Suppose I want to extract all substrings of a text that consist of one-or-more letter as followed by a letter b. This is obviously both:

1. trivial to do with a single short regex
2. trivial to do in linear time

but if you try to do it with a regex in linear time, you may well screw it up and never even realise. There is a nasty trap here!

Until recently, I would have solved this problem with code something like this (example in JavaScript):

function extractABs(text) {
  return text.match(/a+b/g);
}

... and I would have assumed that this would execute in linear time. After all, you can easily envisage the linear-time algorithm - you just need to make a single pass over text, keeping track as you go of the index at which each sequence of consecutive as starts, and checking at the end of each one whether it is followed by a b or by another character. But the regex-based solution above does not execute in linear time in the worst case! Chuck the following code into your browser console or Node shell and behold the results:

function extractABs(text) {
  return text.match(/a+b/g)
}

const a50000 = 'a'.repeat(50000);
const a100000 = 'a'.repeat(100000);
const a150000 = 'a'.repeat(150000);
const a200000 = 'a'.repeat(200000);
const a250000 = 'a'.repeat(250000);

function timeRegex(text) {
  console.time();
  extractABs(text);
  console.timeEnd();
}

timeRegex(a50000);
timeRegex(a100000);
timeRegex(a150000);
timeRegex(a200000);
timeRegex(a250000);

The times I got were 2.112s for 50000 as, 8.451s (4x) for 100000 as, 19.009s (9x) for 150000 as, 33.757s (16x) for 200000 as, and 52.856s (25x) for 250000 as. In other words, execution time is clearly increasing quadratically with the size of the input.

Why is this happening? This is not an example of what many sources call "catastrophic backtracking", which typically happens when you write regexes with nested quantifiers (like (a+)+) and results in exponential time complexity. In fact, the cause of the non-linear time complexity here doesn't involve any backtracking at all.

Instead the problem is simply that, after trying to match the regex at index 0 (the start) of our length-n string, consuming n characters, and failing, the regex engine then moves on to trying to match the regex at index 1 of the string, consumes n-1 characters and fails, then tries to match at index 2 of the string, consumes n-2 characters and fails, and so on. The total number of characters that need to be consumed this way is of course the nth triangular number^[1], (n² + n) / 2, and thus we have quadratic time complexity.

There's a simple fix: use a lookbehind assertion in your regex that says that the sequence of as, a+, must not be preceded by an a:

function extractABs(text) {
  return text.match(/(?<!a)a+b/g)
}

Now the pathological case with 250000 as, that was previously taking a minute to execute, takes a millisecond instead (on my machine). This works because the lookbehind short-circuits the regex engine's attempts to match the pattern in the middle of a substring of as. After failing to match at index 0, the regex engine will still ask "does the pattern match at index 1?", but instead of having to consume 249999 characters to get an answer to that question, it will instead see that there's an a directly before index 1, immediately answer "no", and move on. Thus each such question requires only constant time to answer. And thus we're back to linear time complexity for the whole matching operation.

This tactic seems broadly applicable. In situations where you have a regex that starts with an indefinitely repeated expression (a+, (foo)*, [0-9]+, whatever), if you want to keep the regex's execution time linear, you almost certainly want to precede it with a negative lookbehind ((?<!a)a+, (?<!foo)(foo)*, (?<![0-9])[0-9]+, etc.).

But until today, I didn't know this. I suspect most programmers I've worked with didn't know this. How many quadratic-time regexes have we unwittingly written, to perform what ought to be linear-time operations, due to this trap? I'm sure I've authored a few...

Something curious I noticed today: https://www.cps.gov.uk/legal-guidance/self-defence-and-prevention-crime currently claims that:

Self defence and the prevention of crime originates from a number of different sources. Defence of the person is governed by the common law. Defence of property however, is governed by the Criminal Damage Act 1971. Arrest and the prevention of crime are governed by the Criminal Law Act 1967.

This appears to me to be incorrect as it pertains to defence of property. There is a "defence of property" defence in the Criminal Damage Act 1971, specifically in section 5(2)(b), but it's a defence only to offences defined in that act (i.e. criminal damage and assorted related offences like threats of damage). So that defence would be entirely irrelevant when someone uses force against another person to protect their property.

If you take the CPS's word for it that defence of property is governed by the Criminal Damage Act and not by common law, you would logically conclude from this that there is only a very limited "defence of property" defence in English law and that it does not entitle you to use force against people to protect property (even if, perhaps, some other defence such as prevention of crime might give you such an entitlement). I'm pretty sure, however, that this is wrong.  Contra what the CPS says, there is a common law defence of "defence of property".

This defence is described in the 2003 judgment DPP v Bayer & Ors, where the judge says:

24. This line of authority is concerned with the defence of "private defence" or "protective force" when unlawful force is used or imminently threatened against a person who may use proportionate force to defend persons or property. It is to be distinguished from the line of authority which is concerned with a similar defence against trespassers. In the Law Commission's most recent attempt, following very widespread consultation, to articulate the relevant principles of law in a simple codified form (see Offences Against the Person and General Principles (1993) Law Com No 218, pp 106-110), these defences are set out (so far as they relate to defence of property) in the following terms:

• "27(i) The use of force by a person for any of the following purposes, if only such as is reasonable in the circumstances as he believes them to be, does not constitute an offence –
  • (c) to protect his property … from trespass;
  • (d) to protect property belonging to another from … damage caused by a criminal act or (with the authority of the other) from trespass …
    ...

Additionally, the "defence of property" common law defence is mentioned, and clarified, in statute! The Criminal Justice and Immigration Act 2008 §76 defines "Reasonable force for purposes of self-defence etc.", and subsection (2)(aa) of the act as amended says this applies to "the common law defence of defence of property" - i.e. the common law defence that the CPS states does not exist!

Unless I'm missing some crazy development in the law since 2008 that I can't find any mention of when I google this issue, the CPS guidance on this is therefore very, very wrong! I've duly filled in the feedback form on their website and submitted the following feedback:

It appears to me that there is an error in your guidance about "defence of property" at https://www.cps.gov.uk/legal-guidance/self-defence-and-prevention-crime. There you claim that:

> "Defence of the person is governed by the common law. Defence of property however, is governed by the Criminal Damage Act 1971."

I believe this to be a misstatement of the law. Although there is a defence of property defence defined in the Criminal Damage Act 1971, it is a defence ONLY against charges of criminal damage (and as such is relevant only in situations where a person damages property to defend some other property, not in situations where a person uses force against another person to defend property). For any other charge, the defence of "defence of property" instead comes from common law, as described in e.g. https://www.bailii.org/ew/cases/EWHC/Admin/2003/2567.html. The existence of a common law defence of defence of property is also mentioned in statute, in the Criminal Justice and Immigration Act 2008 section 76(2)(aa).

