Python, Golang, Kubernetes, and DevOps!

Joined May 2007
Jun 6
Replying to @ibuildthecloud
@ibuildthecloud discobot seems to be the only session manager that takes sandboxing somewhat seriously
Jun 6
I use a Claude Code subscription, so I need the ACP support so I can drive the harness without violating the ToS
sontek retweeted
Fork your dependencies, trim them to only your use case, never update unless it breaks for your users. I’ve been vocal about this for 10 years. I’ve always said that updating is way riskier than latent bugs (which can be tracked and CVEs monitored). If you are updating a dependency, it’s on you to analyze every single commit in the full transitive set of dependencies. If you don’t see anything compelling, don’t update! I remember at HashiCorp once in a while an engineer would try to update a dep or replace a DIY lib with an external one and I’d always ask “show me the commit we need.” Don’t update for the sake of it. Feeling pretty swell about this mentality with all the supply chain attacks happening.
sontek retweeted
This is crazy. The hacker installed a dead-man's switch that will wipe your computer if you revoke the GitHub token they stole from you. Revoking the token is what triggers the wipe.
SECURITY ADVISORY — TanStack npm packages

A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.

Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down.
Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.

If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
• Rotate cloud, GitHub, and SSH credentials immediately
• Audit cloud audit logs for the last several hours
• Pin to a prior known-good version and reinstall from a clean lockfile

Detection — the malicious manifest contains:
"optionalDependencies": { "@tanstack/setup": "github:tanstack/router#79ac49ee..." }
Any version with this entry is compromised. The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).

Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.

Full technical breakdown, complete package and version list, and rolling status updates: github.com/TanStack/router/i…

Credit to the security researcher for responsible disclosure.
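The advisory above gives a concrete detection rule: a package.json whose optionalDependencies resolves @tanstack/setup from a git URL. The scanner below is an added example written for this page, not code from the advisory author or the TanStack project. It checks one manifest (or every package.json under an installed node_modules tree) for that exact indicator and, more generally, for any git-resolved optionalDependency, since that resolution path is what causes a prepare script to run at install time. Function names, the Finding dataclass, the sample manifests and the placeholder commit hash are all my own; the commit hash is truncated on the page, so only the name and the github:tanstack/router# prefix are matched.

```python
"""Scan npm package manifests for the git-resolved optionalDependencies
indicator described in the advisory above. Added example, not code from the
advisory author or the TanStack project; all names below are assumptions."""
from __future__ import annotations

import json
import os
from dataclasses import dataclass

# Indicator quoted in the advisory: an optionalDependency on @tanstack/setup
# resolved from a git URL. The commit hash is truncated on the page, so we
# match on the name and the "github:tanstack/router#" prefix only.
IOC_DEP_NAME = "@tanstack/setup"
IOC_SPEC_PREFIX = "github:tanstack/router#"

# Any git-resolved dependency gets its prepare script run at install time,
# which is the delivery mechanism the advisory describes, so the broader
# check flags every one of these for review, not just the exact indicator.
GIT_SPEC_PREFIXES = ("github:", "gitlab:", "bitbucket:", "git+", "git://", "git@")


@dataclass
class Finding:
    package: str      # name of the manifest being inspected
    version: str
    dep_name: str     # the suspicious optionalDependency
    spec: str         # its version specifier / resolution
    exact_ioc: bool   # True when it matches the advisory indicator exactly


def scan_manifest(manifest: dict) -> list[Finding]:
    """Return findings for one parsed package.json."""
    name = manifest.get("name", "<unnamed>")
    version = manifest.get("version", "<unversioned>")
    findings: list[Finding] = []
    for dep, spec in (manifest.get("optionalDependencies") or {}).items():
        if not isinstance(spec, str):
            continue
        exact = dep == IOC_DEP_NAME and spec.startswith(IOC_SPEC_PREFIX)
        if exact or spec.startswith(GIT_SPEC_PREFIXES):
            findings.append(Finding(name, version, dep, spec, exact))
    return findings


def scan_manifest_text(text: str) -> list[Finding]:
    """Convenience wrapper for a raw package.json string."""
    return scan_manifest(json.loads(text))


def scan_node_modules(root: str) -> list[Finding]:
    """Walk an installed tree (e.g. ./node_modules) and scan every package.json."""
    findings: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                findings.extend(scan_manifest(json.load(fh)))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or non-JSON manifests are skipped, not fatal
    return findings


# Constructed sample manifests for a stand-alone run. The package name,
# version and commit hash are placeholders, not real published values.
COMPROMISED_SAMPLE = json.dumps({
    "name": "@tanstack/example-package",
    "version": "0.0.0-constructed",
    "optionalDependencies": {
        "@tanstack/setup": "github:tanstack/router#PLACEHOLDER_COMMIT_HASH"
    },
})
CLEAN_SAMPLE = json.dumps({
    "name": "@tanstack/example-package",
    "version": "0.0.0-constructed",
    "dependencies": {"react": "^18.0.0"},
})

if __name__ == "__main__":
    for label, text in (("compromised", COMPROMISED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, scan_manifest_text(text))
```

Run it against a checkout with `scan_node_modules("node_modules")`; an `exact_ioc` hit means the advisory's indicator is present, while a non-exact hit is a git-resolved optional dependency that deserves a look for the same reason the advisory describes.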
sontek retweeted
Good companies don't hand their hardest, most critical projects to engineers that just walked in the door with a history of leaving early. If you want to solve those problems (and add them to your resume), you've got to stick around and earn it.
sontek retweeted
If the EU built Claude
sontek retweeted
Here’s what I’d do if I was in charge of GitHub, in order:
1. Establish a North Star plan around being critical infrastructure for agentic code lifecycles and determine a set of ways to measure that.
2. Fire everyone who works on or advocates for copilot and shut it down. It’s not about the people, I’m sure there are many talented people, you’re just working at the wrong company.
3. Buy Pierre and launch agentic repo hosting as the first agentic product. Repos would be separate from the legacy web product to start since they’re likely burdened with legacy cross product interactions.
4. Re-evaluate all product lines and initiatives against the new North Star. I suspect 50% get cut (to make room for different ones).

The big idea is all agentic interactions should critically rely on GitHub APIs. Code review should be agentic but the labs should be building that into GH (not bolted in through GHA like today, real first class platform primitives). GH should absolutely launch an agent chat primitive, agent mailboxes are obviously good. Etc. GH should be a platform and not an agent itself.

This is going to be very obviously lacking since I only have external ideas to work off of and have no idea how GitHub internals are working, what their KPIs are or what North Star they define, etc. But, with imperfect information, this is what I’d do.
May 6
Working with humans instead of agents is rough. Asked claude to analyze the last month of PRs for code review comments to find patterns I could write skills on. "Diagnosis: The cursor-bot caught correctness issues, human reviewers caught taste/hygiene issues" The humans are focusing on the wrong thing!
sontek retweeted
Datadog is the only company I know of where everyone who churns loves it and doesn’t want to churn, but is forced to because their biz side insists on absolute extortion. Engineers usually fight for good tools. But even when they hear the bill $, they go “wait, what?”
OpenAI is transitioning away from Datadog and into ClickHouse services, where $NBIS holds a 25% stake
sontek retweeted
Writing code is cheap.
Maintaining code is not cheap.
Anyone who's hired an external contractor knows this.
For 50 years, software engineering ran on code rationing. Writing code was expensive, so we rationed it carefully through roadmaps, RFCs, prioritization meetings, and scope reviews. This created a role: the No Engineer. No, that won't scale. No, we don't have bandwidth. No, that's out of scope. No, we need a design doc first. The No Engineer was valuable for 50 years. Every "no" saved real money. Their judgment was the rationing system. LLMs will be the end of code rationing. Code is cheap now. And while the No Engineer is explaining why something can't be done, the Yes Engineer has already shipped three versions of it. If you're a Yes Engineer, the next decade is yours.
sontek retweeted
I told my gf I can't hang out right now. GitHub is up, so I have to work. Don't know when I'll get this chance again.
sontek retweeted
Ghostty is leaving GitHub. I'm GitHub user 1299, joined Feb 2008. I've visited GitHub almost every single day for over 18 years. It's never been a question for me where I'd put my projects: always GitHub. I'm super sad to say this, but it's time to go. mitchellh.com/writing/ghostt…
sontek retweeted
Mar 20
🚨 Breaking: Trivy GitHub Actions supply chain attack – 75 out of 76 version tags compromised.

If your CI/CD pipelines reference “aquasecurity/trivy-action” by version tag, you’re likely running malware right now.

At Socket, we identified that an attacker force-pushed nearly every version tag in the official aquasecurity/trivy-action repository. That’s @0.0.1 all the way through @0.34.2. Over 10,000 GitHub workflow files reference this action.

The malicious payload runs silently before the legitimate Trivy scan, so nothing looks broken. Meanwhile it’s:
- Dumping runner process memory to extract secrets
- Harvesting SSH keys
- Exfiltrating AWS, GCP, and Azure credentials
- Stealing Kubernetes service account tokens

The only unaffected tag right now appears to be @0.35.0.

Socket independently detected this at 19:15 UTC and generated 182 threat feed entries tied to this campaign – all correctly classified as Backdoor, Infostealer, or Reconnaissance malware.

This is the second Trivy compromise this month. Earlier in March, attackers injected code into the Aqua Trivy VS Code extension on OpenVSX to abuse local AI coding agents.

The compromised tags are still active. Pin to @0.35.0 or use a SHA reference until this is fully remediated.

Full write-up: socket.dev/blog/trivy-under-…
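The remediation in the post above is to stop referencing actions by mutable version tag and pin to a commit SHA, because a force-pushed tag silently changes what `uses:` resolves to. The checker below is an added example written for this page, not code from Socket or the Trivy project. It goes beyond the single action named in the post: it parses every `uses:` line in a workflow file, skips local and docker actions, and reports any third-party action whose ref is not a full 40-hex commit SHA. The regex, function names, the ActionRef dataclass, the sample workflow and its placeholder checkout SHA are all my own; it uses a line regex rather than a YAML parser so it runs with the standard library only.

```python
"""Find GitHub Actions references in workflow files that are not pinned to a
full commit SHA. Added example, not code from Socket or the Trivy project;
all names below are assumptions."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# A `uses:` line, optionally as a list item, optionally quoted. The capture
# stops at whitespace, quotes or a trailing YAML comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class ActionRef:
    path: str
    line: int
    action: str   # owner/repo or owner/repo/subdir
    ref: str      # whatever follows the '@' ('' when absent)
    pinned: bool  # True only for a full 40-hex commit SHA


def parse_workflow(text: str, path: str = "<inline>") -> list[ActionRef]:
    """Extract every third-party action reference from one workflow file."""
    refs: list[ActionRef] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local actions and docker images are out of scope for tag pinning.
        if target.startswith(("./", "docker://")):
            continue
        action, sep, ref = target.rpartition("@")
        if not sep:  # no ref at all: resolves to the repo's default branch
            action, ref = target, ""
        refs.append(ActionRef(path, lineno, action, ref, bool(FULL_SHA_RE.match(ref))))
    return refs


def unpinned_refs(text: str, path: str = "<inline>") -> list[ActionRef]:
    """Tag and branch references: mutable, and therefore what a force-push rewrites."""
    return [r for r in parse_workflow(text, path) if not r.pinned]


def scan_workflows(repo_root: str) -> list[ActionRef]:
    """Scan .github/workflows/*.yml and *.yaml under a checkout."""
    wf_dir = os.path.join(repo_root, ".github", "workflows")
    findings: list[ActionRef] = []
    if not os.path.isdir(wf_dir):
        return findings
    for name in sorted(os.listdir(wf_dir)):
        if name.endswith((".yml", ".yaml")):
            path = os.path.join(wf_dir, name)
            with open(path, encoding="utf-8") as fh:
                findings.extend(unpinned_refs(fh.read(), path))
    return findings


# Constructed workflow for a stand-alone run. The checkout SHA is a made-up
# placeholder of the right shape, not a real commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: ./.github/actions/local-setup
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.34.2
        with:
          scan-type: fs
"""

if __name__ == "__main__":
    for r in unpinned_refs(SAMPLE_WORKFLOW):
        print(f"{r.path}:{r.line}: {r.action}@{r.ref} is not pinned to a commit SHA")
```

On the constructed workflow the pinned checkout passes and the tag-referenced trivy-action step is reported; `scan_workflows(".")` does the same for a real checkout. A pinned SHA still needs to be one you have verified belongs to the upstream repository, which this check does not do.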
sontek retweeted
Multiple, serious security vulnerabilities found in the Rust clone of Sudo — which shipped with Ubuntu 25.10 (the most recent release). Not little vulnerabilities: We’re talking about the disclosure of passwords and total bypassing of authentication. In fact, we’re getting new reports of showstopper grade issues every few days on the Rust-based clones (like sudo, du, date, and others) which were forced to ship in Ubuntu before they were fully tested. Which is, of course, *exactly* what was predicted. But, never fear! At least these Rust clones are memory safe! PHEW!
26 Sep 2025
Just had to do actual computer science. 🤮 I'm self taught, I'm not supposed to need those things. Needed a sparse data structure to represent test status with retries across commit/time.
24 Sep 2025
The way people retry CI actions is wrong. You don't want your test runner to retry. Let the pipeline fail and track the failure. Then automate the retry as a new run. Track how often it's failing and get the logs for it. Don't use things like pytest-retry or nick-fields/retry.
23 Sep 2025
DX isn’t just pretty docs and fast builds. It’s trust. Flaky tests break that trust. You lose all the speed when you are debugging and retrying tests. Why are all the Developer Experience teams building stuff that doesn't improve the daily life of the people they are serving?
23 Sep 2025
I'm building a side project to solve flaky tests / non-deterministic tests and Claude just implemented my OAuth for integrating with GitHub. What a time to be alive. Now I have to code review this to make sure it isn't going to get me a CVE
21 Sep 2025
I'm excited for the future where the LLMs have access to test history/logs/etc. I've already been seeing things like the Playwright MCP server that get us closer to that future.
AGI will be achieved when there are no flaky tests.
16 Sep 2025
I took a 1-week vacation next week to try and launch a side project. I doubt a week is enough time but it'll be fun to take a break from work to do some work