MinIO archived, kernel hardening incoming, Podman 6 out — a solid infrastructure day under all the AI noise.
// SECURITY FOCUS
LWN: Kernel 7.2 gets allocation tokens and boot-time structure-layout randomization
Two mitigations land in the 7.2 merge window: allocation tokens make it harder to overwrite adjacent heap objects, and bootpatch-SLR randomizes struct layout at boot rather than compile time – meaning the same binary gets a different layout each boot. Fleets running upstream kernels should expect these in 7.2; distro backports are likely months away, so grsec/KSPP users will want to track the delta.
What to do: Track linux-kernel and your distro’s security tree for 7.2 backport status; no immediate action needed but audit any out-of-tree modules that rely on fixed struct offsets.
- MinIO archived: LWN looks at Ceph and Garage as S3-compatible replacements — LWN.net · Jun 25
  MinIO went maintenance-only in December 2025 and is now fully archived – LWN walks through Ceph’s RGW gateway and the lighter-weight Garage as operational replacements for teams still running self-hosted S3-compatible storage.
- Podman 6.0 released: multiple static IPs, improved Docker compatibility, Quadlet changes — LWN.net · Jun 25
  Podman 6.0.0 ships with multiple static IP support per container, tighter network isolation aimed at closing Docker compatibility gaps, and a rewrite of configuration file handling. Quadlet command behavior has changed, and the release carries a substantial list of breaking changes – worth reviewing the release notes before upgrading anything production-facing. Lots of new options across existing commands round out the release, but the breaking changes are the real story here.
- How Netflix simplified batch compute with Kueue — Netflix TechBlog · Jun 22
  Alvin Bao and team describe replacing Netflix’s bespoke batch scheduler with upstream Kueue, covering queue hierarchy design, gang scheduling tradeoffs, and the migration path from their internal system – concrete numbers on queuing latency and cluster utilization included.
- How Cloudflare built saga-style rollbacks into Workflows — Cloudflare Blog · Jun 25
  Cloudflare Workflows now supports saga-style rollback handlers defined directly inside each step.do() call, so compensation logic travels with the forward step rather than piling up in a separate try/catch block. When any step fails terminally, Workflows automatically runs registered rollback handlers in reverse step-start order – not completion order, which matters for parallel steps. The failed step itself is also rollback-eligible if it registered a handler, since it may have partially interacted with an external system before returning. Rollback handlers get the step’s persisted output (or undefined if the step failed before persisting), must be idempotent, and support their own retry and timeout config via rollbackConfig. The API design post is candid about why fluent and builder alternatives were rejected – both introduced ambiguity around when a step actually starts, which conflicts with Workers’ promise-pipelining model.
- A German court ruled Google liable for errors in its AI search summaries — Schneier on Security · Jun 25
  A German court ruled Google liable for errors in its AI search summaries, rejecting the defense that users should know AI can’t be trusted and holding that the summaries are an expression of Google’s own business activity. Bruce Schneier uses the ruling to argue that AI outputs are legally indistinguishable from the work of human agents: if a company hired writers, lawyers, or doctors to produce the same content, it would own the liability, and AI doesn’t change that calculus. The stakes are concrete – Google’s AI Overviews produce errors roughly 10% of the time, which at 5 trillion searches per year works out to around 16,000 wrong summaries per second, some of which are defamatory (Ashley MacIsaac’s ongoing Ontario lawsuit being one example). Schneier’s conclusion is that liability is the correct mechanism to force accuracy, and if that makes some AI use cases commercially unviable, that’s a feature rather than a bug.
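To make the rollback ordering rules from the Cloudflare Workflows item concrete, here is an added example (not Cloudflare's code or its API): a small in-memory saga runner in JavaScript that follows the semantics the post describes, with handlers run in reverse step-start order, the failed step included, and each handler given the persisted output or `undefined`. The `createSaga`, `step` and `demo` names, the `delay` helper and the order scenario are all constructed for this illustration.

```javascript
// Added example, not Cloudflare's code: an in-memory saga runner with the
// rollback rules described above. Assumed shape: step(name, run, rollback) records
// start order, persists run()'s output, and on failure rolls back in reverse start order.
async function delay(ticks) { for (let i = 0; i < ticks; i++) await null; }
function createSaga() {
  const started = [];         // [{name, rollback}] in the order steps BEGAN
  const completed = [];       // names in the order steps FINISHED
  const outputs = new Map();  // persisted outputs, written only on success

  async function step(name, run, rollback) {
    started.push({ name, rollback });   // start order, not completion order
    const out = await run();
    outputs.set(name, out);             // a step that throws never persists
    completed.push(name);
    return out;
  }
  async function execute(body) {
    const rolledBack = [];
    try {
      const result = await body(step);
      return { status: "completed", result, completed, rolledBack };
    } catch (err) {
      // Reverse start order, failed step included (it may have touched an external
      // system). Handlers get the persisted output, or undefined if nothing persisted,
      // and must be idempotent because they can be re-run.
      for (const s of [...started].reverse()) {
        if (!s.rollback) continue;
        const persisted = outputs.get(s.name);
        await s.rollback(persisted);
        rolledBack.push(`${s.name}:${persisted === undefined ? "undefined" : persisted}`);
      }
      return { status: "rolled_back", error: err.message, completed, rolledBack };
    }
  }
  return execute;
}

// Constructed scenario: two parallel steps where the first to start is the last
// to finish, then a sequential step that fails after registering a handler.
function demo() {
  return createSaga()(async (step) => {
    const [inv, pay] = await Promise.all([
      step("reserve-inventory", async () => { await delay(3); return "res-1"; },
           async (out) => { /* release reservation `out` */ }),
      step("charge-card", async () => "txn-9", async (out) => { /* refund `out` */ }),
    ]);
    await step("ship", async () => { throw new Error("carrier unreachable"); }, async () => { /* cancel pickup */ });
    return [inv, pay];
  });
}
```

Running `demo()` resolves to a `rolled_back` result whose handler order is ship, charge-card, reserve-inventory, even though charge-card finished before reserve-inventory; the ship handler receives `undefined` because that step never persisted an output.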
// In other news
ai
- [AINews] OpenAI reports median internal Codex output tokens grew 56x in Research, 32x in Customer Support, 27x in Engineering, and 13x in Legal since November 2025. (Latent Space) · Jun 26 — OpenAI’s internal Codex usage shows median output tokens up 56x in Research and 32x in Customer Support since November 2025 – the token growth curves are the concrete signal here, not the hype.
- Which tokens does a hybrid model predict better? (Hugging Face Blog) · Jun 25 — AllenAI’s analysis of hybrid models (diffusion + autoregressive) shows which token types each approach predicts better – useful grounding before choosing an architecture for structured-output tasks.
- Run a vLLM Server on HF Jobs in One Command (Hugging Face Blog) · Jun 26 — HuggingFace Jobs now lets you spin up a vLLM inference server with a single CLI command, lowering the ops overhead for teams that want managed GPU scheduling without writing their own job manifests.
- Quoting Tom MacWright (Simon Willison) · Jun 24 — Tom MacWright notes LLM-generated portfolios now link to LLM-generated writing, creating a recursion problem for hiring – a short but pointed observation for anyone reviewing engineering candidates.
cloud
- STOCKSTAY Another Day: The Latest Addition to Turla’s Intelligence Gathering Apparatus (Google Cloud Blog) · Jun 25 — Google Threat Intelligence details STOCKSTAY, a new backdoor linked to Turla, the Russian APT group – covers C2 mechanics and detection signals worth adding to your SIEM rules.
dev
- The many journeys of learning Rust (Rust Blog) · Jun 25 — The Rust team’s Vision Doc series surfaces recurring friction points for learners – the patterns identified are actionable for teams deciding how to onboard engineers onto Rust codebases.
iac
- Boundary 1.0 releases RDP session recording and improved management (HashiCorp Blog) · Jun 25 — Boundary 1.0 ships RDP session recording as a GA feature – if you’re auditing privileged Windows access, this removes a common gap in zero-trust access logs.
- Deploy Boundary on Kubernetes with official Helm charts (HashiCorp Blog) · Jun 25 — HashiCorp now ships official Helm charts for Boundary controllers and workers, replacing the previous DIY deployment approach and giving Kubernetes-native teams a supported path.
k8s
- Blog: Spotlight on WG Device Management (kubernetes.dev) · Jun 24 — The Kubernetes WG Device Management spotlight covers progress on hardware resource APIs beyond CPU and memory – directly relevant if you’re scheduling GPUs, FPGAs, or telecom NICs on-cluster.
- Announcing Istio 1.30.2 (Istio) · Jun 24 — Istio 1.30.2 is a robustness patch release over 1.30.1 – check the changelog if you hit intermittent control-plane issues after the 1.30 upgrade.
linux
- MGLRU Improvement Yielding Nice Gains On Linux 7.2: MongoDB 30~100% Higher Throughput (Phoronix) · Jun 24 — MGLRU improvements merged into Linux 7.2 deliver 30-100% higher MongoDB throughput in benchmarks – the workload-specific gains suggest meaningful wins for memory-intensive database servers.
- DXVK 3.0 Released With DXBC-SPIRV For Shader Compilation, Descriptor Heaps By Default (Phoronix) · Jun 25 — DXVK 3.0 switches to DXBC-SPIRV shader compilation and enables descriptor heaps by default, two architectural changes that should reduce shader stutter for D3D9-11 titles running under Wine/Proton.
- Coreboot 26.06 Brings Support For Intel Nova Lake, AMD Strix Halo & 31 New Boards (Phoronix) · Jun 26 — Coreboot 26.06 adds support for Intel Nova Lake, AMD Strix Halo, and 31 new boards – relevant if you’re building or maintaining open-firmware systems on recent AMD or Intel silicon.
obs
- Grafana 13.1 release: observability as code updates, extending Grafana Assistant across more data sources, and more (Grafana Labs) — Grafana 13.1 ships observability-as-code updates and extends the Grafana Assistant to additional data sources – worth checking if you manage dashboards-as-config.
- How to migrate feature flags without breaking production (Datadog Blog) · Jun 23 — Datadog’s guide to feature flag migrations covers shadow-mode parity validation before cutover – the audit-then-validate pattern is sound regardless of which flag platform you’re on.
sec
- Interesting Paper Exploring Prompt Injection (Schneier on Security) · Jun 25 — New research shows LLMs are vulnerable to prompt injection via stylistic cues rather than just explicit instructions – attackers can craft inputs that exploit the model’s training distribution, not just its context window.
- Uncovering Hidden Attack Paths in Cloud Environments Using Runtime Signals (Wiz Blog) · Jun 25 — Wiz now correlates runtime signals with its Security Graph to surface attack paths that static configuration analysis alone misses – useful if you’re triaging cloud risk posture alerts.
web
- Yammi Audit Log: Track Who Really Made a Change Across Jobs and Queues (Laravel News) · Jun 24 — Yammi Audit Log for Laravel tracks the originating user through queued jobs and background processes, closing the common gap where audit trails lose actor context after dispatch.
- Life is too short for a slow terminal (Freek Van der Herten) · Jun 25 — Practical shell performance tips from Mijndert Stuij – skipping heavy frameworks, caching completions, and lazy-loading slow tools can cut shell startup from seconds to milliseconds.
German court said Google owns the hallucination — worth keeping in mind before you ship summaries without review.
