:49:32 GMT

I retired in November of 2020, because my brain wasn't working. I sat in front of my computer, but nothing happened. Since I'm entirely reliant on my muse to write code, my mother had just died and left me some money, and my social security was enough to live on, I decided to retire.

Two years later, my brain has come back, and I'm writing code every day. Elm code, for my Mammudeck web application, a Tweet-Deck like multi-column interface to the Mastodon Client API. I still execute arithmetic in my Emacs *scratch* buffer, but my Lisp addiction is currently in remission (he said, while typing in a window put up by his Lisplog server).

Mammudeck is a Progressive Web App (PWA), meaning that you can save it to your home screen on a phone or tablet, and save it as a native desktop application from browsers that support that (I've confirmed that in Brave and Chrome).

I've been using Mammudeck for the Fediverse since shortly after it worked well enough for that. I started it on July 4, 2019. With all the new Fediverse denizens, fleeing from Twitter (which I find to be a lot more fun under Elon Musk), I'm finally working on the Account Dialog, so I can see new user profiles and easily follow them or add a column to track their posts.

Once I finish the account dialog, which still needs to display posts, followers, and following, I'll resume work on the DynamoDB backend.

Mammudeck stores state, including OAuth tokens, in the browser's LocalStorage database, but that is seen only by one browser. I use it on my iMac, iPhone, and iPad. The DynamoDB backend will enable sharing state between ALL of your browsers, so changes made in one will be automatically synchronized with the others.

My PWA philosophy is for my web servers to serve only as the source of the code. No other communication is done with them, except for games, which require a place to hold state and communicate between the players. I write those servers in Elm, and run them on the server under Node.JS. Hence, I will NOT be in the shared state database business. Users who want that feature can pay Amazon for the privilege.

Mammudeck is open source. There's a link at the bottom of its home page, to its GitHub repository. If you're interested in helping out, and can illustrate competence in writing Elm, let me know, via the email link at the bottom of this page.

The Web Apps section of my home page ( has a bunch more Web Apps that I've written over the years. All but "Two-Factor Authenticator" and "Conway's Life" are written in Elm. I haven't done the magic to turn most into PWAs. Ask if you want one packaged that way. It's not difficult.

I'm loving writing the code I want, and nothing else, in my retirement.

Add comment   Edit post   Add post


Submitted by Bill St. Clair on Tue, 15 Nov 2022 14:06:56 GMT

The Kindelia Foundation is Victor Taelin's creation, supporting the HVM (High-order Virtual Machine) runtime, the Kind2 language built on top of it, and their ecosystem. HVM implements a new computing model, which provides massive parallelism, by default, without anything special for the programmer to do. It uses the inherent parallelizability of functional programs. I haven't yet played with it, but I forked the repositories on GitHub, just to hold on to them. HVM is written in Rust, though there's also a JS version, which hasn't been worked on since September.

Twitter thread describing HVM:

"First, I attempted to run functional programs on the HVM. My 1-month silly prototype outperformed GHC, the state-of-art functional compiler used by most Haskell-based companies, in several real-world tasks... by more than 300% (!)"

"Right now, we're looking into compiling Elm to HVM, and run it on the GPU. Imagine writing 3D games and shaders as pure "Pos -> Color" functions, and it just works? That'd be insane, and I have a prototypal CUDA runtime that achieved linear speedup, suggesting that's possible!"

Add comment   Edit post   Add post

Lisplog still works!

Submitted by Bill St. Clair on Tue, 15 Nov 2022 13:48:34 GMT

I haven't added a post here in a long time, nor have I frobbed the server that handles interactive use (the pages themselves are all static HTML, served by Apache). But I was able to log in today, and make this post. Yow! CCL rocks!

Add comment   Edit post   Add post


Submitted by Bill St. Clair on Fri, 21 Feb 2020 15:09:44 GMT

"Micro-optimization is usually premature. Macro-optimization is essential." -- Bill St. Clair

Add comment   Edit post   Add post

Why Elm?

Submitted by Bill St. Clair on Fri, 19 Jul 2019 10:28:57 GMT

An AngularJS user in the Fediverse asked me to sell Elm to him. This is my first attempt.

I have never used AngularJS or any other JS framework besides jQuery, so I'm operating from a quick perusal of the Angular web site, making my comparisons mostly invalid.


First off, you're going to miss a lot of Angular's features with Elm. Elm has a functional flavor to it, not the templatey feel of Angular. Your entire site, except for the initial HTML file that loads the elm-generated JS, is Elm. And Elm wants total control. With a couple of exceptions:

  1. You may load Elm into only a single DIV of your larger site, and use regular HTML/JS for the rest of it. This, so I've read, can enable incremental conversion to Elm, but I've never done it.
  2. Elm supports two ways to get to your own JavaScript code:
    1. Ports - a send/receive messaging mechanism to get JS data out of and back into Elm. Fully type-safe, since incoming JS data goes through decoders to bring it into Elm, and errors there must be handled by the functional Elm code.
    2. Custom HTML Elements - Since Elm's virtual DOM can support ANY HTML element, you can roll your own, to do anything you can dream up.