I suggest reviewing the claims about defence of property on that page and correcting them if you agree that they are in error.

Let's see if anything comes of it!

Spiked magazine have published an article by their chief political writer, Brendan O'Neill, about the ruling against Laurence Fox in his libel case. I've seen it shared by a bunch of Twitter users I follow and by the Free Speech Union. It's a bad article.

Background

The case is certainly interesting if you care about libel law, freedom of speech, or the culture war. If you're unfamiliar, a quick summary of the background to the case is as follows:

1. in October 2020, apropos of nothing in particular, Sainsbury's posted a bizarrely combative tweet about Black History Month, inviting customers who don't "want to shop with an inclusive retailer" to shop elsewhere
2. Laurence Fox responded to that post with a now-deleted Tweet calling on people to boycott Sainsbury's for promoting racial segregation. Fox's post included a link to a separate announcement by Sainsbury's that they had introduced "safe spaces" for black employees, which was the basis for Fox's accusation of segregation.^[1]
3. three woke Twitter users responded by calling Fox a racist
4. Fox responded by calling those three critics paedophiles. (It's the done thing...)
5. the three woke critics responded to that by suing him for libel
6. ... and finally Fox responded by countersuing them for libel for having called him a racist in the first place.

Even without digging further into the factual details, this summary raises, I think, some interesting questions of principle:

• How should the law evaluate accusations of "racism", given that our society's current understanding of what that even means is bitterly divided? Should the contested nature of "racism" in the context of western society's current culture war over race mean that such a claim basically lacks any substantial meaning and can't be defamatory? (One can imagine similar questions over all sorts of vague, opinion-based accusations - for instance, what if someone were to publicly denounce you as "immoral", or "intellectually dishonest", or "a pervert"?)
• How should rhetoric be handled? It seems obvious that a false accusation of paedophilia could be libellous in principle, and typically would be, but how should the law deal with the scenario where the speaker says that accusation wasn't actually intended to be believed by the reader? (For this was Fox's contention here: that the accusations of paedophilia were meant to be obviously false, and thus to highlight the nastiness and unfairness of flinging baseless accusations at people - which is, of course, how he sees the accusations of racism against him.)
• Should there be any kind of principle that retaliation is fair game, and if so how far should that go?

Most coverage I've seen of the case, including that of the BBC, is disappointingly shallow, not exploring the legal details or implications for free speech at all. Brendan O'Neill's article in Spiked is the sole exception. The trouble is, it repeatedly makes seriously false claims about what the judgment actually says.

No defence of rhetoric in UK libel law?

A key implication in the Spiked article is that the courts simply ignored entirely Fox's claim to have been using the counter-accusation of paedophilia as a rhetorical device, and instead, robotically, took it as literally true. Consider the following passages, spread over a few paragraphs in the Spiked article:

It was a rhetorical game. A verbal stunt. A drawing of linguistic daggers. ...

And yet, the High Court has found against Fox. Taking literalism to dizzying new heights, the judge criticised him for failing to show that his allegations were true – yes, because they weren’t! I know judges are out of touch, but surely they’ve heard of rhetoric and humour. ...

... At an earlier stage of the Fox libel clash, the Court of Appeal ‘did not accept that the ordinary reasonable reader would obviously understand Fox’s complex rhetorical point that he was no more a racist than they were paedophiles’, as one legal observer summarised it. ...

‘The law affords few defences to defamation of this sort’, decreed the High Court. And that’s the problem. That the defence of rhetoric is not permissible under our libel laws is dreadful.

I will grant Spiked that they do at least note that the court opined on whether an ordinary reader would understand Fox's point is rhetorical. My beef is with the assertions that the judge acted as if she had not "heard of rhetoric and humor" and that "the defence of rhetoric is not permissible under our libel laws". That's just objectively not what happened.

In fact, though you'll find no hint of this in the Spiked article, Fox actually won his defence against one of the three claimants, Nicola Thorp, on precisely the grounds that the accusation against her was rhetorical! It was not the case that the courts acted as if it had not "heard of" rhetoric; rather, they simply judged that the "natural and ordinary meaning" of two of the tweets was to literally accuse the claimant of paedophilia. From part 44 of the judgment, summarising previous findings from the court of appeal:

i) The ‘single natural and ordinary meaning’ of Mr Fox’s tweets responding to Mr Blake and Mr Seymour (‘Pretty rich coming from a paedophile’ and ‘Says the paedophile’) was that ‘each of these Claimants was a paedophile, someone who had a sexual interest in children and who had or was likely to have engaged in sexual acts with or involving children, such acts amounting to serious criminal offences’. This was an allegation or imputation of fact. The imputation was ‘of defamatory tendency at common law’ – that is, in the meaning determined, it would ‘substantially affect in an adverse manner the attitude of other people towards a claimant, or have a tendency to do so’ ...
ii) Mr Fox’s tweet responding to Ms Thorp was different. He had quote-tweeted her allegation, and reproduced it simply substituting ‘paedophile’ for ‘racist’. ‘Mr Fox was not using the word ‘paedophile’ literally, to accuse Ms Thorp of being a paedophile; he was using that word rhetorically as a way of expressing his strong objection to being called a racist. Used in that way it was not defamatory’.... Ms Thorp had originally claimed in libel against Mr Fox on the basis of his tweet to her, but since it was found not to have any defamatory tendency, no tort could have been committed, and her claim was dismissed on that basis.

Later, when commenting more on how readers might have interpreted Fox's tweets, the judgment has more to say about this:

As a rhetorical device – even to the extent Mr Fox subsequently took pains to spell it out as being one – it was not well-calculated to be effective. It relied on a reader recognising both imputations – ‘racist’ and ‘paedophile’ – as immediately and equally incredible. But the context, for the readership, was first Mr Fox’s ‘boycott Sainsbury’s’ tweet, then the ‘racist’ tweets, and only then the (unexpected and unexplained) ‘paedophile’ tweets. The call to boycott Sainsbury’s was itself startling but evidently intended to be taken wholly literally, and the ‘racist’ responses were apparently heartfelt; any reader pondering the exchanges (and especially if they did not click through to the website) might be as likely to think (a) the ‘racist’ jibe had hit home and been met with an equivalently devastating counterblow against these particular individuals, since others had questioned or protested the boycott tweet without getting the same response, as they were to think (b) both jibes were patent nonsense.

