Open-Source

The Unexpected Swag from KubeCon EU 2026 KubeCon EU 2026 Amsterdam was a great edition. I walked away with good conversations, new connections, and the usual conference bag full of stickers. But one thing stood out among the swag: six months of GitHub Copilot Pro+, courtesy of GitHub. I’m not going to pretend I wasn’t excited. Copilot Pro+ isn’t cheap, and having it handed to you as conference loot—just because you showed up in the right place, accepting the right invitation—felt like a proper thank-you to the community. GitHub clearly knows its audience. ...

Introduction Trivy, the widely adopted open-source security scanner from Aqua Security, is a cornerstone of modern CI/CD pipelines and container security. With over 33,000 stars on GitHub as of March 2026, its footprint spans across Docker images, Homebrew, and countless developer machines. This ubiquity, however, made the supply-chain compromise discovered between March 19–21, 2026, particularly devastating. The incident was not a single point of failure but a multi-stage attack involving malicious releases, manipulated GitHub Actions, and a self-propagating worm that leveraged decentralized infrastructure. ...

In the last few days, we’ve witnessed a significant milestone for the global software ecosystem. A powerhouse coalition of tech leaders (including Anthropic, AWS, GitHub, Google, Google DeepMind, Microsoft, and OpenAI) has committed $12.5 million in grant funding to advance open-source security. This isn’t just another corporate donation; it’s a strategic investment in the very foundation of modern technology. Why This Matters Now Open-source software (OSS) is the bedrock of everything from cloud infrastructure to the apps on your phone. However, as the ecosystem grows, so do the threats. We are currently seeing an “unprecedented influx” of security vulnerabilities, many discovered by automated AI systems. ...

The path into platform engineering has changed. Many engineers today start their careers working directly with Kubernetes, writing YAML and managing Helm charts before they ever spend extended time at a Linux terminal. The tooling is so well-abstracted that you can be genuinely productive for months before the underlying system ever becomes relevant. That is a real achievement for the ecosystem. The gap shows up at the worst moments, though: a container crashes with a permission error, a security team flags a pod running as root, a privilege escalation CVE lands and it is not clear whether the cluster is exposed. These are Linux problems, and they are much easier to reason about once you understand what the YAML actually maps to at the kernel level. I have been in those conversations many times, and I always come back to the same set of fundamentals. ...

Introduction: Theory Meets Practice In my previous article about GitHub Spec-Kit, I explored the theoretical foundations of spec-driven development: why structured AI workflows matter for compliance, auditability, and team collaboration. I discussed the high-level concepts of audit trails, liability, and how spec-kit transforms “vibe coding” into a rigorous, documented process. Today, I’m sharing something different: a raw, unfiltered hands-on experience building a real tool from scratch using spec-kit. This is a chronological journey documenting what actually happened when I let spec-kit drive the development process from constitution to working code. ...

Introduction: From Web Chatbots to CLI Tools AI is a powerful tool, and for IT professionals, the most effective way to leverage it is through CLI tools like GitHub Copilot CLI, Claude Code, Gemini CLI, or similar agents. In previous articles like GitHub Spec-Kit, I explored spec-driven development and structured AI workflows, but I realized I skipped fundamental concepts: why CLI tools beat web chatbots and how to standardize your AI setup for portability. ...

The recent Notepad++ supply chain compromise shows how even widely trusted, open-source tools become vectors for state-sponsored espionage when their distribution infrastructure falls into the wrong hands. This was a surgical, six-month operation that bypassed traditional code security controls by exploiting the update mechanism. What Happened and Where the SDLC Failed In 2025, Notepad++, a widely used open-source text editor, suffered a sophisticated supply chain attack. Chinese state-sponsored threat actors compromised the shared hosting provider in June, gaining control of the update distribution system. Even after losing direct server access in September following a kernel update, attackers maintained persistence through stolen credentials until December 2. The fixed version 8.8.9 with hardened update verification was released on December 9. ...

What is ClawdBot/MoltBot/OpenClaw? For those unfamiliar with the project, OpenClaw (formerly MoltBot, previously ClawdBot) is a personal AI assistant platform that integrates with multiple messaging channels including WhatsApp, Telegram, Discord, Slack, Signal, iMessage, and many others. The project is available at github.com/openclaw/openclaw and maintains a website at openclaw.ai. The tool is designed to be a “local-first, single-user assistant” with capabilities that include shell command execution, filesystem operations, browser automation, and integration with various cloud services. It’s essentially a bridge between AI models and your entire digital ecosystem. However, OpenClaw does not provide model access itself; users must configure it with their own API keys from providers like Anthropic, OpenAI, or others. ...

Introduction: Spec-Driven Development vs. Vibe Coding If you’ve been working with AI coding assistants, you’ve probably experienced what some call “vibe coding”, throwing prompts at an LLM and hoping for the best. Sometimes it works brilliantly. Other times, you end up with code that technically runs but doesn’t align with what you actually needed, or worse, introduces architectural decisions that create technical debt down the road. Spec-Driven Development (SDD) flips this approach on its head. Instead of starting with code and documenting later (if at all), you begin with comprehensive specifications that define the what and why before anyone, human or AI, writes a single line of code. The specification becomes the single source of truth, guiding implementation and ensuring alignment across the entire team. ...

I’ve already touched the hardened images theme in the past talking how this theme is important in today’s world. Reducing the attack surface of our containers is not just a “nice to have” anymore; it is a fundamental requirement for a secure software supply chain. In an era where vulnerabilities can be exploited within hours of disclosure, starting with a secure base is half the battle. That is why the recent move by Docker is so significant. ...