Weak RSA keys with sparse bit patterns found in real-world Certificate Transparency logs

Git 2.55, Linux 7.2-rc1, and a real RSA key vulnerability in the wild — a quieter news day with a few sharp edges worth your attention.

// SECURITY FOCUS

Weak RSA keys with sparse bit patterns found in real-world Certificate Transparency logs

This isn’t a theoretical attack — Trail of Bits found RSA keys weak enough to factor in actual CT logs, TLS/SSH scans, and PGP keystores, meaning such keys are already deployed and can be broken. The badkeys project now checks for this pattern; if you manage a PKI or issue certs programmatically, your key-generation path may be producing sparse keys without your knowing it. Run your existing public keys through badkeys before assuming you’re clean.

What to do: Run your org’s public keys through the badkeys tool this week and audit any programmatic RSA key generation for insufficient entropy or biased bit patterns.
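As an added example (not code from the newsletter, Trail of Bits, or the badkeys project), a first-pass triage script for the audit above: it reads `Modulus=<hex>` lines as printed by `openssl x509 -noout -modulus -in cert.pem` and flags any modulus whose bit density or longest run of identical bits is far from what a random 2048-bit value shows. The thresholds and the two constructed sample moduli are assumptions; treat it as a cheap pre-filter alongside a real badkeys run, not a replacement.

```python
import hashlib
import re

# Heuristic thresholds (assumption for this example, not badkeys' rules):
MIN_DENSITY = 0.40  # a random 2048-bit modulus has ~50% ones; 40% is >9 sigma below
MAX_RUN = 64        # longest run of equal bits in a random 2048-bit value is ~11-30

def longest_run(n: int) -> int:
    """Length of the longest run of identical bits in n's binary form."""
    return max(len(m.group(0)) for m in re.finditer(r"0+|1+", format(n, "b")))

def analyze_modulus(n: int) -> dict:
    """Bit-pattern statistics for an RSA modulus; flagged when suspiciously sparse."""
    bits = n.bit_length()
    ones = bin(n).count("1")
    density = ones / bits
    run = longest_run(n)
    return {"bits": bits, "ones": ones, "density": round(density, 3),
            "longest_run": run, "flagged": density < MIN_DENSITY or run > MAX_RUN}

def parse_modulus_line(line: str) -> int:
    """Parse a 'Modulus=<hex>' line as printed by `openssl x509 -noout -modulus`."""
    m = re.fullmatch(r"\s*Modulus=([0-9A-Fa-f]+)\s*", line)
    if not m:
        raise ValueError("not a Modulus= line")
    return int(m.group(1), 16)

# Constructed samples (not real keys): a dense modulus built from hash output, and a
# sparse one from two numbers with three set bits each (the product keeps few set bits).
DENSE_N = int.from_bytes(
    b"".join(hashlib.sha512(b"sample%d" % i).digest() for i in range(4)), "big"
) | (1 << 2047)
SPARSE_N = (2**1023 + 2**300 + 1) * (2**1023 + 2**70 + 1)

if __name__ == "__main__":
    import sys
    # Usage: openssl x509 -noout -modulus -in cert.pem | python3 sparse_check.py
    stdin_lines = [] if sys.stdin.isatty() else sys.stdin.read().splitlines()
    samples = [("dense-sample", DENSE_N), ("sparse-sample", SPARSE_N)]
    samples += [(f"stdin#{i}", parse_modulus_line(l))
                for i, l in enumerate(stdin_lines) if l.strip()]
    for name, n in samples:
        print(name, analyze_modulus(n))
```

A flagged modulus is a reason to pull the key and run it through badkeys, not proof of factorability; an unflagged one says nothing about other weak-key classes.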

  1. Git 2.55 ships Rust enabled by default, fsmonitor for Linux, and git history fixup — Phoronix · Jun 29
    Git 2.55 ships with Rust support enabled by default at build time – previously opt-in, now opt-out via NO_RUST – though it won’t become mandatory until Git 3.0 or later. The release also adds a git history fixup workflow that merges staged changes directly into an older commit without requiring an interactive rebase, though the git history sub-command remains experimental. Incremental multi-pack index repacking gets further improvements as well. For most distro packagers and CI pipelines building Git from source, expect a Rust toolchain dependency to land quietly unless they explicitly opt out.
  2. Linux 7.2-rc1 on Threadripper: I/O improvements, faster poll, and some regressions — Phoronix · Jun 29
    Early benchmarks of Linux 7.2-rc1 against Linux 7.1 stable on a 96-core AMD Ryzen Threadripper PRO 9995WX show measurable I/O improvements and faster poll performance, alongside some regressions. Testing used a consistent Kconfig across both builds on the same hardware – 4×32 GB DDR5-6400, a 2 TB Corsair MP700 PRO NVMe SSD – so the delta is reasonably clean. Linux 7.2 stable is expected in August and will ship with Ubuntu 26.10 and Fedora 45. The article doesn’t quantify the improvements or regressions numerically in the extracted text, so check the full Phoronix benchmark tables before drawing conclusions about whether the I/O gains outweigh the regressions on your workload.
  3. Kubernetes documents its AI policy: code generation is fast, maintenance isn’t — LWN.net · Jun 29
    The Kubernetes project has published a formal AI policy after repeated PRs derailed into arguments about AI usage. The core tension it addresses: AI makes generating code fast but hasn’t improved the maintenance burden that follows. Contributors must disclose when AI tools helped produce a contribution, but can’t list an LLM as co-author or add ‘assisted-by’ / ‘co-developed’ git trailers. It’s a pragmatic stance – the project isn’t banning AI-assisted contributions, it’s just insisting humans stay accountable for what they submit.
  4. Lessons learned running over 1 million Lambda functions in a multi-account SaaS platform — AWS Architecture · Jun 29
    ProGlove runs a one-AWS-account-per-tenant SaaS platform with over 1 million Lambda functions spread across thousands of customer accounts, and this post walks through what broke at each order of magnitude. The per-account model pays off in quota isolation – each tenant gets independent Lambda concurrency limits and API Gateway throttles, so a noisy tenant can’t cascade failures to others – but it forces you to treat per-account fixed costs with the same scrutiny as compute. Their biggest surprises: synchronized cron schedules across thousands of accounts produced self-inflicted DDoS traffic against internal APIs (fixed with mandatory jitter in a shared library), and observability forwarding nearly doubled the cloud bill until they triaged high vs. low priority telemetry and brought per-account cost from $3 down to roughly $0.70. At scale, SQS polling between EventBridge and Lambda added up enough that they removed the queue entirely, replacing it with metric-driven safety checks on AsyncEventsDropped and concurrent executions. CloudFormation StackSets also hit a performance ceiling at this volume, which led to direct collaboration with the AWS CloudFormation team to influence stability fixes rather than building a full replacement.
  5. bcachefs targets first Rust code inside the kernel module with v1.38.7 — LWN.net · Jun 29
    The Linux 7.2 merge window closed at 13,412 non-merge commits – the busiest since 6.7 in 2024 – and among the highlights is bcachefs moving Rust from userspace tooling into the kernel module itself, one of the first filesystem drivers to do so outside the driver abstractions layer.

// In other news

ai

  • Import AI 463: Self-improving robots; a 10k Chinese GPU cluster; and an elegiac essay for the human era (Import AI) · Jun 29 — Import AI 463 covers a 10k-GPU Chinese training cluster, self-improving robotics research, and a broader essay on what the current transition period actually means for engineering work.
  • Ornith-1.0: Self-Scaffolding LLMs for Agentic Coding (Simon Willison) · Jun 29 — Ornith-1.0 is a new MIT-licensed open-weights model designed to self-scaffold agentic coding tasks, worth watching as a local-runnable alternative to hosted coding agents.
  • Quoting Jon Udell (Simon Willison) · Jun 28 — Jon Udell argues that AI agents producing unreviewable PRs are a workflow antipattern – keep a human in the loop at diff review time, not just at prompt time.
  • AI agents are not your “coworkers” (MIT Technology Review AI) · Jun 29 — MIT Tech Review pushes back on the ‘AI coworker’ framing – agents lack accountability structures that make human colleagues manageable, which matters when you’re assigning them real write access.

cloud

iac

  • What’s new in Git 2.55.0? (GitLab) · Jun 29 — GitLab’s breakdown of Git 2.55.0 highlights the notable changes in plain terms – useful companion to the raw release notes when evaluating whether to roll it out.

k8s

  • OTel and mesh-derived metrics: A 2026 reference (CNCF Blog) · Jun 29 — 2026 reference guide on combining OTel pipeline metrics with service-mesh-derived east-west traffic metrics – useful if you have OTel instrumentation but no visibility into inter-service calls.
  • etcd-operator joins Cozystack with a new v1alpha2 API (CNCF Blog) · Jun 29 — etcd-operator donated to Cozystack ships a ground-up v1alpha2 API rewrite – worth reviewing if you run etcd clusters on Kubernetes before any automated upgrade tooling targets the new API.

linux

obs

sec

  • The Red Agent POV: Exploiting Broken Object-Level Authorization in an Airline GraphQL API (Wiz Blog) · Jun 29 — Wiz Red Agent exploited a broken object-level authorization flaw in a GraphQL API to expose an entire airline booking database in 15 minutes – concrete BOLA walkthrough with resolver-bypass detail.
  • Robot Police Officers (Schneier on Security) · Jun 29 — Schneier flags a June 22 demonstration of a drone capable of disarming suspects as a concrete step toward autonomous enforcement – raises immediate questions about accountability and adversarial misuse.

web

  • Everything About the Context Facade (Freek Van der Herten) · Jun 29 — Laravel’s Context facade lets you attach metadata to requests, auto-enrich logs, scope values to closures, and propagate context through queued jobs and scheduled commands – full internals walkthrough.
  • Guidelines for Syncing Code From Gutenberg Into WordPress Develop (Make WordPress Core) · Jun 30 — WordPress core changed Gutenberg sync from npm packages to zip downloads during the 7.0 cycle – new guidelines document the updated process for contributors maintaining that bridge.

Stay skeptical, keep your keys sparse-free, and enjoy the long weekend.
