The Git Times

Apache Airflow released version 3.2.1 this week, delivering security refinements and operational fixes to the platform that has orchestrated data workflows at scale since 2015.

The most notable change restricts the /dags endpoint. Users granted only read access to DAG definitions can no longer retrieve aggregated data without explicit permissions for DagAccessEntity.RUN, DagAccessEntity.HITL_DETAIL, and DagAccessEntity.TASK_INSTANCE. Administrators must update custom roles to preserve existing access patterns.

UI customisation gains flexibility. Theme configuration now accepts pure CSS overrides, icon-only definitions, or an empty object to restore OSS defaults; the tokens field is optional. This simplifies branded deployments without forcing full token recreation.

Engineering teams also shipped targeted bug fixes: correct kwargs handling in DEFAULT_LOGGING_CONFIG, prevention of premature zip DAG import error clearing during bundle refresh, proper disposal of async ORM engines on shutdown, and elimination of unintended DAG leakage in the asset graph view.

Airflow lets engineers define workflows as version-controlled Python DAGs, schedule them across workers according to explicit dependencies, and monitor execution through a mature web interface. The 3.2.1 improvements reinforce its position as the standard tool for production data pipelines, where auditability and operational stability matter more than ever.

PyPI, official Docker images, and updated documentation are available immediately.

DeepSpeed v0.18.9 ships targeted improvements for practitioners training frontier-scale models. The update extends Muon optimizer support to ZeRO Stage 3, introduces universal checkpoints for AutoTP, and adds Hugging Face tp_plan compatibility. It respects the $TRITON_HOME variable for autotuning, removes unnecessary shell calls in ROCm detection, and restores backward compatibility for torch.amp.custom_fwd on PyTorch versions before 2.4.

These changes arrive alongside academic validation. The DeepSpeed team’s SuperOffload work received an Honorable Mention for Best Paper at ASPLOS 2026, demonstrating efficient LLM training on superchips. A tutorial at the same conference covered the library’s path from open-source foundations to production systems, referencing recent innovations such as ZenFlow stall-free offloading, Arctic long-sequence training, and DeepCompile compiler optimizations.

The Python library’s established techniques—ZeRO-Infinity, 3D parallelism, Ulysses sequence parallelism, and DeepSpeed-MoE—continue to underpin efficient distribution of computation, memory, and I/O. It powered early trillion-parameter-class models including MT-530B and BLOOM. LinkedIn has since applied ZeRO++ to distill LLMs for recommendation systems at scale.

For teams running multi-node GPU workloads, the incremental fixes reduce configuration friction and improve reliability on both NVIDIA and AMD platforms. As model sizes and sequence lengths keep growing, these engineering refinements keep DeepSpeed central to practical large-scale training and inference.

(178 words)

OpenClaw version 2026.4.21 refines core components of its self-hosted personal AI assistant. The most significant change strengthens owner-enforced command handling. When enforceOwnerForCommands is enabled and commands.ownerAllowFrom remains unset, the gateway now requires an explicit owner identity match or operator.admin privilege. Permissive channel allowFrom settings or empty candidate lists no longer grant access, closing a prior fallback path.

Image generation received parallel attention. The bundled provider and associated smoke tests now default to OpenAI’s gpt-image-2 model. Documentation and tool metadata advertise current 2K and 4K size hints. Failed provider or model candidates log at warning level before automatic fallback, surfacing OpenAI-specific problems in the gateway log even when secondary providers succeed.

Plugin and packaging stability also improved. The doctor utility correctly repairs bundled runtime dependencies, allowing packaged installs to recover missing channel or provider modules without pulling broad core dependencies. Slack outbound messages now preserve thread aliases supplied at runtime. Browser automation rejects invalid ax<N> accessibility references immediately rather than waiting out action timeouts. NPM installs benefit from an added node-domexception override.

These updates increase reliability for users running the gateway daemon—installed via openclaw onboard --install-daemon—across macOS launchd, Linux systemd, or Windows WSL2. The assistant continues to route speech, text and live Canvas output over more than twenty messaging services while keeping all data under owner control.

The ros-perception/image_pipeline project has shipped version 2.1.1, delivering targeted fixes for its image_view visualization tool in the Foxy distribution. Thirteen years after its initial commit, the package continues to occupy a narrow but critical position in the ROS 2 stack: converting raw sensor_msgs/Image streams into rectified, color-corrected, and disparity-ready data that higher-level nodes can trust.

