Linkblog/2025/03/27

TL;DR

Google has confirmed to Android Authority that development of the Android operating system will soon fully happen in private.

Currently, Google shares some of the work it does on the public AOSP Gerrit, but moving forward, this work will all be done in private.

The goal for this privatization is to simplify Android OS development and not to hinder external developers, which is why Google remains committed to publishing source code to AOSP after each release.

I’m not close enough to this space to know if this will actually affect anything.

This change will also have minimal impact on most developers. App developers are unaffected, as it pertains only to platform development. Platform developers, including those who build custom ROMs, will largely also see little change, since they typically base their work on specific tags or release branches, not the main AOSP branch. Similarly, companies that release forked AOSP products rarely use the main AOSP branch due to its inherent instability.

This is hopefully the case.

But still, building in open is cool.

Praise Kier.

Seen on Tao of Mac.

MCP 🤝 OpenAI Agents SDK

You can now connect your Model Context Protocol servers to Agents: https://openai.github.io/openai-agents-python/mcp/…

We’re also working on MCP support for the OpenAI API and ChatGPT desktop app—we’ll share some more news in the coming months.

This is really cool to see!

MCP reaching OpenAI was something I hoped to see when the spec first came out, even though Anthropic were the ones to plant the seeds, seeing OpenAI start to adopt it is nice.

From Simon Willison’s Webblog.

We’re Fly.io, a security bearer token company with a public cloud problem. You can read more about what our platform does (Docker container goes in, virtual machine in Singapore comes out), but this is just an engineering deep-dive into how we make our security tokens work. It’s a tokens nerd post.

[…]

Can I sum up Macaroons in a short paragraph? Macaroon tokens are bearer tokens (like JWTs) that use a cute chained-HMAC construction that allows an end-user to take any existing token they have and scope it down, all on their own. You can minimize your token before every API operation so that you’re only ever transmitting the least amount of privilege needed for what you’re actually doing, even if the token you were issued was an admin token. And they have a user-serviceable plug-in interface! You’ll have to read the earlier post to learn more about that.

I’ve never needed to reach for Macaroons for applications I’ve built, but I really like the idea of them.

Feels like pledge for JWTs.