Alvaro Lopez Ortega / 2025-04-22 Briefing

Created Tue, 22 Apr 2025 22:33:05 +0000 Modified Sun, 18 May 2025 18:47:07 +0000
9295 Words

Valkey replaces Redis in Arch Linux following license changes; web infrastructure faces increased bot traffic and security concerns; Gemini introduces Veo 2-powered video generation for AI Premium subscribers; Google’s Gemma 3 models now optimized for consumer GPUs; US electricity milestone as fossil fuels fall below 50% for first time; and TLS certificate lifetimes will reduce to 47 days by 2029.

▶️ Internet Infrastructure

Arch Linux - News: Valkey to replace Redis in the [extra] Repository

Key Facts

  • Valkey, a high-performance key/value datastore, will replace Redis in the extra repository
  • The change follows Redis’s license modification from BSD-3-Clause to RSALv2 and SSPLv1 on March 20, 2024
  • Arch Linux package maintainers will support the redis package for approximately 14 days from April 17, 2025, after which it will be moved to the AUR and no longer receive updates

Summary

Arch Linux announced that Valkey, a high-performance key/value datastore, will replace Redis in the extra repository due to Redis changing its license to RSALv2 and SSPLv1 on March 20, 2024. The redis package will be supported for about 14 days from April 17, 2025, allowing users to transition smoothly to Valkey; after this period, the redis package will be moved to the AUR and considered deprecated with no further updates. Users are advised to begin migrating their Redis usage promptly to avoid issues post-transition.

Man who built ISP instead of paying Comcast $50K expands to hundreds of homes - Ars Technica

Key Facts

  • Jared Mauch received $2.6 million in government funding to expand his fiber-to-the-home ISP in rural Michigan.
  • The project will extend his network by 38 miles, serving approximately 596 addresses, with a total funding of $2,618,958.03.
  • Mauch’s service offers 100 Mbps symmetrical internet for $55/month and 1 Gbps for $79/month, with installation fees around $199; he participates in the FCC’s Affordable Connectivity Program.

Summary

Jared Mauch, who built a fiber-to-the-home ISP after being dissatisfied with poor broadband from AT&T and Comcast, is expanding his network in rural Michigan with $2.6 million from the US government’s American Rescue Plan funds. The project, contracted by Washtenaw County, aims to wire approximately 596 addresses across four townships, adding 38 miles of fiber to his existing 14-mile network. The county allocated $71 million for broadband infrastructure, with Mauch’s project being one of four selected through a competitive RFP process that prioritized wireline speeds of at least 100 Mbps symmetrical. Mauch’s service costs $55/month for 100 Mbps unlimited, and $79/month for 1 Gbps, with a typical installation fee of $199. The project must be completed by the end of 2026, but Mauch aims to finish half by the end of 2023. Previously, he faced high costs from major providers—Comcast demanded $50,000 for line extension, and AT&T offered only 1.5 Mbps DSL. Mauch also provides free 250 Mbps service to a local church and fiber backhaul to cell towers. His network management has been stable, with traffic around 500 Mbps, scalable to 4 Gbps. The expansion is part of a broader effort by Washtenaw County to connect over 3,000 households, with a focus on underserved, lower-income areas.

Botnet Part 2: The Web is Broken - Jan Wildeboer’s Blog

Key Facts

  • Companies like Infatica monetize network bandwidth via SDKs embedded in iOS, Android, MacOS, and Windows apps, enabling web crawling and scraping using infected devices.
  • These SDKs sell access to millions of residential, static, and mobile IP addresses, facilitating large-scale AI web scraping and brute-force attacks.
  • Trend Micro’s 2023 research confirms malicious repacking of freeware/shareware to conduct drive-by downloads of these proxy services, contributing to increased bot traffic and server overloads.

Summary

Jan Wildeboer highlights the proliferation of shady business models where app developers embed SDKs, such as Infatica’s, into their applications to monetize users’ network bandwidth. These SDKs enable the creation of botnets that leverage infected devices to perform web crawling, brute-force mail server attacks, and AI-driven web scraping, often using millions of residential, static, and mobile IP addresses. Trend Micro’s 2023 investigation confirms malicious repacking of freeware/shareware to facilitate drive-by downloads of these proxy services, exacerbating botnet activity. Wildeboer argues that this business model effectively causes DDoS-like traffic surges, impacting small web services and increasing the difficulty for server administrators to detect and block such malicious activity. He advocates that all web scraping should be considered abusive and recommends blocking such traffic, emphasizing that inclusion of SDKs for profit in apps makes developers complicit in malware distribution and botnet formation. The market for residential proxies, driven by AI web scraping demands, is expanding rapidly, with many providers relying on SDK injection into third-party apps. Wildeboer concludes that this trend undermines the web’s foundational integrity, urging webmasters and admins to remain vigilant against these evolving threats.

Whistleblower: DOGE Siphoned NLRB Case Data – Krebs on Security

Key Facts

  • A whistleblower from the National Labor Relations Board (NLRB) alleges that DOGE employees transferred gigabytes of sensitive case data in early March using short-lived accounts with restricted logging.
  • The data exfiltration involved approximately 10 GB from the NxGen case management system, with suspicious activity including creation of high-privilege accounts and use of containers to obfuscate activity.
  • The whistleblower reports blocked login attempts from a Russian IP address shortly after account creation, along with unauthorized download of code libraries used for web scraping and brute-force attacks. The NLRB investigated but was reportedly instructed to cease reporting to US-CERT, and the agency’s control was later removed from all employee accounts.

Summary

A security architect at the NLRB, Daniel J. Berulis, alleges that employees from Elon Musk’s Department of Government Efficiency (DOGE) siphoned sensitive case data in early March by creating high-privilege accounts with logging restrictions and using containerized environments to conceal activities. The incident involved transferring approximately 10 GB of data from the NxGen system, which contains confidential information on unions, legal cases, and corporate secrets. Suspicious activity included multiple blocked login attempts from a Russian IP address (83.149.30.186) shortly after account creation, with attempts to use valid credentials, and the download of code libraries designed for web scraping and brute-force attacks from GitHub. Berulis observed that network logs for recent resources went missing, and Microsoft Azure monitoring was turned off during the incident. Despite raising alarms and reporting to US-CERT, the NLRB was allegedly ordered to halt further investigation, and control over its systems was later revoked from staff. The whistleblower’s disclosures, supported by internal documentation and expert review, highlight potential security breaches involving high-level access and covert data exfiltration, amid broader political tensions and legal disputes involving Musk’s companies and government agencies.