You can certainly reasonably disagree with this, but hopefully this makes clear that Spiked is not merely steamrolling over nuances but peddling some outright falsehoods. Contra Spiked, the defence of rhetoric is available in our libel laws; the court simply wasn't persuaded that these particular statements were correctly understood as rhetorical, and outlined why this was so, in great detail!

Less consequential, but also untrue, is Spiked's claim that the court "criticised" Fox for failing to show that his accusation was true.^[2] There's simply nothing like this in the judgment. The judgment does acknowledge the fact that Fox didn't attempt to show the accusation was true; for instance, in paragraph 166, near the end:

Mr Fox did not attempt to show these allegations were true, and he was not able to bring himself on the facts within the terms of any other defence recognised in law.

... but it strikes me as nonsense to characterise that passage, or any of the similar ones in the judgment, as "criticising" Fox for "failing" to show that the claimants were paedophiles.

Why no ruling on whether Fox is a racist?

O'Neill distorts other elements of the judgment, too. When it comes to Fox's counterclaim of libel for the claimants calling him racist in the first place, the Spiked article has this to say:

The court refused to make a ‘determination’ as to whether the accusation that Fox is racist is ‘substantially true’. That is not a question that can be ‘resolve[d] within the framework of this litigation’, the ruling weirdly says. What does this mean? Why can the High Court decree that it is defamatory to refer to three non-paedophiles as paedophiles, but it cannot decide if it’s defamatory to refer to a non-racist as racist? Do our libel laws only protect certain people against certain accusations? Seems iffy to me.

It looks to some of us as though this ruling implicitly upholds the right to call people racist. Or at least, the courts will not treat an unprovable accusation of racism as seriously as they will an unproveable accusation of paedophilia.

Contra O'Neill's implication here, the reason that the court doesn't evaluate whether Fox is racist is in fact clearly explained in the ruling. For a statement to be defamatory, it needs to both cause serious harm to the claimant's reputation and be untrue. The court found that Fox, whose views on race were already controversial and who had already been called a racist on Twitter before October 2020 (I observe that simply searching for the complete phrase "laurence fox is a racist", filtered to results before October 2020, finds dozens of tweets), did not suffer any serious reputational harm from a few extra tweets callng him a racist. Therefore it was moot whether or not he is a racist; there was simply no need for the court to rule on that question.

There are a few further things the judge noted in her ruling that I'd like to note here, though. One is that, had things gone differently, one of the defendants against Fox's counterclaim might indeed have faced the task of proving that Fox is a racist. From paragraph 58:

Because of the preliminary issues ruling that subsection (3) was not satisfied in her case, [the defence of honest opinion] is not available to Ms Thorp. Instead, she relies, if necessary, on being able to prove that the ‘imputation conveyed by the statement complained of is substantially true’ (Defamation Act 2013, section 2). ... It requires her to establish that it is substantially, objectively, true that Mr Fox is, in fact, a racist.

Also, the choice of what order to evaluate the elements of the tort of libel in is, to some degree, at the discretion of the court. Paragraph 163:

Cases turn on their facts. There are certainly examples in the authorities of cases disposed of on alternative bases of failure to establish serious harm and success on a defence. It may for example be that a case can be swiftly and efficiently disposed of where a strong and straightforward defence appears, but where the serious harm element is more complex, by concentrating on the former, even though the latter is a logical precedent stage. But this is not a case of that sort.

And finally, the court should, in the opinion of the judge, avoid opining on culturally controversial matters where it's irrelevant to the ultimate resolution of the legal matter before the court. From section 164:

I am very much aware that Mr Fox would have liked to leave court with a clear determination that he ‘is not a racist’, Ms Thorp with a determination that it is substantially true that he is, and Mr Blake and Mr Seymour with an endorsement that at least they genuinely thought so and an honest person could have thought so too. But the entire case is, in that sense at least, all about contested views of what does and does not amount to being ‘a racist’. ... Courts do not shy away from difficult assessments of contemporary cultural standards where the law requires them to. But where, as I have concluded, the law does not so require, because, by operation of statute and application of the serious harm test, an opinion on such a matter must in law be regarded as ‘not defamatory’, then courts must be properly circumspect about wading unnecessarily into such territory.

I've not seen it articulated before, but this seems like a good principle, to me! If it's not going to affect who wins the case, a judge shouldn't use a judgment as a soapbox from which to decree officially correct and incorrect positions on matters disputed in the culture war (such as whether Laurence Fox's stridently anti-woke views constitute "racism"). Brendan O'Neill bemoans this, but would he really want it otherwise?

I found it interesting that the judge chose to note the court's discretion about the order in which to consider each element of the definition of libel immediately before this paragraph. It seems to me that she means to imply - though she stops short of outright saying it - that where the opportunity arises, the courts should even evaluate elements of a tort or crime in an unconventional order if doing so will potentially allow them to dodge the need to directly rule on the merits of opposing views in the culture war.

But anyway, the answer to O'Neill's rhetorical question about why Fox and his opponents were treated differently is right there in the ruling: the court would have evaluated whether Fox was a racist, and issued a ruling one way or the other, if the case had depended upon that. But it didn't, essentially because the pre-existing controversy around Fox meant that no additional harm to his reputation from a few more tweeters calling him a racist was possible. None of that constitutes a "right to call people racist" or a different standard for accusations of racism versus paedophilia, as alleged by O'Neill.

(Aside: it's not a falsehood, but I want to note the irony of the fact that the paragraph discussed above, bemoaning a supposed judge-created "right to call people racist", appears immediately after a paragraph praising the more liberal libel laws in the USA, and asserting that due to our lack of a defence of rhetorical hyperbole, we "lag in liberty behind our American cousins". Unlike the UK, the US really does have a right to call someone racist! Such an accusation will basically always constitute "opinion" under US law, and statements classified as "opinion" cannot be libellous in the US. This protection of "opinion" statements is absolute; unlike in the UK, there are no further elements to the defence. You can call anyone you like a racist over there, with absolutely no factual basis for doing so whatsoever, even if you don't actually believe they are racist at all and you are consciously lying, and it's still perfectly legal. To the American mind, the right to do this is part of the fundamental right to free speech guaranteed by the First Amendment. I guess O'Neill is particular about which liberties he wants to copy from our American cousins. In fairness, on this point, I partially agree with him.)

Was there injustice here, then? Where was it?

All the above said, I think you can still very reasonably take issues with aspects of the ruling. The complaints I'd potentially make are just different to, or at least more nuanced than, those made in Spiked.