Elm's package manager is centered on open source, stored at GitHub. I've proposed a simple mechanism to open this up, so that you can easily define your own package plugins, or not use Microsoft's repository system, but Evan Czaplicki, Elm's creator, has not been open to the idea.

A normal way around this for organizations that need their code to be proprietary is a mono-repo for your code, and just include ths whole thing in every project. Elm's compiler is so fast, and so good at rebuilding only what needs to be rebuilt, and including in the output only what is actually used, that this isn't as bad a solution as it sounds.

Or, if you have Haskell chops, you could fork the Elm source, and add the package manager plugin yourself.


Now that I've highlighted some caveats, on to Elm's advantages.

No run-time errors. Ever. If it compiles, the JS generated by the Elm compiler will contain logic errors that you need to find and fix, but it will NEVER mistakenly reference a null value or call an undefined function. This is remarkable to experience, for one accustomed to the runtime-error-prone JS environment. And it really works.

The same kind of type-checking that C programmers have had for decades, but without the necessity to say everything twice, and with a much friendlier compiler, and no way to get around the type safety (except in your own custom JS, as mentioned above). JS linters may give you a lot of this, but they don't do a complete job. The Elm compiler does.

As a long-time lisper, accustomed to run-time type checking, but compile-time laxity, I was surprised to find that I really like this. It takes a little longer to get your code to compile, but once you do, you know it won't fail because of a runtime error.

Refactorings, even large refactorings, are a joy, and usually "just work" once you get the refactored code to compile. In Elm, I'm not afraid to make radical changes to pieces of my code. This causes a large list of compiler errors early in the process, but you fix them one at a time until it builds, and then it usually works.

The generated JavaScript is not difficult to read, and is pretty good, performant code. You definitely lost a little in efficiency over hand-coded JS, but you can always move inner loops into ports if necessary, and it is rarely necessary.

Elm webapps behave pretty much like native apps. With all the JS frameworks available, this isn't as much of a sell as it used to be.


I wish I knew how to express my sheer joy when I program in Elm. If I had Shakespeare's skill, I'd write a sonnet. "Shall I compare thee to a summer's day?"

1 comment   Edit post   Add post

OAuth2 and Mastodon

Submitted by Bill St. Clair on Mon, 01 Jul 2019 22:15:18 GMT

This page explains my thinking of doing OAuth2 authorization for an Elm web frontend talking to a Mastodon API backend.

The OAuth2 Authorization Code Grant Flow Dance

OAuth2 has a number of authentication methods. For end users, using web apps, the Authorization Code Grant Flow is common. It lets the user authenticate with the service she's using, such that the client code never sees her userid or password, then the client code fetches a token it can use to authenticate API requests. If the user notices the client misbehaving, she can go to the service's web site, and remove permission for that client to access her account.

There are three computers involved:

  1. The user's computer, often via a web browser.
  2. The client application's web server, accessed via the redirectUri.
  3. The API service's web server, accessed via the authorizationUri, the tokenUri, and the apiUri.



Mastodon requires /oauth/authorize and /oauth/token as the OAuth 2 endpoints and /api/v1 as the base of the REST API URLs.

There is some information that the API service uses to identify the client application:

  1. The application name
  2. The application Url (optional)
  3. The clientId
  4. The clientSecret

The clientId can be present in the webapp, on the users's computer, since without the clientSecret, it cannot be used for anything. The clientSecret is kept secret, on the redirect server.

Steps in the dance:

  1. The user clicks a "Login" button in her web browser.
  2. The webapp redirects to the authorizationUri, passing the clientId, the redirectUri, scope descriptors, saying what the client app will be allowed to do, and a state string.
  3. The authorizationUri puts up a form, requesting userid and password.
  4. If the user logs in successfully, the authorizationUri server forwards the user's browser to the redirectUri, passing the clientId, state, and an authentication code that it generates and remembers.
  5. The redirectUri server posts the clientId, clientSecret, and authentication code to the tokenUri, and receives back a token.
  6. The redirectUri server then uses the state to put up a web page for the user to interact with the server via the API.
  7. When the user does something that requires an API call, the token is passed along, for authentication and identification of the user.

The Status Quo

First, I'll explain from where I started, back in December of 2017, before adding Mastodon to the mix.

I published the billstclair/elm-oauth-middleware in the public Elm repository. It works with Google, Facebook, GitHub, Gab Legacy, and likely any other proper implementation of the OAuth2 Authorization Code Grant Flow (but I only tested those four). It is running at It contains both server and client code.

The elm-oauth-middleware server expects application definitions to be mostly static, with the tokenUri, clientId, and clientSecret stored in a JSON file on the server, which is queried periodically, and reloaded if it changes. This allows hot changes to the applications, with a text editor on the server.

