DEVOPS WEEKLY ISSUE #650 - 11th June 2023
Developer platforms, AI hallucination, open source, portable development environments and a new SBOM-related tool I’ve been hacking on recently.
StackHawk sponsors Devops Weekly
Heading to AWS Re:Inforce? Stop by the Snyk booth #110 to see how StackHawk and Snyk correlate results to inform you which security bugs need to be fixed first and where to find them in your code.
News
An interesting side effect of LLMs hallucinating. A new attack vector. LLMs can suggest the use of non-existent packages, attackers can register those packages.
https://vulcan.io/blog/ai-hallucinations-package-risk
What is an internal developer platform? This post discusses 7 elements covering secrets management, version control, CI/CD pipelines, portals and more.
https://thenewstack.io/7-core-elements-of-an-internal-developer-platform/
A post on the asymmetry of open source, between producers and users. Given the importance of open source tools to software and infrastructure development it’s important to understand for those involved with devops.
https://matt.life/writing/the-asymmetry-of-open-source
Another open source post, this one on the need for a new licensing framework for neural net weights. These are critical for AI, and for useful open source implementations.
https://heathermeeker.com/2023/06/08/toward-an-open-weights-definition/
Continuing this series of what operators on earth can learn from incidents in space, this post looks at balancing what went right with failure, technical and process failures related to measurement and more.
https://flyingbarron.medium.com/how-can-you-land-5-kilometers-above-the-moon-799002ffb615
A fun build engineering post. Want to bootstrap an end-to-end build of the latest version of the JVM? You need to go back to Java 1.5.0.
https://www.chainguard.dev/unchained/fully-bootstrapping-java-from-source-in-wolfi
A post on portable development environments using Nix, Cloud9 and DevBox.
https://www.buildon.aws/livestreams/build-on-weekly/2023-06-01
Tools
Bias warning as this is something new I’ve been working on.
Parlay is a new tool for enriching SBOMs. Add extra information about the source location, licences, maintainers and vulnerabilities. The post contains some examples of why this is powerful.
https://github.com/snyk/parlay
https://snyk.io/blog/introducing-parlay/
https://snyk.io/blog/parlay-quickstart-guide/
Regal is a new linter for Open Policy Agent’s rego language. It covers lots of various bugs, style and best practice issues.
https://github.com/StyraInc/regal