may 7, 2026
5 links from the engineering internet.
chrome silently installs a 4 gb local llm on your computer
google chrome is deploying a 4 gb on-device model named optguideondevicemodel to users without notification; it ships with chrome 136 and appears as weights.bin in your profile, with no clean removal path short of blocking updates.
cloudflare publishes postmortem on .de tld dnssec outage
denic pushed a broken zone signing key into the .de tld on may 5, triggering servfail across every validating resolver; cloudflare deployed a negative trust anchor under rfc 7646 and restored resolution within 90 minutes while the iana suspension process was still pending.
rubber duck in github copilot cli now supports more models
copilot cli's rubber duck feature now dispatches cross-family critic agents: gpt-orchestrated sessions can invoke a claude-powered reviewer, and claude-orchestrated sessions can pair with gpt-5.5 as the rubber duck, enabling cross-vendor second opinions from the cli.
github repository rulesets add user bypass and branch renaming
org admins can now add individual users as bypass actors in repository rulesets, and rulesets now follow branches when they are renamed, closing the gap where renaming a protected branch let contributors sidestep enforcement.
cloudflare details how it mitigated the copy fail linux kernel exploit
cloudflare walks through their response to cve-2026-31431 (copy fail), a linux kernel privilege escalation via the authencesn crypto template; covers how their fleet was protected and the timeline from public disclosure to full remediation.