An Intro to DeepSeek’s Distributed File System | Some blog

Key Facts

  • 3FS (Fire-Flyer File System) is an open-source distributed filesystem released by DeepSeek on April 15, 2025
  • Core components include Meta, Mgmtd, Storage, and Client nodes, with Mgmtd managing node registration and cluster configuration
  • Utilizes CRAQ (Chain Replication with Apportioned Queries) protocol for strong consistency, with write throughput limited by the slowest node in the chain and performance affected by workload types

Summary

DeepSeek introduced 3FS, a distributed filesystem designed to abstract data across multiple machines, enabling applications to interact with it as if it were a local filesystem. It consists of four primary node types: Meta (manages file metadata stored in inodes and DirEntries within FoundationDB), Mgmtd (controls cluster configuration and node health via heartbeats and node discovery), Storage (handles physical data chunks using a Rust-based ChunkEngine, with metadata stored in LevelDB), and Client (interfaces with other nodes for file operations and data transfer). The system employs CRAQ for fault-tolerant, strongly consistent data replication, where write operations propagate from head to tail nodes, marking entries as “dirty” until committed, with read operations querying the tail for the most recent clean data. CRAQ’s performance varies with workload, offering scalable, low-latency reads but higher write latency, especially under zipfian access patterns. The architecture emphasizes fault tolerance, scalability, and simplicity, with detailed design notes available here. Future analyses aim to benchmark 3FS performance, evaluate bottlenecks, and compare it with other distributed filesystems.

Update on Spain and LALIGA blocks of the internet - Vercel

Key Facts

  • Spanish court authorized LALIGA to block IP addresses associated with unauthorized football streaming, affecting Vercel infrastructure since December 2024.
  • IP addresses 66.33.60.129 and 76.76.21.142 are no longer blocked as of April 18, 2025, following Vercel’s cooperation to remove illegal content.
  • Broad IP-wide blocks are enforced during LALIGA matchdays, impacting legitimate websites and services that share IP addresses, with no distinction between infringing and lawful content.

Summary

A Spanish court granted LALIGA authority in December 2024 to require ISPs, including Movistar, Vodafone, and Orange, to block IP addresses linked to unauthorized football streaming, a ruling upheld in March 2025. Enforcement has expanded to affect Vercel-hosted sites, resulting in indiscriminate IP blocking that impacts legitimate services such as Tinybird and Hello Magazine, which operate on shared IPs like 66.33.60.129 and 76.76.21.142. Unlike targeted domain blocking via SNI inspection, ISPs are blocking entire IP ranges without differentiation, causing collateral damage to infrastructure, developers, and businesses during LALIGA matchdays. Vercel actively monitors and removes illegal content, maintaining a zero-tolerance policy, and is working with LALIGA to mitigate the impact. The company advocates for targeted, transparent enforcement and is exploring strategies to restore access for affected users in Spain, emphasizing the importance of an open, permissionless web.

▶️ Open Source

15,000 lines of verified cryptography now in Python | Jonathan Protzenko

Key Facts

  • Python’s hash and HMAC algorithms are now fully implemented using HACL*, a verified cryptographic library, replacing previous implementations.
  • The transition, completed after 2.5 years of work, includes 15,000 lines of verified C code integrated into Python without loss of functionality.
  • Upstream updates from HACL* are automated via a script, ensuring maintainability and consistency.

Summary

Python has integrated HACL*, a verified cryptographic library, to implement all default hash and HMAC algorithms, following a GitHub issue opened in November 2022 addressing cryptographic verification after a SHA3 CVE. This integration adds approximately 15,000 lines of verified C code, enabling features such as additional Blake2 modes, a comprehensive SHA3 API covering all Keccak variants, strict abstraction patterns for build system compatibility, proper error handling including allocation failures, and optimized HMAC implementations maintaining two hash states simultaneously. The process involved extensive low-level technical work, including generic streaming API verification using dependent types, handling complex buffer management, and refactoring C code to abstract structs for compatibility with older compilers. The build system’s CI coverage uncovered corner cases, notably with AVX2-specific code, requiring careful refactoring to ensure cross-platform compatibility. Memory allocation failures are now propagated through the verification framework via option types, enhancing robustness. Upstream HACL* updates are managed through a shell script that fetches, refines, and integrates code changes, simplifying maintenance. This milestone demonstrates verified cryptography’s maturity and readiness for real-world deployment in critical software like Python.

A New Form of Verification on Bluesky - Bluesky

Key Facts

  • Bluesky introduces a new, user-friendly blue check for verified accounts, launched on April 21, 2025
  • Over 270,000 accounts linked their domain as their username since the 2023 launch of domain handle verification
  • Verified accounts now display a blue check, with additional verification via trusted verifiers—organizations that can directly issue blue checks, marked by scalloped blue checks

Summary

Bluesky announced a new verification layer on April 21, 2025, featuring a recognizable blue check to indicate authentic and notable accounts. Building on the initial domain handle verification launched in 2023, which linked over 270,000 accounts to their websites, the platform now offers a visual trust signal through a blue check. This check is issued either automatically for verified accounts or through trusted verifiers—organizations like The New York Times that can directly verify accounts within the app, with moderation reviews ensuring authenticity. When users tap on a verified account’s blue check, they can see which organization granted the verification. Users can also hide verification signals via Settings. Self-verification remains encouraged by setting a domain as the username; however, Bluesky is not accepting direct verification applications during this phase. Future plans include a request form for notable accounts and trusted verifiers once the feature stabilizes. The initiative aims to enhance trust and authenticity in decentralized social conversations, aligning with Bluesky’s broader goal of transitioning the social web from platform-centric to protocol-based systems.

I left Spotify. What happened next?

Key Facts

  • The author transitioned from Spotify to self-hosted Jellyfin for music management
  • Built a web-based music player using htmx to stream music locally and remotely
  • Uses apps like Finamp (link) to download music for offline listening
  • Purchased a mini PC to self-host Jellyfin and other apps like Immich for photo management
  • Emphasizes ease of setup without advanced technical skills, using existing hardware like an old computer
  • Highlights potential for future digital autonomy by self-hosting media services

Summary

After leaving Spotify, the author explored various local music players such as Winamp, VLC, and foobar2000, but found them inadequate for browsing and managing large libraries. They developed a web-based music streaming solution using htmx, enabling remote access to their library via a local server, though this approach lacked offline functionality. Switching to Apple’s Music app provided reliable offline access but required managing storage across devices, which was cumbersome. Inspired by a YouTube video, they adopted Jellyfin, an open-source media server that can replace Spotify, Netflix, and other streaming services. Self-hosting Jellyfin on an old computer or mini PC allows full control over media libraries and offline access through apps like Finamp and Fintunes. The author now runs Jellyfin and Immich for photo management, emphasizing that self-hosting is accessible without advanced technical skills and promotes digital autonomy. They advocate for open-source solutions to reduce dependence on commercial platforms and envision a future where users fully control their media content.