Despite my annoyance at the misrepresentations of the judgement that went along with it, I am at least sympathetic to one part of O'Neill's (and Fox's lawyer's) critiques of the judgments against Fox: the contention that the courts were far too ungenerous to the intelligence of the average Twitter user in finding that an "ordinary reasonable reader" would not understand Fox's tweets to be rhetorical. I certainly wouldn't expect many readers to actually believe the accusation or think that Fox had evidence substantiating it. Even so, I don't think it's obvious that the courts got this wrong; even if readers didn't believe the accusations were true, it doesn't mean they would understand them to be rhetorical, and I can easily imagine that many readers would instead simply think that Fox - perhaps in some kind of unhinged state - was carrying out a deranged act of retaliation by responding with baseless but literal accusations of paedophilia against his enemies. I think it was a genuinely hard call. I think I would've been unsure what the hell was going on if I had read Fox's tweets at the time that he posted them, which in turn makes it hard for me to confidently suggest, in hindsight, what an "ordinary reasonable reader" would've thought about them.

I am even more sceptical of the judgment's assessment of whether the claimants' reputations were caused "serious harm" by the paedo accusations. I note that in the TPI ("Trial of Preliminary Issues") where the courts first decided the "single ordinary meaning" of Fox's tweets, Justice Nicklin noted that it still mattered how people had actually intepreted them, since this would dictate whether "serious harm" had been done to anyone's reputation:

the Court has not resolved the issue of whether the Claimants in their claim, or the Defendant in his counterclaim, can satisfy the requirement to establish serious harm to reputation as required under s.1 Defamation Act 2013. This may well be a significant issue at any trial. For example, if the Defendant can establish that in fact a significant number of readers of his Tweets did understand them simply to be making a rhetorical comment about the baselessness of the Claimants' claims of racism against him, then the Claimants may struggle to demonstrate that they have been caused serious harm to their reputation.

This makes it sound like Fox would win the case as long as he could establish, basically, that nobody believed that what he said was true. Importantly, it seems to me that this could be either because they thought he was being rhetorical or just because they thought he was an unhinged lunatic lashing out with baseless (but literal) claims.

The final ruling against Fox, by Justice Collins Rice, caveats this somewhat:

I observe in this connection that, contrary to some of the submissions made to me on this point, it is not necessary for the claimants to establish the probability of readers being immutably convinced of the truth of an allegation. That is not how reputation works. Serious reputational harm can be caused by a change of view some considerable way short of that. It is often the insidious creation of a ‘bad odour’, together with the difficulty of establishing a negative, that does the most reputational harm. That is particularly apposite to an allegation of paedophilia. But the test does require that people’s minds were probably changed because of these tweets, and to a degree meriting the description of serious harm.

Okay, fair enough; if everyone goes from taking for granted that I'm not a paedo to not knowing who to believe and feeling like it's an open question whether I'm a paedo or not, I think it's still fair to call that serious reputational harm. But then, as evidence that anyone at all gave even partial credence to the accusation, the court relies heavily on the claimants getting abused on Twitter by trolls. The crucial paragraphs are 84-86:

There is certainly evidence of an adverse reaction to both men on Twitter, with paedophilia being cast back in their faces. It was put to me that, carefully read, many of these abusive responses either (a) indicate that the allegation was not in fact taken literally or seriously, or (b) can largely be dismissed as the utterances of deep-dyed Twitter trolls or homophobes who need little excuse.

I am unpersuaded that ‘careful’ reading is necessarily the right approach to the former category ... The probability – and the evidence as I read it – is that published reactions within the readership (at least from those who did not know the claimants) spanned the full spectrum from credulous to dismissive. That is usual in mass publication cases of any sort. I have not been given sufficient reason, from context or from evidence of reaction, to find enough apparent or likely scepticism, as a proportion of the whole readership, to be able to conclude it more probable than not that the seriously harmful potential of these tweets simply failed to be realised.

As regards the trolls and homophobes, those are labels that might be attached to the particularly credulous, hostile and/or responsive. But however little excuse they needed, it is obvious that Mr Fox provided one and set them an example. Online abuse is at least a possible signifier of serious reputational harm... I accept the evidence of it here.

I have not seen all the evidence of what Twitter users said that was put before the judge, and indeed I cannot find any of it on Twitter nor find the accounts of Simon Blake or Colin Seymour. So I concede that I am commentating while in possession of less evidence than the judge. But I note that pretty much any highly-viewed adversarial interaction on Twitter results in abuse; I am a nobody on Twitter and from time to time I trigger a flurry of insulting replies and quote-tweets for expressing even mildly controversial opinions. A vast torrent of abuse directed at the claimants was thus the inevitable consequence of getting into any kind of hostile interaction with Laurence Fox, even if not a single person found the paedophilia accusations even remotely credible. This seems to me like it no more constitutes evidence that anyone believed the paedophilia accusations than does the fact that the sun came up the next day; both are simply something that was inevitably going to happen either way. The court, though, seems to have started from a default presumption that mere existence of online abuse constituted evidence that the paedo accusation was given credence. My instinct is that this presumption is terribly unsound. (It might make more sense if the abuse on Twitter followed an accusation of paedophilia in a totally different venue, like a newspaper article, or even just if the abuse had persisted after the initial exchange between Fox and the claimants, but it doesn't sound like that's the case here. Rather, per the judge's own wording, we're talking about reactions to the Tweet - i.e. people on Twitter piling on to the fight that the parties had just got into on Twitter.)

The judgment gets worse, in my view, in paragraph 86 about "trolls and homophobes". Perhaps I am parsing her words wrongly, but it seems to me that in this paragraph the judge is no longer even using the Twitter abuse as evidence of anyone believing the paedophilia accusation, but rather is saying that people merely using Fox's post as an "excuse" to abuse the claimants can still constitute a serious reputational harm even if they didn't put any credence in Fox's accusation at all. That seems to me like a nonsensical interpretation of the concept of reputational harm; if the mechanism is simply that a bunch of Fox's followers saw Fox being nasty to his critics and thereby perceived that those critics were acceptable targets for further abuse, then - however ignoble that may be and however much Fox may be to blame for it - what does any of it have to do with anyone's reputation? Nothing at all, I would think, yet this scenario is somehow contemplated as a "signifier" of reputational harm in the judgment.

