May 21, 2026

May 21, 2026, 2:19 AM run f2d6629a
Report Summary

7 stories cleared the bar, led by "Gemini 3.5 Flash: more expensive, but Google plan to use it for everything", "My domain got abused on Github Pages", and "How we used Quint to find over 10 bugs in SQLite while hardening Turso".

7 worth-attention items, 40 digest lines

# Nightly Librarian — Newsletter draft

Run: f2d6629a-80df-4d79-9842-7d86034bea81
Started: 2026-05-21T06:10:02.084Z
Completed: 2026-05-21T06:19:10.550Z

## Worth attention

- **Gemini 3.5 Flash: more expensive, but Google plan to use it for everything**
  https://simonwillison.net/2026/May/19/gemini-35-flash/#atom-everything
  Gemini 3.5 Flash was released GA at Google I/O 2026—skipping the preview label—and is priced higher than Gemini 2.0 Flash despite being in the 'Flash' (budget) tier. Google has deployed it across most of their key consumer products. If you built cost assumptions on Gemini 2.0 Flash pricing, 3.5 Flash is not a free upgrade—review the pricing page before switching. Simon Willison also draws a pelican with it to confirm quality.
- **My domain got abused on Github Pages**
  https://meertens.dev/blog/github-enables-domain-abuse/
  A developer discovered their custom domain was being served by a stranger's GitHub Pages site without permission. GitHub does not prevent domain takeover if the DNS CNAME is not actively validated against a specific repo. This is a real subdomain takeover vulnerability class that affects anyone with custom domains on GitHub Pages—even if the original Pages site was deleted or the domain was only briefly configured.
- **How we used Quint to find over 10 bugs in SQLite while hardening Turso**
  https://turso.tech/blog/how-we-used-quint-to-find-over-10-bugs-in-sqlite
  Turso engineers applied Quint (a formal specification and model checking tool) to model SQLite's state machines and uncovered more than 10 bugs in SQLite during the process. This is noteworthy because SQLite has a reputation for extreme reliability, and formal methods finding real production bugs is a strong validation of the technique. If you build on SQLite or libsql, some of these bugs may affect you—and Quint is apparently accessible enough for a small team to use effectively.
- **GitHub Source Code Breach - TeamPCP Claims Access to Internal Source Code**
  https://cybersecuritynews.com/github-source-code-breach/
  A threat actor named TeamPCP is claiming to have breached GitHub and obtained access to its internal source code repositories. The claim appears on cybersecuritynews.com and has not been confirmed or denied by GitHub as of this item's publication. If true, the breach could affect the security of GitHub Actions infrastructure, internal tooling, or token handling. GitHub users should watch for an official GitHub Security Advisory and be alert to any unusual activity on GitHub Actions runners.
- **Never host your app on Vercel or Railway**
  https://www.reddit.com/r/SaaS/comments/1ti6v5w/never_host_your_app_on_vercel_or_railway/
  A developer reports that Vercel exposed environment variables from one project to other projects on the same account, across all 10 of their projects. This is a potential secret leakage scenario if true. Railway is mentioned alongside Vercel. The claim is unconfirmed by Vercel but describes a concrete incident with email evidence cited.
- **pgBackRest will continue**
  https://pgbackrest.org/news.html#will-continue
  pgBackRest, a popular open-source PostgreSQL backup and restore tool, has announced it will continue active development after some uncertainty about the project's future. Anyone running self-hosted Postgres—including on VPS setups like Hetzner—can rely on pgBackRest for ongoing support.
- **Elevated errors on Claude Opus 4.7**
  https://status.claude.com/incidents/f9yk8lqw384x
  On May 19, 2026, the Anthropic status page logged an incident of elevated errors on 'Claude Opus 4.7'—a model version not previously known publicly. The incident was identified at 15:14 UTC, a fix implemented by 15:19, and resolved by 15:40 UTC. This is notable primarily because it implies a Claude Opus 4.7 model exists or is in testing, beyond the known Opus 4/4.5 line.

