Self-Hosted Weekly: Week 14, 2026. Gemma 4 Goes Apache 2.0, Ingress NGINX Is Dead, and Docker Gets Patched
Welcome back to Self-Hosted Weekly, your Friday roundup of everything that matters in open-source and self-hosting. This was a big one — Google dropped its most capable open models ever, Kubernetes lost its most popular ingress controller, and Docker shipped a critical security patch. Let's get into it.
1. Google Releases Gemma 4 Under Apache 2.0
Google just released Gemma 4, a family of four open-weight models spanning edge devices to data centers — all under the Apache 2.0 license. That means no MAU caps, no acceptable-use restrictions, full commercial freedom.
The lineup includes E2B, E4B, 26B-A4B (MoE), and 31B (Dense) variants. The 31B model currently sits at #3 globally on the Arena AI text leaderboard. All models natively process video and images, and the smaller ones even handle audio input.
Hot take: This is Google saying "we'll give away frontier-level models to win the ecosystem war." If you're self-hosting AI with Ollama or Open WebUI, Gemma 4 just became your best option for a locally-hosted powerhouse.
2. Ingress NGINX Is Officially Dead
The Kubernetes community officially retired Ingress NGINX in March 2026. No more releases, no bug fixes, no security patches. Done.
This is a big deal — Datadog's research shows roughly 50% of cloud-native environments rely on this controller. The project died because, despite its massive adoption, it was maintained by one or two people in their free time. Nobody stepped up.
Hot take: This is the open-source sustainability problem in a nutshell. Half the internet depends on software that volunteers maintain in their spare time. If you're still running Ingress NGINX, migrate to Gateway API or a third-party controller now — not next quarter, now.
3. Docker/Moby AuthZ Bypass — Patch Immediately
CVE-2026-34040 dropped this week — a CVSS 8.8 vulnerability in Moby (Docker Engine) that lets attackers bypass authorization plugins using oversized request bodies. The daemon forwards the request without the body, and the AuthZ plugin approves what it normally wouldn't.
The flaw stems from an incomplete fix for CVE-2024-41110. Patch to Docker Engine v29.3.1 immediately if you use AuthZ plugins.
Hot take: If you're running Docker on Elestio, automatic updates have you covered. If you're managing your own infrastructure — go patch. Right now.
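For plugin authors, here is a fail-closed decision function for the case described above, where the plugin receives a request with its body missing. This is an added example, not code from Moby or any real plugin: the field names follow Docker's AuthZ plugin request/response JSON, while the endpoint list and the "no privileged containers" rule are constructed for illustration.

```javascript
// Constructed policy: endpoints whose authorization decision depends on the body.
const BODY_REQUIRED = [/^\/containers\/create$/];

// Strip the optional API version prefix ("/v1.47") and the query string.
function normalizePath(requestUri) {
  const path = String(requestUri).split("?")[0];
  return path.replace(/^\/v\d+\.\d+(?=\/)/, "");
}

// Hypothetical rule: refuse privileged containers.
function bodyPolicyAllows(body) {
  const hostConfig = body.HostConfig || {};
  return hostConfig.Privileged !== true;
}

// Takes the JSON object the daemon sends to the plugin, returns the plugin response.
function authorize(authzReq) {
  const path = normalizePath(authzReq.RequestURI);
  const needsBody =
    authzReq.RequestMethod === "POST" && BODY_REQUIRED.some((re) => re.test(path));
  if (!needsBody) return { Allow: true };

  // Fail closed: a body-dependent endpoint with no body cannot be evaluated,
  // so it is denied rather than approved by default.
  if (!authzReq.RequestBody) {
    return { Allow: false, Msg: "request body was not provided to the plugin" };
  }

  let body;
  try {
    // RequestBody arrives base64-encoded inside the plugin request JSON.
    body = JSON.parse(Buffer.from(authzReq.RequestBody, "base64").toString("utf8"));
  } catch {
    return { Allow: false, Msg: "request body is not valid JSON" };
  }
  if (body === null || typeof body !== "object") {
    return { Allow: false, Msg: "request body is not a JSON object" };
  }
  return bodyPolicyAllows(body)
    ? { Allow: true }
    : { Allow: false, Msg: "privileged containers are not allowed" };
}
```

A check like this is defense in depth inside the plugin; the daemon still needs the patched release.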
4. Payload CMS Critical Account Takeover (CVSS 9.1)
CVE-2026-34751 is a nasty one. Payload CMS had a critical flaw in its password recovery flow that combined Host header injection with weak token validation to enable full account takeover — unauthenticated. Anyone who initiates a password reset becomes a potential target.
Fixed in Payload 3.79.1. Update immediately if you're running Payload.
Hot take: Two root causes, both textbook mistakes — trusting the Host header and using partial token matching. This is why security reviews of auth flows should never be optional.
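The two mistakes named above, each next to a hardened form, as an added example that is not Payload's code. The function names, the configured origin and the 15-minute expiry are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Constructed deployment setting: the only origin allowed in reset e-mails.
const PUBLIC_ORIGIN = "https://cms.example.test";

// Weak pattern 1: the link's origin is taken from the client-supplied Host header.
function buildResetLinkWeak(req, token) {
  return `https://${req.headers.host}/reset?token=${token}`;
}

// Hardened: the origin comes from server-side configuration; the header is ignored.
function buildResetLink(_req, token) {
  return `${PUBLIC_ORIGIN}/reset?token=${encodeURIComponent(token)}`;
}

// Weak pattern 2: partial matching accepts any prefix of the real token.
function tokenMatchesWeak(stored, supplied) {
  return supplied.length > 0 && stored.startsWith(supplied);
}

// Hardened: keep only a hash of the token, compare full digests in constant
// time, and enforce an expiry.
const hashToken = (t) => crypto.createHash("sha256").update(String(t)).digest();

function issueResetToken(now = Date.now(), ttlMs = 15 * 60 * 1000) {
  const token = crypto.randomBytes(32).toString("hex");
  return { token, record: { hash: hashToken(token), expiresAt: now + ttlMs } };
}

function tokenMatches(record, supplied, now = Date.now()) {
  if (typeof supplied !== "string" || now > record.expiresAt) return false;
  // Both digests are 32 bytes, so timingSafeEqual never throws on length.
  return crypto.timingSafeEqual(record.hash, hashToken(supplied));
}
```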
5. OpenAI's Open-Source Shopping Spree
OpenAI has made six acquisitions in 2026 already, nearly matching all of 2025. The notable ones: Astral (the creators of Ruff and uv, Python's fastest tooling), Promptfoo (open-source AI testing), and an acqui-hire of OpenClaw's creator Peter Steinberger.
Meanwhile, Anthropic has made just one acquisition (Vercept).
Hot take: OpenAI is systematically buying the open-source developer tooling ecosystem. Astral's Ruff and uv are used by millions of Python developers. When the company that builds closed models buys the tools that open-source developers depend on, it's worth paying attention.
6. Kubernetes v1.36 Coming April 22
The Kubernetes v1.36 sneak peek is out. Notable changes include the deprecation of externalIPs in Service spec (full removal planned for v1.43) and the usual batch of enhancements. Documentation freeze is April 9.
Hot take: The externalIPs deprecation is going to catch some teams off guard. If you're using direct external IPs instead of LoadBalancer services, start planning your migration path now.
7. Open Source Endowment: First Grants Coming Q2 2026
The Open Source Endowment — backed by former GitHub CEO Thomas Dohmke, HashiCorp founder Mitchell Hashimoto, Supabase's Paul Copplestone, and creators of Vue.js and cURL — has raised over $750K and is targeting $100M within seven years.
First grant round is planned for Q2 2026, focusing on critical projects that aren't already well-funded.
Hot take: After watching Ingress NGINX die from maintainer burnout, this endowment couldn't come at a better time. Whether $750K scales to real impact depends on how fast they can get capital deployed. The plan is ambitious — let's see if the money follows.
8. AI Can Now Strip Open-Source Licensing Automatically
Researchers revealed that AI can quickly and legally recreate entire open-source projects, stripping away attribution and copyleft licensing. The technique is simple: feed a GPL codebase to an AI, have it rewrite the logic, and the output isn't technically a derivative work under current copyright law.
Hot take: This is going to be the open-source legal battle of the decade. Copyleft licenses only work if "derivative work" means something. If AI can launder code past licensing requirements, the entire foundation of reciprocal open-source licensing is at risk.
What We're Watching Next Week
- Kubernetes v1.36 doc freeze (April 9) — final feature list locks in
- Open Source Endowment grant criteria announcement expected
- Gemma 4 benchmarks from the self-hosting community as people deploy on local hardware
- Payload CMS 3.79.1 adoption rate — how fast does the ecosystem patch?
The Bottom Line
This week's theme? Consequences. The consequences of not funding maintainers (Ingress NGINX). The consequences of trusting Host headers (Payload CMS). The consequences of AI eating the open-source licensing model. And on the bright side — the consequence of Google deciding to compete on openness (Gemma 4 under Apache 2.0).
The self-hosting ecosystem keeps getting more powerful and more fragile at the same time. Stay patched, stay informed, and we'll see you next Friday.
Thanks for reading ❤️ See you in the next one 👋