These dubious bases for inferring reputational harm seem to me like bigger problems with the judgment than the interpretation of Fox's meaning. Contra Spiked, declining to treat Fox's tweet as rhetorical doesn't strike me as the core of the unfairness here; certainly it seems to me it was poorly-conceived enough that many readers will have taken it as a literal accusation made out of spite, even if this wasn't intended, and it's fair enough for such a miscalculation to put you at risk of a libel lawsuit if the accusation actually harms the other party's reputation. But to me, common sense would seem to dictate that even people failing to see the rhetorical point in Fox's tweet would still realise it obviously wasn't true; the dilemma of interpretation any sensible reader faced was not between the accusation being a rhetorical device and the accusation being true, but between the accusation being a rhetorical device and the accusation being literal but baseless, cast in spite and anger by Fox in a moment of madness. Nobody reads a totally unexplained accusation of paedophilia cast during a slapfight on Twitter and infers that the accuser must have some secret basis for the claim and that it's totally true - they simply assume the accuser is nuts!

The judge doesn't seem to have contemplated this point - that even people who didn't understand Fox's rhetorical point still generally would not have believed the accusation to be true or even credible. I view that as a huge mistake of reasoning, and suspect that it, in combination with the dubious approach of treating a pile-on on Twitter as evidence that people believed Fox's accusation, has led the judge to hallucinate reputational harm to the claimants that simply doesn't exist, seems rather implausible, and doesn't really have any evidence to support its existence.

Elements of how the counterclaim got handled seem problematic too

Though Fox was the overall loser of the case (all his counterclaims failed and two out of three of the original claims against him succeeded), there was one detail in the courts' handling of his counterclaims that I think is worth highlighting. Two out of three of the people who called Fox a racist did so in quote-tweets; the other, Nicola Thorp, did not. As a consequence of this, she lost her ability to use UK law's "honest opinion" defence. The trouble is that the statute codifying the defence requires that your statement indicate the basis of your opinion in order for the defence to apply. So you can say "based on this tweet, Laurence Fox is a racist", and the defence will apply (as long as you also convince the court of some other, easier elements about holding the opinion honestly). You can quote-tweet something race-related that Laurence Fox has posted and say "Laurence Fox is a racist" and the defence will likewise apply. But if you just say "Laurence Fox is a racist", without indicating your basis for this belief, then you can't use this defence. This is why, had the court ruled that Fox's reputation was damaged by the tweets calling him racist, Thorp - and Thorp alone - would've been dragged into the farce of having to establish:

that it is substantially, objectively, true that Mr Fox is, in fact, a racist.

This is probably a correct application of the law as it is written. But it seems manifestly silly. The basis for Thorp's opinion was not indicated in her tweet but could be easily guessed at from the context; who cares that she didn't explicitly indicate it?

I understand the motivation behind the requirement to indicate your basis. Forget Fox, for a moment, and suppose that you were to label some random person who has never publicly said anything contentious about race in their life a "racist". The accusation - even if you think it is properly understood as a statement of opinion - surely implies the existence of some kind of scandalous non-public facts that serve as a basis for the accusation - it's just not clear exactly what they are. If you're not required to articulate any basis for such an opinion, you can damage reputations by insinuating that some such scandalous facts exist, through statements of opinion that the reader assumes surely must have some basis, all without ever alleging any specific defamatory facts as a justification for your opinions. US libel law, as I understand it, permits precisely this tactic; I'm not persuaded that's a good thing, or that it's wrong for us to want to be stricter in this area.

But it seems to me that we're too strict, and the results can easily be absurd when the target is a public figure like Laurence Fox. If I say that Boris Johnson is dishonest, that Jeremy Corbyn is a terrorist sympathizer, or that Tiger Woods was a bad husband, people with some basic knowledge of those individuals are aware of facts that might lead me to say such a thing, and are capable of inferring that my opinion (which they may or may not agree with) is probably based on those widely-known facts. The same is true if I say that Laurence Fox is a racist; he has notoriously said controversial things about race and you will implicitly understand these to be the basis of my opinion, whether you agree with it or not. (This is even more true if I call him a racist minutes after he's said his latest controversial thing about race on Twitter, like Thorp did!)

If we don't want our libel law to be quite as liberal about opinion as that of our American cousins, we ought to at least tweak our more limited opinion defence to also cover cases like this - where the factual basis for the opinion isn't indicated but rather is already widely known due to the claimant being a public figure. But, unfortunately, no such defence currently exists in UK law.

Conclusions

My thoughts on all this, in summary:

• Brendan O'Neill's article in Spiked is bad. It misleads, and sometimes states outright untruths, about what the judgment said.
• Inferring that an adversarial exchange with a high-profile account on Twitter caused someone reputational harm because it triggered an influx of abuse on Twitter seems completely unreasonable to me, yet the judgment against Fox seemed to rely on such an inference.
• The rules protecting expression of opinion should be more robust. If well-known facts about a public figure provide an obvious, salient basis for some negative opinion about them, it should simply be legal to voice that opinion - even without spelling out your reasoning. Right now, this is not necessarily so.

Even though the culture war is a societal cancer, reporting on cases like this ought to be an opportunity to leverage it for good; they are a good opportunity for journalists to educate the public about how our laws work, and for activists to argue for improvements to them. Alas, nobody in a position to put such an analysis before a mass audience seems to have seized the opportunity.

Any security-related use of X-Forwarded-For (such as for rate limiting or IP-based access control) must only use IP addresses added by a trusted proxy. Using untrustworthy values can result in rate-limiter avoidance, access-control bypass, memory exhaustion, or other negative security or availability consequences.

-- MDN's X-Forwarded-For article

Short version:

• Do not take the first IP address listed in an X-Forwarded-For header, assume it's the public IP of the end user who sent you a request, and use it for rate limiting. An attacker can usually set it to whatever they like, and bypass your rate limiting.
• If you're going to use the end user's IP address for anything security-related, like rate limiting, and you want to get that IP address from X-Forwarded-For, then your application needs to know how many reverse proxies it is running behind (and there mustn't be a way for the end user to bypass any of those reverse proxies).
• If your web server framework provides some function that purports to get the end user's IP address by parsing the X-Forwarded-For header, but doesn't require you to tell it how many reverse proxies it's running behind, don't trust it. It is basically guaranteed to be vulnerable to spoofing.
• If you're behind a single reverse proxy, you want to use the last IP address listed in X-Forwarded-For. If you're behind two reverse proxies, you want the second-last IP, and so on.

Long version:

There is an irksome mistake I've seen colleagues make a couple of times in my career now: adding an IP-based rate limiter to a web application that any attacker can trivially bypass by simply adding an X-Forwarded-For header with a randomly-generated IP address to each HTTP request they send. I'm writing this blog post to explain the problem and to give me something to link to next time I inevitably see the same mistake.