## Full digest

- [R] [google-ai-blog] I/O 2026 — https://blog.google/innovation-and-ai/technology/developers-tools/google-io-2026-collection/ — Google I/O 2026 collection landing page with no substantive content—just an index of announcements.
- [R] [google-ai-blog] How AI Mode is changing the way people search in the U.S. — https://blog.google/products-and-platforms/products/search/ai-mode-us-insights/ — Google reports that one year after AI Mode launch, users are shifting from keyword to natural language queries.
- [R] [google-ai-blog] New ways to create and get things done in Google Workspace — https://blog.google/products-and-platforms/products/workspace/workspace-updates/ — Google Workspace updates from I/O 2026: voice capabilities in Gmail/Docs/Keep, new design tool Google Pics, and AI Inbox updates.
- [R] [google-ai-blog] I/O 2026: Welcome to the agentic Gemini era — https://blog.google/innovation-and-ai/sundar-pichai-io-2026/ — Sundar Pichai's I/O 2026 keynote summary—positions Google's AI products around agentic capabilities.
- [R] [google-ai-blog] Gemini 3.5: frontier intelligence with action — https://blog.google/innovation-and-ai/models-and-research/gemini-models/gemini-3-5/ — Google's official blog post on the Gemini 3.5 series released at I/O 2026—one sentence of content with no pricing or API details.
- [R] [google-ai-blog] A new era for AI Search — https://blog.google/products-and-platforms/products/search/search-io-2026/ — Google's I/O 2026 announcement about combining search engine with AI; no specific developer-facing changes in the content.
- [R] [google-ai-blog] Everything new in our Google AI subscriptions, fresh from I/O 2026 — https://blog.google/products-and-platforms/products/google-one/google-ai-subscriptions/ — Google introduces a $100/month AI Ultra subscription tier at I/O 2026 with new consumer features for Plus, Pro, and Ultra subscribers.
- [R] [reddit-saas] It's wild how some ultra-simple iOS apps quietly pull in $50k+/month — https://www.reddit.com/r/SaaS/comments/1tictlz/its_wild_how_some_ultrasimple_ios_apps_quietly/ — Reddit post observing that simple iOS utility apps (habit trackers, PDF scanners, etc.) can generate $50k+/month via strong UX, retention loops, and good ASO.
- [P] [reddit-saas] Never host your app on Vercel or Railway — https://www.reddit.com/r/SaaS/comments/1ti6v5w/never_host_your_app_on_vercel_or_railway/ — A developer reports that Vercel exposed environment variables from one project to other projects on the same account, across all 10 of their projects. This is a potential secret leakage scenario if true. Railway is mentioned alongside Vercel. The claim is unconfirmed by Vercel but describes a concrete incident with email evidence cited.
- [R] [reddit-saas] $216 in 1 day by listening to a customer — https://www.reddit.com/r/SaaS/comments/1thvdxa/216_in_1_day_by_listening_to_a_customer_here_is/ — A solo SaaS founder added multi-license billing to close a $216 sale after a customer emailed requesting it.
- [R] [hn-top] Why is almost everyone right-handed? A new study connects it to bipedalism — https://www.ox.ac.uk/news/2026-05-15-why-is-almost-everyone-right-handed-the-answer-may-lie-in-how-we-learned-to-walk — Oxford research links human right-handedness to bipedal locomotion; no relevance to software development.
- [R] [lobsters] Type out the code — https://haskellforall.com/2026/05/type-out-the-code — Haskell blog post about manually typing code as a learning technique; minimal content in the summary.
- [R] [lobsters] Why Ruby Still Feels Like Home After All These Years — https://caio.ca/blog/why-ruby-still-feels-like-home — Opinion piece on why Ruby remains a beloved language despite not being trendy.
- [R] [lobsters] OpenBSD 7.9 released — https://www.openbsd.org/79.html — OpenBSD 7.9 has been released; not relevant to Fuzzy's Mac/Hetzner Ubuntu stack.
