DevOpsLinks

Your OS is about to become an age checkpoint. And you don't have to live in the US for it to affect you.

California passed AB 1043: a law forcing every operating system to collect your age at signup and expose it to every app via a real-time API. Windows, macOS, Android, iOS, every Linux distro, SteamOS, and apparently even some firmware projects.

Age is self-reported. A 12-year-old types "1995" and walks right through.

But here's the real problem: Apple, Google, Microsoft, and Canonical don't ship regional OS builds - they ship one global product. They'll implement this for everyone, everywhere. Even if you're not in California, the infrastructure (API, data collection, etc.) will be there even if it's dormant. This can encourage other states and countries to follow suit and implement similar laws.

The law hits OSS hardest precisely because it was designed with big players in mind. Canonical and Red Hat have lawyers. A 3-person volunteer distro doesn't. The "good faith" compliance shield sounds reasonable until you realize small projects can't afford to find out in court whether they qualify.

Beyond resources, there's a precedent problem. If legislators can mandate an age API in an OS today, they can mandate something else tomorrow. The OSS social contract (build what you want, ship what you want) has never had a defense mechanism against that kind of legislative creep.

Then there's fragmentation. Distros that can't comply will geo-restrict or exit the US market entirely.

Also what about Docker images and other containerized environments? Technically, they're operating systems too. Will they need to implement this API? If so, how will that work in practice?

There are many questions and edge cases that can't be easily resolved. This is a perfect example that shows what could happen when legislation tries to regulate a domain they don't fully understand!

Have a great week!
Aymen

This one swings between quietly dangerous and weirdly empowering: a Linux law proposal that could ripple into package managers, plus hardening tactics that only work if you repeat them after the system changes. On the upside, there is a clean path to self-hosting mail, saner Postgres pooling for serverless spikes, and a lightweight way to run agents in MicroVM sandboxes without turning your stack into a science project.

⚖️ California’s AB 1043 Could Regulate Every Linux Command, and the Open Source World Is Too Quiet
🔒 Auditing SUID binaries
📮 How to Host your Own Email Server
🐘 How we fixed Postgres connection pooling on serverless with PgDog
🧱 NanoClaw + Docker Sandboxes: Secure Agent Execution Without the Overhead
🛡️ New Malware Highlights Increased Systematic Targeting of Network Infrastructure
☁️ Rocky Linux 9 on AWS EC2: Best Practices for Production

Steal a few of these ideas now, before they become problems you have to debug later.

Stay safe out there.
FAUN.dev() Team

Most AI workloads run fine in a demo and fall apart in production. GPU scheduling gets expensive, model serving chokes under real traffic, and your pipeline becomes a firefighting exercise. This 4-hour hands-on workshop fixes that. You'll build and deploy AI workloads on Kubernetes yourself. Walk away with a production-ready setup you can use at work on Monday.

FAUN.dev readers get 30% off with code FAUN30

FAUN.sensei() - self-paced courses for developers who don't have time to waste. Git, Docker, Kubernetes, Helm, MCP, Generative AI, and more. Dense, practical, and actually finishable.

Use code SENSEI25 at checkout for an instant 25% off - expires March 24.

NanoClaw fuses with Docker Sandboxes. It lets agents handle live data, run code, install packages, and collaborate inside isolated MicroVMs.

The open-source core spans 15 core files. It uses Claude Agent SDK to orchestrate setup, monitor runs, and tweak code via natural language. All within scoped secure boundaries.

System shift: Agents run in MicroVM Sandboxes and use Claude Agent SDK. Together they push a new pattern for auditable, autonomous agent deployment.

The enterprise attack surface has changed, with threat actors increasingly targeting network infrastructure. Eclypsium recently captured new malware samples, including CondiBot and "Monaco," both impacting network devices such as Fortinet products. The rise in network device attacks poses serious threats to organizations, as seen in recent incidents involving different types of network equipment.

This guide shows how to self-host SMTP on a cheap VPS. It runs Dockerized Postfix and bundles opendkim for DKIM signing.

It skips IMAP and inbound SMTP and relies on registrar email forwarding. It configures reverse DNS plus SPF and DMARC DNS records.

It checks port 25 reachability, maps host port 1587 to container 587, and validates deliverability with Mail Tester and EasyDMARC.

A startup swapped Supavisor and PgBouncer for PgDog on EKS. The swap stopped serverless deploy connection spikes. A multi-threaded, colocated pooler handled the bursty traffic.

PgDog needed fixes for Prisma prepared-statement handling. The team shipped those. PgDog now exports metrics via OpenMetrics to Prometheus/Grafana. It supports health-aware load balancing. That combo let the startup shrink Supabase hosts and cut costs.

California's AB 1043 requires operating systems to collect age/DOB at account setup and expose an API that returns an age bracket signal. Apps must request that signal on launch and restrict access by bracket. Effective Jan 1, 2027, vague definitions could sweep apt, flatpak, snap, and package managers into enforcement. Violations carry fines up to $7,500.

System shift: The law moves age gates to an OS-level API. That forces decentralized package ecosystems to adopt identity signals or seek carve-outs. Expect friction.

Rocky Linux 9 pairs RHEL-9 binary compatibility and modern kernels with AWS EC2 features: cloud-init, ENA, NVMe, gp3.

The guide recommends M6i/M7i for general servers. It favors C‑series for heavy compute and io2 for databases. Prefer XFS. Keep SELinux enabled. Use immutable AMIs. Automate with Ansible.

The definitive list of lists (of lists) curated on and elsewhere

Easy self-hosting for Docker-based web apps

A lightweight Linux fingerprinting tool

Ubuntu 26.04 LTS (Resolute Raccoon) Docker container for Ansible playbook and role testing.

Test ping time (latency) for different cloud providers like AWS, Azure, GCP, Digital Ocean from your web browser.

Did you know that the Linux kernel has a facility called Magic SysRq that lets you send low-level commands directly to the kernel as long as it is still scheduling interrupts - even if your SSH session and userspace are completely unresponsive? The classic recovery sequence is REISUB - it unsets raw keyboard mode, sends SIGTERM then SIGKILL to all processes, syncs filesystems to disk, remounts them read-only, and reboots - each step issued as a separate Alt + SysRq + key press. The granularity is controlled via /proc/sys/kernel/sysrq, which accepts a bitmask so you can enable only specific functions - for example, 128 enables reboot only, while 244 enables the full REISUB set.

"The cloud makes capacity cheap and mistakes infinitely scalable; DevOps makes changes cheap and failures faster. SRE is just the discipline of paying those bills in advance with boring limits, not heroic recoveries."

- SenseiOne

Auditing SUID binaries only at install time misses every package update, manual chmod, and compiler toolchain drop that happens afterward - a periodic find / -perm -4000 piped into a diff against a known-good baseline is the difference between a hardened system and one that just started that way.