Mitchell Hashimoto, GitHub user #1299 since February 2008, announced Ghostty will leave GitHub due to near-daily outages that block his team from working. He describes GitHub as profoundly personal — he credits it with shaping his career, started Vagrant partly hoping it would get him hired there, and has spent much of his daily life on the platform. Over the past month he tracked outages in a journal, finding nearly every day marked with an "X" for service disruption, including a two-hour GitHub Actions failure on the day he wrote the post. He clarifies the decision predates the large April 27, 2026 Elasticsearch outage and was months in the making. Ghostty plans an incremental migration while keeping a read-only GitHub mirror; the final destination — commercial or FOSS — is still being finalized. His personal projects will remain on GitHub for now, and he expressed hope GitHub will eventually improve.
Open source hosting evolved from personal Trac/Subversion setups and SourceForge to GitHub's centralized dominance, now facing fragmentation. Pre-GitHub, dependencies carried real commitment — projects had known maintainers, release processes, and reputation weight; micro-dependency culture didn't exist. GitHub eliminated publishing and consumption friction and accidentally became a long-term archive where abandoned projects and discussions stayed discoverable. Today it faces criticism for product instability, Copilot AI noise, absent leadership, and maintainer-hostile workflows; Ghostty, Strudel, and Tenacity are migrating to Codeberg. Decentralization risks losing fragile social context — issues, reviews, and design discussions disappear far more easily than code. Google Code and Bitbucket show how corporate-tied project homes fail. The author calls for a publicly funded, endowment-backed archive so open source memory doesn't depend on GitHub's continued health.
A security researcher fabricated a "6 Nimmt! World Championship" via a $12 domain and one Wikipedia edit, tricking multiple frontier LLMs into confidently repeating the false claim. The circular citation exploit places a fake press release on a custom domain, cites it from Wikipedia, and LLMs interpret two apparently corroborating sources that are actually one. Three stacked failure modes amplify the risk: retrieval (LLMs inherit search-result trustworthiness), training corpus (Wikipedia edits absorbed permanently into future model weights), and the agent layer (agents acting on poisoned sources can trigger harmful real-world actions). The attack took only twenty minutes—far cheaper than training-time poisoning. Scaled by state actors, coordinated campaigns across low-traffic articles could corrupt narratives on politics, health, or survival. Proposed mitigations include provenance-first UX, heuristic filters for Wikipedia edits citing freshly registered domains, and updated Wikipedia policy on single-source citations. The Wikipedia edit was removed within minutes of publication, but models trained before the revert permanently retain the fabricated fact.
Warp, an agentic development environment born from the terminal, has open-sourced its client codebase under a dual license: the UI framework crates (warpui_core and warpui) under MIT, and the remainder under AGPL v3. OpenAI is the founding sponsor of the new repository, with agentic management workflows powered by GPT models. Users can bring their own CLI agents, including Claude Code, Codex, and Gemini CLI. The contribution workflow uses readiness labels — ready-to-spec and ready-to-implement — to guide community contributors from issue triage through code submission. Building from source requires three scripts: bootstrap for platform setup, run for building, and presubmit for formatting, linting, and tests. Warp highlights several open-source dependencies that helped it launch, and maintains a Code of Conduct enforced via email reporting.
Intel's Arc Pro B70 doubles the B50's Xe2 cores and VRAM to 32 GB at $950, targeting AI inference with 230W TDP and 608 GB/s bandwidth. It undercuts AMD's R9700 by ~30% while matching its 32 GB VRAM, and beats NVIDIA's RTX 2000 Blackwell on VRAM at $200 more. In most professional workloads—Premiere, DaVinci Resolve, Blender, Unreal Engine—it outperforms the 2000 Blackwell but trails the R9700, fitting its price tier. NVIDIA leads in After Effects and Lightroom Classic; the B70 leads in Revit and dominates MLPerf inference, beating R9700 and 4000 Blackwell by 7% and the 2000 Blackwell by 98% in token generation. Intel's Xe2 architecture (SIMD16, next-gen XMX engines) and driver work contribute measurable gains over Alchemist. The card includes ECC memory, dual 8K media engines, and certified drivers for Adobe, Autodesk, and Dassault Systèmes ISVs. Reviewers note the B70 is "unbalanced" for general use—VRAM exceeds raw compute for many workloads—but 32 GB makes it compelling for multi-GPU inference workstations targeting 70B+ models at 96–128 GB pooled VRAM.
A developer built a playable DOOM MCP app that renders inline in ChatGPT and Claude, with a plain URL fallback for clients that do not support inline rendering. It uses cloudflare/doom-wasm for the runtime and Freedoom Phase 1 to stay redistributable. The architecture is lean: a TypeScript MCP server with two tools—create_doom_session for inline hosts and get_doom_launch_url for fallback—a /doom/play browser shell, a signed-token session, and Netlify hosting. The main challenge was session compatibility across clients with different iframe, CSP, and UI rules; the solution was running the DOOM canvas directly in the host iframe rather than nesting iframes, eliminating a class of frame-src and CSP failures. Debugging involved WAD path resolution, blob-backed preload issues, and Netlify packaging; the blob preload was replaced by writing WAD/config directly into the Emscripten filesystem. Features like save/load and screenshots were cut in favor of a leaner, more stable design. The project partially works on ChatGPT and Claude iOS apps as well.
CJIT is a tiny, portable C compiler and interpreter—under 2MB in a single binary—built by Jaromil and the Dyne.org crew, inspired by Terry Davis's HolyC and based on Fabrice Bellard's TinyCC. It targets Windows, macOS, and Linux without requiring a license agreement or IDE, and supports hooking into any dynamic library for rapid C development. The project supports graphical apps via SDL (originally by Sam Lantinga, 1998), with batteries-included demos. Linux compatibility is limited to Ubuntu 24.04 specifically; the binary fails on Arch due to a missing libgcc_s.so.1 path seemingly loaded via dlopen. TUI demos work but SDL examples have unresolved symbol issues. The website has UX rough edges including a broken tutorial nav link and a visually compressed font. The hello-world example uses fprintf(stderr,...) rather than stdout, which diverges from convention.
Wiz Research discovered CVE-2026-3854, a critical RCE flaw in GitHub's git infrastructure affecting GitHub.com and GitHub Enterprise Server. The flaw is in babeld, the git proxy, which embeds push option values (git push -o) verbatim into the X-Stat header — a semicolon-delimited key=value protocol — without sanitization. The header's last-write-wins semantics mean an injected semicolon creates attacker-controlled fields. Chaining three injections (rails_env, custom_hooks_dir, repo_pre_receive_hooks) bypasses the pre-receive sandbox, redirects hook lookup, and executes arbitrary binaries as the git user. On GitHub.com, injecting an enterprise-mode flag completed the chain on shared storage nodes hosting millions of cross-tenant repositories. Wiz confirmed the git user's permissions would expose any repository on a compromised node, validating with only their own test accounts. GitHub fixed GitHub.com within 6 hours of the March 4 report and released GHES patches March 10, but 88% of instances remain unpatched at disclosure. The find was enabled by AI-augmented reverse engineering via IDA MCP, one of the first critical CVEs uncovered in closed-source binaries using AI.
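The delimiter-injection class described above, as an added example that is not Wiz's or GitHub's code: a toy model of a semicolon-delimited key=value header, showing the verbatim-embedding builder beside an encoding builder and a parser that refuses duplicate keys. The field name push_option_<n> and all values are assumptions constructed for the illustration.

```python
from urllib.parse import quote, unquote

# Constructed sample data. "push_option_<n>" is a hypothetical field name;
# rails_env and custom_hooks_dir are the field names quoted in the summary.
TRUSTED = {"rails_env": "production", "custom_hooks_dir": "/constructed/hooks"}
PUSH_OPTIONS = ["ci.skip", "x;rails_env=constructed-override"]


def build_unsafe(trusted, push_options):
    """Vulnerable pattern: client-supplied values are embedded verbatim."""
    parts = [f"{k}={v}" for k, v in trusted.items()]
    parts += [f"push_option_{i}={o}" for i, o in enumerate(push_options)]
    return ";".join(parts)


def parse_last_write_wins(header):
    """Parser with the semantics the summary describes: later duplicates win."""
    fields = {}
    for part in filter(None, header.split(";")):
        key, _, value = part.partition("=")
        fields[key] = value  # silently replaces an earlier trusted value
    return fields


def build_safe(trusted, push_options):
    """Hardened builder: percent-encode every value so it cannot carry a delimiter."""
    parts = [f"{k}={quote(v, safe='')}" for k, v in trusted.items()]
    parts += [f"push_option_{i}={quote(o, safe='')}"
              for i, o in enumerate(push_options)]
    return ";".join(parts)


def parse_strict(header):
    """Defense in depth: reject malformed or duplicate fields, then decode values."""
    fields = {}
    for part in filter(None, header.split(";")):
        key, sep, value = part.partition("=")
        if not sep or key in fields:
            raise ValueError(f"malformed or duplicate field: {key!r}")
        fields[key] = unquote(value)
    return fields


if __name__ == "__main__":
    weak = build_unsafe(TRUSTED, PUSH_OPTIONS)
    print("unsafe header :", weak)
    print("rails_env seen:", parse_last_write_wins(weak)["rails_env"])
    safe = build_safe(TRUSTED, PUSH_OPTIONS)
    print("safe header   :", safe)
    print("rails_env seen:", parse_strict(safe)["rails_env"])
```

Encoding at the point where untrusted input enters the header and rejecting duplicates at the point where it is parsed are independent controls; either one alone stops the override in this model.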
Google announced in August 2025 that starting September 2026, all Android developers globally must register with Google, pay a fee, submit government ID, and list signing keys — covering every distribution channel, not just the Play Store. This threatens F-Droid, hobbyist projects, corporate internal apps, and open-source tools. Over 69 organizations from 21 countries signed an open letter opposing it, with F-Droid calling it an "existential" threat. Google offers an "advanced flow" opt-out, but critics note the 9-step process includes a mandatory 24-hour wait and runs through proprietary Play Services, allowing Google to silently revoke it. The EFF and Cory Doctorow argue certifying developers rather than code does nothing for security but creates an identity database governments can exploit to target privacy-tool developers and activists. Developers from sanctioned countries, minors, and pseudonymous contributors face systematic exclusion. EU regulators are examining potential Digital Markets Act violations, while critics frame the move as Google consolidating monopoly control following its loss in the Epic Games antitrust case.
GitHub exposes mail-style patch exports at .patch URLs, and a security researcher discovered that GNU patch cannot reliably distinguish between the actual diff exported from a commit and diff-shaped text embedded in the commit message. Using a public demo repo, the real commit changes only readme.md, but a fake unified diff embedded in the commit message creates SHOULD_NOT_BE_HERE.md — and running wget plus patch -p1 on the exported .patch file applies both silently. The researcher also tested targeting .git/hooks/post-applypatch locally, which patch accepted without complaint. git apply and git am behaved slightly better by rejecting .git/... paths, but both still accepted injected diffs for ordinary working-tree files. The vulnerability is noteworthy because wget/curl plus patch is a common, decades-old workflow for moving patches between machines. Responsibility for the flaw is unclear — it could belong to GNU patch, GitHub's .patch export format, or the broader patch-format contract itself.
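A pre-apply audit for the workflow described above, as an added example that is not the researcher's code: it lists every file named by a unified-diff header pair anywhere in a downloaded .patch file, commit message included, and compares that list with the files the reviewer expects. The sample patch is constructed, and the check covers unified-diff headers only, not context diffs or ed scripts.

```python
# Constructed sample: a mail-style patch whose commit message carries a
# diff-shaped block ahead of the real diff for readme.md.
SAMPLE = """From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Example Author <author@example.invalid>
Date: Mon, 1 Jan 2024 00:00:00 +0000
Subject: [PATCH] Update readme

Tidy the readme.

--- /dev/null
+++ b/SHOULD_NOT_BE_HERE.md
@@ -0,0 +1 @@
+constructed marker line
---
 readme.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/readme.md b/readme.md
index 1111111..2222222 100644
--- a/readme.md
+++ b/readme.md
@@ -1 +1,2 @@
 hello
+world
"""


def patch_targets(patch_text, strip=1):
    """Paths named by any '--- x' / '+++ y' header pair, after -pN stripping.

    The whole file is scanned with no attempt to separate message from diff,
    because that separation is exactly what cannot be trusted here.
    """
    lines = patch_text.splitlines()
    targets = []
    for prev, cur in zip(lines, lines[1:]):
        if prev.startswith("--- ") and cur.startswith("+++ "):
            for raw in (prev[4:], cur[4:]):
                name = raw.split("\t")[0].strip()  # drop optional timestamp
                if name == "/dev/null":
                    continue
                stripped = "/".join(name.split("/")[strip:])
                if stripped and stripped not in targets:
                    targets.append(stripped)
    return targets


def audit(patch_text, expected, strip=1):
    """Return (path, reason) for every target the reviewer did not expect."""
    findings = []
    for path in patch_targets(patch_text, strip):
        parts = path.split("/")
        if ".git" in parts:
            findings.append((path, "inside .git"))
        elif ".." in parts:
            findings.append((path, "path traversal"))
        elif path not in expected:
            findings.append((path, "not in expected file list"))
    return findings


if __name__ == "__main__":
    for path, reason in audit(SAMPLE, expected={"readme.md"}):
        print(f"refusing to apply: {path} ({reason})")
```

The expected file list has to come from somewhere other than the patch file itself, for example the commit's changed-files view, since the diffstat inside the file is as forgeable as the message.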
Waymo has announced expansion to Portland, Oregon, beginning with manually-driven mapping operations before autonomous deployment. The company cites a 13x reduction in serious injury crashes in existing markets and has secured support from Mayor Keith Wilson and MADD, framing the service as a tool for Portland's Vision Zero traffic fatality goals. The announcement lands as TriMet faces a $300M budget shortfall—cutting staff, routes, and light rail service—while a state payroll tax repeal ballot measure threatens further funding losses. Portland's city council is simultaneously debating driver pay caps for Uber and Lyft. The city's mix of streetcars and light rail raises operational concerns, given a 2026 Phoenix incident where a Waymo became stuck on tracks. Privacy worries surround in-car cameras despite Waymo's stated "no plans" for ad targeting. Critics also challenge the blog post's characterization of Portland as "always a pioneer in urban design," citing the city's documented history of explicitly racist planning and segregation.
Anthropic's Claude services suffered a 78-minute outage on April 28, 2026, from 17:34 to 18:52 UTC, affecting claude.ai, Claude Console, the Anthropic API, Claude Code, Claude Cowork, and Claude for Government. The incident began as an inability to access Claude.ai, escalated to include elevated API errors and authentication failures on login paths for Claude Code, and was fully resolved by 18:52 UTC. Anthropic identified the root cause during the incident and posted status updates at roughly 10–20 minute intervals. All services were confirmed returned to normal with continued monitoring after resolution.
The author officially retired from Emacs after 20 years, completing a gradual transition to Vim and modal editing. To fully cut ties, he built two native C++ GUI applications with wxWidgets: stackcalc (a replacement for M-x calc using GMP and MPFR for multi-precision arithmetic) and Elfeed2 (a rewrite of his popular RSS reader Elfeed, maintained for 13 years). The Emacs Calculator lacked any suitable external replacement, so his clone covers personal usage but omits esoteric features like symbolic processing. Elfeed2, completed in just a couple of days with AI assistance, already surpasses the original despite not yet hitting 1.0. He chose wxWidgets over Qt (lighter weight, CMake FetchContent compatible) and Dear ImGui (unsuitable for passive-rendering apps left running all day), noting wxWidgets works better than expected despite character encoding issues and accidental quadratic-time operations. Both projects build with just a C++ toolchain and CMake on Windows, macOS, and Linux. He is seeking new maintainers for his remaining active Emacs packages; if none step forward, projects will be archived but not deleted.
LocalSend is a free, open-source cross-platform file transfer app that operates without internet by communicating over a local network using a REST API with HTTPS encryption and on-the-fly TLS/SSL certificates per device. It supports Windows, macOS, Linux, Android, iOS, and Fire OS, distributed via Winget, Homebrew, Flathub, Play Store, F-Droid, and others. It communicates over port 53317 (TCP/UDP) and requires AP isolation to be disabled on the router for device discovery; Windows users must set their network to "Private." Built with Flutter and Rust, it offers a portable mode via a settings.json file placed alongside the executable, and a --hidden flag for tray-only startup. Minimum platform versions include Android 5.0, iOS 12.0, macOS 11 Big Sur, and Windows 10 (v1.15.4 is the last release supporting Windows 7). The LocalSend protocol is publicly documented, and contributions are welcomed via Weblate for translations or GitHub pull requests for bug fixes.
Warp, the AI-powered developer terminal, is open-sourcing its client under an AGPL license at github.com/warpdotdev/warp, with OpenAI as founding sponsor. The company's novel approach uses its "Oz" cloud agent orchestration platform—powered by GPT models—to let community members supervise agents rather than write code directly, with humans focusing on product direction and verification. Warp cites competitive pressure from better-funded closed-source rivals and limited internal bandwidth as primary drivers. Alongside the launch, Warp is shipping support for more open models (Kimi, MiniMax, Qwen) with an "auto (open)" routing mode, a programmatic settings file, and UI customization ranging from a minimal terminal to a full agentic development environment (ADE). Public GitHub issues will become the official roadmap, moving product discussions into the open. Warp's founders note the plan to open-source has been in place since the company's founding five years ago, and believe a diverse contributor community plus structured agent orchestration will produce results beyond what an internal team could achieve alone.
VibeVoice is Microsoft's open-source family of frontier voice AI models covering TTS and ASR. The core innovation is continuous speech tokenizers at 7.5 Hz paired with a next-token diffusion framework: a Qwen2.5 LLM backbone handles context while a diffusion head generates audio. The ASR model (7B) processes 60 minutes in a single 64K-token pass, jointly performing transcription, speaker diarization, and timestamping across 50+ languages with custom hotwords — preserving speaker continuity lost by chunk-based models. The TTS model (1.5B), an ICLR 2026 Oral, synthesized 90-minute multi-speaker audio with up to 4 speakers but was removed after misuse for deepfakes. A 0.5B Realtime model remains, offering streaming TTS at ~300ms first-latency with voices in 9 languages. The ASR is now in Hugging Face Transformers with vLLM support. Microsoft warns against commercial use, citing deepfake risks and biases inherited from the Qwen2.5 base model.
Neuroscientists described BTSP (behavioral timescale synaptic plasticity), a newly identified neuroplasticity form enabling single-experience learning. Discovered in 2014 by Jeffrey Magee's team recording hippocampal dendrites in live rodents, a single dendritic plateau potential caused place cells to fire at a location 99.5% of the time after one exposure — previously thought to require repeated Hebbian firing. Unlike Hebbian plasticity (milliseconds), BTSP spans six to eight seconds, better matching real behavioral timescales. The mechanism involves eligibility traces tagging recently active synapses, which are strengthened when a plateau potential spreads voltage across the dendrite; CaMKII protein plays a key molecular role by increasing receptor surface area. BTSP may also solve the credit assignment problem by reinforcing only contextually relevant neurons. Confirmed mainly in the hippocampus, some researchers debate whether it truly differs from a broadly defined Hebbian framework. Most agree BTSP complements rather than replaces Hebbian learning, with Hebbian plasticity dominating early brain development and BTSP more prominent in adult episodic memory formation.
Lumara is a free, privacy-first iOS and Android app built by a solo U.S. Army veteran developer that displays live solar imagery from NASA's Solar Dynamics Observatory — updated every ~15 minutes across 12 wavelengths ranging from the 5,000 K surface to 10 MK flare plasma. It tracks moon phases offline using Jean Meeus's Astronomical Algorithms (accurate to minutes), and monitors solar flares (B–X scale), coronal mass ejections (up to 3,000 km/s), and geomagnetic storms (G1–G5) via NASA's DONKI database in real time. Users select a city from a local list — no GPS, no account, no data transmission — and all solar and lunar images are fetched directly from NASA/ESA servers. The app is completely free with no premium tier, no ads, and no in-app purchases, and is now live on both the App Store (universal iPhone/iPad) and Google Play.
In January 2026, federal agents shot and killed Renee Good, a 37-year-old mother of three, during Minneapolis protests against immigration raids; DHS immediately labeled her an "anti-ICE rioter" who committed "an act of domestic terrorism" before fully gathering facts. Days later, on January 16, DHS expanded no-fly zones to prohibit drones within 3,000 lateral feet and 1,000 vertical feet of federal facilities. Critically, for the first time these zones extended to DHS ground vehicles — even unmarked ones, even while in motion, and even on routes that had not been publicly announced. Government agencies were granted authority to shoot down or seize drones deemed a "credible safety or security threat," with civil and criminal penalties for operators. This created effectively invisible, moving no-fly zones impossible for the public to anticipate or avoid. The policy immediately chilled journalists like Rob Levine, a Minneapolis-based freelance photojournalist with nearly 40 years of experience, who has used DJI quadcopter drones since 2016 to document protests, rivers, and city life, and who stopped flying immediately upon seeing the notice.
AISLE, an AI security firm, discovered 38 CVEs in OpenEMR — an open-source EHR platform used by over 100,000 providers and 200 million patients — during Q1 2026, surpassing the 23 vulnerabilities found in its most notable prior 2018 audit. The flaws fall into three categories: authorization failures including IDORs and missing ACL checks (24 CVEs), stored and reflected XSS (9 CVEs), and SQL injection plus path traversal (5 CVEs). Two SQL injection vulnerabilities scored CVSS 10.0: one in the Patient REST API's _sort parameter enabling UNION SELECT attacks, blind SLEEP() injection, and potential RCE via FILE privileges; another in the Immunization module's patient_id field with identical impact. A FHIR CareTeam endpoint exposed all patient records regardless of token scope due to a missing PHP interface declaration. OpenEMR maintainers fixed the bulk of issues in version 8.0.0 on February 11, 2026, with remaining patches landing through March. AISLE has since integrated its commit analyzer into OpenEMR's CI pipeline to catch vulnerabilities at code review before they reach production.
Original title: Drive any native macOS app in the background — agents click, type, and verify without stealing the cursor, focus, or Space, even on non-AX surfaces like Chromium web content and canvas-based tools (Blender, Figma, DAWs, game engines). Use with the CLI or MCP server for Claude Code, Cursor, and custom clients. Every session records as a replayable trajectory. Cua is an open-source Python framework (3.11+) for building AI agents that autonomously control computers — macOS, Linux, Windows, and Android — both locally via QEMU and in the cloud. Its headline feature is a background automation driver for native macOS apps that avoids stealing cursor focus or switching Spaces, even on non-Accessibility surfaces like Chromium web content and canvas-based tools such as Blender and Figma. The unified API exposes shell execution, screenshots, mouse clicks, keyboard input, and multi-touch gestures across all supported platforms. A companion CLI, cuabot, runs agents in sandboxed desktop windows with H.265 video, shared clipboard, and audio. The lume component manages macOS and Linux VMs on Apple Silicon using Apple's Virtualization.Framework for near-native performance. A benchmarking suite, cua-bench, supports evaluating agents on standard datasets like OSWorld and ScreenSpot with trajectory export for RL training. Every session records a replayable trajectory. Integration with Claude Code and Cursor is available via MCP server. The project is MIT licensed, though the optional ultralytics dependency via cua-agent[omni] carries AGPL-3.0 terms.
Supply chain attacks from Nov 2024 through April 2026 trace to GitHub Actions misconfigurations, not maintainer error. The pull_request_target trigger grants full secret access to fork-checkout jobs, enabling the spotbugs breach that cascaded through reviewdog to tj-actions, leaking secrets from 23,000 repos. Ultralytics was hit via cache poisoning through the same trigger, shipping a crypto miner to PyPI. The nx build system fell to template injection when a PR title ran shell code with an npm token in scope, briefly exposing thousands of private repos. Trivy was compromised twice: via pull_request_target, then via force-pushed version tags using harvested credentials. Elementary-data fell in ten minutes via an issue_comment trigger echoing unsanitized input to bash. Common factors: mutable action tags, default write GITHUB_TOKEN, unsafe ${{}} shell expansion, and cross-trust-boundary caches. GitHub's security roadmap adds SHA lockfiles, scoped secrets, and egress firewalls — all opt-in, leaving the long tail of public repos exposed. OIDC trusted publishing now chains registry integrity to GitHub Actions security. Zizmor and SHA pinning are the most actionable immediate defenses.
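The common factors listed above, turned into a small workflow check as an added example; it is not zizmor and not code from the article. It is a line-based heuristic rather than a YAML parser, the rule names are assumptions, and both sample workflows and the 40-character SHA are constructed.

```python
import re

USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PINNED = re.compile(r"@[0-9a-f]{40}$")  # full commit SHA, not a tag or branch
UNTRUSTED = re.compile(r"\$\{\{\s*github\.(?:event\.|head_ref)")
RISKY_TRIGGERS = re.compile(r"\b(pull_request_target|issue_comment)\b")

WEAK = """\
name: pr-check
on:
  pull_request_target:
    types: [opened]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "Building ${{ github.event.pull_request.title }}"
"""

HARDENED = """\
name: pr-check
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Building $PR_TITLE"
"""


def lint_workflow(text):
    """Return (line_number, rule) pairs; line 0 means a file-level finding."""
    findings, in_on, run_col, risky = [], False, None, False
    if not re.search(r"^permissions:", text, re.M):
        findings.append((0, "default-token-permissions"))
    for n, line in enumerate(text.splitlines(), 1):
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        # Only trigger names inside the top-level `on:` block count.
        if indent == 0:
            in_on = body.startswith("on:")
        if in_on and (m := RISKY_TRIGGERS.search(body)):
            risky = True
            findings.append((n, "risky-trigger:" + m.group(1)))
        # A run script ends at the first line indented no deeper than its key.
        if run_col is not None and indent <= run_col:
            run_col = None
        if re.match(r"^\s*(?:-\s*)?run:", line):
            run_col = line.index("run:")
        # Expressions are expanded into the script text before the shell runs it.
        if run_col is not None and UNTRUSTED.search(body):
            findings.append((n, "expression-in-shell"))
        m = USES.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            if not PINNED.search(m.group(1)):
                findings.append((n, "unpinned-action"))
        if risky and body.startswith("ref:") and "github.event.pull_request.head" in body:
            findings.append((n, "fork-checkout-with-secrets"))
    return findings


if __name__ == "__main__":
    for line_no, rule in lint_workflow(WEAK):
        print(f"line {line_no}: {rule}")
```

In the hardened sample the pull request title reaches the script through an environment variable, so the shell sees it as data rather than as part of the command text.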
Researchers introduce talkie-1930-13b, a 13B LM trained on 260B tokens of pre-1931 English text—books, newspapers, patents, journals, case law—to study generalization free from modern contamination. Vintage LMs enable testing whether models predict post-cutoff events, independently derive later discoveries like General Relativity, or learn Python from in-context examples without code in training data. The model underperforms a FineWeb-trained twin on benchmarks, largely due to OCR noise—conventional OCR yields 30% of human-transcribed performance, improving to 70% with regex cleaning. Post-training used historical texts (etiquette manuals, cookbooks, encyclopedias) for instruction pairs, then direct preference optimization with Claude as judge, raising instruction-following from 2.0 to 3.4 out of 5. Despite n-gram anachronism filtering, the model retains WWII and postwar knowledge, indicating incomplete leakage removal. The team plans GPT-3-scale training this summer, a trillion-token multilingual corpus, and a bespoke vintage OCR system. Alec Radford, key to the original GPT models, is among the authors.
C++26's std::define_static_array simplifies the "constexpr two-step" — a workaround needed because constexpr heap allocations can't persist to runtime, barring constinit std::vector globals. The two-step calls a constexpr function twice: once to get the size, then again to populate a std::array. define_static_array instead emits a constexpr range as a span<const T> directly into the object file, which is cleaner and more compile-time-efficient. However, it has four limitations compared with the two-step: it requires structural types (excluding optional, string, span); it can't store pointers to string literals since those aren't valid template arguments; it can't work with move-only types since NTTPs must be copyable; and it only produces const rodata, making mutable static arrays impossible. Array objects from define_static_array are permitted but not required to be coalesced across different element types. Barry Revzin's P3380R1 could resolve the first three by expanding NTTP support to user-annotated types, though with arcane syntax. The author anticipates a future code-generation reflection facility to more fully supersede the two-step.
ASML (spun from Philips in 1984) monopolizes EUV lithography, the only process enabling sub-5nm chip production, with machines priced above $120M and a $400B+ market cap. EUV uses laser pulses on falling tin droplets to generate 13.5nm plasma light, reflected via ultra-precise mirrors to print 3nm-scale features onto silicon wafers. Modular outsourced design enabled fast repairs; US DOE EUV LLC membership and the 2001 acquisition of Silicon Valley Group cemented ASML's IP lead over Nikon and Canon. ASML defeated Nikon's 157nm dry approach via immersion lithography (water-bent 193nm light) and the TWINSCAN dual-stage architecture that eliminated idle machine time. In 2012, ASML sold 23% equity to Intel, TSMC, and Samsung, acquired light-source maker Cymer for $2.5B, and working as "one team" with TSMC achieved 500 wafers/day throughput, enabling commercial EUV by 2019. Decades of tacit knowledge embedded across 5,000+ suppliers — including optics firm Zeiss and laser maker Trumpf — makes replication nearly impossible; China's systematic hiring of former ASML engineers has not closed the gap.
Dominik Behr built an SGI Indy (MIPS R4400) emulator in Rust with heavy AI assistance from Claude and Gemini, framing it as an experiment in "vibe coding." The emulator boots both IRIX 6.5 and 5.3 to multiuser mode with working networking (ping, telnet, ftp), X11/Newport REX3 graphics, and mouse/keyboard input via PS/2 emulation. A three-tier Cranelift-based JIT compiler translates MIPS basic blocks to native x86_64, progressing from ALU-only through loads to full store support based on execution frequency, with hot block profiles persisting across sessions. A separate REX3 graphics JIT compiles specialized per-DrawMode "shaders" for the draw pipeline in the background. Copy-on-write disk overlay protects the base image from corruption during development. Known limitations include failures with old Gentoo MIPS liveCDs and NetBSD hanging on a white screen. The project requires a raw IRIX 6.5.22 disk image (convertible from the MAME IRIX image) and optionally an Indy PROM binary. A rules/ directory documents hard-won JIT and IRIX debugging lessons intended for both humans and AI assistants. The project is BSD 3-Clause licensed and accepts bug reports and merge requests.
GitHub Copilot code reviews will begin consuming GitHub Actions minutes on private repositories starting June 1, 2026, while public repos remain unaffected. The change stems from Copilot's agentic tool-calling architecture running on GitHub-hosted runners, triggering dual billing: Actions minutes drawn from existing plan entitlements plus AI Credits under a new usage-based model. This affects Copilot Pro, Pro+, Business, and Enterprise plans, including reviews from non-licensed users billed via direct org billing. Until June 1, reviews draw only from premium request unit (PRU) allowances and no Actions minutes are charged. GitHub recommends billing managers review current Actions usage, confirm budget and spending limits, and monitor consumption via Copilot metrics, Actions metrics, and Billing Usage Reports. No additional runner setup is required if GitHub-hosted runners are already enabled, and self-hosted runners remain an option. Organizations can set budgets to cap Actions spending beyond included plan entitlements.