DevOps'ish 307: Copy Fail, GitHub's bad week, Linux on PS5, and more

I spoke at DevOpsDays Raleigh this past week. It’s always good to visit Raleigh; I consider it a second home (sorry I didn’t meet with more friends). The event was incredibly well done. The event staff and volunteers did a fantastic job on all facets of eventing. I took meetings in an old control room for the event space which was a true blast from the past. My notes doc included two interesting stats.

Stat #1: 56% of women leave tech before the age of 35 - This is just sad especially when you consider women comprise a mere 28% of tech in general. This needs to change. It starts with using the privilege of the majority to help out the minority. Those of us in the majority have a duty to advocate for people not in the room.

Stat #2: Google expects 50% of all new code to be written by AI as soon as next year. This accelerates in the following years too. That’s wild to think about. We’ll be managing agents and subagents soon enough it seems to do not just coding but things like my slides from my talk, Open Source Survival Guide: 10 rules to keep you sane in the open source world, this week. I used Claude to restyle the deck from when I gave the talk at All Things Open. Claude did a surprisingly good job at matching the color palette of <shortconsulting.io>.

Run Specialized Agents for Every Part of Your Workflow
Mistral Vibe lets you build dedicated agents for targeted tasks like deploy scripts, PR reviews, and test generation, and invoke them on demand. Subagents run independently, return results asynchronously, and inherit full project context without supervision. Start with Mistral Vibe today! SPONSORED

How is infrastructure keeping pace with AI in 2026?
Managing IaC or leading platform engineering? IaCConf is the “can’t miss” event featuring 20 top IaC leaders across 13 sessions. Join 5,000+ practitioners to share what’s actually working and swap hard-won lessons. Register now! SPONSORED

Cloud Native Days Romania
Two days of cloud native talks, hands-on workshops, and strong community momentum - 18–19 May at the Radisson Blu, Bucharest. Join developers, platform engineers, DevOps practitioners, engineering leaders, and cloud enthusiasts for the 3rd edition of Romania’s community-driven Cloud Native Days, bringing practical Kubernetes use cases and modern cloud native systems to the stage.

Kubernetes v1.36: In-Place Vertical Scaling for Pod-Level Resources Graduates to Beta - In-place vertical scaling of pod-level resource budgets is now beta in Kubernetes v1.36, letting you adjust aggregate CPU and memory allocations for running pods without requiring container restarts in most cases.

Kubernetes v1.36: Mutable Pod Resources for Suspended Jobs (beta) - Also graduating to beta in v1.36, the ability to modify container resource requests and limits on suspended Jobs before they start or resume, giving queue controllers and admins real flexibility over CPU, memory, GPU, and extended resources.

Ghostty Is Leaving GitHub - Mitchell Hashimoto announces the Ghostty terminal project is departing GitHub due to persistent service reliability issues that have become a genuine blocker to productive development.

GitHub is sinking - Post-acquisition degradation in GitHub’s reliability and quality has the author arguing it’s time to seriously evaluate alternative Git hosting platforms.

GitHub RCE Vulnerability: CVE-2026-3854 Breakdown - Wiz details a critical remote code execution flaw in GitHub’s internal git infrastructure that lets authenticated users run arbitrary commands via a single git push exploiting field injection vulnerabilities.

GitHub Actions is the weakest link - A well-argued breakdown of how GitHub Actions’ default design choices like mutable action references, pull_request_target triggers, and overly permissive token defaults have made it the primary attack vector in recent open source supply chain compromises.

Copy Fail: 732 Bytes to Root on Every Major Linux Distribution - CVE-2026-31431 is a critical Linux kernel privilege escalation through a logic flaw in the authencesn crypto template that lets unprivileged users write arbitrary data into page cache, affecting all major distributions.

Trivy, KICS, and the shape of supply chain attacks so far in 2026 - Docker breaks down the supply chain compromise of the Checkmarx KICS container image repository, where stolen publisher credentials were used to push malicious images to Docker Hub, and outlines the broader credential-theft pattern driving attacks this year.

Meta abandons open-source Llama for proprietary Muse Spark - This didn’t last long. Meta is discontinuing Llama in favor of a proprietary model called Muse Spark, a significant reversal of the company’s previous open source AI posture.

