PostgreSQL 19 adds Property Graph DDL: CREATE PROPERTY GRAPH with vertex/edge labels backed by tables/views, properties mapped from columns/expressions, plus indexes & constraints. Graph model becomes schema-managed in SQL—useful for relationship-heavy data and KG/RAG stores.

“iOS 27 system prompts” — extracted assistant instruction templates from dyld_shared_cache. Includes HomeKit summarizer, Wallet pass extractor, call-intelligence schemas, and other on-device directives. Useful for prompt design patterns + auditing privacy/attack surface.

Apple’s `container` repo documents “macOS Container Machines” — CLI-managed, container-capable VMs on macOS with details on networking, filesystem sharing, and limitations. A Docker Desktop alternative that makes the VM boundary explicit and scriptable.

Vincent Bernat documents a blogging pipeline that uses LLMs for copyediting/translation with explicit disclosure per post (icons + notes). Uses Claude Sonnet 4.5, DeepL, and Kagi, with concrete before/after edits and a year-by-year tool log.

GitHub/npm v12 (July 2026) tightens install defaults: lifecycle scripts blocked unless explicitly approved (`allowScripts`), and git/remote URL dependencies blocked unless allowed. Upgrade to npm 11.16.0+, run installs to see warnings, use `npm approve-scripts` and commit the allowlist.

EU Open Source Strategy: full-lifecycle OSS plan for “tech sovereignty” — procurement guidance, an Open Internet Stack catalogue, and a maintenance instrument for critical dependency mapping + mirroring. Focus is on keeping deps buildable/patchable, not just funding repos.

“AI is slowing down” argues the drag isn’t benchmarks — it’s ops: inference cost, latency, GPU limits, safety/regulation, and product integration. Useful framing for leaders shipping LLM features with real SLAs, not demoware.

Signal’s PDF warns the UK’s proposed age-verification + automated nudity scanning would require client-side content inspection on everyone’s devices. That creates a permanent, updateable surveillance mechanism at the OS/app layer—easy to expand beyond the original scope.

Jimmy Koppel’s “Software Design in the Age of AI” argues LLMs will automate low-level coding but amplify the need for explicit design intent. Focus: removing hidden coupling, human-led refactoring, and tools/agents that assist understanding vs “dark factory” automation.

“AI rockstar dev” failure mode: lots of LLM-generated code from ephemeral sessions → inconsistent patterns, naming, logging, retries, config schemas. The post argues for small guided snippets, slower architecture choices, and human curation to avoid unpayable tech debt.

Apple Core AI: framework + tooling (coreai-torch, coreai-build) to compile and run .aimodel assets on-device across iPhone/iPad/Mac/visionOS. Includes debugging/profiling and fine-grained memory control. Zero server dependency, optimized for Apple silicon.

0xsid documents a patched Instagram account takeover via Meta’s AI support flow: attacker gets support to change the linked email, then runs a standard password reset. 2FA is bypassed because account recovery becomes the new auth path.

“AI job grief” essay: argues AI disruption triggers a distinct grief pattern (identity loss + anticipatory mourning) because the threat is ongoing. Proposes an AIRD framing, pulls from clinical literature + Reddit incidents, and notes HR lacks rituals/language for it.

Many of you forgot too fast the insane amount of shitty software we had to see and suffer in the pre-AI era.

DBOS shows durable workflow execution on Postgres: job tables + `FOR UPDATE SKIP LOCKED`, advisory locks, LISTEN/NOTIFY, transactional retries, idempotent handlers. Fewer moving parts than a workflow engine, with trade-offs in long-running state machines + observability.

Walkthrough: patching a Yamaha THR10c guitar amp firmware via UART/JTAG. Uses FT2232H + OpenOCD to dump flash, disassemble, relink, patch, and reflash. A practical embedded RE pipeline from soldering pads to rebuilding images.

