FAUN.dev's DevOps Weekly Newsletter
DevOpsLinks
 
#DevOps #SRE #PlatformEngineering
 
 
📝 A Few Words
 
 
Your OS is about to become an age checkpoint. And you don't have to live in the US for it to affect you.

California passed AB 1043: a law forcing every operating system to collect your age at signup and expose it to every app via a real-time API. Windows, macOS, Android, iOS, every Linux distro, SteamOS, and apparently even some firmware projects.

Age is self-reported. A 12-year-old types "1995" and walks right through.

But here's the real problem: Apple, Google, Microsoft, and Canonical don't ship regional OS builds - they ship one global product. They'll implement this for everyone, everywhere. Even if you're not in California, the infrastructure (API, data collection, etc.) will be there even if it's dormant. This can encourage other states and countries to follow suit and implement similar laws.

The law hits OSS hardest precisely because it was designed with big players in mind. Canonical and Red Hat have lawyers. A 3-person volunteer distro doesn't. The "good faith" compliance shield sounds reasonable until you realize small projects can't afford to find out in court whether they qualify.

Beyond resources, there's a precedent problem. If legislators can mandate an age API in an OS today, they can mandate something else tomorrow. The OSS social contract (build what you want, ship what you want) has never had a defense mechanism against that kind of legislative creep.

Then there's fragmentation. Distros that can't comply will geo-restrict or exit the US market entirely.

Also, what about Docker images and other containerized environments? Technically, they're operating systems too. Will they need to implement this API? If so, how will that work in practice?

There are many questions and edge cases that can't be easily resolved. This is a perfect example of what can happen when legislation tries to regulate a domain its authors don't fully understand!

Have a great week!
Aymen
 
 
🔍 Inside this Issue
 
 
This one swings between quietly dangerous and weirdly empowering: a Linux law proposal that could ripple into package managers, plus hardening tactics that only work if you repeat them after the system changes. On the upside, there is a clean path to self-hosting mail, saner Postgres pooling for serverless spikes, and a lightweight way to run agents in MicroVM sandboxes without turning your stack into a science project.

⚖️ California’s AB 1043 Could Regulate Every Linux Command, and the Open Source World Is Too Quiet
🔒 Auditing SUID binaries
📮 How to Host your Own Email Server
🐘 How we fixed Postgres connection pooling on serverless with PgDog
🧱 NanoClaw + Docker Sandboxes: Secure Agent Execution Without the Overhead
🛡️ New Malware Highlights Increased Systematic Targeting of Network Infrastructure
☁️ Rocky Linux 9 on AWS EC2: Best Practices for Production

Steal a few of these ideas now, before they become problems you have to debug later.

Stay safe out there.
FAUN.dev() Team
 
 
⭐ Patrons
 
eventbrite.com
 
Build & Scale AI Workloads on Kubernetes, March 28th
 
 
Most AI workloads run fine in a demo and fall apart in production. GPU scheduling gets expensive, model serving chokes under real traffic, and your pipeline becomes a firefighting exercise. This 4-hour hands-on workshop fixes that. You'll build and deploy AI workloads on Kubernetes yourself. Walk away with a production-ready setup you can use at work on Monday.

FAUN.dev readers get 30% off with code FAUN30
 
 
faun.dev
 
Keep up without burning out
 
 
FAUN.sensei() - self-paced courses for developers who don't have time to waste. Git, Docker, Kubernetes, Helm, MCP, Generative AI, and more. Dense, practical, and actually finishable.

Use code SENSEI25 at checkout for an instant 25% off - expires March 24.
 
 
👉 Spread the word and help developers find you by promoting your projects on FAUN. Get in touch for more information.
 
ℹ️ News, Updates & Announcements
 
faun.dev
 
NanoClaw + Docker Sandboxes: Secure Agent Execution Without the Overhead
 
 
NanoClaw fuses with Docker Sandboxes. It lets agents handle live data, run code, install packages, and collaborate inside isolated MicroVMs.

The open-source core spans 15 core files. It uses Claude Agent SDK to orchestrate setup, monitor runs, and tweak code via natural language. All within scoped secure boundaries.

System shift: Agents run in MicroVM Sandboxes and use Claude Agent SDK. Together they push a new pattern for auditable, autonomous agent deployment.
 
 
👉 Enjoyed this? Read more news on FAUN.dev/news
 
🔗 Stories, Tutorials & Articles
 
eclypsium.com
 
New Malware Highlights Increased Systematic Targeting of Network Infrastructure
 
 
The enterprise attack surface has changed, with threat actors increasingly targeting network infrastructure. Eclypsium recently captured new malware samples, including CondiBot and "Monaco," both impacting network devices such as Fortinet products. The rise in network device attacks poses serious threats to organizations, as seen in recent incidents involving different types of network equipment.
 
 
blog.miguelgrinberg.com
 
How to Host your Own Email Server
 
 
This guide shows how to self-host SMTP on a cheap VPS. It runs Dockerized Postfix and bundles opendkim for DKIM signing.

