Week 2026-17

Companies have so far been protective of their code, but a new era is coming and they’ll have to shift that protectiveness elsewhere. @vlkodotnet

Week’s Highlight: Who owns code generated by Claude Code?

You’ve just wrapped up a workday spent collaborating with Claude Code, and you got a real chunk of work done. Now you’re sitting at home thinking about all of it, when it suddenly hits you: who actually owns the code that came out of today?

Ownership of AI-generated code may not actually be yours. Here in the EU we don’t yet have a case where a question like this has reached the courts, but in the US a court has ruled that without sufficient human creativity, such code isn’t covered by copyright law. Compared to hand-written code, there are several other differences. As an employee, you’re bound by your employment contract, and unless you’ve negotiated otherwise, code created on your work computer using your company’s work tools belongs to your employer. On top of that, AI-generated code can be contaminated with GPL/LGPL code. That doesn’t happen when you write code by hand, but with AI it can.

Anthropic does provide certain guarantees about generated code. Under the Free/Pro plan you fall under the “Consumer terms” and your intellectual property (IP) is protected to a degree, but with Team/Enterprise you get the “Commercial terms,” where Anthropic promises to defend your rights even in court.

It’s strongly recommended to document every human decision that can prove in court that you didn’t just mutely accept the AI agent’s work. But who today actually uses a system that archives prompts and entire conversations?

And against code contaminated with GPL and LGPL there are tools like FOSSA, Snyk, and others — which you’ll have to pay extra for. That stands in contrast to the assumption that you’d save money with an AI agent.

IP is an interesting topic that nobody in the AI frenzy is paying attention to right now, but if at your company nobody lifts a finger anymore without an AI agent, then you should start thinking about the fact that code is no longer your value. The value is starting to be the specs/prompts/whatever else the code is generated from.

Security Insights

Last week was extra rich in security incidents. The biggest one has a simple name — copy.fail — and enables local privilege escalation on Linux. Don’t be misled by the fact that the exploit needs a Python script. That’s just the simplest 732-byte reproduction. If you haven’t updated your Linux machines yet, don’t wait. The exploit does require access to any local account, but that can include a running service.

By complete coincidence, right after this vulnerability was disclosed a DDoS attack hit the servers of a well-known Ubuntu distribution. As if someone wanted to make sure as many machines running this OS as possible stayed unpatched.

The elementary-data package was hit by a successful supply-chain attack. It’s a popular package in the ML community, so if you have version 0.23.3, I recommend starting cleanup.

A nastier supply-chain attack hit Trivy, a vulnerability scanner. It then spread into the company Checkmarx. They even managed to reach into Bitwarden — fortunately only into their CLI tool.

To round things off, attackers also pulled off a supply-chain compromise of PyTorch Lightning.

GitHub managed to fix a critical vulnerability in just 2 hours.

And one more security-related item. BrowserLeaks is a site that tests the best-known vulnerabilities of your browser. But not just those. Canvas Detection, for example, can build a pretty solid unique digital fingerprint of you.

BIZ Insights

Microsoft has a new deal with OpenAI. The AGI clause has been removed, Azure is still the primary cloud partner — but no longer the only one for business customers. Microsoft didn’t gain much: exclusivity on the latest models stays, and it can use the latest OpenAI models without a license until 2032. The deal also lowers the risk of antitrust action.

China blocked Meta’s acquisition of Manus. Manus practically wasn’t operating in China anymore — everything important had been moved to Singapore. It’s also strange that it took 4 months without any prior warning. I’m curious how Meta will handle this, because the original Manus essentially no longer exists.

On top of that, Meta has definitively lost the New Mexico lawsuit over child protection on their platforms. The second phase is starting now and may change how Facebook, Instagram, and WhatsApp operate. On the table: mandatory age verification, no end-to-end encryption for children’s communication, limits on infinite scrolling, and a total cap of 90 hours per month. That’s 3 hours a day, so it’s not really that strict.

The Musk vs Altman case is currently in court. So far it looks like Musk’s biggest enemy is himself.

Google gives you the illusion of choice — that Gemini doesn’t use the content of your emails and documents for training — but in certain cases, when it uses tools to work with them, that doesn’t apply. The opt-out also disables a bunch of unrelated features.

AI Insights

Mistral released the Medium 3.5 model, which is supposed to be the right model for AI agents. It’s open-weight for local use, and the hosted price is also quite reasonable. You can also offload the AI agent’s run to their cloud and turn off your computer, for example.

So that OpenAI wouldn’t look bad next to Anthropic’s Mythos model, they released GPT 5.5 Cyber. Like Mythos, it’s intended for vulnerability discovery, and this one also isn’t for ordinary plebs like me — only for trusted partner companies.

OpenAI also published an interesting case study on why goblins and gremlins kept showing up in its model’s outputs more and more often. The culprit was the Nerdy feature, which rewarded that kind of behavior, and on top of that the behavior compounded with each new version through feedback training.

Quite quietly — if we don’t count Musk’s X account — xAI launched a new model, Grok 4.3. It comes at an aggressively low price and can clone your voice.

.NET Insights

SkiaSharp is getting a new version, 4.0, in Preview 1. SkiaSharp is a cross-platform graphics engine you can use to render anything you need to render. It brings better image downscaling, performance improvements, more security, etc.

Links Drop

Google is introducing the 8th generation of its TPU, this time in two versions: 8t for training models and 8i for inference. Both chips deliver a twofold improvement in performance per watt.

Curious why ASML, as the maker of the machines that produce processors, is such a unique company? The following article describes not only how EUV lithography works but also how the company came to be and what it’s preparing next.

It’s possible to run Linux on the PS5. The Linux installation isn’t permanent — after a console restart, everything reverts to its original state. But on this Linux you can play PC games at surprisingly good quality.

Microsoft dug up the oldest known PC-DOS somewhere and open-sourced it.

An interesting article about the business behind buying fake GitHub stars. Stars like that go for anywhere from 3 to 90 cents apiece. npm downloads and VSCode extensions get inflated in similar ways.

FlipBook is an infinite visual browser that doesn’t generate HTML but instead images from the results of agentic web search. It’s an interesting one — you can start, for example, with your favorite city.

And for your traditional moment of procrastination, you can drop in among cursors from all around the world.

Closing Visual

When even AI doesn’t want your code anymore.