Suppose you have a web application running on servers behind some sort of load balancer (or perhaps behind multiple layers of load balancers and reverse proxies, but for the sake of simplicity, let's say there's just one). You want to implement an IP-based rate limiter in the application itself^[1]. For instance, let's say you want to make it so that a given IP address can only make 10 login attempts per 5 minute interval, as a way to make it harder for attackers to brute-force users' passwords.

Since the requests to your application are coming via the load balancer rather than directly from the user's computer, the client IP address as seen by the application will be the IP address of the load balancer. Obviously, that's no good. Load balancers and reverse proxies try to solve this problem for you by sticking the the client's original IP in a header in the HTTP request, which is almost always called X-Forwarded-For.^[2]

Because some applications have multiple reverse proxies in front of them (e.g. requests might first go through a load balancer, then through a caching reverse proxy like Varnish, and only then reach the actual web application), the X-Forwarded-For header can actually contain a comma-separated list of IP addresses, and when a proxy receives a request that already has an X-Forwarded-For header it's supposed to append the IP address it received the request from to the end of the header. That means that in typical circumstances, where the end user sends a request from their browser to your domain with no X-Forwarded-For header, the first (leftmost) element in that comma-separated list will be the public IP of the end user's computer. But you can't trust this! A malicious user can send a request that already has an

X-Forwarded-For: 123.123.123.123

header, and if your load balancer behaves in the normal way, it will append the actual public IP after that, and your application will receive something like this:

X-Forwarded-For: 123.123.123.123, 94.6.194.169

If you're naively treating the first element of the list as the user's IP address, and using that for rate limiting, then you've just allowed an attacker to trick you into seeing their address as 123.123.123.123 when that's not really the address the request came from. By changing the X-Forwarded-For header to a random IP address on each successive request, an attacker can totally circumvent your rate limiting.

What you need to do instead, if you have exactly one reverse proxy (such as a load balancer) in front of your application, is look at the last element of the X-Forwarded-For list, since that will be the one your reverse proxy set. If you have two layers of reverse proxies, you want the second-last IP address in the list (and if you have three layers of reverse proxies, you look at the third-last, and so on).

Note that this fundamentally requires that your application knows how many reverse proxies are sitting between it and the public internet.^[3][4] If your application does not know this, it cannot determine, in a way that an attacker can't spoof, the public IP address from which the request was originally sent.

A corrolary of this is that if a web application framework purports to expose some method of getting the end user's IP address that magically parses headers like X-Forwarded-For, without having first to be configured in some way to tell it how many layers of reverse proxies it's running behind, then you should view that method with extreme scepticism, because it is almost guaranteed to be vulnerable to spoofing.

For example, consider Micronaut's HttpClientAddressResolver, recent use of which by a colleague of mine inspired this blog post. At the time that I write this post, its docs say:

You may need to resolve the originating IP address of an HTTP Request. Micronaut includes an implementation of HttpClientAddressResolver.

The default implementation resolves the client address in the following places in order:

• The configured header

• The Forwarded header

• The X-Forwarded-For header

• The remote address on the request

If you're planning on using the client's IP address for rate limiting or some other security-related purpose, then as soon as you read the documentation I quote above, alarm bells should go off! There's no hint of a way to configure Micronaut to know how many reverse proxies it's behind, so we can only assume that when it looks at the X-Forwarded-For header, it simply takes the first element in the list - the one the attacker can control - and sure enough, it does. (The fact that it will try multiple headers is also a problem, of course! If your reverse proxies only set X-Forwarded-For, an attacker can set Forwarded and your Micronaut app will give that priority over the X-Forwarded-For set by your reverse proxies.)

For an example of a framework that at least makes it possible to get this right using its built-in functionality, see Werkzeug, which requires you to configure it with an x_for parameter that tells it how many proxies it's behind. That's okay to use when you need an IP for rate limiting. Anything that just magically gets an IP address without needing such configuration categorically isn't okay to use.

A final note: although I'm writing this blog post in response to multiple colleagues getting this wrong at work, I want to be clear that it wasn't unusual for them to make that mistake. If you do a Google search for bypass rate limit x-forwarded-for, you will find multiple pages of results listing blog posts, articles, and LinkedIn posts by pentesters and other people whose job is to hack web applications, all advising that you try setting an X-Forwarded-For header to bypass rate limits... and you'll also find lots of publicly disclosed reports on HackerOne from bounty hunters who discovered such bypasses in applications they were testing. I find the existing writeups I've seen a bit frustrating because they just present setting X-Forwarded-For as a magical incantation you should try as an attacker and don't explain what mistake the defender must have made to be vulnerable to it, nor what the defender should've done instead; hopefully this post, written from a developer's perspective instead of a hacker's, can fill that void. But those search results do make a couple of important facts clear: developers of web application are screwing this up constantly in exactly the same way my colleagues did, and the bad guys are absolutely aware of it and will routinely try exploiting precisely this weakness to bypass your rate limits.

Stop letting them!

Why Ghost?

I considered a few possible alternatives to Ghost, and ruled them out:

• I considered Substack, given its current popularity, but at least when I played around with Substack a few months ago, it had absolutely no support for syntax highlighting within code blocks. Since I'm a web developer, I'm probably going to want to post code on my blog at some point, and I'd like to use a system that just gives me nice syntax highlighting out of the box.
• I considered Wordpress, but decided against it due to its terrible reputation for security vulnerabilities. Maybe this is an outdated prejudice on my part and things are much better now. Maybe. But I preferred to give a competitor a chance.
• I considered a self-hosted Jekyll website. Jekyll is somewhat unlike typical blogging platforms in that it's a static site generator and doesn't use a database. Rather than providing a WYSIWYG editor in an admin section of the site where you draft and publish posts, instead you write Markdown files in an editor, push them to a Git repo or something, and let Jekyll generate the site HTML from them. This is an elegant paradigm that has the nice side effect that if you put your blog in a public GitHub repo, you get a publicly-accessible revision history on your posts for free.
  
  However, the thing I dislike about this paradigm is that it's inherently incompatible with allowing comments on your posts, at least as a properly integrated part of the blog; for that, you absolutely need some sort of database for the comments to get stored in, and some kind of admin panel (to let you log in and moderate comments, unless you fancy doing that via direct database edits or just doing without moderation and letting your comment section be a free-for-all for spammers, pornographers, and bitcoin scammers). Jekyll bloggers who want to allow comments get around this by doing something like including a Disqus widget on their blog, but I kind of hate that; it means that your comments are being hosted on a third-party platform separate from the rest of your blog content and might vanish one day based on that third party's whims and moderation policies. Seems bad. I'd like the ability to host my own comments (eventually, when I get round to turning that on), and that means I need a traditional blogging platform with a database - like Ghost.

