DevOps’ish

Supply chain security had a rough week. The TeamPCP campaign didn’t just hit Trivy once — it kept going, expanding to compromised Docker images for versions 0.69.4 through 0.69.6, then spreading to LiteLLM and Telnyx. There’s solid coverage across multiple sources in this edition; if you run Trivy in CI/CD, this week is required reading. No exceptions. On the AI governance side, the DOD’s attempt to block Anthropic from federal contracts hit a courtroom wall. A federal judge deemed it to look more like retaliation than policy. Anthropic, meanwhile, is pushing back against separate claims that it could remotely sabotage its own models during a national security event. The gap between what AI companies can actually do and what people think they can do remains impressively wide. Sashiko is worth your full attention. Google engineers built an agentic AI code-review system for the Linux kernel, found 53% of bugs that human reviewers missed, and then handed the project to the Linux Foundation. That’s the right governance move and a genuinely compelling result. More of that, please. ...

It was a big week. NVIDIA’s GTC conference dominated the headlines, with Jensen Huang making the case that your engineers should be spending nearly as much on AI tokens as they earn in salary. Whether that’s visionary or just a really good way to sell more GPUs, remains to be seen. Meanwhile, the U.S. government moved against chip smugglers, charging Super Micro employees with funneling Nvidia silicon to China, in what feels like the opening act of a much longer enforcement saga. Ingress NGINX is dead, y’all. No more patches, no more fixes. If you’re still running it in production, this is your official wake-up call. The Gateway API migration path is real now, and there’s solid coverage in this edition to help you get there. Kenneth Reitz’s essay on open source burnout is worth your full attention. It’s honest in a way that’s rare in this industry. Also, a good reminder that the people behind the tools we all depend on are, in fact, people. Read it, and maybe go thank a maintainer today. ...

I’m starting to get the feeling people need to reframe their thinking about AI and jobs. I know Amazon started to shrink the moment they had to start paying Nvidia and TSMC for chips for AI workloads. The AI frenzy has bled into every facet of tech at this point. The chip buying frenzy has also invaded every nook and cranny of tech company budgets. You’re either spending on tokens or chips. The larger tech employers are doing both. Just the past few weeks Amazon has had another round of layoffs, Block cut 40% of its staff, and others have laid off significant numbers of employees. Meanwhile, Anthropic says their impact on the job market isn’t as dramatic as it seems. Both cannot be true at the same time. Folks are truly missing the big story right in front of them: building AI tooling is causing layoffs to offset dramatic increases in CAPEX spending. The chips cost dramatically more to procure and operate. ...

A lot is going on in the world of tech today. I have to say, of all the boneheaded moves the US government has made in the past couple of weeks, turning away Anthropic, one of the most popular AI companies, because of two very simple asks is not smart. The government’s ask is too broad (anything legal; the definition of legal can change), and Anthropic’s ask is quite narrow (don’t use our AI to kill people unchecked or spy on US citizens domestically). The US already spies on everything we do as citizens indirectly (metadata can be as powerful as the actual data at a sufficient scale). I suspect this is the sticking point for the US government. Like it or not, the world is in a race to integrate and improve AI across all of society. Telling Anthropic that they can’t play in the government space is not going to accelerate anything; quite the opposite. Meanwhile, the rest of the world is using US AI company tooling to speed their delivery of new AI capabilities. Some would argue that China is winning right now, specifically with Qwen (which also had a weird week). ...

This week I was going to dive into the beef between Anthropic and the US government. But, in light of ongoing activities I think it is be better to wish everyone well and to stay safe no matter where you are or what you’re doing. The senseless loss of life is not something any of us should take lightly. No one ever really wins in a war. Secure Access to Cloud Services from Your Cluster with a Security Token Service Securely connect your Kubernetes workloads to cloud services without long-lived credentials using a Security Token Service pattern. This post shows how OpenUnison validates ServiceAccount identity and issues short-lived, service-specific tokens to reduce credential exposure and improve authorization posture. SPONSORED Before You Migrate: Five Surprising Ingress-NGINX Behaviors You Need to Know - Five unexpected Ingress-NGINX behaviors folks should understand before migrating to Gateway API, including regex quirks, global annotation effects, and CORS handling differences. Anthropic Refuses Pentagon Demands on Military AI - Anthropic’s CEO refused Pentagon demands to remove AI safety guardrails around mass domestic surveillance and autonomous weapons, leading to the company being designated a “supply chain risk” and losing its $200M military contract—which OpenAI quickly snapped up. I wouldn’t be surprised if this was Sam Altman’s idea. ...