sontek

2.5K posts

@sontek

Python, Golang, Kubernetes, and DevOps!

Puerto Rico · Joined May 2007
788 Following · 767 Followers
sontek retweeted
Feross (@feross)
🚨 Breaking: Trivy GitHub Actions supply chain attack – 75 out of 76 version tags compromised. If your CI/CD pipelines reference “aquasecurity/trivy-action” by version tag, you’re likely running malware right now.

At Socket, we identified that an attacker force-pushed nearly every version tag in the official aquasecurity/trivy-action repository. That’s @0.0.1 all the way through @0.34.2. Over 10,000 GitHub workflow files reference this action.

The malicious payload runs silently before the legitimate Trivy scan, so nothing looks broken. Meanwhile it’s:
- Dumping runner process memory to extract secrets
- Harvesting SSH keys
- Exfiltrating AWS, GCP, and Azure credentials
- Stealing Kubernetes service account tokens

The only unaffected tag right now appears to be @0.35.0.

Socket independently detected this at 19:15 UTC and generated 182 threat feed entries tied to this campaign – all correctly classified as Backdoor, Infostealer, or Reconnaissance malware.

This is the second Trivy compromise this month. Earlier in March, attackers injected code into the Aqua Trivy VS Code extension on OpenVSX to abuse local AI coding agents.

The compromised tags are still active. Pin to @0.35.0 or use a SHA reference until this is fully remediated.

Full write-up: socket.dev/blog/trivy-und…
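The durable form of the advice in the post above is to reference the action by full commit SHA rather than a tag, since a tag can be force-pushed and a commit cannot. The following is an added example (not Socket's tooling or code from the post) that scans the `uses:` lines of a GitHub workflow file and reports every `aquasecurity/trivy-action` reference that is not a 40-hex commit SHA; the `allowed_tags` parameter lets you accept a specific tag such as `0.35.0` during remediation. The sample workflow and the SHA in it are constructed placeholders.

```python
import re

# A full 40-hex commit SHA is the only reference form that a force-pushed
# tag cannot move. Assumption in this example: SHA-1 (40 hex) only.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses:` lines, with or without a leading "- " and optional quotes.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?")


def audit_workflow(text, action="aquasecurity/trivy-action", allowed_tags=()):
    """Return a list of (line_no, ref) for every `uses:` of `action` whose
    ref is neither a full commit SHA nor one of `allowed_tags`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        repo, _, ref = m.group(1).partition("@")
        # Also cover sub-actions living inside the same repository.
        if repo != action and not repo.startswith(action + "/"):
            continue
        if SHA_RE.match(ref) or ref in allowed_tags:
            continue
        findings.append((line_no, ref or "<no ref>"))
    return findings


# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Trivy pinned to a version tag (mutable)
        uses: aquasecurity/trivy-action@0.34.2
      - name: Trivy pinned to a branch (mutable)
        uses: "aquasecurity/trivy-action@master"
      - name: Trivy pinned to a commit (immutable)
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for line_no, ref in audit_workflow(SAMPLE):
        print(f"line {line_no}: trivy-action uses mutable ref '{ref}'; pin to a commit SHA")
```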
sontek (@sontek)
@zeeg /autoresearch fix all the bugs should do the trick
David Cramer (@zeeg)
can someone fork sentry and go fix all our bugs ty
sontek (@sontek)
@ibuildthecloud I went 100% server side rendered with HTMX and AI is *amazing* with it. In my CLAUDE.md I say "Avoid JS at all costs. Only use it when using server side rendering isn't an option. IF we need JS it should be HTMX or Alpine.js and be as minimal as possible". Works great.
Darren Shepherd (@ibuildthecloud)
This is not what I wanted to do. I have to dump react. I just can't take it anymore. The reason I went with React was the idea that I could delegate more to AI and pay less attention to it. And that has failed miserably. I really have to keep close tabs on what AI is doing and if that's the case I'm not going to use React.
sontek (@sontek)
@zeeg @simonw He should’ve handed the plan off to someone else to prompt with. Him doing all the prompting makes it a very dirty room implementation
David Cramer (@zeeg)
@simonw IP is IP. In court you’d have to prove how you built it, and if you just put an agent on rewriting the source the court is going to side that you have to follow the original license terms. Very confident in that.
Simon Willison (@simonw)
The chardet open source library relicensed from LGPL to MIT two days ago thanks to a Claude Code assisted "clean room" rewrite - but original author Mark Pilgrim is disputing that the way this was done justifies the change in license - my notes here: simonwillison.net/2026/Mar/5/cha…
sontek (@sontek)
@zeeg Some of us still have to work on systems that have it :( I have daily reminders why it was a bad idea
David Cramer (@zeeg)
It's amazing how hard it is to build a good TUI. Guess I should just use Ink for everything, even the smallest ones?
sontek (@sontek)
@ibuildthecloud Never heard of prek, I think everyone is still using the python official version
Darren Shepherd (@ibuildthecloud)
I want to get on the pre-commit train. Is prek the thing that everyone is doing these days?
sontek (@sontek)
@zeeg I still haven't seen an LLM one-shot a change yet. It always needs a little feedback. I don't know why people are blindly trusting it. It's not that hard to do a code review.
David Cramer (@zeeg)
How did you verify your code worked before AI? You still need to do that.
sontek (@sontek)
@zeeg I'm using an AWS VM with ssh port forwarding via SSM. Not the fanciest thing in the world but it works. It's been on my list to throw tailscale on there but SSM "just works" out of the box with a tiny bit of terraform.
sontek (@sontek)
@zeeg @opencode Are you using any continuous/autonomous tricks or just prompting manually and having it do its thing? Did it one-shot it or did you have a lot of iteration?
sontek (@sontek)
@zeeg My opinion is the current review tools are focusing on the wrong thing. They catch things but rarely things that would take a long time. The code review tool I'm working on focuses on integration with test history and coverage to catch the hard stuff like flaky tests.
David Cramer (@zeeg)
This Christmas I learned there are dozens of "AI code review" tools. Anyone building one want employment?
sontek (@sontek)
@ibuildthecloud Developers are the worst, but it's also solving your own needs so it always seems like a good idea.
Darren Shepherd (@ibuildthecloud)
I really struggle with the idea of building a product for developers. Why does anyone choose to do that? Developers are the worst.
sontek (@sontek)
@bentlegen We had the same thing at Zapier when I started there, but the practice got lost during our growth stages and I think it hurt the culture a bit. I think every company would be better off getting developers close to the customer.
Ben Vinegar (@bentlegen)
When I left FreshBooks (not a dev tool), nobody had the title PM. We had a culture of “everyone must do support”. Even phone calls - you had to talk to customers. That’s it. That’s the trick. You just need developers to understand who they’re building for.
Quoting Aakash Gupta (@aakashgupta):

Everyone’s taking the wrong lesson from this. Cursor scaled to $29B without traditional PMs because they’re building a developer tool for developers. Ryo can walk through the entire product with engineers because engineers are the customer, the user, and the builder. The feedback loop is immediate and everyone speaks the same language. That model breaks the second you’re building for non-technical users. Product decisions require understanding customer jobs, translating between technical constraints and user needs, prioritizing across conflicting stakeholder demands, and maintaining strategic coherence as the team grows past 50 people. Cursor gets away with fuzzy roadmaps and fluid roles because every person in those concentric circles (staff, beta users, early adopters, enterprises) can evaluate a live prototype and tell you exactly what’s wrong. They’re not guessing about user behavior because the users are technical enough to articulate precise feedback. Most companies don’t have that luxury. Your users can’t code. Your stakeholders don’t understand API latency. Your go-to-market team needs a roadmap that sales can commit to. Your support team needs documentation. Your compliance team needs audit trails. The Cursor model works when the product is the development environment. For everything else, you need someone translating between what’s technically possible, what’s commercially viable, and what customers actually want. That’s the PM role. Copying Cursor’s structure without Cursor’s context is how you end up with features nobody asked for and engineers burned out from scope creep.
sontek (@sontek)
@kellabyte They are all running MySQL anyway.
Kelly Sommers (@kellabyte)
This is a 2010 take. There are many distributed SQL databases these days. The fallacy of the 2010s was that you needed NoSQL to scale. Things are WAY easier these days. These days NoSQL offers different access patterns, but scalability is a cluster away for both SQL and NoSQL.
Quoting Rezi (@rqobela):

Name one major tech company still using SQL in 2025. You can't. They all migrated to NoSQL because the scaling problem is unsolvable with relational databases. MongoDB handles what PostgreSQL chokes on.
sontek retweeted
The Lunduke Journal (@LundukeJournal)
Multiple, serious security vulnerabilities found in the Rust clone of Sudo — which shipped with Ubuntu 25.10 (the most recent release). Not little vulnerabilities: We’re talking about the disclosure of passwords and total bypassing of authentication. In fact, we’re getting new reports of showstopper grade issues every few days on the Rust-based clones (like sudo, du, date, and others) which were forced to ship in Ubuntu before they were fully tested. Which is, of course, *exactly* what was predicted. But, never fear! At least these Rust clones are memory safe! PHEW!
Chris Griffing (@cmgriffing)
@enunomaduro Agreed. A double shot of whiskey is way better. Fewer trips to the toilet.
nunomaduro (@enunomaduro)
I genuinely don't understand why/how people drink full pints of beer at airports before their flights at 10 am...
sontek (@sontek)
@tnm I think agile methodology is still sound: deliver small, working increments of software quickly and improve them continuously based on feedback. The problem was turning the management of the process into a job (project manager). I also like XP. Scrum was never good.
Ted Nyman (@tnm)
once-good dev methodologies (agile, scrum, kanban, extreme, whatever) are silly now. but none of us *doing* new work have a minute to sit down and properly explain what’s next. void is being filled by charlatans with newsletters to sell. don’t listen to them yet! wait a little
sontek (@sontek)
@awesomekling I still have fond memories of my SOAP XML API and XSLT UI. We thought we were so clever.
Andreas Kling (@awesomekling)
I don't have a strong keep/yeet opinion on XSLT, but it's fascinating to see people get worked up about deprecation of ancient stuff they don't actually use. Reminds me of when Linux was removing 80386 support. "Well no, *I* don't use it, but.. you can't just remove things!!"
sontek (@sontek)
@zeeg brokk.ai seems to be the only one that gets this right. They are using joern.io and treesitter to understand the code and provide better context to the LLM. Only issue it has is it's not built on top of VSCode 😅
David Cramer (@zeeg)
it turns out that running find and grep on every single thing you need to do isn't a good solution. news at 11. no shots at Cursor, but this is obvious af. the people who keep arguing against the ample prior art of systems design frankly need to step out of the conversation
Quoting Cursor (@cursor_ai):

Semantic search improves our agent's accuracy across all frontier models, especially in large codebases where grep alone falls short. Learn more about our results and how we trained an embedding model for retrieving code.