Written primarily in performant C++ with supporting Python bindings, the pipeline supplies standardized operations including debayering, mono rectification using camera_info intrinsics, and stereo processing. It frees robotics teams from rewriting camera geometry math for every new application.

Core packages handle distinct stages:

• image_proc performs single-camera rectification and color conversion
• stereo_image_proc generates disparity maps and point clouds
• depth_image_proc registers depth images to RGB frames

Documentation lives in the current ROS 2 API reference, though some supplementary detail remains on the older wiki. Developers targeting Nvidia Jetson hardware are advised to combine it with Isaac Image Proc for GPU-accelerated versions of selected image_proc kernels.

In an era of proliferating warehouse robots, last-mile delivery vehicles, and research platforms, reliable early-stage image handling matters more than ever. The 2.1.1 release demonstrates that even mature infrastructure components require ongoing maintenance to remain compatible as the surrounding ROS ecosystem advances. Rather than chase novelty, the project quietly keeps the first link in the perception chain dependable.

The GoPiGo3 codebase has received a significant refresh with the release of GoPiGo OS, the new primary operating system for the Raspberry Pi robot platform. DexterOS is now deprecated, and the updated image delivers JupyterLab 2 alongside the latest Bloxter visual programming environment. Users gain full SSH access to Linux and VNC connectivity to the Raspberry Pi Desktop, removing previous restrictions that limited system-level changes.

The Python library remains the core interface, providing classes to drive motors, read encoders, and integrate Dexter sensors including the line follower, ultrasonic distance sensor, THP environmental sensor, and IMU. The quick-install command curl -kL dexterindustries.com/update_gopigo3 | bash handles both initial setup and updates. An additional update_sensors script installs support for the full sensor suite. A virtual-environment flag (--user-local --bypass-gui-installation) allows installation on custom Linux distributions without the desktop components.

Raspbian for Robots images continue to be available for teams preferring a complete SD-card solution with every library preloaded. The transition reflects nine years of iterative development since the project's 2017 launch, now maintained by Modular Robotics following its acquisition of Dexter Industries.

These changes matter because robotics education and prototyping increasingly demand both beginner-friendly tools and production-grade Linux access on the same hardware. GoPiGo OS meets that requirement without forcing users onto proprietary ecosystems.

The DAXXMUSIC project has issued a new release simply tagged “Music,” bringing measurable improvements to its core queue management engine. Created in 2023 and still actively maintained by DAXXTEAM, the Python bot streams audio directly into Telegram group voice chats with minimal latency even under heavy concurrent requests.

Developers have tightened the playback pipeline, reducing buffering when tracks are added or reordered mid-session. The update also expands the AI components listed among its topics, enabling more accurate automatic queue curation and conflict resolution when multiple users submit songs simultaneously. These changes address real-world friction points that emerge in large Telegram communities during extended listening sessions.

Setup follows the project’s long-standing pattern. Contributors edit reload.py to insert their numeric ID, then deploy through Heroku using the documented method. The all-in-one design means group administrators gain full control without bolting on secondary services.

As remote events and online communities continue to rely on voice chat infrastructure, DAXXMUSIC’s combination of high-performance streaming, persistent queues, and lightweight AI management keeps it relevant. The latest iteration sharpens existing strengths rather than adding surface-level novelty, giving maintainers a more stable foundation for customization.

Recent technical gains include:

• Faster queue state handling for groups larger than 200 members
• Improved recovery after network interruptions during streaming
• Refined AI logic for music-management suggestions

Four years after launch, edoardottt/awesome-hacker-search-engines continues receiving regular maintenance. The April 2026 update added dedicated entries for cryptocurrency transaction monitoring and internet-connected camera enumeration, matching shifts in attacker focus toward financial assets and physical devices.

The Shell-based repository organizes search platforms into 20 functional categories. The Servers section lists Shodan, Censys, ZoomEye, GreyNoise, FOFA and Netlas.io for internet asset mapping. Vulnerabilities directs users to NIST NVD, MITRE CVE, GitHub Advisory Database, osv.dev and Vulners.com for exploit intelligence.