Bryce2 (1996)

Research shows a new web side‑channel: JavaScript can infer SSD I/O timing/patterns to fingerprint or track users without network beacons. It relies on storage access latency signals and could be mitigated via browser timer fuzzing, cache partitioning, or OS/firmware changes.

mlsu.io “Can we have the day off?” argues AI productivity gains should convert into shorter workweeks (e.g., Fridays off). It’s a management/redistribution take — automation savings get reclaimed by humans, not just more output.

`airtop`: terminal “htop for the airwaves” — live 802.11 dashboard with spectrum, per-station RSSI traces, frame-type activity feed, histogram, and AP list using braille/block graphics. Uses eBPF on mac80211/cfg80211 from a normal connected iface (no monitor mode).

Essay on “package managers that package package managers”: shipping npm/pip/etc inside products to make installs reproducible, at the cost of layered dependency resolution, harder security patching, and more complex upgrade/rollback paths for ops and maintainers.

DoomBench: a reproducible “Can it run DOOM?” benchmark for data stacks. It drives ingest/storage/query behavior with an unusual workload to expose tail latency, throughput limits, and operational failure modes across the full pipeline — not just microbenchmarks.

Starlette CVE‑2026‑48710 (“BadHost”) is an auth bypass via crafted Host header that can influence request.url.path and defeat path-based auth middleware. Affects Starlette <1.0.1 (many FastAPI AI services like vLLM/LiteLLM/MCP). Fix: upgrade to 1.0.1+.

Agent Trace RFC (v0.1.0, Jan 2026): vendor-neutral JSON schema to attribute repo changes to humans + AI agents. Supports file/line ranges, movement-resistant content hashes, VCS metadata, model IDs, and session/conversation URLs. Excludes legal/provenance/quality.

Article argues Wikipedia is drifting toward Big Tech’s anti-labor pattern — privatizing value created by volunteers and weakening the public knowledge commons. Useful lens on platform governance, incentive design, and the hidden supply chain risk of volunteer-run infra.

SignalBloom models when “offshore engineer + local/OSS LLM (DeepSeek as proxy)” beats frontier API economics. Uses token blend + cache-hit assumptions and salary inputs to argue frontier inference is ~10x pricier, and rising token use + better local models cap pricing power.

Qwen3.7-Max (Qwen) is an “agent-first” LLM release focused on tool use and orchestration. The writeup frames production concerns—latency, tool-call reliability, and safety/guardrails—aimed at shipping LLM-driven automation instead of just chat.

“Google Declaring War on the Web” breaks down how AI Overviews + SERP UI shifts cut publisher clicks while increasing crawl/hosting costs. Useful framing for building less search-dependent distribution and instrumenting for zero-click traffic.

Greg Wilson lists 12 ways orgs mis-measure AI-assisted coding: LOC, toy task timing, adoption/acceptance rates, etc. Argues for controlled studies and system-level metrics (review load, security, tech debt, long-term outcomes) instead of short-term output.

Forge: a Python reliability layer for self-hosted LLM tool-calling. Adds rescue parsing, retry nudges, step enforcement, and VRAM-aware context management. Ships an OpenAI-compatible proxy + clients for Ollama, llama-server, Anthropic to boost agent task success.

Un changement de libellé qui en dit plus qu'il n'y parait ...

During the last few weeks, the #Symfony core team has been hard at work fixing a long list of vulnerabilities for both #Symfony and #Twig. Today, we're publishing that work in the biggest security patch releases ever. Bare with us and wish us luck 🍀

OpenCode + llama.cpp + Qwen3.6: a local, self-hosted workflow to scan your repo for likely bugs. Walkthrough covers setup, prompt patterns, and trade-offs (model size vs latency/accuracy). Privacy-friendly LLM-assisted debugging without cloud deps.

FediMeteo runs many snac instances behind HAProxy using two separate caches (media vs ActivityPub JSON). It microcaches AP JSON for ~60s, strips/normalizes headers, reuses connections, and routes hosts via map files to reduce backend thread usage.