I store the clientId, and redirectUri in the Elm client code, compiled to JavaScript in the browser, again loaded from a JSON file that ships with the client application. It redirects to the authorizationUri, passing the clientId, redirectUri, scope, and some state. The authorization server (Google, Facebook, GitHub, Gab, etc.) prompts the user for ID and password, and redirects to the redirectUri with an authorization code and some Base64 encoded JSON state. That server posts the code to the tokenUri to get a token, which it returns to the client code, by using the state to go to a URL on a redirectBackHost that are validated from its configuration file. Validation of that redirectBackHost is my invention.

This is a non-standard use of the Authorization Code Grant Flow. Usually, the token stays on the server, and it uses it to make API calls and then populate HTML for the client browser. Since my clients are all in Elm, and work with no HTML generation by a server, other than an initial static HTML file that loads the Elm JavaScript, that client needs to have the token, and make calls itself to the apiUri. The client typically stores the token in JavaScript localStorage, so that it doesn't have to request it again every time the user goes to its web site.

Enter Mastodon

Normal Mastodon servers have a Your Applications page, linked from </> Development in the left column of the preferences page. This allows you to create a standard, static, OAuth2 application, giving an Application name, Application website, Redirect URI list, and allowed Scopes, and receiving a clientId, clientSecret, and token.

This is fine if your application is targeted to a small set of Mastodon servers, but the nature of Mastodon is hundreds of federated servers, so the API has a POST /api/v1/apps call to create a new client_id and client_secret.

My idea for using this is to have the Elm app send its own URL as the Redirect URI, use POST /api/v1/apps to get a client ID and secret, then redirect to https://<mastodon-host>/oauth/authorize, so the user can log in, get back the authorization code when restarted as the redirectUri, then POST to https://<mastodon-host>/oauth/token to turn that code into a token. The only thing I don't now yet is whether that final POST will pass CORS muster. The API calls have to, but that one doesn't. If it doesn't, then that part of the dance needs to be moved to a server, with the clientId and clientSecret passed in the state, so that the server doesn't need any state itself.

This is likely an unusual use of the POST /api/v1/apps call. I think it's expected that the redirectUri host will save the association of the <mastodon-host> and a clientId/clientSecret pair, so that it doesn't need to request a new one unless a new user specifies a never-before-seen server. I plan to cache the clientId/clientSecret pair (and the most recently issued token) in localStorage on the user's machine, but store no state on the server, even if I need one to get around CORS.

1 comment   Edit post   Add post

ZAP Meme

Submitted by Bill St. Clair on Thu, 18 Apr 2019 05:25:32 GMT is a meme maker written in Elm.

It's open source, with a link at the bottom of the page. It uses <svg> to layout the meme, and converts to JPEG or PNG for saving.

It stores meme and images (as data:// URLs) in your browser's localStorage database. They may be exported as JSON and imported into another browser.


Add comment   Edit post   Add post

stackoverflow April Fools 2019

Submitted by Bill St. Clair on Mon, 01 Apr 2019 07:57:03 GMT

For April Fools Day, 2019, stackoverflow put fairy dust on every question page, and had a definite retro look.

I saved the fairy dust, and the ASCII art HTML comment at

Also see Announcing the Stack Overflow Time Machine.

Add comment   Edit post   Add post

Image Sizing in elm-ui

Submitted by Bill St. Clair on Thu, 06 Dec 2018 03:53:36 GMT

I've been using Matthew Griffith's wonderful elm-ui package to make the user interface for GabDecker, a TweetDeck-like web app I'm building for I've had inline images since the beginning, scaled to fit the column width. Today I made clicking on one of those image open a dialog with the full-size version, scaled down if necessary to fit the available space.

elm-ui eschews CSS in the source code, usually making it much easier to get what you want. But in this case, I was NOT getting what I wanted, so I wrote my own CSS, and learned about the object-fit property in the process.

Here's the code that's now running:

imageDialog : String -> Model -> Element Msg
imageDialog url model =
        maxw =
            9 * model.windowWidth // 10

        maxws =
            String.fromInt maxw ++ "px"

        maxh =
            9 * model.windowHeight // 10

        maxhs =
            String.fromInt (9 * model.windowHeight // 10) ++ "px"
        -- This is black magic.
        -- It took much play with the CSS to get it right.
        [ centerX
        , centerY
        [ standardButton "" CloseDialog <|
                [ "object-fit" "contain"
                , "max-width" maxws
                , "max-height" maxhs
                , "border" "2px solid black"
                , "width" "auto"
                , "height" "auto"
                , Attributes.src url
                |> Element.html

Add comment   Edit post   Add post


Submitted by Bill St. Clair on Wed, 19 Sep 2018 10:04:00 GMT

"APL is like a diamond. It has a beautiful crystal structure; all of its parts are related in a uniform and elegant way. But if you try to extend this structure in any way - even by adding another diamond - you get an ugly kludge. LISP, on the other hand, is like a ball of mud. You can add any amount of mud to it and it still looks like a ball of mud." -- Joel Moses

Add comment   Edit post   Add post