Ubuntu 26.04 LTS: What Changes for Security and Container Workloads

Ubuntu 26.04 LTS (“Resolute Raccoon”) shipped on April 24, 2026. Most of the coverage has focused on the desktop and the new Security Center UI, but I work almost exclusively on the server and infrastructure side, so I want to look at what actually matters for the teams I work with: those running Ubuntu Server as a base for VMs, bare-metal nodes, Kubernetes workers, and golden master images. My customers are split between RHEL and Ubuntu. The ones on Ubuntu are typically on 22.04 (few) or 24.04 LTS (most). The question I always get after a new LTS is the same: “Do we need to move now, or can we sit on the current version for another year?” This post is my attempt to give a structured answer, focused on security and container workloads, which is where I can actually add value. ...

April 30, 2026 · 7 min · 1342 words · Matteo Bisi

Supply Chain Attacks Won't Stop: 8 Controls to Reduce Your Exposure

It Happened Again
On April 22, 2026, the official Bitwarden CLI npm package (@bitwarden/cli) was compromised. For roughly 90 minutes, between 5:57 PM and 7:30 PM ET, anyone who ran npm install @bitwarden/cli received a malicious package. Around 334 developers did exactly that. The attackers did not break into Bitwarden’s npm account directly. Instead, they hijacked a GitHub Actions workflow in Bitwarden’s CI/CD pipeline and weaponised npm’s Trusted Publishing mechanism to push a poisoned release. Trusted Publishing is OIDC-based and requires no stored credentials: it was introduced as a hardening measure after credential-based attacks. It became the entry point. ...

April 26, 2026 · 12 min · 2439 words · Matteo Bisi

Kubernetes 1.36: The Release That Said Goodbye to Ingress NGINX

Introduction
Tomorrow, April 22, 2026, Kubernetes 1.36 will be officially released. As a team leader working in security, part of my job is reading release notes to understand what is coming and, more importantly, to track the direction the developers are moving in. Some releases are routine progress; others signal a shift in priorities. This is one of those. Kubernetes 1.36 will be remembered as the release that formalized the end of Ingress NGINX. That alone would make it memorable; Ingress NGINX is too big and too deeply embedded in the ecosystem to ignore, and I will dedicate a section to it. But the focus of this post is security: alongside the NGINX retirement, 1.36 delivers meaningful hardening through the graduation of user namespace isolation to GA, faster SELinux volume labeling reaching GA, the stable release of external ServiceAccount token signing, and the permanent removal of features that have been known security liabilities for years. ...

April 21, 2026 · 9 min · 1756 words · Matteo Bisi

Testing GSD: From a Docs-Only Repo to Working Go Code in One Session

Introduction
I have been experimenting with Spec-Driven Development for a while now. If you are not familiar with the approach, I have a few articles tagged spec-kit that cover the theory and a real hands-on walkthrough where I built a Go TUI for Apple Container management. The short version: instead of vibe-coding with an LLM and hoping for the best, you invest upfront in a structured specification, then let the AI work against that spec. The results are measurably different. ...

April 13, 2026 · 19 min · 3968 words · Matteo Bisi

Hardening ACTUI: Dependabot and OpenSSF Scorecard for a Side Project

The Unexpected Swag from KubeCon EU 2026
KubeCon EU 2026 Amsterdam was a great edition. I walked away with good conversations, new connections, and the usual conference bag full of stickers. But one thing stood out among the swag: six months of GitHub Copilot Pro+, courtesy of GitHub. I’m not going to pretend I wasn’t excited. Copilot Pro+ isn’t cheap, and having it handed to you as conference loot—just because you showed up in the right place, accepting the right invitation—felt like a proper thank-you to the community. GitHub clearly knows its audience. ...

April 2, 2026 · 8 min · 1619 words · Matteo Bisi

The Trivy Supply Chain Attack: A Breakdown of Credential Theft and the CanisterWorm Escalation

Introduction
Trivy, the widely adopted open-source security scanner from Aqua Security, is a cornerstone of modern CI/CD pipelines and container security. With over 33,000 stars on GitHub as of March 2026, its footprint spans across Docker images, Homebrew, and countless developer machines. This ubiquity, however, made the supply-chain compromise discovered between March 19–21, 2026, particularly devastating. The incident was not a single point of failure but a multi-stage attack involving malicious releases, manipulated GitHub Actions, and a self-propagating worm that leveraged decentralized infrastructure. ...

March 21, 2026 · 4 min · 736 words · Matteo Bisi

GitHub Copilot: The High-ROI Multi-Model Powerhouse

Next week, I’ll be in Amsterdam for KubeCon EU 2026 (you can read my preview here), and my journey starts this Monday with the GitHub Social Club: Amsterdam. I was lucky enough to snag an invitation via LinkedIn and jumped at the chance to join. As someone who has used GitHub for years (both for personal projects and corporate needs) I’ve always appreciated the platform’s reliability. However, after a month of putting GitHub Copilot Pro through its paces, I’m genuinely surprised it isn’t even more ubiquitous. If you aren’t a “super heavy” coder but want access to the best tools, this is arguably the highest value-for-money platform in the AI space right now. ...

March 17, 2026 · 4 min · 704 words · Matteo Bisi

ACTUI Follow-Up: Submenus and Image Management

Quick Follow-Up
After publishing the initial ACTUI article, I kept developing the tool. I started using it regularly and shared it with my team. Some feedback came in, and I naturally improved things during my free time. This is a quick update on what changed.
What Changed
Submenu Structure
The original flat menu worked for a demo but felt cluttered with more features. I restructured the interface into three main sections: ...

February 27, 2026 · 2 min · 355 words · Matteo Bisi

Back to Basics: Why Containers Are Just Fancy Linux Processes

The path into platform engineering has changed. Many engineers today start their careers working directly with Kubernetes, writing YAML and managing Helm charts before they ever spend extended time at a Linux terminal. The tooling is so well-abstracted that you can be genuinely productive for months before the underlying system ever becomes relevant. That is a real achievement for the ecosystem. The gap shows up at the worst moments, though: a container crashes with a permission error, a security team flags a pod running as root, a privilege escalation CVE lands and it is not clear whether the cluster is exposed. These are Linux problems, and they are much easier to reason about once you understand what the YAML actually maps to at the kernel level. I have been in those conversations many times, and I always come back to the same set of fundamentals. ...

February 20, 2026 · 11 min · 2292 words · Matteo Bisi

Testing Spec-Kit: Building a Functional Container TUI in 2.5 Hours

Introduction: Theory Meets Practice
In my previous article about GitHub Spec-Kit, I explored the theoretical foundations of spec-driven development: why structured AI workflows matter for compliance, auditability, and team collaboration. I discussed the high-level concepts of audit trails, liability, and how spec-kit transforms “vibe coding” into a rigorous, documented process. Today, I’m sharing something different: a raw, unfiltered hands-on experience building a real tool from scratch using spec-kit. This is a chronological journey documenting what actually happened when I let spec-kit drive the development process from constitution to working code. ...

February 12, 2026 · 9 min · 1747 words · Matteo Bisi