Using ~/.ssh/authorized keys to decide what the incoming connection can do – Dan Langille’s Other Diary

Key Facts

  • Demonstrates using ~/.ssh/authorized_keys to assign specific commands for incoming SSH connections on FreeBSD 14.2
  • Configures SSH keys with command restrictions, such as running rrsync in read-only mode for backups
  • Shows how multiple SSH keys can be used for different tasks by specifying distinct commands in authorized_keys

Summary

The article explains how to leverage the ~/.ssh/authorized_keys file to control the actions of incoming SSH connections by associating specific commands with SSH keys on FreeBSD 14.2. It illustrates configuring a key to run /usr/local/sbin/rrsync -ro /path/ to restrict an SSH session to a read-only rsync operation, enhancing security for database backup transfers. The author demonstrates managing multiple tasks by adding separate SSH keys with different command directives, such as initiating a script to pull database backups from another host. The setup involves specifying the from attribute to restrict access to particular hosts and embedding the command directly within the authorized_keys entry. The approach ensures that each SSH key is tied to a precise, limited operation, preventing unauthorized actions. The article emphasizes the importance of using distinct SSH keys for different tasks, simplifying access management and maintaining security boundaries for critical systems like database backups.

Python’s new t-strings | Dave Peck

Key Facts

  • Python 3.14, featuring t-strings, will be released in late 2025
  • T-strings are a generalization of f-strings, evaluating to string.templatelib.Template objects
  • T-strings improve safety by requiring explicit processing before use, preventing injection vulnerabilities

Summary

Python’s PEP 750 introduces t-strings (template strings) as a new feature in Python 3.14, arriving in late 2025. T-strings extend the capabilities of f-strings by evaluating to string.templatelib.Template objects rather than immediate strings, enabling safer and more flexible string processing. Unlike f-strings, which can be dangerously misused with user input (e.g., SQL injection or XSS), t-strings require explicit processing before conversion to a string, allowing developers to implement safe escaping functions such as html(). T-strings provide access to their components via .strings and .values properties, supporting complex manipulations and custom processing, including iteration and detailed interpolation analysis. They can be instantiated with literal syntax (t"...") or directly through the Template constructor with Interpolation objects. An example demonstrates converting a template into pig Latin by processing each interpolation. The feature aims to enhance string safety and flexibility in Python libraries and frameworks, especially those handling user input, and is expected to influence tooling support like code formatters and IDEs.

Defold - Official Homepage - Cross platform game engine

Key Facts

  • Defold is a free, production-ready, cross-platform game engine supporting major platforms including PlayStation®5, PlayStation®4, Nintendo Switch, Android, iOS, macOS, Linux, Windows, Steam, HTML5, Facebook, and Q3 2024 XBox.
  • Comes fully featured out of the box with visual editor, code editor, Lua scripting, Lua debugger, scene, particle, tilemap editors, supporting both 2D and 3D development.
  • No setup required; offers zero-config cloud build, native code extension, and integration with tools like Atom, VS Code, Spine, TexturePacker, and Tiled.

Summary

Defold is a free, open-source, cross-platform game engine designed for high-performance game development, supporting platforms such as PlayStation®5, PlayStation®4, Nintendo Switch, Android, iOS, macOS, Linux, Windows, Steam, HTML5, Facebook, and expected Q3 2024 XBox release. It provides a comprehensive, ready-to-use environment with features including a visual editor, code editor, Lua scripting, Lua debugger, scene, particle, and tilemap editors, supporting both 2D and 3D game creation. The engine requires no initial setup, offering a zero-configuration cloud build system and native code extension capabilities. It integrates with popular development tools like Atom, VS Code, Spine, TexturePacker, and Tiled, enabling customization and extension. Defold is supported by a broad community, with active development releasing updates approximately monthly, and includes support contracts for enterprise use. Notable projects include the game Family Island, which has over 50 million downloads on Google Play as of September 2023. The engine emphasizes accessibility, with no licensing fees, royalties, or runtime costs, and is governed by the Defold Foundation (source).

GitHub - The-Pocket/Tutorial-Codebase-Knowledge: Turns Codebase into Easy Tutorial with AI

Key Facts

  • The project automates turning codebases into beginner-friendly tutorials using AI analysis.
  • It crawls GitHub repositories or local directories, analyzing core abstractions and interactions.
  • Built on Pocket Flow, a 100-line LLM framework, it generates tutorials in multiple languages, with commands like python main.py --repo URL --include "*.py" "*.js".

Summary

The system enables AI-driven transformation of complex codebases into easy-to-understand tutorials by crawling GitHub repositories or local directories. It leverages Pocket Flow, a minimalistic 100-line LLM framework, to analyze code structure, identify core abstractions, and visualize interactions. Users can specify repositories, file inclusion/exclusion patterns, maximum file size, and output language via command-line arguments such as --repo, --include, --exclude, and --language. The tool then generates comprehensive tutorials that explain how the code works, suitable for beginners. It supports setup with API keys for models like Gemini Pro 2.5 and can be customized for different models and languages. The project has gained notable attention, including front-page Hacker News coverage in April 2025, and provides example tutorials for repositories like AutoGen Core, Browser Use, and Celery. It emphasizes rapid development through agentic coding paradigms and visualizes code interactions, making complex repositories accessible. The system is open-source under the MIT license, with detailed setup instructions and resource links for further learning.

GitHub - ericjenott/Evertop: E-ink IBM XT clone with solar power, ultra low power consumption, and ultra long battery life.

Key Facts

  • Evertop is a portable IBM XT clone powered by an 80186 microcontroller, with 1MB RAM, running DOS, Minix, Windows up to 3.0, and other 1980s OS.
  • Features include a 5.83-inch 648x480 e-ink display, built-in keyboard, external PS/2 ports, full graphics support (CGA, Hercules, MCGA, partial EGA/VGA), audio outputs, serial ports, USB flash drive, Ethernet, WiFi, LoRA radio, Bluetooth (planned), and multiple charging options.
  • Power management enables 200-500 hours of continuous use on a single charge in power-saving mode, with a 6V, 6W solar panel capable of producing up to 700mA in full sunlight, supporting indefinite off-grid operation.

Summary

Evertop is an ultra low-power, solar-powered portable PC emulating an IBM XT with an 80186 processor, 1MB RAM, and a 648x480 e-ink display, capable of running DOS, Minix, Windows 3.0, and other 1980s operating systems. It integrates extensive peripherals, including a built-in keyboard, external PS/2 ports, full CGA, Hercules, MCGA graphics, partial EGA/VGA support, audio outputs (PC speaker, Adlib, Covox, Disney Sound Source), serial ports, USB flash drive, Ethernet, WiFi, and LoRA radio, with Bluetooth planned. Power options include a detachable 6V, 6W solar panel, internal buck/boost circuit accepting 2.5-20V DC, and micro USB, with simultaneous charging capability. Power management techniques, such as hibernate, automatic shutdown, and physical switches, enable 200-500 hours of active use per charge, with longer durations possible for dedicated applications like e-readers. The solar panel can generate up to 700mA under full sunlight, providing 10-50 hours of use per hour of sunlight, supporting indefinite off-grid use. Storage is handled via a 256GB SD card, supporting multiple emulated systems with up to 8GB total. The system is based on an Espressif ESP32 microcontroller, with a custom firmware derived from Fabrizio Di Vittorio’s PCEmulator, housed in a 3D-printed matte PETG enclosure. A minimal version, “Evertop Min,” removes the built-in keyboard, serial ports, Ethernet, LoRA, voltmeter, and reduces battery capacity, maintaining core features for lightweight, off-grid computing.

