GLM-5.2's Open-Weights Lead, DeepSeek Gains Vision & Lore Challenges Git — The Weekly Diff #4

Murtuzaali Surti
Murtuzaali Surti

• 6 min read

web AI sde opinion news mcp opensource weekly-diff

Updated

TL;DR

Table of Contents

Lore: An Open Source Version Control System Built for Scale

Lore, an open-source version control system built for scale

Lore is a new open-source version control system designed for scalability. The idea is simple, handle the things Git handles badly, namely large binary assets and giant monorepos that make git status crawl.

Anyone who has wrangled Git LFS knows the pain, since Git was built for text and the model starts creaking the moment you version large binaries like game assets, design files, or datasets. Git LFS papers over the problem well enough until you cross GitHub's storage limits and it turns into a paid add-on that never quite feels native.

The most important catch is that Lore isn't actually a fully distributed VCS. Because it coordinates with a central server, it undercuts the "drop-in Git alternative" framing for anyone who values Git's offline-first, distributed nature. Several people also pointed out that Perforce is already the de facto standard in AAA game studios for exactly this large-binary use case, so Lore is walking into a space with an entrenched incumbent. Game developers were the most enthusiastic of the bunch, citing years of frustration with Git's handling of binary assets as proof the problem is real.

If you mostly version text, Git isn't going anywhere, and the tooling around it (I've written about Git hooks using Husky before) remains unmatched. Lore earns a spot on your radar mainly if you've felt the binary asset pain firsthand.

Pro Tip

Before migrating any team to a new VCS, weigh the ecosystem, not just the core tool. Git's real moat is decades of CI integrations, hosting, and muscle memory built around it.

Zero-Touch OAuth for MCP: Enterprise-Managed Auth Goes Stable

Zero-Touch OAuth for MCP - enterprise-managed authorization

The Model Context Protocol team shipped Enterprise-Managed Authorization, and it addresses what has arguably been MCP's biggest weak spot, auth. If you've read my MCP explainer, you know how much friction the old per user, per server OAuth dance created.

The new model flips that arrangement entirely. Rather than every employee individually clicking through OAuth flows to link Claude or ChatGPT to their work accounts, an IT admin centrally controls which MCP servers are allowed through the company's identity provider, with Okta as the first supported IdP. It's powered by a new token format called ID-JAG that notably isn't MCP specific and could work anywhere apps share an SSO provider, so the result is meant to be "zero-touch". You join a company and your tools are already wired together, with no re-authentication every 8–12 hours.

Not everyone is convinced this is the right tradeoff. The sharpest dissent on the HN thread called it "bonkers", the worry being that granting a tool access to a sensitive resource such as a bank MCP server almost certainly warrants a per-conversation prompt before it acts, especially given prompt-injection risks. Reducing friction is the whole point of the feature, which is precisely why some argue a little friction belongs here. Defenders countered that the real win is isolating the auth flow outside the agent's context window entirely, a genuine security improvement, and on the practical side one developer detailed that Microsoft Entra ID doesn't support dynamic client registration, so real-world enterprise setups still need workaround shims today.

CAUTION

"Zero touch" auth is convenient, though convenience and least-privilege pull in opposite directions. For anything that can move money or delete data, keep a human in the loop regardless of how seamless the connection is.

GLM-5.2: The New Leading Open-Weights Model

GLM-5.2 leads the open-weights models on the Artificial Analysis Intelligence Index

GLM-5.2 is now the top-ranked open-weights model on the Artificial Analysis Intelligence Index.

Most of the excitement is centered on price-to-performance, and pointing to providers offering near-unlimited tokens for around $50/month. For developers who've watched frontier API bills climb, an open-weights model in that quality tier is a big deal, and another reason the open-source coding agents I covered earlier keep getting more viable.

The most useful critique zeroed in on efficiency, as one hands-on user reported GLM-5.2 spending "over 15 minutes reasoning" and burning ~45k tokens on a small task that GPT-5.5 handled in ~16k tokens total. Raw capability is climbing fast across open models, which makes token efficiency the real differentiator now, something I touched on in why a million-token context window isn't what you think it is. That tradeoff is exactly why a popular workflow emerged, "use GLM for generation and a frontier model for review and debugging, getting you most of the way to a premium plan for a fraction of the cost". If you've been tracking the open-model wave since DeepSeek's R1 release, this is the same story accelerating.

DeepSeek Introduces Vision Capability

DeepSeek introduces vision - image understanding capabilities

DeepSeek added vision support this week, and developers were quick to clarify what that actually means - this is image understanding — describing and reasoning about images — rather than image generation, a distinction worth keeping straight before you get your hopes up about a free image generator.

Vision unlocks the Claude Agents SDK, which requires a vision-enabled API. The takeaway is that "if the DeepSeek API could see, it can fully drive Claude Code". Meaning DeepSeek's cheap inference could now back agentic workflows that previously forced you onto pricier vision capable models like Qwen or Gemini Flash Lite. For a model already known for aggressive pricing, gaining a frontier-tier capability is exactly the kind of thing that creates competition. As one commenter joked on HN, "OpenAI and Anthropic need to get this free foreign competition banned."

I covered getting started with DeepSeek and OpenRouter when R1 launched, and vision is a meaningful step up the capability ladder for an open, low cost model.

AI Demands More Engineering Discipline, Not Less

Charity Majors argues AI demands more engineering discipline, not less

Charity Majors published a piece arguing that AI demands more engineering discipline, not less, and it struck a nerve. Her core idea is that AI lets you produce code faster, so speed without discipline simply gets you to a mess sooner. It pairs neatly with what I've written about the problem with AI-generated code and why vibe coding is the fast food of coding.

The HN thread surfaced three takes worth sitting with. First, a skeptic noted that the "it used to be slop, but now it's fixed" framing has been recycled for every model since GPT-3.5, which makes the capability debate "basically non-falsifiable." Second, and most pointed take is that it's getting genuinely harder to distinguish competent engineers from people slinging "LLM copypasta," because everyone now files perfectly formatted PRs and docs — one commenter predicted "an exotic form of technical debt... remarkable mostly in its enormity." Third, a sympathetic reader mapped the argument onto infrastructure-as-code, says, people dislike systems "where it's hard to tell how it got into its current state," and un-reviewed AI output produces exactly that kind of opaque, hard to reason about codebase.

Pro Tip

The discipline that prevents AI slop is the same discipline that always mattered, which is, clear design upfront, real code review, and the ability to explain how your code got the way it is. AI just raises the cost of skipping those steps.

Related posts ✍️

SpaceX Buys Cursor, The Fable Ban & Apple's Container Machines — The Weekly Diff #3

Previous