Bugs Rust won’t catch
In April 2026, Canonical disclosed 44 CVEs in uutils, the Rust reimplementation of GNU coreutils that ships by default since 25.10. Most of them came out of an external audit commissioned ahead of the 26.04 LTS. I read through the list and thought there’s a lot to learn from it. What’s notable is that all […]
We decreased our LLM costs with Opus

Last week we wrote about feeding terabytes of CI logs to an LLM. Most of the questions on Hacker News weren’t about the logs. They were about the agent: which models, how they coordinate, and how much it all costs. Today we run Opus 4.6 and pay less than when we ran everything on Sonnet […]
Claude system prompt bug wastes user money and bricks managed agents

Regression summary: Issue #47027 was closed by @bcherny in February saying “This was fixed in v2.1.92.” I’m running v2.1.111 (19 versions past the fix) and the exact same behavior reproduces reliably. The below is still injected into every Read and Grep (content mode) tool result, and it’s still causing subagents to refuse legitimate code edits […]
ChatGPT serves ads. Here’s the full attribution loop

OpenAI’s ad platform has two halves. On the ChatGPT side, the backend injects structured single_advertiser_ad_unit objects into the conversation SSE stream while the model is responding. On the merchant side, a tracking SDK called OAIQ runs in the visitor’s browser and reports product views back to OpenAI. The two are tied together by Fernet-encrypted click […]
Claude for Creative Work

Creative professionals look to technology to expand what’s possible in their work. Claude can’t replace taste or imagination, but it can open up new ways of working—faster and more ambitious ideation, a more expansive skill set, and the ability for creatives to take on larger-scale projects. AI can also help shoulder the parts of the […]
Carrot Disclosure: Forgejo
Since Fedora moved from Pagure to Forgejo, I finally had an incentive to take a good look at Forgejo’s security posture. The results aren’t pretty to be honest: SSRF in a lot of places, no CSP/Trusted-Types, a bit of ghetto templating in javascript, cryptographic malpractices, overlooks in the authentication mechanisms (OAuth2, OTP, sessions/access handling, post-compromission […]
Before GitHub

Written on April 28, 2026. GitHub was not the first home of my Open Source software. SourceForge was. Before GitHub, I had my own Trac installation. I had Subversion repositories, tickets, tarballs, and documentation on infrastructure I controlled. Later I moved projects to Bitbucket, back when Bitbucket still felt like a serious alternative place for […]
I won a championship that doesn’t exist

Or How I Learned To Poison The LLM Supply Chain. I am the reigning 6 Nimmt! World Champion. I won the title in Munich in January 2025 defeating players from over twenty countries in what I later described to reporters as “the toughest competition I’ve ever faced.” 6nimmt.com In reality, there is no 6 Nimmt! […]
Ghostty is leaving GitHub
Writing this makes me irrationally sad, but Ghostty will be leaving GitHub. I’m GitHub user 1299, joined Feb 2008. Since then, I’ve opened GitHub every single day. Every day, multiple times per day, for over 18 years. Over half my life. A handful of exceptions in there (I’d love to see the data), but I […]
OpenAI models coming to Amazon Bedrock: Interview with OpenAI and AWS CEOs

Good morning, As I noted yesterday, today’s Stratechery Interview is early in terms of my timing — Tuesday instead of Thursday — and late in terms of delivery — 1pm Eastern instead of 6am — because the topic was embargoed. That embargo created a bit of a weird situation for me over the last several […]