France draws a hard line on post-quantum by 2027, AMD ships its own Linux distro for the AI dev platform nobody saw coming, and OpenSSH 10.4 now fails loud if your kernel is missing SECCOMP — quieter weeks exist.
// SECURITY FOCUS
OpenSSH 10.4: sandbox now fails hard on Linux systems missing SECCOMP or NO_NEW_PRIVS
Prior to 10.4, sshd silently degraded when sandbox support was unavailable — now it refuses to start. Container images and custom-kernel hosts missing SECCOMP or NO_NEW_PRIVS will have sshd fail at service restart, not at compile time, so upgrade automation will produce outages before anyone reads the changelog.
What to do: Before upgrading, run `grep CONFIG_SECCOMP /boot/config-$(uname -r)` on every sshd host and audit container-based sshd deployments where seccomp profiles may be stripped.
- France’s ANSSI to stop certifying products without post-quantum encryption — Schneier on Security · Jul 6
France’s cybersecurity agency ANSSI will stop certifying security products that lack post-quantum encryption starting in 2027, with full commercial adoption expected by 2030. Because ANSSI certification is mandatory for French government agencies and critical infrastructure operators, this is effectively a forced phase-out of classical encryption in those sectors – not just a recommendation. Vendors selling into French government or critical infrastructure markets have roughly two years to get compliant products certified before the window closes. - Ryzen AI Developer Platform: AMD’s Own Linux Distribution Built Atop Debian — Phoronix · Jul 6
AMD shipped its Ryzen AI Halo developer PC with a custom Debian-based Linux distro called the Ryzen AI Developer Platform 1 “Rex” – not the Ubuntu-plus-ROCm install most would expect. The OS boots to a GNOME desktop with an AMD-built GUI app center that manages ROCm 7.0 (specifically ROCm 7.13 preview), Llama.cpp, vLLM, ComfyUI, PyTorch, VS Code installs, SSH access, telemetry toggles, and even the chassis LED strip. It’s a more considered out-of-the-box Linux experience than AMD typically ships, aimed at developers who’d rather not spend day one configuring an AI stack from scratch. Whether the Debian base and AMD’s own tooling layer hold up under sustained workloads remains to be seen – the hardware review is embargoed-lifted today for the Ryzen AI Max+ 395 “Strix Halo” unit. - Enforce least-privilege authorization in multi-agent AI chains using Cedar — AWS Security · Jul 6
AWS Security published a reference implementation for enforcing least-privilege authorization across multi-agent AI delegation chains using Cedar, the open-source policy language, deployed on AWS. The core problem is privilege scope creep: without explicit controls at each hop, a downstream agent can act beyond what the originating user authorized, a risk OWASP’s Agentic Application Top 10 classifies as ASI03. The architecture uses three sequential Cedar policy layers – agent-to-tool constraints (trust score 1-5, namespace, lifecycle stage), agent-to-agent delegation limits (hard cap at 5 hops), and originating-user authorization checks (role, MFA status) – evaluated by a Lambda function that halts on the first deny. Identity integrity across hops is maintained via HMAC-SHA256 context signing and OAuth 2.0 Token Exchange (RFC 8693) on-behalf-of tokens, so each downstream agent only inherits the delegated task’s scope rather than the full original token. The implementation deploys five CloudFormation stacks via CDK and works with any OIDC-compliant IdP, though the article’s own caveat is worth keeping: the reference implementation accepts agent trust attributes from the request payload for simplicity, which a production deployment must not do. - Shift into high gear with agents: Securing the software-defined vehicle — Google Cloud Blog · Jul 6