- [R] [lobsters] Better generated branch names with jj — https://ddbeck.com/notes/jj-git-push-bookmark-template/ — A tip for configuring Jujutsu VCS to generate more descriptive branch names on git push.
- [R] [lobsters] I am not a Software Engineer — https://huronbikes.mataroa.blog/blog/i-am-not-a-software-engineer/ — Opinion/personal essay questioning the software engineer label in the context of AI-assisted development.
- [P] [lobsters] My domain got abused on Github Pages — https://meertens.dev/blog/github-enables-domain-abuse/ — A developer discovered their custom domain was being served by a stranger's GitHub Pages site without permission. GitHub does not prevent domain takeover if the DNS CNAME is not actively validated against a specific repo. This is a real subdomain takeover vulnerability class that affects anyone with custom domains on GitHub Pages—even if the original Pages site was deleted or the domain was only briefly configured.
- [R] [lobsters] What would you want from a forge? — https://lobste.rs/s/wed6lj/what_would_you_want_from_forge — Lobste.rs discussion thread soliciting feature wishes for Git/VCS forges from Jujutsu and Git users.
- [R] [lobsters] Pokemon Gen2 compression myth — https://www.reddit.com/r/TruePokemon/comments/hwluk9/while_it_is_true_that_iwata_did_write_a_new/ — Reddit debunking of a myth about Satoru Iwata's compression work on Pokemon Gold/Silver.
- [R] [lobsters] The Super Tiny Compiler, but in Ada — https://github.com/tomekw/stcc — An Ada port of the well-known educational 'Super Tiny Compiler' project.
- [M] [lobsters] pgBackRest will continue — https://pgbackrest.org/news.html#will-continue — pgBackRest, a popular open-source PostgreSQL backup and restore tool, has announced it will continue active development after some uncertainty about the project's future. Anyone running self-hosted Postgres—including on VPS setups like Hetzner—can rely on pgBackRest for ongoing support.
- [P] [lobsters] How we used Quint to find over 10 bugs in SQLite while hardening Turso — https://turso.tech/blog/how-we-used-quint-to-find-over-10-bugs-in-sqlite — Turso engineers applied Quint (a formal specification and model checking tool) to model SQLite's state machines and uncovered more than 10 bugs in SQLite during the process. This is noteworthy because SQLite has a reputation for extreme reliability, and formal methods finding real production bugs is a strong validation of the technique. If you build on SQLite or libsql, some of these bugs may affect you—and Quint is apparently accessible enough for a small team to use effectively.
- [R] [lobsters] Software's Centaur Era — https://twitchard.github.io/posts/2026-05-18-softwares-centaur-era.html — Essay arguing that the current era of software development is characterized by human-AI collaboration ('centaurs'), analogous to centaur chess where human+computer beats either alone.
- [R] [lobsters] If you're just going to sit there doing nothing, at least do nothing correctly — https://devblogs.microsoft.com/oldnewthing/20240216-00/?p=109409 — 2024 Microsoft devblog post about correct idle-wait patterns in Windows programming.
- [R] [lobsters] Emacs after Magit — https://sdf.org/~pkal/blog/emacs/sans-magit.html — A blog post about using Emacs for Git without the Magit package.
- [R] [lobsters] The Unreasonable Effectiveness of ProseMirror Model in Rich Text Transformation — https://smoores.dev/post/unreasonable_effectiveness_of_prosemirror/ — Deep-dive on how ProseMirror's document model enables powerful rich text transformations.
- [R] [lobsters] Chasing down why installing the kernel segfaulted — https://sporks.space/2026/05/19/chasing-down-why-installing-the-kernel-segfaulted/ — A debugging story about tracking down a kernel installation segfault to a specific system configuration issue.
- [R] [lobsters] Tonic is joining the gRPC project — https://luciofranco.com/blog/tonic-joins-grpc/ — Tonic, the popular Rust gRPC library, is being transferred to the official gRPC project under the Cloud Native Computing Foundation.