Red team operators rely on the Attack surface, DNS, and Certificates sections during initial reconnaissance. Bug bounty researchers use the Leaks, Credentials, and Email addresses categories to locate exposed data. Blue teams consult Threat Intelligence entries such as Onyphe.io and Hunter to measure organizational exposure.

WiFi network locators, hidden service directories, web history archives and people-search engines complete the collection. Community contributions keep links current, preventing the obsolescence common in security tool lists. As cloud adoption and IoT deployment accelerate, the curated directory cuts reconnaissance time for both offensive and defensive security work.

**

OpenCTI version 7.260422.0 delivers concrete engineering improvements to a platform security teams have relied on since 2018 for structuring cyber threat intelligence.

The release adds STIX 2.0 converters for infrastructures, indicators and observables, closing previous translation gaps with external systems. Observability gains include deeper logs that pinpoint work started by ingest nodes. A longstanding settings-page failure when the RabbitMQ API is unreachable has also been corrected.

Bug fixes address daily friction. Software observables now deduplicate under a case-insensitive name policy. Individual entities can be created with single-character names. Corrections also restore proper user visibility for authorized members outside organizational segregation, fix notifier creation when connectors are selected, and ensure knowledge views appear from the Country menu.

The platform continues to map both technical elements—TTPs, observables—and non-technical context—attribution, victimology—to primary sources using a STIX2 schema. First and last seen dates, confidence scores and inferred relationships turn raw data into a navigable knowledge graph. Imports and exports remain straightforward in CSV and STIX2 bundle formats.

Connectors keep data flowing to MISP, TheHive and the MITRE ATT&CK framework. Enterprise Edition capabilities can be switched on directly in settings without separate deployment. These incremental changes matter to SOCs and intelligence units now handling higher volumes of multi-source data that must remain traceable and queryable.

Osquery maintainers shipped version 5.22.1 to correct a signing certificate mismatch that left 5.22.0 macOS binaries non-executable. The release refreshes the Apple provisioning profile and updates the osquery-toolchain to LLVM 11 with zlib 1.2.13.

Several functional improvements accompany the fix. The escapeNonPrintableBytes function is now UTF-8 aware, so query results that previously rendered raw bytes now display their proper characters. Virtual SQL functions support multiple constraints, enabling queries such as SELECT * FROM vscode_extensions WHERE uid in (SELECT uid FROM users WHERE include_remote = 1) that join or subquery against the users table for remote sessions.

The carver gains retry logic and preserves original file metadata inside archives. On Windows the programs table now surfaces machine-wide provisioned MSIX packages.

These changes matter for a project that has turned operating systems into high-performance relational databases since 2014. Security and operations teams continue to write SQL against tables representing processes, network sockets, launchd entries, ARP caches, and file hashes across Linux, macOS, and Windows fleets. The latest enhancements reduce friction in complex queries and improve reliability of forensic carving without altering osquery’s core plugin-based table architecture.

After more than a decade of steady development the framework remains a standard component in monitoring, compliance, and intrusion-detection pipelines.

Meilisearch v1.42.1 ships targeted fixes for its legacy settings indexer, particularly benefiting teams experimenting with the multimodal experimental feature. The update corrects internal errors that occurred when removing or modifying fragments, ensures the regenerate: false flag is respected on embedder changes, and properly indexes nested fields declared searchable even when parent fields are not.

These corrections matter because hybrid search—blending semantic vectors with full-text matching—now runs more reliably at scale. Written in Rust, the engine returns results in under 50 ms, powers search-as-you-type interfaces, and ships typo tolerance, faceted navigation, custom sorting, synonym support, and geosearch with zero additional configuration. Language coverage spans dozens of alphabets, with tuned stemming for Chinese, Japanese, Hebrew, and Latin-script texts.

The release also adds a CI pipeline validating the stable settings indexer, an incremental step toward retiring legacy code. For an eight-year-old project, the focus remains pragmatic: give developers a lightweight, self-hosted API that competes with hosted services while supporting both traditional keyword queries and modern vector embeddings.

Production teams report fewer indexing surprises when tuning embedders or updating document fragments, allowing tighter iteration on AI-augmented search experiences.

