Convenience bites back—supply-chain malware rides dev tooling and AI CLIs, and an Electron snapshot bug slips past code signing—while craft pushes toward sanity: .gitignore-first, causal clocks, and boring, blazing Linux monitors. Also on the bench: ESO’s governance reboot, leaner DB pooling with RDS Proxy, AWS cost booby traps, and a Python origin story worth your lunch break—details below.
🐧 24 Best Command Line Performance Monitoring Tools for Linux
🧠 Easy will always trump simple
🧹 .gitignore everything by default
🚢 Paused Kubernetes project finds path forward
🔌 Pooling Connections with RDS Proxy at Klaviyo
🐍 Python: The Documentary | An origin story
🕵️ s1ngularity: supply chain attack leaks secrets on GitHub: everything you need to know
🔓 Subverting code integrity checks to locally backdoor Signal, 1Password, Slack, and more
💸 The Hidden AWS Cost Traps No One Warns You About (and How I Avoid Them)
⏱️ Why "What Happened First?" Is One of the Hardest Questions in Large-Scale Systems
Ship smarter, spend less, and make your stack a harder target.
Code. Game. Flow. This 9"×8" (22.86 x 20.32 cm) Binary Matrix mouse pad gives you smooth precision, durable build, and a design every developer will vibe with. Perfect for work or play.
The External Secrets Operator (ESO) is moving again. After hitting pause from maintainer burnout, it’s back under CNCF incubation—with a rebooted structure in place. New governance, clear contributor paths, and support tracks for CI, core dev, and testing are all in.
But don’t expect fresh releases just yet. Updates stay frozen until they iron out a more sustainable workflow and lock down formal policies.
A supply chain attack hit the Nx build system npm package, slipping in post-install malware that scraped tokens, SSH keys, and cloud creds off dev machines and CI pipelines. The malware got clever—parsing GitHub Actions PR titles with zero sanitization, then using AI CLIs like Claude, Gemini, and Q to quietly sneak data out.
Over 5,500 private repos from 400+ users and orgs got popped through stolen GitHub tokens.
System shift: Dev tools, CI workflows, and AI automation just merged into one juicy attack vector. Time to rethink what “secure supply chain” actually means.
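The hook that carried the Nx payload was an npm install script, so a first defensive step is knowing which packages in your tree declare one. The scanner below is an added example (not code from the Nx project or the write-up): it walks a node_modules tree, reads every package.json, and lists the lifecycle hooks npm runs on its own. The sample tree it builds is constructed; package names and commands in it are made up.

```python
"""Inventory npm lifecycle scripts under node_modules.

Added example. Reports every installed package that declares a script npm runs
automatically on install (preinstall/install/postinstall for dependencies,
prepare for git deps and the root package). Those hooks are where post-install
malware executes, so the list is the review surface.
"""
import json
import os
import tempfile

# npm runs these hooks without being asked when a package is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def scan_manifest(manifest: dict) -> dict:
    """Return {hook: command} for any auto-run hook declared in a package.json dict."""
    scripts = manifest.get("scripts") or {}
    return {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}


def scan_node_modules(root: str) -> list:
    """Walk node_modules recursively and list (package, hook, command) triples."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, don't abort the audit
        name = manifest.get("name") or os.path.relpath(dirpath, root)
        for hook, cmd in scan_manifest(manifest).items():
            findings.append((name, hook, cmd))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed sample node_modules; package names and scripts are made up."""
    root = tempfile.mkdtemp(prefix="node_modules_")
    samples = {
        "left-pad-ish": {"name": "left-pad-ish", "version": "1.0.0"},
        "native-thing": {"name": "native-thing", "scripts": {"install": "node-gyp rebuild"}},
        "@scope/hooked": {"name": "@scope/hooked",
                          "scripts": {"postinstall": "node telemetry.js", "test": "jest"}},
    }
    for pkg, manifest in samples.items():
        d = os.path.join(root, *pkg.split("/"))
        os.makedirs(d)
        with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for pkg_name, hook, cmd in scan_node_modules(sample_root):
        print(f"{pkg_name:20} {hook:12} {cmd}")
```

Run it against a real tree after an install done with `npm ci --ignore-scripts`, which installs files without executing hooks; anything the scanner lists can then be reviewed before scripts are allowed to run at all.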
A fresh CVE (2025-55305) just put Electron apps in the hot seat. The bug? Chromium-based apps fail to treat V8 heap snapshot files as potential attack vectors. That crack lets unsigned JavaScript slip past code signing and run inside heavyweight targets like Slack, 1Password, and Signal.
The heart of it: heap snapshots aren't flagged as executable, so they dodge integrity checks. And if the app lives in a user-writable path? Congrats—you've got a persistent backdoor.
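Two checks follow directly from that description: the integrity check has to cover every shipped file, snapshots included, and the install directory must not be writable by the user the app runs as. The script below is an added example, not Electron's integrity mechanism or anything from the advisory. It hashes every file under an app directory into a manifest, reports any file that changed, went missing or appeared, and tests directory writability. The sample app directory it builds is constructed; the snapshot file name v8_context_snapshot.bin is assumed from how Electron ships snapshots.

```python
"""Hash every shipped file, snapshots included, and check install-dir writability.

Added example. Keep the manifest (or a signature over it) outside the app
directory; a manifest stored beside the files it protects can be edited with them.
"""
import hashlib
import os
import tempfile

SNAPSHOT_NAME = "v8_context_snapshot.bin"  # assumed Electron snapshot file name


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(app_dir: str) -> dict:
    """Map every file (relative path) under app_dir to its SHA-256, no extension filter."""
    manifest = {}
    for dirpath, _, filenames in os.walk(app_dir):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, app_dir).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(app_dir: str, manifest: dict) -> list:
    """Return a sorted list of files that are modified, missing or unexpected."""
    current = build_manifest(app_dir)
    bad = [p for p, digest in manifest.items() if current.get(p) != digest]
    bad += [p for p in current if p not in manifest]
    return sorted(bad)


def user_writable(path: str) -> bool:
    """True if the current process can write into path: the persistence precondition."""
    return os.access(path, os.W_OK)


def snapshot_path(app_dir: str) -> str:
    return os.path.join(app_dir, SNAPSHOT_NAME)


def append_to_file(path: str, data: bytes) -> None:
    """Simulate an out-of-band change to a shipped file (demo only)."""
    with open(path, "ab") as fh:
        fh.write(data)


def build_sample_app() -> str:
    """Constructed stand-in for an Electron app directory; contents are made up."""
    app = tempfile.mkdtemp(prefix="app_")
    os.makedirs(os.path.join(app, "resources"))
    with open(os.path.join(app, "resources", "app.asar"), "wb") as fh:
        fh.write(b"signed application archive (constructed)")
    with open(snapshot_path(app), "wb") as fh:
        fh.write(b"snapshot bytes (constructed)")
    return app


if __name__ == "__main__":
    app = build_sample_app()
    manifest = build_manifest(app)
    print("clean:", verify_manifest(app, manifest))
    append_to_file(snapshot_path(app), b"changed")
    print("after change:", verify_manifest(app, manifest))
    print("user-writable install dir:", user_writable(app))
```

A per-user install location will report writable, which is the condition the write-up flags; the fix on that side is installing under a path only an administrator can modify.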
Klaviyo replaced ProxySQL on EC2 and moved to AWS RDS Proxy. Why? Less overhead. Simpler failovers. Smarter pooling.
RDS Proxy handles multiplexing, packing thousands of client queries into way fewer DB connections. IAM access and built-in failover routing sweeten the deal.
Rich Hickey’s classic “Simple Made Easy” talk is making the rounds again—as a mirror held up to dev culture under pressure. The punchline: we keep picking solutions that are easy but tangled, instead of simple and sane.
The essay draws a sharp line between that habit and a concept from biology: exaptation. In short, systems evolve by bending what’s nearby into something new. That’s Postgres MVCC. That’s SQLite. Not designed for it, but it works.
A fresh look at Linux monitoring tools shows the classics still hold—but the visual crowd’s moving in.
Old-school command-liners like top and vmstat remain go-to’s for quick reads. But picks like Netdata, btop, and Monit bring dashboards, colors, and actual UX. Tools like iftop, Nmon, and Suricata stretch deeper across CPU, disk I/O, network traffic, and even intrusion detection. Bonus points: most spit out web views or CSVs you can wire into your stack.
Calling out five sneaky AWS cost traps—the kind that creep in through overlooked defaults and quiet misconfigs, then blow up your bill while no one's watching.
Logical clocks track event order in distributed systems—no need for synced wall clocks. Each node keeps a counter. On every event: tick it. On every message: tack on your counter. When you receive one? Merge and bump.
This flips the script. Instead of chasing global time, distributed systems lean into causality. Because actual time lies, but cause-and-effect doesn’t.
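The tick / attach / merge-and-bump rule above, worked through in code as an added example (not from the original article). It goes one step beyond the text: a Lamport clock orders events consistently with causality but cannot tell you two events were unrelated, so a vector clock is included as well, which can. Node names and the message sequence are constructed.

```python
"""Lamport and vector clocks: tick on local events, attach the counter to
outgoing messages, merge-and-bump on receipt. Added example."""


class LamportClock:
    def __init__(self):
        self.time = 0

    def tick(self) -> int:
        """Local event: advance the counter."""
        self.time += 1
        return self.time

    def send(self) -> int:
        """Tick, then return the timestamp to tack onto the outgoing message."""
        return self.tick()

    def receive(self, msg_time: int) -> int:
        """Merge with the sender's counter, then bump."""
        self.time = max(self.time, msg_time) + 1
        return self.time


class VectorClock:
    """One counter per node; captures causality, not just a consistent order."""

    def __init__(self, node: str, nodes):
        self.node = node
        self.vec = {n: 0 for n in nodes}

    def tick(self) -> dict:
        self.vec[self.node] += 1
        return dict(self.vec)

    def send(self) -> dict:
        return self.tick()

    def receive(self, msg_vec: dict) -> dict:
        for n, t in msg_vec.items():          # componentwise merge ...
            self.vec[n] = max(self.vec.get(n, 0), t)
        self.vec[self.node] += 1              # ... then bump our own entry
        return dict(self.vec)


def happens_before(a: dict, b: dict) -> bool:
    """a -> b iff a <= b componentwise and a != b."""
    keys = set(a) | set(b)
    return all(a.get(k, 0) <= b.get(k, 0) for k in keys) and a != b


def concurrent(a: dict, b: dict) -> bool:
    """Neither event caused the other; a Lamport clock cannot express this."""
    return not happens_before(a, b) and not happens_before(b, a)


def lamport_demo() -> tuple:
    """A sends to B; B does a local event; B replies to A. Returns final times."""
    a, b = LamportClock(), LamportClock()
    a.tick()              # a: 1 (local event)
    m1 = a.send()         # a: 2, message carries 2
    b.receive(m1)         # b: max(0, 2) + 1 = 3
    b.tick()              # b: 4
    m2 = b.send()         # b: 5
    a.receive(m2)         # a: max(2, 5) + 1 = 6
    return a.time, b.time


def vector_demo() -> tuple:
    """Two events with no message between them are concurrent; a later receive is not."""
    nodes = ("A", "B")
    a, b = VectorClock("A", nodes), VectorClock("B", nodes)
    ea = a.tick()          # {A:1, B:0}
    eb = b.tick()          # {A:0, B:1}
    m = a.send()           # {A:2, B:0}
    eb2 = b.receive(m)     # {A:2, B:2}
    return concurrent(ea, eb), happens_before(ea, eb2)


if __name__ == "__main__":
    print("lamport final times (A, B):", lamport_demo())
    print("(ea || eb, ea -> eb2):", vector_demo())
```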
Flips Git on its head: ignore everything by default, then whitelist only what matters—like go.mod and .gitignore. Keeps stray files (think editor fluff or build junk) out of commits before they ever get in.
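An allow-list .gitignore of the kind described, as an added example (not from the original post) for a small Go project. go.mod and .gitignore come from the text; go.sum, *.go and the cmd/ layout are assumed. The `!*/` line matters: git does not re-include a file whose parent directory is still ignored, so directories must be un-ignored before patterns inside them can match.

```gitignore
# Ignore everything ...
*

# ... but keep directories traversable so the rules below can reach into them.
!*/

# Allow-list exactly what belongs in the repo.
!.gitignore
!go.mod
!go.sum
!*.go

# Generated and editor files stay ignored even though they sit in allowed directories.
*_gen.go
*.swp
```

Check what a rule does with `git check-ignore -v <path>`, which prints the matching line; an unexpectedly ignored source file almost always means a missing directory un-ignore.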
This is the story of the world's most beloved programming language: Python. What began as a side project in Amsterdam during the 1990s became the software powering artificial intelligence, data science and some of the world’s biggest companies. But Python's future wasn't certain; at one point it almost disappeared.
This 90-minute documentary features Guido van Rossum, Travis Oliphant, Barry Warsaw, and many more, and they tell the story of Python’s rise, its community-driven evolution, the conflicts that almost tore it apart, and the language’s impact on... well… everything.
Run Windows apps such as Microsoft Office/Adobe in Linux (Ubuntu/Fedora) and GNOME/KDE as if they were a part of the native OS, including Nautilus integration.
Rotel provides an efficient, high-performance solution for collecting, processing, and exporting telemetry data. Rotel is ideal for resource-constrained environments and applications where minimizing overhead is critical.
Language-agnostic AI auditor that autonomously builds and refines adaptive knowledge graphs for deep, iterative code reasoning.
🤔 Did you know?
Did you know Kubernetes sets per-container oom_score_adj based on Pod QoS class so the kernel kills BestEffort pods first under memory pressure? BestEffort Pods get an oom_score_adj of 1000, Burstable Pods are assigned a value between 2–999 proportional to their memory request, and Guaranteed Pods get a very low negative value (around −997). Even if a BestEffort pod is barely using RAM, it's far more likely to be chosen by the OOM killer than a Guaranteed pod under node memory exhaustion. If you're seeing “random” OOM kills during rollouts or load spikes, inspect /proc/<PID>/oom_score_adj and the Pod’s QoS class—the kernel is probably doing exactly what kubelet told it to.
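To check the explanation against a running workload you need the Pod's QoS class and the score kubelet should have assigned. The helper below is an added example, not kubelet's code. QoS rules follow the Kubernetes docs: Guaranteed when every container sets cpu and memory limits and requests equal limits (requests default to limits when omitted); BestEffort when no container sets any cpu/memory request or limit; Burstable otherwise. The Burstable score uses the documented formula min(max(2, 1000 - 1000 * memRequest / nodeMemory), 999); node-critical pods, which kubelet pins to the Guaranteed value, are not modelled. The pod specs are constructed.

```python
"""Predict a Pod's QoS class and the per-container oom_score_adj kubelet assigns.

Added example, not kubelet's implementation. Compare the predicted value with
/proc/<PID>/oom_score_adj inside the container to confirm the kernel is
doing what kubelet asked.
"""

# Suffix order matters: the binary forms are checked before their single-letter cousins.
UNITS = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def parse_memory(q: str) -> int:
    """'128Mi' -> bytes; a plain integer string is already bytes."""
    for suffix, mult in UNITS.items():
        if q.endswith(suffix):
            return int(q[: -len(suffix)]) * mult
    return int(q)


def parse_cpu(q: str) -> int:
    """'500m' -> 500 millicores; '2' -> 2000."""
    return int(q[:-1]) if q.endswith("m") else int(float(q) * 1000)


PARSERS = {"memory": parse_memory, "cpu": parse_cpu}


def qos_class(pod: dict) -> str:
    containers = pod["spec"].get("containers", []) + pod["spec"].get("initContainers", [])
    any_set, all_guaranteed = False, True
    for c in containers:
        res = c.get("resources", {})
        req, lim = res.get("requests", {}), res.get("limits", {})
        for r, parse in PARSERS.items():
            if r in req or r in lim:
                any_set = True
            if r not in lim:
                all_guaranteed = False   # Guaranteed needs a limit on every resource
                continue
            effective_req = req.get(r, lim[r])  # request defaults to the limit
            if parse(effective_req) != parse(lim[r]):
                all_guaranteed = False
    if not any_set:
        return "BestEffort"
    return "Guaranteed" if all_guaranteed else "Burstable"


def oom_score_adj(pod: dict, node_memory_bytes: int) -> dict:
    """Expected oom_score_adj per container, keyed by container name."""
    cls = qos_class(pod)
    out = {}
    for c in pod["spec"].get("containers", []):
        if cls == "Guaranteed":
            out[c["name"]] = -997
        elif cls == "BestEffort":
            out[c["name"]] = 1000
        else:
            res = c.get("resources", {})
            req = res.get("requests", {}).get("memory") or res.get("limits", {}).get("memory")
            mem = parse_memory(req) if req else 0   # no request: treated as 0 -> top of range
            score = 1000 - (1000 * mem) // node_memory_bytes
            out[c["name"]] = min(max(2, score), 999)
    return out


# Constructed sample specs (not real workloads).
SAMPLE_GUARANTEED = {"spec": {"containers": [{"name": "db", "resources": {
    "requests": {"cpu": "500m", "memory": "256Mi"},
    "limits": {"cpu": "500m", "memory": "256Mi"}}}]}}
SAMPLE_BEST_EFFORT = {"spec": {"containers": [{"name": "batch"}]}}
SAMPLE_BURSTABLE = {"spec": {"containers": [
    {"name": "web", "resources": {"requests": {"memory": "1Gi"}}},
    {"name": "sidecar"}]}}

if __name__ == "__main__":
    node_mem = 4 * 1024 ** 3   # assumed 4 GiB node
    for name, pod in [("guaranteed", SAMPLE_GUARANTEED), ("besteffort", SAMPLE_BEST_EFFORT),
                      ("burstable", SAMPLE_BURSTABLE)]:
        print(name, qos_class(pod), oom_score_adj(pod, node_mem))
```

In the Burstable sample the sidecar without any request lands at 999, barely below BestEffort, which is the usual reason a "harmless" helper container is the first thing the OOM killer takes.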
😂 Meme of the week
🤖 Once, SenseiOne Said
"In the cloud, redundancy turns simple failure into coordinated failure; automation ensures it happens at speed. DevOps accelerates change; SRE makes it survivable; only SLOs give you permission to stop. If your SLOs never halt a release, they're just metrics." — SenseiOne
👤 This Week's Human
This Week’s Human is Gursimar Singh, a Google Developers Educator, Author @ freeCodeCamp, and DevOps & Cloud consultant who makes complex systems teachable. They’ve spoken at HAProxyConf 2022, multiple KCDs, and DevOpsDays Warsaw; reviewed programs for OpenTofu Day and PyCon India; and mentored at IIT Madras while volunteering with EuroPython. Offstage, they’ve published 70+ articles reaching 100k+ readers and contributed 5 project write-ups to the Google Dev Library, covering tools from Kubernetes to Terraform.