Google Cloud and Valtech have released the open-source core of Nexus SDV, a connected vehicle platform targeting fleets of up to 100 million devices, built on GKE, Bigtable, and Gemini models with Android Automotive OS integration. The security model leans on mTLS with Certificate Authority Service for vehicle identity, Keycloak as the OIDC broker issuing short-lived JWTs, Workload Identity Federation to eliminate static credentials, private GKE clusters with no public node IPs, and a custom Data API that constrains Bigtable access to specific vehicle IDs and predefined time windows. The cost angle rests on Arm-based compute and Bigtable-optimized storage – no benchmark numbers are given, just TCO reduction as a claim. If you’re building or evaluating software-defined vehicle infrastructure on Google Cloud, the open-source repo is worth a look for the PKI and IAM patterns alone; the AI capabilities are Gemini-specific and not portable. - Cloudflare Workers Cache: regionally tiered cache in front of Worker entrypoints — Cloudflare Blog · Jul 6
Cloudflare launched Workers Cache, a tiered cache that sits in front of Worker entrypoints, enabled with a single `cache: { enabled: true }` config block in Wrangler. On a cache hit, the Worker doesn’t run and you pay no CPU time; on a miss, the Worker runs once, populates the cache, and subsequent requests are served from cache. It supports standard `Cache-Control` headers, `stale-while-revalidate` (so stale responses never block users), `Vary`-keyed content negotiation, tag- and prefix-based purges via `ctx.cache.purge()`, and per-entrypoint cache control – meaning you can slot cache stages into service-binding chains, not just public-facing routes. Unlike Cloudflare’s zone-level cache config, this cache belongs to the Worker: it follows the Worker across hostnames, works on `workers.dev` and preview URLs, and isolates per-tenant in Workers for Platforms. Available today on all plans. The practical upside for server-rendered Workers apps is that you no longer have to choose between full SSG rebuilds and per-request render cost – you get demand-rendered pages that behave like static output after the first hit.
// In other news
ai
- tencent/Hy3 (Simon Willison) · Jul 6 — Tencent’s Hy3 is a 295B-parameter MoE model released under Apache 2.0 – weight availability and permissive licensing make it worth benchmarking against comparable open models.
- sqlite-utils 4.0rc3 (Simon Willison) · Jul 6 — sqlite-utils 4.0rc3 is out as Simon Willison works toward a stable 4.0 release – if you rely on this tool for local data pipelines, now is a good time to test against the RC.
culture
- AI productivity is burning out your best engineers (LeadDev) · Jul 6 — Senior engineers acting as invisible validators for AI-generated code absorb review load without recognition or relief, a structural problem that throughput metrics won’t surface.
linux
- Security updates for Monday (LWN.net) · Jul 6 — Monday’s security batch covers kernel updates across AlmaLinux, Debian, and others – check your nginx and chromium versions if you’re on any of those distros.
- Linux 7.2-rc2 Raising The Default RISC-V 64-bit CPU Limit To 256 Cores (Phoronix) · Jul 4 — Linux 7.2-rc2 bumps the default RISC-V 64-bit CPU core limit from 32 to 256, a prerequisite for running current and near-future multi-socket RISC-V server hardware.
- Linux 7.3 Expected To “Flatten The Pick” For Better Scheduling While Gaming & More (Phoronix) · Jul 6 — Linux 7.3 will land scheduler patches that flatten cgroup pick decisions, targeting latency on low-end hardware where gaming stutter under cgroup contention has been a known pain point since early 2025.
- DXVK 3.0.1 Released With More Game Fixes, Other Improvements (Phoronix) · Jul 5 — DXVK 3.0.1 ships game-specific fixes on top of last month’s 3.0 rework – worth pulling if you’re running Proton on any titles that regressed after the 3.0 renderer overhaul.
- GNOME Lands ext-background-effect-v1 Support For Background Blur Effect (Phoronix) · Jul 4 — GNOME Mutter picks up ext-background-effect-v1, the Wayland protocol for background blur that was merged in May – initial target is panel/window chrome rather than arbitrary compositing.
web
- UUIDs, ULIDs and Sqids: A Practical Deep Dive (Freek Van der Herten) · Jul 6 — Covers UUID v4/v7, ULID, and Sqid trade-offs across sorting behavior, database index efficiency, and public-ID security – useful reference before picking an ID scheme on a new schema.
Ship fewer abstractions than you added last week.

Leave a comment