After ruling out the options above, Ghost seemed like the next-most-famous option - at least, the only remaining option I could recall having heard of - and I didn't see any major problem with it, so I settled for Ghost. I decided to set up Ghost myself in an AWS instance instead of signing up for Ghost Pro, the paid version that Ghost (the company) will manage for you, because, for goodness' sake, I'm a web developer, and it'd be embarrassing not to self-host. Besides, how hard could it be?

The answer, it turned out, was "somewhat harder than I expected".

Fighting with MySQL - and with terrible documentation

First I registered the domain markamery.com in Route 53, created an Ubuntu t2.small EC2 instance to run the blog (I tried a t2.micro first, but it was so feeble it hung forever when ghost-cli was trying to install Ghost's dependencies), created an Elastic IP and associated it with the EC2 instance, and set up an A record to point markamery.com at that IP address.

Next I set about simply getting Ghost running, both on my local machine (by following the instructions at https://ghost.org/docs/install/local/, and on my newly-created EC2 instance by following the instructions at https://ghost.org/docs/install/ubuntu/. The local setup went fine. The production one derailed frustratingly when trying to figure out how to configure MySQL. Here are the pertinent bits of what Ghost's docs, linked above, currently say:

Prerequisites

...

• ...
• MySQL 8
• ...

Install MySQL

Next, you’ll need to install MySQL to be used as the production database.

...

# Install MySQL
sudo apt-get install mysql-server

...

Run the install process

Now we install Ghost with one final command.

ghost install

Install questions

During install, the CLI will ask a number of questions to configure your site.

...

MySQL hostname

This determines where your MySQL database can be accessed from. When MySQL is installed on the same server, use localhost (press Enter to use the default value). If MySQL is installed on another server, enter the name manually.

MySQL username / password

If you already have an existing MySQL database, enter the the username. Otherwise, enter root. Then supply the password for your user.

...

Set up a ghost MySQL user? (Recommended)

If you provided your root MySQL user, Ghost-CLI can create a custom MySQL user that can only access/edit your new Ghost database and nothing else.

So - the recommended approach is to specify root as your MySQL username when asked by the CLI's setup wizard, and then tell it to create a custom MySQL user that Ghost will use. But what are we supposed to enter as the password? The docs say to "supply the password for your user" - for the root user, presumably - but what is that? They don't say.

Well, actually, there isn't one. Since at least as far back as MySQL 5.7, released in 2015, the root user created by the MySQL installer gets configured with the auth_socket "plugin" (authentication methods, even default ones, are "plugins" in MySQL lingo, for some reason). The auth_socket plugin lets you authenticate over a Unix socket instead of over the network, and simply confirms that the Unix user you're connecting as has the same name as the MySQL user you're trying to authenticate as. So, if the root MySQL user has auth_socket auth set up, only the root Unix user (or someone with sudo privilege who runs sudo mysql) will be able to authenticate as the root MySQL user.

There doesn't seem to be any way to get the Ghost CLI to attempt to connect to MySQL using the root user when you run ghost install (which you'll note the docs do not instruct you to run with sudo!). Leaving the password blank doesn't do it and there's no way to skip the question. So if you follow Ghost's docs as written, you're guaranteed to hit an error like this:

ubuntu@ip-172-31-25-1:/var/www/marks-blog$ ghost install

Love open source? We’re hiring JavaScript Engineers to work on Ghost full-time.
https://careers.ghost.org



✔ Checking system Node.js version - found v16.19.1
✔ Checking current folder permissions
✔ Checking memory availability
✔ Checking free space
✔ Checking for latest Ghost version
✔ Setting up install directory
✔ Downloading and installing Ghost v5.42.2
✔ Finishing install process
? Enter your blog URL: https://markamery.com
? Enter your MySQL hostname: localhost
? Enter your MySQL username: root
? Enter your MySQL password: [hidden]
? Enter your Ghost database name: marks_blog_prod
✔ Configuring Ghost
✔ Setting up instance
+ sudo chown -R ghost:ghost /var/www/marks-blog/content
✔ Setting up "ghost" system user
? Do you wish to set up "ghost" mysql user? Yes
✖ Setting up "ghost" mysql user
Nginx configuration already found for this url. Skipping Nginx setup.
ℹ Setting up Nginx [skipped]
Nginx setup task was skipped, skipping SSL setup
ℹ Setting up SSL [skipped]
Systemd service has already been set up. Skipping Systemd setup
ℹ Setting up Systemd [skipped]
+ sudo systemctl is-active ghost_markamery-com
+ sudo systemctl reset-failed ghost_markamery-com
? Do you want to start Ghost? Yes
+ sudo systemctl start ghost_markamery-com
+ sudo systemctl stop ghost_markamery-com
✖ Starting Ghost
One or more errors occurred.

1) CliError

Message: Error trying to connect to the MySQL database.
Help: You can run `ghost config` to re-enter the correct credentials. Alternatively you can run `ghost setup` again.


2) GhostError

Message: Ghost was able to start, but errored during boot with: Access denied for user 'root'@'localhost'
Help: Unknown database error
Suggestion: journalctl -u ghost_markamery-com -n 50

Debug Information:
    OS: Ubuntu, v22.04.2 LTS
    Node Version: v16.19.1
    Ghost Version: 5.42.2
    Ghost-CLI Version: 1.24.0
    Environment: production
    Command: 'ghost install'

Additional log info available in: /home/ubuntu/.ghost/logs/ghost-cli-debug-2023-04-11T11_45_48_981Z.log

Try running ghost doctor to check your system for known issues.

You can always refer to https://ghost.org/docs/ghost-cli/ for troubleshooting.

Aggravating! Okay, I thought: I'll try rerunning the installer, but first I'll explicitly set a password for the root MySQL user. How do I do that?

A quick google finds the MySQL docs page on resetting the root user's password, which warns that the root user having no password is insecure and links to another page that suggests setting an initial password with:

ALTER USER 'root'@'localhost' IDENTIFIED BY 'root-password';

So I tried that. But wait; nothing changes, and I can't connect using the password I just "set". What's going on?

The answer is that in order to set a password on a MySQL user, you need to change the auth plugin used by the root user, as well. Otherwise, MySQL just totally ignores your command. The right incantation to use to give the root user a password isn't the one indicated by the docs pages specifically about giving the root user a password; rather, it's this:

ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'my-new-password';

The IDENTIFIED WITH clause there changes the auth plugin to one that actually supports password auth. Once we do that, Ghost is finally able to complete its setup.