GitHub - nari-labs/dia: A TTS model capable of generating ultra-realistic dialogue in one pass.

Key Facts

  • Dia is a 1.6 billion parameter text-to-speech (TTS) model developed by Nari Labs, capable of generating ultra-realistic dialogue in a single pass.
  • Supports conditioning on audio for emotion and tone control, and can produce nonverbal sounds like laughter, coughing, and clearing throat.
  • Model weights are available on Hugging Face, supporting only English at present; inference code and pretrained checkpoints are provided for research use.

Summary

Dia is an open-weight, 1.6B parameter TTS model designed to generate highly realistic dialogue directly from transcripts, with the ability to condition output on audio inputs for emotion and tone modulation. It can also synthesize nonverbal cues such as laughter and coughing, enhancing dialogue authenticity. The model is hosted on Hugging Face and supports English language generation exclusively. Researchers can access pretrained checkpoints and inference code to facilitate development, with the model capable of real-time audio synthesis on enterprise GPUs, requiring approximately 10GB VRAM. The model supports dialogue generation via [S1] and [S2] tags, voice cloning, and nonverbal sound production. It is intended for research and educational purposes, with restrictions against identity misuse, deceptive content, and illegal activities. The project is licensed under Apache-2.0, with ongoing plans for Docker support, inference speed optimization, and quantization for memory efficiency. Users can run the Gradio UI for testing or integrate the model as a Python library, with hardware acceleration via torch.compile expected to improve speed.

GitHub - openai/codex: Lightweight coding agent that runs in your terminal

Key Facts

  • OpenAI’s Codex CLI is a lightweight coding agent designed to run in terminal environments.
  • It supports multiple providers, including OpenAI, OpenRouter, Gemini, Ollama, Mistral, DeepSeek, XAI, and Groq, with configurable API keys.
  • The project is licensed under Apache-2.0, with over 19,300 stars and active development on GitHub.

Summary

OpenAI’s Codex CLI is an open-source, terminal-based coding agent enabling developers to generate, modify, and execute code through natural language prompts. It supports various models and providers, allowing flexible integration with different AI backends, such as OpenAI, Gemini, Ollama, and others, with configurable API keys via environment variables or config files. The CLI offers interactive and non-interactive modes, including full auto-approval for code changes, with safety features like sandboxing on macOS (via Apple Seatbelt) and Linux (using Docker). It requires Node.js 22+, operates across macOS 12+, Ubuntu 20.04+, and Windows 11 with WSL2, and manages dependencies with package managers like pnpm, migrated from npm for efficiency. The project includes comprehensive documentation, CLI commands, and configuration options, along with development workflows emphasizing high-quality contributions, testing, and code standards. Recent updates include support for pnpm workspace management, a Nix flake for reproducible environments, a new /diff command, and version check improvements supporting multiple package managers. The repository is actively maintained, with over 80 contributors, and emphasizes responsible AI use, security, and community engagement.

15,000 lines of verified cryptography now in Python | Jonathan Protzenko

Key Facts

  • Python’s hash and HMAC algorithms are now fully implemented using HACL*, a verified cryptographic library, replacing previous implementations.
  • The transition, completed after 2.5 years of development, includes 15,000 lines of verified C code integrated into Python without functionality loss.
  • Upstream updates from HACL* are automated via a script, ensuring maintainability and synchronization with the verified library.

Summary

Python has integrated HACL*, a verified cryptographic library, to implement all default hash and HMAC algorithms, replacing previous code after a GitHub issue was opened in November 2022. This move enhances security by ensuring cryptographic primitives are formally verified, covering algorithms such as SHA3, Blake2, and their variants, with support for additional modes and error management. The integration involved adapting HACL*’s generic streaming API, which uses dependent types for block algorithms, to handle Python’s diverse cryptographic needs, including pre-input handling, variable output lengths, and state retention. Technical challenges included refactoring C code generated from F* to use abstract structs for compatibility across compilers and architectures, and propagating memory allocation failures through the verification model. The process also required refining build systems to handle multiple toolchains, architectures, and compiler behaviors, especially for AVX2-specific code in implementations like Blake2b-256. Upstream updates from HACL* are managed via a shell script, simplifying maintenance. This large-scale adoption demonstrates verified cryptography’s maturity for real-world applications, ensuring cryptographic correctness and robustness in Python’s core infrastructure.

Getting Forked by Microsoft • Philip Laine

Key Facts

  • Philip Laine’s open source project Spegel, a P2P container image sharing tool, was forked and maintained by Microsoft under an MIT license.
  • Microsoft’s Peerd project contains code, test cases, and comments directly copied from Spegel without attribution, leading to confusion among users.
  • Laine’s Spegel has over 1,700 stars and 14.4 million pulls since its release over two years ago; he questions the implications of corporate forks on individual maintainers and open source sustainability.

Summary

Philip Laine’s open source project Spegel, a peer-to-peer container image sharing solution designed to improve scalability and reduce downtime caused by registry outages, was acknowledged by Microsoft during a conference talk. Subsequently, Microsoft developed Peerd, a fork of Spegel, incorporating code, test cases, and comments directly copied from Laine’s project without attribution, despite Spegel being licensed under MIT. This has caused confusion among users and raised concerns about intellectual property and community trust. Laine, who maintained Spegel with community support and over 1,700 stars, felt marginalized as his work was effectively appropriated by a corporate entity. The incident highlights challenges faced by individual open source maintainers when collaborating with or being forked by large corporations, especially amid declining open source investment and licensing complexities. Laine has considered changing Spegel’s license and has enabled GitHub Sponsors to fund ongoing development.

Claude Code Best Practices \ Anthropic

Key Facts

  • Claude Code is a command line tool for agentic coding, released by Anthropic on April 18, 2025
  • Designed as a low-level, unopinionated, flexible, and scriptable system for integrating Claude into coding workflows
  • Emphasizes environment customization via CLAUDE.md files, tool allowlist management, and integration with MCP, GitHub, and other tools

Summary

Claude Code is a research-developed command line tool aimed at agentic coding, providing raw model access without enforcing specific workflows. It allows users to customize their setup through CLAUDE.md files, which document commands, style, and environment specifics, and can be placed in various directory levels or the home folder. Users can tune these files for efficiency and clarity, and curate Claude’s allowed tools, including file system actions, bash commands, MCP tools, and GitHub interactions. Claude Code inherits the user’s shell environment, enabling integration with custom scripts, MCP servers, slash commands, and GitHub. It supports common workflows such as exploration, planning, coding, testing, and iteration, with best practices emphasizing specificity, visual aids, early course correction, and context management via /clear. The system also offers headless mode for automation in CI/CD pipelines, issue triage, linting, and large-scale data processing, with features like -p flag and --output-format stream-json. Multi-Claude workflows involve parallel instances for code generation, verification, and repository management, utilizing git worktrees or multiple checkouts for efficiency. Overall, Claude Code aims to enhance agentic coding productivity through flexible, customizable, and multi-instance workflows, with detailed documentation available at claude.ai/code.