AI’s New Training Data: Your Old Work Slacks And Emails - Defunct startups are liquidating their Slack archives, Jira tickets, and email threads as “operational exhaust” that AI labs now treat as premium training data. A new platform called Asset Hub is making it a marketplace.

White House opposes Anthropic’s plan to expand Mythos access to 70 companies, citing compute and security concerns - The Trump administration has blocked Anthropic’s bid to broaden access to its cybersecurity AI model Mythos, citing security risks and insufficient compute infrastructure. It’s not lost on me that Anthropic was criticized for not opening up Mythos to more organizations in the beginning and now they’re being told not to.

Where the goblins came from - OpenAI explains how a reward signal tied to the “Nerdy” personality option during RLHF caused ChatGPT to develop a 3,881% spike in goblin references; a useful case study in how learned behaviors escape their training scope.

Underwhelming or underrated? DeepSeek V4 shows ‘impressive’ gains - DeepSeek’s V4 Pro shows technical improvements over its predecessor but still trails Moonshot AI’s Kimi K2.6 and American closed-source models in head-to-head comparisons.

Pull Request For Linux To Remove Old Network Drivers, ISDN Subsystem Due To AI/LLM Noise - Linux networking maintainers are removing the ISDN subsystem, AX.25, amateur radio, and several legacy Ethernet drivers in 7.1, citing the surge of AI/LLM-generated bug reports against long-orphaned code as a key motivation.

Warp is now open-source - Warp has released its terminal client under an AGPL license, leaning into agent-first development workflows managed through its Oz platform for community contributions.

Zed is 1.0 - The Rust-built, AI-native code editor hits 1.0 and declares it has reached “a tipping point where most developers can quickly feel at home,” with collaborative features and performance as its continued north stars.

How I Use Claude Code - Boris Tane’s disciplined four-phase workflow for AI-assisted development is worth a read: the core rule is “never let Claude write code until you’ve reviewed and approved a written plan.”

I Left Port 22 Open on the Internet for 54 Days. Here’s Who Showed Up - Out of 7,556 attacking IPs logged against an intentionally exposed SSH honeypot, only 0.4% ever opened an interactive shell. The rest were pure automation, fingerprinting, and moving on.

The Unwritten Laws of Software Engineering - Seven hard-learned lessons covering deployment safety, backup reliability, logging practices, data migrations, dependency management, code review discipline, and why “temporary” is forever.

Rural America is resisting the surge in data center construction - Many rural communities are viscerally opposed to AI infrastructure buildout in their backyards, and that resistance is becoming an increasingly organized policy and zoning fight.

Building a PCI-DSS Compliant GKE Framework for Financial Institutions: Data Protection, Governance & Audit Logging - Part four of Mohamed Rasvi’s series covers tokenization, customer-managed encryption keys (CMEK), DLP scanning, and the audit trail a PCI QSA actually wants to see.

Terraform Audit Guide: Monitoring, Logging & Compliance - A systematic walkthrough of reviewing Terraform infrastructure code and operations to ensure compliance with organizational governance and security standards.

Notepad++ finally lands on macOS as a real native app - A native macOS build of the long-running Windows text editor Notepad++ has arrived, built with Apple frameworks rather than compatibility shims. I remember when I was forced to use Windows systems and had to use Notepad++. I can’t say I’m ditching VScode for it though now that it’s on macOS.

Installing vLLM on macOS: A Step-by-Step Guide - Working around CUDA dependencies to get the vLLM inference engine running on macOS, with practical fixes for Python import issues along the way.

trycua/cua - MIT License - Open-source infrastructure for Computer-Use Agents: sandboxes, SDKs, and benchmarks to train and evaluate AI agents that can control full desktops (macOS, Linux, Windows).

skyhook-io/radar - Apache License 2.0 - Modern Kubernetes visibility with topology views, event timelines, service traffic inspection, resource browsing, and Helm management.

ps5-linux/ps5-linux-loader - GNU General Public License v3.0 - Linux payload implementing the HV exploit and a custom bootloader for the PS5.