Weeknotes 2026.20 and 2026.21
Posted on Mon 25 May 2026 in Blog
I've been to the Black Forest, and that is the reason I didn't publish last week's weeknotes. I thought, let's try one more double-entry bookkeeping this week. Due to a long weekend here in Austria, the weeknotes are published on a Monday.
The time in the Black Forest and at Lake Constance was quite interesting, but a little bit short.
As far as I can tell, the last two weeks were very intense and a lot of things happened.
Story of the week
CISA credentials leaked
Brian Krebs reported that a CISA contractor leaked a lot of secrets. The contractor committed a lot of sensitive information to GitHub.
- CISA Admin Leaked AWS GovCloud Keys on Github
- Lawmakers Demand Answers as CISA Tries to Contain Data Leak
- ‘The Worst Leak That I’ve Witnessed’: U.S. Cybersecurity Agency Leaves Its Digital Keys Out in Public on GitHub
pgBackRest
As mentioned in Weeknotes 2026.19, the development of pgBackRest will continue. It seems like there will be a couple of companies sponsoring the development. I think it is a good sign for the Postgres ecosystem that a couple of companies stepped up. On the other hand, it is a little bit disappointing that it took a shutdown notice for them to step up.
- pgBackRest Will Continue!
- Backrest's back, alright!
- Keeping pgBackRest Open, Healthy, and Community Driven
Postgres and the world of data
Postgres release
The PostgreSQL Global Development Group announced a release of all supported versions. The release fixes 11 security issues and over 60 bugs.
PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 Released!
SQL: order by
Markus Winand has written about the history of ORDER BY in SQL.
Lætitia Avrot has read the write-up as well and did some research into why Postgres hasn't implemented some details of the SQL standard.
Multigres
Multigres has published a series of articles about their design decisions. The first article is about why they use their own connection pooler.
Two jobs, two processes: why Multigres has its own connection pooler
Postgres 19
Christophe Pettus has written about some changes in Postgres 19 that can cause some operational headaches.
PostgreSQL 19 Beta: The Four Features You’ll Actually Feel
JSONB in Postgres
Richard Yen has published a blog post about JSONB and performance. He tested three approaches: GIN Indexes, Expression Indexes and Generated Columns.
Making JSONB More Queryable with Generated Columns
TOAST
Radim Marek took a look at the TOAST feature in Postgres. With some examples, he showed how the feature works.
TOAST: Where PostgreSQL hides big values
SQL Queries
There is a nice article about SQL queries that can be used to detect fraud.
Six SQL patterns I use to catch transaction fraud
Postgres Release Monitor
- pgFormatter v5.10 has been released
- PgBouncer 1.25.2 released
- pgAdmin 4 v9.15 Released
- Ajqvue Version 3.6 Released
- CloudNativePG 1.29.1 and 1.28.3 released: critical CVE fix
- pg_sorted_heap 0.14.0 released
- Barman 3.18.0 Released
- plpgsql_wrap v1.0 released
- Release: check_pgactivity 2.10
- pg_statviz 1.0 released with AI-powered analysis
- pg_mentat 1.3.0 released -- Datomic-compatible Datalog inside PostgreSQL
- pg_infer 1.0.0 released -- transformer model knowledge as SQL relations
- pg_tre 1.1.1 released -- an approximate-REGEX index AM for PostgreSQL 18+
- pg_clickhouse 0.3.0
Security and Privacy
GitHub got breached
GitHub probably got compromised through a malicious VSCode extension, and the attackers managed to access around 3,800 internal GitHub repositories.
GitHub confirms breach of 3,800 repos via malicious VSCode extension
Linux
There have been a lot of nasty kernel vulnerabilities in the last few weeks. A lot of the vulnerabilities are discovered with the help of LLMs. Another side effect is that the Linux security mailing list is becoming a bit unmanageable.