- [R] [lobsters] Everything in C is undefined behavior — https://blog.habets.se/2026/05/Everything-in-C-is-undefined-behavior.html — Blog post arguing that almost any non-trivial C code invokes undefined behavior and the practical implications.
- [P] [lobsters] GitHub Source Code Breach - TeamPCP Claims Access to Internal Source Code — https://cybersecuritynews.com/github-source-code-breach/ — A threat actor named TeamPCP is claiming to have breached GitHub and obtained access to its internal source code repositories. The claim appears on cybersecuritynews.com and has not been confirmed or denied by GitHub as of this item's publication. If true, the breach could affect the security of GitHub Actions infrastructure, internal tooling, or token handling. GitHub users should watch for an official GitHub Security Advisory and be alert to any unusual activity on GitHub Actions runners.
- [R] [lobsters] I've built a virtual museum with nearly every operating system you can think of — https://www.youtube.com/watch?v=jqcuqWTxTNw — A YouTube video showcasing a virtual museum containing historical operating systems.
- [R] [lobsters] Human Bottlenecks — https://borretti.me/article/human-bottlenecks — Essay arguing that as AI handles more code generation, human review, decision-making, and direction become the primary bottleneck in software development.
- [R] [simon-willison] llm-gemini 0.32 — https://simonwillison.net/2026/May/19/llm-gemini-2/#atom-everything — Simon Willison's llm-gemini plugin updated to add gemini-3.5-flash model support for the LLM CLI tool.
- [P] [simon-willison] Gemini 3.5 Flash: more expensive, but Google plan to use it for everything — https://simonwillison.net/2026/May/19/gemini-35-flash/#atom-everything — Gemini 3.5 Flash was released GA at Google I/O 2026—skipping the preview label—and is priced higher than Gemini 2.0 Flash despite being in the 'Flash' (budget) tier. Google has deployed it across most of their key consumer products. If you built cost assumptions on Gemini 2.0 Flash pricing, 3.5 Flash is not a free upgrade—review the pricing page before switching. Simon Willison also draws a pelican with it to confirm quality.
- [R] [simon-willison] datasette-llm-accountant 0.1a4 — https://simonwillison.net/2026/May/19/datasette-llm-accountant/#atom-everything — Minor alpha bug fix release for datasette-llm-accountant, fixing chain-of-response tracking.
- [R] [simon-willison] llm-gemini 0.32a0 — https://simonwillison.net/2026/May/19/llm-gemini/#atom-everything — Alpha release of llm-gemini adding streaming reasoning token support, compatible with llm>=0.32a0 alpha.
- [R] [simon-willison] datasette-llm 0.1a8 — https://simonwillison.net/2026/May/19/datasette-llm/#atom-everything — Minor alpha bug fix for datasette-llm, fixing llm_prompt_context() hook chain-of-response collection.
- [R] [anthropic-blog] Widening the conversation on frontier AI — https://www.anthropic.com/news — Anthropic announcement or blog post about broadening public discourse on frontier AI development.
- [R] [anthropic-blog] KPMG integrates Claude across its core business and workforce of more than 276,000 in strategic alliance — https://www.anthropic.com/news — KPMG, a global professional services firm, has signed a strategic alliance to integrate Claude across its 276,000+ person workforce.
- [M] [claude-status] Elevated errors on Claude Opus 4.7 — https://status.claude.com/incidents/f9yk8lqw384x — On May 19, 2026, the Anthropic status page logged an incident of elevated errors on 'Claude Opus 4.7'—a model version not previously known publicly. The incident was identified at 15:14 UTC, a fix implemented by 15:19, and resolved by 15:40 UTC. This is notable primarily because it implies a Claude Opus 4.7 model exists or is in testing, beyond the known Opus 4/4.5 line.