Ollama v0.21.1 introduces first-class support for the Kimi CLI, letting developers run Kimi K2.6 models through a single command.

ollama launch kimi --model kimi-k2.6:cloud installs and launches the multi-agent system, which coordinates specialized agents for long-horizon execution tasks that previously required complex external orchestration.

The MLX runner receives substantial upgrades. Logprobs are now available for compatible models. Sampling is faster after fusing top-P and top-K into a single sort pass while applying repeat penalties inside the sampler. Tokenization moved into request handler goroutines, and array management gained stronger thread safety.

GLM4 MoE Lite inference improved with a fused sigmoid router head. The macOS app no longer displays stale models after switching chats, and structured outputs for Gemma 4 now function correctly when think=false.

These changes sit alongside Ollama’s established REST API, Python and JavaScript libraries, and integrations with Claude Code, OpenClaw and Copilot CLI. The Go codebase continues to leverage the llama.cpp backend while expanding model coverage to include Gemma 3, DeepSeek, Qwen and MiniMax variants.

The release prioritizes practical performance and reliability for developers already running local models at scale.

Pointify v2.7.0 refines how developers track Claude consumption alongside hardware metrics on physical analog gauges. The update unifies the Claude metric selector with target sub-options and adds dedicated gauges for Claude Sonnet and Claude Design, streamlining configuration for users who run multiple models daily.

The Rust application drives up to eight retro-style meters that twitch in real time. Supported readings include CPU utilization, temperature, clock frequency and power; GPU metrics; RAM, swap, network RX/TX speeds; and disk usage with read/write throughput. On the AI side it surfaces five-hour session limits with reset times, weekly quotas, daily token totals broken down by input, output, cache read/write, and exact cost in dollars. Claude Code statistics are read from local logs; usage limits pull directly from the Claude website using credentials stored only on the local machine.

Pointify Desktop runs on macOS, Windows and Linux. Software-only gauges work without hardware, yet the project’s appeal lies in watching actual needles respond. Installation remains unchanged: Homebrew taps on Unix systems or manual download on Windows. Platform notes persist—CPU temperature and power are unavailable on Windows, AMD GPUs lack support, and Apple Silicon omits VRAM readings.

For builders whose workflows now revolve around large language models, the tighter integration makes usage visible at a glance without leaving the desk. The release demonstrates the project’s continued focus on blending nostalgic hardware with modern AI observability.

Project Aura's v1.1.3 release, issued on April 8, delivers practical upgrades for builders already running the ESP32-S3 air-quality station. The firmware now auto-detects both Sensirion SFA30 and DFRobot Gravity SFA40 HCHO sensors, correctly managing the SFA40's warmup cycle and startup behavior. This removes manual configuration steps when swapping formaldehyde modules.

A more significant addition is mean sea-level pressure support. Users set station altitude once through the LVGL touchscreen; the device then calculates and displays corrected pressure values suitable for direct comparison with weather reports. The update publishes a new pressure_absolute MQTT entity to Home Assistant while retaining the original pressure entity, giving integrators cleaner data options.

UI and workflow refinements reduce friction. CO2 calibration now presents a confirmation dialog and live progress indicator. The 12-hour clock format drops leading zeros (3:00 PM), settings screens show BACK when unchanged and SAVE & BACK only when needed, and night-mode readability has been adjusted. Brisbane timezone support arrives with a fixed UTC+10 offset.

Bug fixes address OTA restore behavior after failed uploads and eliminate a runtime error in the local web dashboard's live-state banner. The release maintains the project's offline-first design: full local web UI, Wi-Fi captive portal, and Home Assistant discovery continue to function without internet.

These changes tighten an already polished open-hardware platform that pairs the SEN66 sensor suite with LVGL, MQTT, and PlatformIO-based firmware.

The Button2 library has received a targeted maintenance update in version 2.5.0 that corrects several defects affecting long-term reliability in production embedded systems.

The most significant change addresses a critical integer overflow in long-click counter arithmetic on AVR platforms. On boards such as the Arduino Nano and Uno, the expression longclick_time_ms * (longclick_counter + 1) previously exceeded 16-bit limits, producing incorrect timing. The fix applies explicit casting to eliminate these errors. Additional patches resolve ambiguous empty enum references that surfaced when projects import using namespace std;, ensure all timing and state variables are properly initialized at construction, and correct resetPressedState() and operator== behavior.