New research backs up what gamers have thought for years: cozy video games can be an antidote to stress and anxiety.

Key Facts

  • Recent research supports that cozy video games can reduce stress and anxiety.
  • Studies indicate that playing such games increases mental well-being, with an extra hour of gameplay linked to higher life satisfaction.
  • The genre, originating with titles like Harvest Moon (1996) and popularized by Animal Crossing: New Horizons (2020), emphasizes relaxation, community-building, and non-violent challenges.

Summary

New research confirms that cozy video games can serve as effective tools for alleviating stress and anxiety. These games, characterized by their relaxing gameplay, community focus, and non-violent mechanics, attract both long-time gamers and newcomers. The genre gained prominence with titles like Harvest Moon (1996) and surged in popularity after Animal Crossing: New Horizons launched on March 20, 2020, coinciding with COVID-19 lockdowns, and sold over 13 million units within six weeks. Studies, including Hiroyuki Egami’s 2022 research in Japan, show that owning a game console and increasing gameplay time by one hour daily correlates with reduced psychological distress and enhanced life satisfaction. Other research, such as Michael Wong’s 2021 survey at McMaster University, found no significant difference in stress reduction between casual gaming and mindfulness meditation. Therapeutic applications are emerging, with video games being explored as interventions for ADHD and as tools for emotional processing, exemplified by Spiritfarer, which helps players explore death and grief. These games often feature inclusive design, customizable characters, and tasks like gardening and house decoration, fostering a sense of comfort and community. Developers like Dorian Signargout emphasize promoting inclusivity through diverse character representations. Overall, cozy games are increasingly recognized for their mental health benefits, offering a sanctuary of simplicity and connection amid a complex world.

Building a Website Fit for 1999 - Wesley Moore

Key Facts

  • Wesley Moore built a retro-themed website in HTML4, hosted at home.wezm.net/~wmoore/, inspired by Ruben’s Retro Corner and a Raspberry Pi project.
  • The site was developed to run on old hardware and browsers, tested in IE 4.01 and Netscape Navigator 3.01 in Mac OS 8.1 via Basilisk II emulator.
  • The website uses static HTML generated with MiniJinja, jaq, and make, with dynamic content updated every 5 minutes via a Rust server using Axum, served through Nginx reverse proxy with Tailscale for network access.
  • Static content is stored on a Qotom mini PC running Chimera Linux, with deployment via git pull and make, and the Rust binary managed as a systemd-like process with Dinit.
  • The site includes static pages with animated GIFs, pixel icons, and server stats, emphasizing minimal CSS and table-based layouts for compatibility with legacy browsers.

Summary

Wesley Moore created a retro-styled website emulating the 1999 web aesthetic, implemented entirely in HTML4 and served over plain HTTP to ensure compatibility with outdated browsers like IE 4.01 and Netscape 3.01, tested in Mac OS 8.1 emulation. The site features static pages generated with MiniJinja, jaq, and make, with dynamic content such as server uptime, memory, and energy data refreshed every five minutes via a Rust server built with Axum, reverse-proxied through Nginx and connected over Tailscale. Hosting is on a Qotom mini PC running Chimera Linux, with deployment managed through git and a custom package build process. The website emphasizes minimal CSS, table-based layouts, and direct HTML4 coding, including animated GIFs and pixel icons, to preserve authenticity and functionality on legacy hardware. The project code is available on GitHub, with future plans to expand content on additional pages.

I thought I bought a camera, but no! DJI sold me a LICENSE to use their camera 🤦‍♂️ - YouTube

Key Facts

  • The YouTube video titled “I thought I bought a camera, but no! DJI sold me a LICENSE to use their camera” was uploaded by Louis Rossmann on April 17, 2025, with 416,986 views.
  • The content highlights that DJI sells users a license to operate their cameras rather than the camera hardware itself.
  • The video has received 28K likes and discusses issues related to proprietary licensing models in consumer electronics.

Summary

Louis Rossmann’s video critiques DJI’s business model, revealing that purchasing a DJI camera does not grant ownership of the hardware but instead provides a license to use the camera. This licensing approach implies that users do not own the device outright, but are granted permission to operate it under specific terms. The video emphasizes the technical and legal implications of this model, suggesting it shifts ownership rights and control from consumers to the manufacturer. The discussion underscores broader concerns about proprietary licensing in consumer electronics, where users may face restrictions on repair, modification, or resale. The video’s key data points include the date of upload (April 17, 2025), view count (416,986), and the focus on the distinction between hardware ownership and licensing rights in DJI products.

▶️ Software Development

Pipelining might be my favorite programming language feature | MOND←TECH MAGAZINE

Key Facts

  • The article advocates for pipelining as a programming language feature that allows passing previous values as arguments, enhancing code readability and editing ease.
  • Pipelining enables method chaining and function composition, exemplified by Rust’s trait-based approach, Haskell’s & and $ operators, and SQL’s pipe syntax.
  • Benefits include improved code discovery, simplified refactoring, better IDE support, and clearer data flow, reducing nested parentheses and complex variable tracking.

Summary

The article presents pipelining as a highly valued programming language feature that simplifies code structure by passing previous values directly into subsequent functions or methods. It contrasts traditional nested or imperative code with pipelined syntax, emphasizing how the latter improves readability, ease of editing, and IDE support, especially in languages like Rust, Haskell, and SQL. Rust’s trait-based method calls exemplify effective pipelining without requiring higher-kinded types, while Haskell’s & and $ operators demonstrate functional composition that enhances clarity. SQL’s proposed pipe syntax reduces nested queries into linear, line-by-line transformations, aligning with LINQ-style readability. The article also discusses the builder pattern as a form of pipelining for object construction, and critiques Haskell’s complex operator ecosystem, advocating for more approachable, pipeline-friendly syntax. Overall, pipelining is praised for enabling modular, understandable, and maintainable code, with a focus on top-to-bottom data flow and minimal parentheses or variable tracking.

▶️ Management and Leadership

Android phones will soon reboot themselves after sitting unused for 3 days - Ars Technica

Key Facts

  • Android devices will automatically reboot after being locked and unused for 3 consecutive days via a Google Play Services update (version 25.14), rolling out gradually from April 14, 2025.
  • The feature enhances security by encrypting data in the “Before First Unlock” (BFU) state, making data retrieval more difficult, especially after prolonged inactivity.
  • The update is part of a broader set of improvements, including UI enhancements, better connectivity with cars and watches, and content previews in Quick Share.