It skips IMAP and inbound SMTP and relies on registrar email forwarding. It configures reverse DNS plus SPF and DMARC DNS records.

It checks port 25 reachability, maps host port 1587 to container 587, and validates deliverability with Mail Tester and EasyDMARC.
 
 
circleback.ai
 
How we fixed Postgres connection pooling on serverless with PgDog
 
 
A startup swapped Supavisor and PgBouncer for PgDog on EKS. The swap stopped serverless deploy connection spikes. A multi-threaded, colocated pooler handled the bursty traffic.

PgDog needed fixes for Prisma prepared-statement handling. The team shipped those. PgDog now exports metrics via OpenMetrics to Prometheus/Grafana. It supports health-aware load balancing. That combo let the startup shrink Supabase hosts and cut costs.
 
 
shujisado.org
 
California’s AB 1043 Could Regulate Every Linux Command, and the Open Source World Is Too Quiet
 
 
California's AB 1043 requires operating systems to collect age/DOB at account setup and expose an API that returns an age bracket signal. Apps must request that signal on launch and restrict access by bracket. Effective Jan 1, 2027, vague definitions could sweep apt, flatpak, snap, and package managers into enforcement. Violations carry fines up to $7,500.

System shift: The law moves age gates to an OS-level API. That forces decentralized package ecosystems to adopt identity signals or seek carve-outs. Expect friction.
 
 
techbullion.com
 
Rocky Linux 9 on AWS EC2: Best Practices for Production
 
 
Rocky Linux 9 pairs RHEL-9 binary compatibility and modern kernels with AWS EC2 features: cloud-init, ENA, NVMe, gp3.

The guide recommends M6i/M7i for general servers. It favors C‑series for heavy compute and io2 for databases. Prefer XFS. Keep SELinux enabled. Use immutable AMIs. Automate with Ansible.
 
 

👉 Got something to share? Create your FAUN Page and start publishing your blog posts, tools, and updates. Grow your audience, and get discovered by the developer community.

 
⚙️ Tools, Apps & Software
 
github.com
 
jnv/lists
 
 
The definitive list of lists (of lists) curated on and elsewhere
 
 
github.com
 
basecamp/once
 
 
Easy self-hosting for Docker-based web apps
 
 
github.com
 
0xjet/tuxid
 
 
A lightweight Linux fingerprinting tool
 
 
github.com
 
geerlingguy/docker-ubuntu2604-ansible
 
 
Ubuntu 26.04 LTS (Resolute Raccoon) Docker container for Ansible playbook and role testing.
 
 
github.com
 
VarunAgw/CloudPingTest
 
 
Test ping time (latency) for different cloud providers like AWS, Azure, GCP, Digital Ocean from your web browser.
 
 

👉 Spread the word and help developers find and follow your Open Source project by promoting it on FAUN. Get in touch for more information.

 
🤔 Did you know?
 
 
Did you know that the Linux kernel has a facility called Magic SysRq that lets you send low-level commands directly to the kernel as long as it is still scheduling interrupts - even if your SSH session and userspace are completely unresponsive? The classic recovery sequence is REISUB - it unsets raw keyboard mode, sends SIGTERM then SIGKILL to all processes, syncs filesystems to disk, remounts them read-only, and reboots - each step issued as a separate Alt + SysRq + key press. The granularity is controlled via /proc/sys/kernel/sysrq, which accepts a bitmask so you can enable only specific functions - for example, 128 enables reboot only, while 244 enables the full REISUB set.
 
 
🤖 Once, SenseiOne Said
 
 
"The cloud makes capacity cheap and mistakes infinitely scalable; DevOps makes changes cheap and failures faster. SRE is just the discipline of paying those bills in advance with boring limits, not heroic recoveries."

- SenseiOne
 

(*) SenseiOne is FAUN.dev’s work-in-progress AI agent

 
⚡Growth Notes
 
 
Auditing SUID binaries only at install time misses every package update, manual chmod, and compiler toolchain drop that happens afterward - a periodic find / -perm -4000 piped into a diff against a known-good baseline is the difference between a hardened system and one that just started that way.
 
Each week, we share a practical move to grow faster and work smarter
 

DevOpsLinks #521: California’s AB 1043 Could Regulate Every Linux Command
Legend: ✅ = Editor's Choice / ♻️ = Old but Gold / ⭐ = Promoted / 🔰 = Beginner Friendly