- How Fedora is responding to recent Kernel vulnerabilities
- Linux bitten by second severe vulnerability in as many weeks
- AI eyes scanning for bugs create a worrisome Linux security trend
- Linus Torvalds says AI-powered bug hunters have made Linux security mailing list ‘almost entirely unmanageable’
- 9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros
Mullvad
The exit IPs of Mullvad VPN users can be used to fingerprint the VPN users. Mullvad is working on a solution to this.
Digital sovereignty
Another article that explains how European tech can be used instead of the big cloud providers, and which problems still exist.
How I Moved My Digital Stack to Europe
reCAPTCHA
The next-generation reCAPTCHA system is tied to Google Play Services on Android. This means that de-googled Android users will have trouble with reCAPTCHA.
Google Broke reCAPTCHA for De-Googled Android Users
There is a Mastodon thread where GrapheneOS explains that Google and Apple are expanding their use of hardware-based attestation.
The purpose of these systems is disallowing people from using hardware and software not approved by Apple or Google. This is wrongly presented as being a security feature. Banks and government services are the main ones adopting it but Apple and Google are encouraging every service to use it.
https://grapheneos.social/@GrapheneOS/116550899908879585
Bitwarden
There are more and more signs that Bitwarden is not getting better. It seems like the company and the development are not moving in the right direction.
- The Quiet Renovation at Bitwarden
- Bitwarden scrubs ‘Always free’ and ‘Inclusion’ values from its website as longtime execs step down
- I Do Not Recommend Bitwarden
The "Don't be evil" part of Google is obviously not there anymore. API fraud is a big problem. Or a big money printing mechanism for the big cloud providers. And Google announced a new search UI.
- Google users fight for refunds as unauthorized API usage bills soar
- Google Search as you know it is over
Data breach ticker
- 7-Eleven confirms breach after ShinyHunters claims
- Hackers steal patient and billing data from German hospitals via third-party provider
- Foxconn confirms cyberattack claimed by Nitrogen ransomware gang
- Grafana breach caused by missed token rotation after TanStack attack
AI
Emmi AI joins Mistral
A success for the Austrian AI ecosystem. The Linz-based company Emmi AI joins Mistral.
Emmi AI Joins Mistral AI to Redefine Manufacturing and Industrial Engineering
Project Glasswing
Anthropic has written an update about Project Glasswing. They presented a lot of numbers on the vulnerabilities they found with Mythos.
Another write-up thinks that the real reason for Anthropic to hide its AI is that it is too expensive.
And Microsoft is on pace to break the annual vulnerability record. Thanks to AI.
- Project Glasswing: An initial update
- “Too Dangerous to Release” — Or Just Too Expensive? The Real Reason Anthropic Is Hiding Its Most Powerful AI
- Microsoft on pace to break annual vulnerability record as AI-driven patch wave takes hold
AI race
Anton Krylov has written about why he thinks the US is winning the AI race. The broader ecosystem is where the US is winning the race. Although Chinese models are impressive, the commercialization of AI is more or less completely in the hands of the big US companies.
Local AI
There is a plea that using local models should be the default.
Andrej Karpathy
One of the big names in AI has a new job. Andrej Karpathy joins Anthropic. He previously worked at OpenAI and Tesla.
OpenAI co-founder Andrej Karpathy joins Anthropic
Around the world
Vivaldi 8 released
Vivaldi announced the release of version 8 of their browser. The browser now has a new UI.
Vivaldi 8.0: our biggest design overhaul, ever
OpenBSD 7.9 released
The OpenBSD project announced the release of version 7.9 of their operating system.
OpenBSD 7.9 arrives, a diamond in the rough proud of every sharp edge
Kagi
Veronica Lewis wrote about her experience using Kagi search with low vision.
My Experience Using Kagi Search With Low Vision
KDE
The KDE project got €1,285,200 from Germany's Sovereign Tech Fund.
KDE bags €1.3M as Europe realizes it might need an OS of its own