Since its introduction in 2017, Button2 has offered a concise C++ API for physical and virtual inputs. It supplies callback handlers for single, double, triple and long clicks while managing debouncing internally, eliminating the need for hand-written state machines in the main loop. The library defaults to INPUT_PULLUP but accepts custom pin modes and alternative handlers for capacitive touch or I2C-sourced events. It remains compatible with Arduino, ESP8266, ESP32 and mbed targets.

These updates require no API changes yet materially improve stability on resource-constrained devices now entering sustained field use. For builders shipping hardware that depends on precise button input, the new release removes previously hidden failure modes.

The godotengine/godot-demo-projects repository has issued its first release compatible with version 4.2 of the popular open source game engine. Optimized specifically for 4.2.1, the collection adds several new demonstrations that highlight key features in 2D and 3D game development.

Developers can now explore dynamic TileMap layers in 2D alongside an array of 3D examples covering anti-aliasing methods, constructive solid geometry, decals, customizable graphics settings, 3D labels and text rendering, lighting and shadow techniques, occlusion culling paired with mesh level of detail optimization, particle systems, and physical light and camera unit calibration.

The project maintains separate branches for different Godot versions. The master branch tracks the latest development code while other branches correspond to stable releases. This organization allows teams to access relevant examples regardless of which engine version they target.

Importing the demos into Godot's project manager is simple. After cloning the repository, users scan the root folder to load all contained project.godot files at once. Many demos also run directly in web browsers via GitHub Pages, providing quick access though with reduced performance compared to desktop.

As an MIT licensed resource that has evolved alongside Godot since 2016, these templates offer concrete implementations rather than abstract theory. They matter now as developers adopt Godot 4 for its enhanced rendering and physics. The new content equips them with tested patterns.

EnTT v3.16.0 focuses on practical performance and API refinement rather than new headline features. The headline internal change delivers substantial speed-ups to the entt::any class through extensive rewrites that leave the public interface unchanged. Developers should update calls from the deprecated basic_any::type() and basic_sparse_set::type() to the new info() equivalents.

Core utilities now include typed data overloads, has_value checks, smoother self-assignment for any, and a full_type_name function. The configuration system has been simplified by merging attribute.h into config.h. Hashed string conversion operators are now explicit, and stripped_type_name returns empty views when names are unavailable.

Container improvements target real usage patterns. dense_map::at gains transparent lookup support, while both dense_map and dense_set see modest gains on all constrained_find operations. In the entity module, runtime views now have complete swap-only policy support, registries can have their contexts cleared on demand, and entity storage objects can be swapped directly. A const registry is no longer treated as a synchronization point by basic_organizer.

These changes matter for teams already shipping with EnTT. The library's pay-for-what-you-use policy, unconstrained component types, optional pointer stability and storage customization hooks remain intact. Header-only with zero dependencies, it continues to serve production codebases at Mojang on Minecraft and Esri in the ArcGIS Runtime SDKs. The update keeps the 9-year-old project aligned with C++17 and C++20 idioms without breaking existing integration.

Tiled remains the standard open-source tool for creating tile maps in 2D games. Version 1.12.1, released this week, delivers four targeted fixes that eliminate friction for daily users rather than adding new capabilities.

The Properties view no longer flickers when switching between objects or files. The selection mode indicator has been corrected so it no longer toggles on Alt presses that should simply move objects. Status-bar pixel coordinates now floor values instead of rounding them, giving accurate readouts at sub-pixel positions. On macOS the dialog for choosing property types when adding new data works reliably again.

These changes matter because Tiled routinely handles maps with dozens of layers, multiple tilesets and thousands of custom properties. Its TMX format stores all data in readable XML, allowing engines to load maps without custom parsers. Tilesets can be swapped at any time, and every map element accepts arbitrary key-value data for gameplay logic.

The editor is written in C++ atop the Qt framework and builds with Qbs. Official signed installers are provided for Windows and macOS; Linux users are advised to use the AppImage, Flatpak or snap packages to bypass outdated distribution builds. Source compilation needs Qt 5.12 or newer plus Python headers for the scripting plugin.

Fifteen years after its first commit, the project’s steady maintenance keeps it viable for both solo developers and small studios who depend on predictable, cross-platform map creation.