Naturally, this is infuriating! The MySQL docs I link to above are outdated to the point that their very existence is harmful; purging them outright would be a good thing. I suspect I am not the only one that they have confused; I have written a related answer on Security Stack Exchange, since these docs currently give wholly incorrect advice about securing the root account.

(12 April 2023 edit: it turns out this isn't entirely fair. If you install MySQL the way the MySQL docs tell you to, instead of just running sudo apt-get install mysql-server like the Ghost docs tell you to, then root doesn't get given the auth_socket auth method and the docs make more sense! The overall situation is still crappy since an ordinary user who just installs MySQL from their OS's default repos is likely to be left confused by the docs, but they're not outright objectively wrong in the way I believed them to be when I wrote this yesterday.)

Bah! How did I end up wrestling with lying MySQL docs and writing SSE answers? I just wanted a blog!

The rest of the setup process

Given my grumbling above, I should give Ghost its due: once I had won my fight with MySQL, I found setting up Ghost to be a fairly painless experience.

I found it pretty neat that the ghost install wizard has an option to set up Let's Encrypt for you to manage your SSL certificates; you simply press Y  when asked if you want this, it works, and you don't need to screw about with SSL certificates at all. Maybe other server software also supports this, these days, but I've never seen it before now; I expected to have to cron certbot manually. As someone who has been in web development just long enough to remember the days before Let's Encrypt - when there was no automated generation of SSL certificates for sites on the public internet, and every year or so you'd have to fork out a load of money to some certificate authority and manually swap out the certificates on your servers for new ones - it's a remarkable improvement in developer experience!

Here's a list of further steps I took, for the sake of anyone interested in replicating my setup (perhaps my future self):

• Visited https://markamery.com/ghost - the URL of the admin UI - and created a user with a password.
• Went to Settings -> Design and selected the Journal theme. (Its styling is the most appealing to me of the build-in themes, although it's ostensibly a theme for a "newsletter" rather than a "blog" which leads to some annoying issues I address below...)
• Went to Settings -> Membership and changed Subscription access from "Anyone can sign up" to "Nobody" ("Disable all member features, including newsletters"). I might turn this back on at some point - perhaps to allow commenting - but disabling it was the easiest way to turn off this annoying pink banner asking people to "subscribe":

• Went to Settings -> Navigation and deleted the "Sign up" link from the "Secondary navigation" section; otherwise, this shows up in the site footer, and is just a broken link with Subscription access turned off.
• Deleted the autogenerated "Coming soon" post that comes with the blog, as well as the News tag, and updated the About this site page, which by default begs people to subscribe to allow the site to continue to exist.

• Modified the theme to change the word "topics" to "tags" and "issues" to "posts". (The docs I've been able to find on this aren't great, but the process is fairly simple: you run Ghost locally and configure it to use the Journal theme, which creates a copy of the theme in the /content/themes/journal directory, and then you modify the HTML templates in there, export your own modified theme via Settings -> Design -> Change theme -> Advanced -> journal -> Download, then import it on the live site via the "Upload theme" button on that same Design page.

Finally, I set up a Diary tag, which I'll put on posts that are just my record of stuff I've worked on but which I don't expect to be of interest to most of the world. I wanted these to be hidden from the homepage, and found some promising-sounding advice on how to achieve this on Ghost's forum at https://forum.ghost.org/t/filter-out-posts-by-tag-on-homepage/14913/4. The instructions weren't quite complete as given, but I figured out how to get them working - see my post there.

And that's it! I have a working blog, and here is my first post! There might be some more tweaks I want to make to it in due course, like enabling comments and setting up backups somehow, but this should get me started. Along the way, I've found several things broken in the world that need fixing:

Things to fix

Below is my To Do list of things I've discovered along the way to creating this blog that I'm going to go and either fix or ticket.

1: The MySQL docs

As I describe above, the docs at https://dev.mysql.com/doc/refman/8.0/en/resetting-permissions.html and https://dev.mysql.com/doc/refman/8.0/en/default-privileges.html are  almost a decade out of date and need either deleting outright or updating to reflect the fact that the root user on a new MySQL install uses auth_socket authentication these days. I'm also a little suspicious about the whole mysql_secure_installation utility, now. None of the four things the docs say it does need doing at all on a fresh install of MySQL on Ubuntu!

(12 April 2023 edit: I dug into this more. See MySQL docs bugs weren't really bugs in my diary.)

2: Ghost's handling of the root user using auth_socket

ghost-cli should be made compatible with the root MySQL user being created with auth_socket auth, since that's MySQL's default behaviour, and the docs at https://ghost.org/docs/install/ubuntu/ should be updated to indicate what you should enter as the MySQL password if your root user uses auth_socket auth.

(12 April 2023 edit: I ticketed this at https://github.com/TryGhost/Ghost-CLI/issues/1759?ref=markamery.com)

3. Ghost's WYSIWYG editor should support headings inside quotes

An annoyance I discovered in Ghost's editor: if you try to format some text as a heading inside a blockquote (either by selecting text and formatting as a heading via the formatting bar that appears when you select text, or by writing a # symbol at the start of a line within a quote), the blockquote disappears, and similarly if you try to quote an existing heading, it ceases to be heading. The only way to quote content that includes headings - like I did earlier when quoting from the Ghost docs - is to insert a "raw HTML card" and write in HTML instead of using the WYSIWYG editor. This seems crappy and might be easily fixable.

(12 April 2023 edit: per https://forum.ghost.org/t/paragraphs-inside-blockquotes-koenig-editor/4351/2, this is working as designed, and the Ghost devs suggest inserting a Markdown "card" to do blockquotes. I hadn't noticed those; that would've been more convenient than HTML. I still think this is sucky UI, but it's tolerable.)

4. The initial request to /ghost/api/admin/authentication/setup/ appears to fail

Specifically, the request that gets made when you click the "Create account & start publishing" button during setup times out after 1 minute with a 504 response from Nginx. The setup still actually works and a user gets created you can log in is, but something at the end of the process is hanging for a minute.

I didn't capture a screenshot of this when I was setting up this blog, so I made another one just to show this:

(My best guess - without having looked at the code at all yet - would be that it's trying to send an email to the address I entered, and failing because there's no email provider configured yet - that's not part of the setup process at https://ghost.org/docs/install/ubuntu/.)

(12 April 2023 edit: My guess above was right. See https://github.com/TryGhost/Ghost-CLI/issues/1760.)