Monday, 15 June 2026

Rio's government LLM exposed as an unlabeled model merge; curl pauses CVE reporting for a July vacation; why AI still hasn't replaced software engineers

Today's Lead

GitHub

Rio de Janeiro's 'Homegrown' 397B LLM Exposed as an Undisclosed Model Merge

Nex-AGI alleges that Rio-3.5-Open-397B, marketed as an original model by IplanRIO (Rio de Janeiro's city tech arm), is actually a 0.6/0.4 element-wise merge of Nex-AGI's model with Qwen3.5-397B-A17B. When Rio's system prompt is removed, the model identifies itself as Nex 79% of the time and recites Nex's backstory, with consistent blending ratios across all 60 layers pointing to intentional merging rather than independent training. The complaint centers on misrepresentation: Rio marketed the model as original AI without disclosing it was composed from existing open-source models.

Read →

Also today

GitHub

Kage: Shadow Any Website to a Single Binary for Offline Viewing

Kage is an open-source tool that clones websites into offline-browsable copies by rendering pages through headless Chrome and stripping all JavaScript. It supports multiple output formats—browsable folder structures, ZIM archives, and fully self-contained binaries—with features like robots.txt compliance, resumable operations, and smart crawl configuration. Captured pages remain stable and functional offline indefinitely without external dependencies.

Read →

andreklein.net

Your ePub Is Fine; Kobo Disagrees—Blame Adobe

A valid ePub file that passed all standard validation checks silently failed to open on Kobo devices due to their reliance on Adobe's outdated RMSDK rendering engine. The culprit was a modern CSS expression that Adobe's parser, frozen at roughly 2013 standards, could not handle. The case exposes a stubborn gap between EPUB spec compliance and real-world device support driven by Adobe's aging embedded engine.

Read →

daniel.haxx.se

curl Will Pause All Vulnerability Reporting for July

The curl project is suspending vulnerability submissions throughout July 2026 to give its maintainers a genuine rest after four months of intense pressure. The HackerOne submission form and security email will be paused from July 1 to August 2, with the 8.22.0 release pushed back two weeks to September 2. The announcement is a candid reminder that open source security infrastructure runs on human endurance—and that endurance has limits.

Read →

Very Sane AI

Did Anthropic Ask for This?

The article argues that Anthropic's own advocacy for strict AI regulation—with CEO Dario Amodei publicly calling for government oversight—has now returned as export restrictions on their models. By legitimizing government authority to block AI deployment, Anthropic helped build the policy framework it now finds itself subject to. It is a pointed observation about the gap between abstract safety rhetoric and the concrete regulatory consequences that follow.

Read →

Simon Willison

Why AI Hasn't Replaced Software Engineers, and Won't

Arvind Narayanan and Sayash Kapoor argue that AI job losses in software engineering simply have not materialized: in the first full year of New York's AI layoff disclosure requirement, zero companies checked the AI box in over 160 WARN Act filings. The real bottlenecks are not typing speed but deciding what to build, verifying what was delivered, and the deep contextual understanding of codebases and business environments that AI cannot replicate. Simon Willison adds that AI assistance helps him across all phases, but the irreplaceable part remains how deeply he understands the problem.

Read →

iliashaddad.com

Indexing 669 GB of GoPro Videos with Local ML on an M1 Max

The author built a desktop app that runs Whisper for transcription, Qwen2.5-VL for scene descriptions, and face and object detection entirely locally on an M1 Max to index 2,207 GoPro cycling videos totaling 669 GB. The pipeline runs at 4.4x slower than real-time playback and feeds semantic search queries like 'biking with dogs barking' that send clips straight to a DaVinci Resolve timeline. It is a practical demonstration of what on-device ML can now accomplish for personal media at scale.

Read →

Manish Goregaokar

Diplomat: Multi-Language FFI for Rust Libraries

Diplomat is a code generation tool that automates FFI bindings from a single Rust bridge crate to C, C++, JavaScript, TypeScript, Dart, Kotlin, and Python. Developers annotate a thin wrapper crate with special attributes and Diplomat generates idiomatic bindings in all target languages without requiring the underlying library to change. The tool was built to expose ICU4X—a Rust internationalization library—across many language ecosystems while keeping complexity contained to one place.

Read →

PlanetScale

The Only Scalable Delete in Postgres Is DROP TABLE

PlanetScale argues that DELETE in Postgres does not scale: MVCC overhead, replication burden, index maintenance, and dead tuple bloat create compounding costs that vacuum cannot fully keep pace with. The recommended fix is to redesign schemas around DROP TABLE or TRUNCATE—using temporary tables or date-based partitioning to convert delete-heavy workloads into occasional table drops. It is a schema-level solution rather than a tuning knob, which makes it a hard sell but the most honest answer.

Read →