Anthropic acquired Stainless — a codegen stack that produces SDKs + CLIs across multiple languages and tooling for MCP servers. Goal: reduce integration friction for Claude apps/agents with consistent types, errors, pagination, retries, and connector scaffolding.

Qwen 3.7 preview from Alibaba — another open-weight LLM iteration to benchmark. Relevant if you run RAG/agents: check quality deltas, latency + cost at your real context length, and serve it via vLLM/TGI with quantization options for self-hosted inference.

Mozilla argues UK regulators shouldn’t age-gate or restrict VPNs. VPNs reduce tracking, mask location/IP, and protect high-risk users (journalists/activists). Proposal: focus on platform accountability, parental controls, and digital skills—not undermining privacy tools.

δ-mem: add a tiny 8×8 online associative memory to a frozen full-attention transformer. Update it with a delta-rule, read it out to generate low-rank attention corrections. Reports ~1.10× avg gain; bigger on memory-heavy MemoryAgentBench/LoCoMo. Self-contained “memory” without longer context or fine

AI SaaS per-seat + feature-tier subscriptions create lock-in and cost drift: usage scales with tokens and workflows, not headcount. The piece argues for treating LLMs like infra—gateways, logging, budgets, and swap-friendly model routing over vendor UIs.

Perfetto essay: don’t answer the first user question. Ask “why” to uncover missing context, wrong mental models, and hidden product paths. Concrete examples: trace splitting, plugin API, trace merge—better UX and fewer premature features.

`rk3562deb` documents turning an RK3562 Android tablet into a Debian workstation: bootloader + kernel + rootfs steps, scripts, and hardware/driver workarounds. Practical reference for low-cost ARM edge nodes where mainline support is the real constraint.

`mcusite`: serves a tiny website straight from an 8‑bit AVR. Implements a minimal TCP/IP stack + HTTP server under tight RAM/flash limits—static content, trimmed headers, small buffers, explicit retransmit logic. A clear demo of constrained networking trade-offs.

PVLDB 2026 “How to Write to SSDs”: retrofits LeanStore to use out-of-place writes + page packing/compression + “deathtime” grouping + ZNS/FDP-aligned placement (NoWA pattern). Reports 1.65–2.45× throughput and 6–10× fewer flash writes.

Bitsocial: open-source P2P networking layer for decentralized social apps. Clients discover peers and sync/replicate data without a central server or federation hub. Useful building block to compare with ActivityPub/Matrix when you want resilient, privacy-first sync.

Fits on a Floppy: a manifesto for intentionally small software—tiny binaries, minimal dependencies, low resource use, and designs that survive years of updates. Pushes back on feature bloat and stack sprawl in favor of privacy, simplicity, and longevity.

Semble: local CPU-only code search for LLM agents. Index a repo fast, answer queries in milliseconds, and return concise snippets (not whole files) to cut prompt tokens. Runs as an MCP server or via bash for Claude Code/Codex/Cursor. No API keys/GPU.

Reverse engineering Android malware with Claude Code — a practical APK workflow: jadx/decompile, have the LLM interpret obfuscated Java/Kotlin, extract IOCs, and draft YARA/Sigma detections. Emphasizes verification steps to avoid hallucinated findings.

GenCAD (MIT, MIT license): image-conditioned model that generates full parametric CAD command sequences (editable CAD programs), not meshes. Uses transformer encoders + contrastive multimodal reps + a latent diffusion prior to sample manufacturable CAD artifacts.

I have this old NAS from Buffalo I bought in 2007 (LH-CHL 1.0). Just upgraded to something more moder. I opened the case to see if the controller card can run linux on it's own 🏴‍☠️ Let's investigate 👀 Some note: made in Japan. Also the LED indicator shape is... interesting #linux #oldtech

SecurityBaseline.eu scans ~200k EU government domains (32 countries) and publishes 21 security metrics as traffic-light maps. Findings include 3,081 sites setting tracking cookies, 1,070 publicly reachable phpMyAdmin panels, and ~99% email failing current TLS/mail guidelines.