Summary

A silent update to Google Play Services (version 25.14), released on April 14, 2025, introduces an auto-restart feature for Android devices, activating after three days of inactivity when the device remains locked. This feature aims to improve security by encrypting all data in the BFU state, where biometrics and location-based unlocking are disabled, and access is limited to PIN or passcode. The automatic reboot makes data extraction significantly more difficult, aligning with similar features like Apple’s Inactivity Reboot introduced in iOS 18.1. The update is delivered automatically to certified devices over the next week or more, with no user intervention required. This mechanism leverages Google Play Services’ background update system, which has been central to Android’s system update strategy, allowing Google to enhance security and functionality remotely. The broader update includes UI improvements, enhanced device connectivity, and content sharing features.

Deciphering Glyph :: Stop Writing __init__ Methods

Key Facts

  • The article critiques the widespread use of custom __init__ methods in Python classes, especially before dataclasses (introduced in Python 3.7), highlighting their drawbacks.
  • It presents a structured approach: using @dataclass for attribute management, @classmethod factory methods for object creation, and typing.NewType for enforcing constraints on primitive types.
  • This methodology ensures valid object construction, improves discoverability, and enhances testability without relying on side-effect-laden __init__ methods.

Summary

The article argues that defining custom __init__ methods in Python classes is an anti-pattern, historically used to facilitate object instantiation with attributes like x and y in data structures such as 2DCoordinate. Prior to Python 3.7’s @dataclass, developers resorted to complex alternatives like factory functions or attribute defaults, which had significant drawbacks. Using __init__ for side-effect-laden setup, such as opening file descriptors in a FileReader class, introduces problems including reduced testability, increased complexity, and potential invalid object states. The proposed solution involves leveraging @dataclass to automatically generate attribute assignment, replacing __init__ with @classmethod factory methods (e.g., FileReader.open) for flexible, asynchronous, or context-specific instantiation, and employing typing.NewType to enforce constraints on primitive types like file descriptors. This approach ensures objects are always valid, simplifies testing, and makes object creation more discoverable and future-proof, aligning with Python’s idiomatic practices.

Fossil fuels fall below 50% of US electricity for the first month on record | Ember

Key Facts

  • In March 2025, fossil fuels accounted for 49.2% of US electricity, the first month below 50%, surpassing the previous record low of 51% in April 2024
  • Clean energy sources generated 50.8% of US electricity in March 2025, driven by record-high wind and solar power
  • Wind and solar reached a combined 24.4% of US electricity, with solar increasing 37% (+8.3 TWh) and wind increasing 12% (+5.7 TWh) compared to March 2024; total wind and solar generation hit 83 TWh, an 11% rise over April 2024

Summary

In March 2025, the US experienced a historic shift as fossil fuels contributed only 49.2% to electricity generation, marking the first month on record below the 50% threshold, according to Ember. This milestone reflects a long-term decline in fossil fuel reliance, with wind and solar power reaching a record 24.4% of the energy mix—solar alone increased by 37% (+8.3 TWh) and wind by 12% (+5.7 TWh) year-over-year. Combined, wind and solar generated 83 TWh, an 11% increase from April 2024, while fossil fuel generation decreased by 2.5% (-4.3 TWh). Since March 2015, when fossil fuels accounted for 65% and solar just 1%, the share of wind and solar has more than quadrupled, with solar expected to constitute over half of new US capacity in 2025. The rapid growth of renewable energy signifies a pivotal transition toward a cleaner power system, with wind and solar increasingly displacing coal and gas, and signals a potential approaching tipping point where clean energy surpasses fossil fuel reliance in the US electricity sector. More details are available at Ember.

GitHub - LukasOgunfeitimi/TikTok-ReverseEngineering

Key Facts

  • The project reverse engineers TikTok’s custom virtual machine (VM) used for obfuscation and security.
  • It includes tools for deobfuscating webmssdk.js, decompiling VM bytecode, injecting deobfuscated scripts, and generating signed URLs.
  • Bytecode is stored as a long string XOR-encrypted with a key embedded within the string; decryption involves base64 decoding, XOR with a key derived from the string, and leb128 decoding for compression.

Summary

The repository provides tools to reverse engineer TikTok’s sophisticated VM-based obfuscation system. It deobfuscates heavily encrypted webmssdk.js by reversing bracket notation encoding, replacing function arrays with standard functions, and reconstructing the VM’s bytecode execution logic. The bytecode is stored as a long base64-encoded string, XOR-encrypted with an embedded key, and leb128 compressed, which is decoded to extract functions, strings, and metadata. The VM supports scopes, nested functions, and exception handling, indicating a complex, custom bytecode interpreter. Decompilation involves analyzing VM switch-case structures, with manual and AI-assisted efforts to produce readable code snippets. The system also includes a URL signing mechanism that replicates TikTok’s request signatures (msToken, X-Bogus, _signature) by executing specific VM functions, enabling authenticated requests such as posting comments. The project emphasizes that TikTok’s VM is subject to frequent updates, requiring ongoing reverse engineering efforts. It leverages browser extensions like Tampermonkey and CSP bypasses for debugging and script injection, facilitating real-time analysis and testing.

GitHub - humanlayer/12-factor-agents: What are the principles we can use to build LLM-powered software that is actually good enough to put in the hands of production customers?

Key Facts

  • The project outlines 12 core principles for building reliable, scalable, and maintainable LLM-powered software suitable for production deployment.
  • These principles include owning prompts, controlling context windows, structuring tool outputs, unifying execution and business state, and owning control flow.
  • The guide emphasizes integrating modular concepts from agent design into existing products rather than relying solely on frameworks, to accelerate deployment of high-quality AI features.

Summary

The “12-factor agents” framework, inspired by the 12 Factor Apps, provides foundational principles for developing production-ready LLM-powered software. It addresses common challenges such as managing prompts, context windows, structured tool outputs, and control flow, advocating for ownership and modularity in these areas. The approach discourages building from scratch with full frameworks; instead, it recommends incorporating small, modular agent concepts into existing products to improve reliability, scalability, and maintainability. The twelve factors include transforming natural language into tool calls, owning prompts and context, unifying execution and business state, enabling simple APIs for launching and pausing agents, and designing small, focused agents that can trigger from anywhere and act as stateless reducers. The guide also discusses the historical evolution from DAG-based orchestrators to agent loops, highlighting the limitations of purely loop-based agent architectures. It emphasizes that core engineering techniques, rather than frameworks alone, are key to deploying effective AI agents in customer-facing environments. Additional resources and related frameworks are linked throughout, supporting developers in applying these principles across various languages and platforms.

