SoftwareEngineeringLinks

For 25 years, a small group of humans found vulnerabilities in open source, and a small group of humans fixed them. Both moved at the same pace. Debian backports, LTS kernels, enterprise support contracts, and vendored forks were all priced on that balance. AI broke one side!

• The Linux kernel security team went from 2-3 reports a week to 5-10 a day. Greg Kroah-Hartman called it: "Something happened, and the world switched."
• Firefox shipped around 500 above-baseline CVEs in three months.
• curl expects 3x more confirmed vulnerabilities in 2026 than in any previous year.

The number of people who can write a correct backport patch did not triple. Maintainers can't 10x their throughput with a tool. Each fix needs a human who understands the code, the threat model, the affected versions, the blast radius of the patch.

Two camps come out of this, and the bill is very different for each:

• You track upstream closely: Rolling distros, mainline kernels, evergreen well-maintained registries. When AI finds a bug, the fix lands in the version you actually run. The discovery wave works for you.
• You ship a frozen, forked, or backported version: Long-term stable distros, vendored libraries in enterprise monorepos, embedded firmware on 10-year contracts, every "we're on version X until 2028" deal. When AI finds a bug, somebody has to hand-port the fix into your old code. Nobody has the throughput for that anymore. You take on security debt you can't pay down.

The business under the most pressure is the one that sold stability on top of open source. Red Hat, Canonical LTS, Oracle, anyone paid to maintain old versions. The cost side of that contract went up by an order of magnitude this year, but the revenue side did not.

Have a great day,
Aymen.

One team formatted 25 million lines of Ruby in a single morning, another shrank a 3 GB search index into 10 MB, and GitHub is feeling the strain of AI-driven traffic in ways that are hard to ignore. If you like big swings, hard constraints, and the tradeoffs behind them, this one is worth lingering on.

🧱 Formatting an entire 25 million line codebase overnight: the rubyfmt story
🛠️ Making your own programming language is easier than you think (but also harder)
🗜️ Replacing a 3 GB SQLite database with a 10 MB FST (finite state transducer) binary
📈 The Pulse: AI load breaks GitHub – why not other vendors?
🏛️ Why I'm leaving GitHub for Forgejo

Steal the patterns, skip the scars.

Take care!
FAUN.dev() Team

Most engineers can run helm install. Far fewer can explain why their upgrade half-applied at 3 AM.

A practical course on what Helm actually does: state, releases, rendering, hooks, dependencies, rollbacks, GitOps integration, and the failure modes nobody writes blog posts about.

For engineers tired of treating Helm like a black box.

[Start the course →]

Are Your APIs Ready for AI Agents? A Hands-on Workshop on May 23rd

AI agents are beginning to autonomously call APIs, chain services, and create integrations that most platforms were never designed to handle. This hands-on masterclass on Designing AI-ready APIs helps architects and developers build governed, predictable API ecosystems using OpenAPI, Overlay, and Arazzo.

Learn how to add guardrails, improve discoverability, and safely evolve existing APIs for automated consumption.

FAUN.dev readers get an exclusive 40% discount using code FAUN40.

Stripe's Developer Productivity team rolled out rubyfmt, a Rust-based zero-config Ruby autoformatter, across 25 million lines of Ruby in one Saturday morning in 2024, after the project had been in flight since 2018 as Fable Tales's personal OSS work.

The hard parts were Ruby itself (no Ruby parser existed outside the VM, so early rubyfmt linked a full Ruby VM into a Rust binary and taught serde to walk Ruby VALUE objects in memory to hit a 100ms format-on-save budget) and the rollout (per-file opt-in, ripper-tree diffing to catch correctness regressions, then a single big-bang commit so large GitHub rendered it as files changed: infinity).

Today 100% of Stripe's 42M Ruby lines are formatted by rubyfmt, and the recent migration from ripper to Prism removed the need for an embedded Ruby VM entirely, shrinking the binary by megabytes and making it noticeably faster.

The Dutch Ministry of the Interior launched code.overheid.nl, a self-hosted Forgejo instance for government source code. This move was driven by the need to own and control the platform where code is published. Forgejo was chosen over GitLab for its open-source nature and alignment with the ministry's digital autonomy goals.

GitHub leaders created the reliability problems through weak capacity planning. As AI-agent users drove heavier traffic, GitHub engineers found migration risk and engineering debt that teams had allowed to build up.

A game developer explains how he built a low-level modding language, including sandbox constraints, an AArch64 JIT, and a small C++ compiler.

Andrew Quinn shipped Taskusanakirja (tsk), a Finnish-English pocket dictionary with search-as-you-type, originally backed by a trie for ~400k base words plus a 3 GB SQLite FTS database to cover the 40-60M inflected forms that Finnish's agglutinative morphology demands. Reaching for BurntSushi's Index 1,600,000,000 Keys with Automata and Rust, he rewrote the index as a finite state transducer using the Rust fst crate, which compresses both prefixes and suffixes, exactly what you want when 100k words all end in the same dozen inflection patterns. The 3 GB SQLite blob collapsed to about 10 MB, a roughly 300x reduction, and the broader lesson he leans on is that the only reason this clean second pass was even possible was because nine months earlier he shipped the ugly SQLite hack instead of waiting for the right answer.

Modern platform teams are under pressure to scale cloud-native systems faster while improving reliability, security, developer experience, and operational efficiency. AI is changing how platforms are designed and operated — from intelligent automation and observability to AI-native developer platforms and autonomous operations.

Join leading experts from WSO2, CNCF, cloud-native, and DevSecOps communities for a practical workshop focused on building scalable, secure, and intelligent AI-native platforms.

Register Here: Building AI-Native Platform Engineering Systems Tickets, Saturday, May 30 • 7 PM - 11:59 PM GMT+5 | Eventbrite

CLI proxy that reduces LLM token consumption by 60-90% on common dev commands. Single Rust binary, zero dependencies

Manage multiple Claude Code, OpenCode agents from either TUI or Web for easy access on mobile. Also supports Mistral Vibe, Codex CLI, Gemini CLI, Pi.dev, Copilot CLI, Factory Droid Coding. Uses tmux and git worktrees.

AI-guided self-hosting for 950+ open-source apps on any cloud. Works with Claude Code, Codex, Cursor, Aider, OpenClaw, Hermes — catalog self-improves from user feedback.

Use Claude Code's autonomous agent loop with DeepSeek V4 Pro, OpenRouter, or any Anthropic-compatible backend. Same UX, 17x cheaper.

A programming language for libraries translated to all the others

Did you know that Chrome's memory allocator, PartitionAlloc, deliberately crashes the browser the instant it spots heap corruption instead of trying to recover? That fail-fast behavior is the security feature: it converts many use-after-free and overflow bugs into a plain crash rather than letting attackers turn them into working exploits. PartitionAlloc also splits allocations into separate "partitions" by object type and size, so a corrupted buffer cannot easily reach into memory holding a different kind of object, which is how Chrome blunts most type confusion attacks on the heap.

"Every dev tool that promises to remove friction is also a new surface area you have to debug. The fastest teams don't have fewer tools, they have fewer ways to be surprised by them."
— SenseiOne