Things Zig comptime Won’t Do

Key Facts

  • Zig’s comptime is designed to be restrictive, preventing host architecture leakage, dynamic code evaluation (#eval), DSL creation, RTTI, API extension, and IO operations
  • Comptime code observes the target architecture, not the host, ensuring cross-compilation correctness
  • Zig lacks facilities for dynamic source code generation, custom syntax extension, runtime type information, and input/output during compilation

Summary

Zig’s compile-time evaluation (comptime) features are intentionally limited to maintain safety, portability, and simplicity. Comptime code executes in the target environment, not on the host machine, preventing host architecture leakage, as demonstrated by examples showing architecture-dependent behavior during cross-compilation. Zig does not support dynamic source code injection or evaluation (#eval), relying instead on partial evaluation and specialization, such as marking function parameters with comptime to generate optimized code paths. It also lacks support for custom syntax DSLs, as all code operates on Zig values, with embedded DSLs like print using format strings. Zig does not include runtime type information (RTTI), requiring users to implement manual reflection for dynamic data handling, exemplified by a custom RTTI union and print_dyn function. Additionally, Zig types cannot be extended with methods post-generation; API modifications are limited to reflection-based internal logic. Finally, Zig’s compile-time evaluation is hermetic, with no I/O capabilities, ensuring reproducibility and safety, though build systems can invoke external programs for code generation.

matthewsinclair.com · Intelligence. Innovation. Leadership. Influence.

Key Facts

  • Author used Claude Code to develop approximately 30,000 lines of code across backend and frontend projects within weeks
  • AI tools function as amplifiers (“mech suit”) rather than replacements, requiring human oversight and architectural judgment
  • Vigilance is necessary due to AI’s tendency to make bewildering or inappropriate decisions, necessitating constant review and control

Summary

The article argues that LLM-powered programming tools like Claude Code serve as amplifiers—“mech suits”—that enhance developer capabilities rather than replace humans. The author built two applications totaling around 30,000 lines of code in weeks, demonstrating significant acceleration in development speed. These tools provide tremendous “lifting power,” but require developers to maintain constant vigilance, guiding the AI and correcting its often bewildering or biased decisions, similar to piloting an aircraft. The process shifts focus from coding to designing, reviewing, and maintaining architectural integrity, emphasizing the importance of experience and domain knowledge to recognize when AI output is flawed. The author highlights the “centaur effect,” where human-AI collaboration outperforms either alone, with AI handling pattern recognition and tactical execution, and humans providing strategic oversight. The article stresses that effective use of these tools demands new skills—particularly in delegation, ruthless discarding of suboptimal solutions, and clear problem understanding. While some fear AI will replace programmers, the author sees the future as augmentation, where mastery of AI tools becomes a core skill, transforming the role of developers into strategic operators of powerful systems. The key to success lies in balancing delegation with control, leveraging AI for speed while applying human judgment to ensure quality and direction.

TLS Certificate Lifetimes Will Officially Reduce to 47 Days | DigiCert

Key Facts

  • CA/Browser Forum voted to reduce TLS certificate lifetime to 47 days, with implementation starting March 15, 2026
  • Maximum TLS certificate validity decreases from 398 days (current) to 200 days (2026), then to 100 days (2027), and finally to 47 days (2029)
  • Reuse period for domain/IP validation info drops from 398 days to 10 days by March 15, 2029; SII reuse in OV/EV certificates reduces from 825 days to 398 days

Summary

The CA/Browser Forum has officially amended the TLS Baseline Requirements to progressively shorten TLS certificate lifetimes, with the maximum validity decreasing from 398 days to 47 days by March 15, 2029. The schedule begins with a reduction to 200 days in 2026, then to 100 days in 2027, and finally to 47 days in 2029. Concurrently, the reuse period for domain and IP address validation information will decline from 398 days to 10 days, and validation of Subject Identity Information (SII) in OV and EV certificates will be limited to 398 days, down from 825 days. The rationale emphasizes increased trustworthiness of certificate data and mitigates reliance on unreliable revocation systems like CRLs and OCSP. Apple justified the change by highlighting the necessity of automation for managing shorter-lived certificates, with DigiCert supporting this transition through solutions like Trust Lifecycle Manager and CertCentral, including ACME support for automated issuance and renewal. The move aims to enhance security, reduce outages, and promote widespread adoption of automation in certificate management.

Why I Cannot Be Technical

Key Facts

  • Author asserts she cannot be truly “Technical” due to structural and social barriers within tech systems
  • “Technical” is a legitimacy-based, exclusionary label rooted in social hierarchies and identity policing
  • The essay critiques how tech systems perpetuate dehumanization, inequality, and reinforce boundaries based on gender, race, class, and ideology

Summary

Cat Hicks argues that she cannot genuinely be “Technical” because the label functions as a structural designation that enforces legitimacy through social exclusion, rather than problem-solving ability. She emphasizes that “Technical” operates outside of actual problem-solving, serving to uphold hierarchies, policing boundaries, and perpetuating systemic inequalities based on gender, race, class, and social location. Hicks highlights how the social and political context of tech creates unearned privileges and unwarranted exclusions, making it impossible for her to be recognized as legitimate within that framework despite her expertise in psychology and her impactful work. She critiques the hierarchical, hierarchical, and geo-located nature of tech, which maintains a culture of dehumanization and marginalization of those deemed “not-Technical.” Hicks advocates for recognizing the full humanity of all individuals, emphasizing that true work involves caring, safety, and community rather than perpetuating the “hamster wheel” of performance and exclusion. She calls for a space of rehumanization and honest conversation about the systemic issues within tech, emphasizing that “Technical” is a social construct that cannot be earned or bestowed but is maintained through systemic reinforcement. Hicks urges a focus on collective healing, shared storytelling, and challenging the structural barriers that devalue human connection in technology.

America Underestimates the Difficulty of Bringing Manufacturing Back — Molson Hart

Key Facts

  • President announced tariffs on imports ranging from 10% to 49% on April 2, 2025, aiming to revive U.S. manufacturing
  • The article presents 14 reasons why these tariffs will not succeed in bringing manufacturing back and may worsen economic decline
  • Expert with 15 years in manufacturing argues that tariffs are insufficient due to supply chain weaknesses, high costs, lack of knowhow, infrastructure deficits, and complex policy environment

Summary

The April 2025 U.S. tariff policy, imposing import taxes between 10% and 49%, aims to restore domestic manufacturing but is fundamentally flawed. Key issues include tariffs being too low to offset higher U.S. production costs, as manufacturing in the U.S. remains more expensive than in Asia even with tariffs. The U.S. supply chain for industrial components is weak, relying heavily on Asian factories, making local production uncompetitive. The country lacks essential manufacturing knowhow, such as moldmaking and semiconductor fabrication, which cannot be quickly or easily developed. Labor costs in the U.S. are higher not only due to wages but also because of lower productivity, work ethic, and infrastructure quality compared to China. Infrastructure deficits, including electricity generation and transportation networks, further hinder manufacturing revival. The lengthy process to build and operationalize new factories (minimum two years) and the uncertainty caused by fluctuating tariffs discourage investment. Complex and inconsistent tariff enforcement, along with a litigious business environment, exacerbate risks. The policy risks causing a recession, as supply chain disruptions and increased costs lead to inflation or deflation. The article predicts that unless policies change, globalization will bypass the U.S., with manufacturing shifting to countries like Vietnam and Mexico. To genuinely rebuild manufacturing, the U.S. must address fundamental social, infrastructural, and educational issues, implement gradual tariff increases, and incentivize high-end production, rather than relying solely on tariffs.

Decreased CO2 saturation during circular breathwork supports emergence of altered states of consciousness | Communications Psychology

Key Facts

  • Circular breathwork induces significant reductions in end-tidal CO2 pressure (etCO2), with active participants reaching levels as low as 10–20 mmHg, compared to 36.7 ± 1.5 mmHg in non-hyperventilating controls
  • Decreases in etCO2 are significantly correlated with the onset and depth of altered states of consciousness (ASCs), resembling psychedelic experiences across domains such as ego dissolution and unity
  • Both Holotropic and Conscious-Connected breathwork produce similar physiological and experiential outcomes, with session durations of approximately 3 hours and 1.5 hours respectively, engaging the same mechanisms

Summary

This study demonstrates that circular breathwork, involving deliberate hyperventilation, can reliably trigger altered states of consciousness (ASCs) akin to those produced by psychedelics, with experience scales (MEQ30 and 11D-ASC) reaching levels comparable to moderate doses of psilocybin, LSD, and MDMA. Physiologically, active participants exhibited a marked reduction in end-tidal CO2 (etCO2), dropping to as low as 10–20 mmHg, which was strongly associated with ASC onset (r = -0.46 to -0.47, p < 0.01). These reductions in CO2 pressure, supported by prior hyperventilation research, appear to serve as a physiological trigger for ASC emergence, with lower etCO2 levels (<35 mmHg) virtually guaranteeing profound experiences when falling below 20 mmHg. The experiential depth correlated with physiological changes and persisted even as etCO2 levels normalized, suggesting a transition into a neuronal state of heightened perception, consistent with the concept of Pivotal Mental States. Both breathwork styles—Holotropic and Conscious-Connected—elicited similar physiological and subjective effects despite differences in session length, indicating shared underlying mechanisms. Post-session assessments revealed sustained improvements in well-being and reductions in depressive symptoms, with deeper ASC experiences predicting greater long-term benefits. Physiologically, breathwork caused a decrease in salivary alpha-amylase (sympathetic activity marker) and an increase in IL-1β (inflammatory marker), with subjective ASC depth inversely related to inflammation. These findings position breathwork as a non-pharmacological tool capable of inducing profound, psychedelic-like states through physiological modulation, with potential therapeutic applications supported by its safety profile and accessibility.

Synology Lost the Plot with Hard Drive Locking Move - ServeTheHome

Key Facts

  • Synology plans to restrict its 2025 Plus NAS models to use only its own branded hard drives
  • This move disables features like volume-wide deduplication, lifespan analysis, and automatic firmware updates for third-party drives
  • The new policy limits maximum raw capacity to 128TB in an 8-bay NAS, compared to 208TB with competing brands like QNAP and TrueNAS using third-party drives

Summary

Synology is moving towards vendor-locking its 2025 Plus series NAS devices to only support Synology-branded hard drives, a shift that restricts compatibility with third-party drives and disables features such as volume-wide deduplication, lifespan analysis, and automatic firmware updates for non-branded drives. This strategy appears to be driven by a desire to increase margins, as Synology’s current drives max out at 16TB (e.g., HAT3310-16T), whereas competitors like WD Red Pro and Toshiba N300 Pro offer drives up to 26TB. Locking drives limits data security options, as users cannot quickly replace failed drives with models from other vendors, which can delay rebuild times and compromise data safety. Additionally, long-term availability of Synology drives is uncertain, raising concerns about future replacements and ecosystem dependence. The move is viewed as a step back in hardware flexibility and could harm Synology’s reputation, especially given the aging hardware and limited hardware refresh cycles. Critics argue that this lock-in reduces consumer choice and may lead to higher costs, as Synology’s drives are priced higher and have slower delivery times compared to third-party options. The industry context shows that vendor lock-in strategies often backfire, and many users prefer building custom solutions or switching to open-source NAS platforms like TrueNAS.

▶️ Technology

Try generating video in Gemini, powered by Veo 2

Key Facts

  • Google has introduced video generation features in Gemini, powered by Veo 2, available to Google One AI Premium subscribers.
  • Users can transform text prompts into high-resolution, eight-second videos at 720p in a 16:9 aspect ratio, with a monthly creation limit.
  • Additionally, Whisk Animate enables turning images into eight-second videos using Veo 2, accessible in over 60 countries.

Summary

Google has launched new video generation capabilities within the Gemini AI platform, utilizing the advanced Veo 2 model to produce high-resolution, cinematic-quality videos from text prompts. Users can generate eight-second videos at 720p resolution in a 16:9 landscape format by selecting Veo 2 from the model dropdown in Gemini. The process involves describing a scene or concept, with more detailed prompts offering greater control over the output. Examples include scenes of a glacial cavern, animated mice reading, coastal landscapes, and voxel-style melting ice cream. The feature is rolling out globally to Gemini Advanced users and Google One AI Premium subscribers, with a monthly limit on video creation. Additionally, Whisk Animate allows users to animate images into short videos, expanding creative possibilities. All generated videos are marked with SynthID watermarks for safety and transparency. The platform emphasizes safety through extensive red teaming and content moderation policies. Users can share videos directly to platforms like TikTok and YouTube Shorts, and the service continues to evolve with UI adjustments and ongoing improvements. More information is available at gemini.google.

Gemma 3 QAT Models: Bringing state-of-the-Art AI to consumer GPUs - Google Developers Blog

Key Facts

  • Google announced quantization-aware training (QAT) optimized versions of Gemma 3 models on April 18, 2025
  • QAT reduces VRAM requirements by up to 4x, enabling deployment of large models like Gemma 3 27B on consumer GPUs such as NVIDIA RTX 3090
  • Quantized models (int4, Q4_0) maintain high accuracy, with perplexity drop reduced by 54% using QAT during training

Summary

Google introduced optimized Gemma 3 models with Quantization-Aware Training (QAT) to enhance accessibility of large language models on consumer-grade GPUs. The original Gemma 3 models deliver state-of-the-art performance, capable of running on high-end GPUs like NVIDIA H100 with BF16 precision. QAT enables these models to be quantized to lower-precision formats such as int4 and Q4_0, significantly reducing VRAM usage—e.g., Gemma 3 27B’s weights decrease from 54 GB (BF16) to 14.1 GB (int4). This reduction allows deployment on GPUs with limited memory, such as NVIDIA RTX 3090 (24GB VRAM) for the 27B model, and NVIDIA RTX 4060 Laptop GPU (8GB VRAM) for the 12B variant. The models are trained with QAT over approximately 5,000 steps, using non-quantized checkpoints as targets, which reduces perplexity degradation by 54%. The quantized models are compatible with inference engines like Ollama, llama.cpp, MLX, Gemma.cpp, and support integration via Hugging Face and Kaggle. Additional community-driven quantization options are available through the Gemmaverse, often utilizing Post-Training Quantization (PTQ). These advancements democratize access to powerful AI models, enabling local deployment on desktops, laptops, and mobile devices.