Apparently, the Dutch Central Bank is opting for the Lidl cloud instead of a US solution as their cloud provider.

Right now, digital sovereignty may sound like loud promises, but this is one of the main issues the European tech sector will have to solve in the nearest future.

P.S. It’s also a bit funny that a grocery store is completing with a book store in cloud computing.

#cloud #lidl

If you're hosting GitHub Enterprise Server, you need to update to address a recently discovered CVE.

What's interesting about this CVE is that it is a legit CVE that was discovered with AI. As WIZ researchers put it in the related article

Notably, this is one of the first critical vulnerabilities discovered in closed-source binaries using AI, highlighting a shift in how these flaws are identified.

Security notice from GitHub.

Fixed versions:

- GitHub Enterprise Server 3.14.25 or later
- GitHub Enterprise Server 3.15.20 or later
- GitHub Enterprise Server 3.16.16 or later
- GitHub Enterprise Server 3.17.13 or later
- GitHub Enterprise Server 3.18.7 or later
- GitHub Enterprise Server 3.19.4 or later
- GitHub Enterprise Server 3.20.0 or later

P.S. These news came from our chat (in Ukrainian).

#security #github

https://copy.fail/

Basically, you need to patch/recreate with new version everything that interact with not trusted part of internet.

Bug found was AI-assisted, btw.

#security

An interesting application for eBPF: patching your Kubernetes nodes against CopyFail (see the previous post) with a DaemonSet. It is supposed to work even if the algif_aead module is built into the kernel.

https://github.com/iwanhae/copyfail-ebpf-k8s

#security

​​My friends started a helper jar for two pickup trucks for AFU.

More info: https://www.instagram.com/p/DXpgaaWgH00

Monobank jar: https://send.monobank.ua/jar/3U1hBa5WPp

#donations #Ukraine

Figma has replaced PGBouncer with their own implementation called PGKeeper written in Go as a connection pooler for Postgres.

I really enjoyed this article, because they go into the implementation depths and describe why certain decisions were taken. Unfortunately, it doesn't always happen in such articles. Also, this is a nice reminder that software engineering is not only about writing CRUDs.

Unfortunately, they do not plan to open source it for now, also because it's too tightly coupled with libraries and approaches Figma uses internally. To be honest, it makes sense for in-house software to aim to one's specific needs rather than being generic enough to be open sourced.

#databases #postgres

A book bundle on Linux, shells, and other OPS topics by O’Reilly on Humble Bundle.

Just beware that this is a reoccurring bundle. It was featured before, including on this channel. Double-check before you buy!

#books

You may have heard already that Mitchell Hashimoto plans to move Ghostty away from GitHub.

It could be that you plan such a move yourself for whatever reason, but you're not sure yet. Here's a guide on how to push changes to GitHub and Codeberg simultaneously, so you could still keep the door open.

Codeberg is a non-profit European Git hosting. Although, this guide should work for any provider as long as you can use SSH keys for auth.

#programming #github

​​Remember copy.fail which we all checking a week ago?
Here is a continuation - another Linux 0-day to root.
https://github.com/V4bel/dirtyfrag

Btw, I can recommend to checkout https://xn--r1a.website/setenforce_1 - channel fully dedicated to security, or better say - to vulns that will have real effect on you. No bullshit about "10 common vulns" which you can check on OWASP etc. Love it.

#security #linux

A new issue of the CatOps Digest is here!

https://newsletter.catops.dev/p/catops-digest-2026-05-09

Happy Europe Day! 🇪🇺

#digest #newsletter

​​For today’s Donations Monday, I would like to remind you about one of the smaller fundraisers from the recent digest.

- Radio-electronic equipment for the 25th Brigade.

It’s more than 80% complete, and I’m sure that with your help, we can close it this week.

#donations #Ukraine

​​Enabling horizontal autoscaling with co-operative distributed rate limiting is an old article from Monzo that describes, how they built their internal distributed rate limiting solution.

The interesting part is the reasoning about whether a system works in an adversary environment (public facing) or not (internal system). The main question here: can you trust a client? The answer to this question influences the design a lot!

#system_design

Consistent Hashing in 1 diagram and 198 words is a nice primer on the consistent hashing technique. Obviously, it doesn't go deep on the implementation or examples.

That Substack has some other nice primers as well. Some are good, others are not so much, but all of them could be a good start for a new topic.

#programming #primer

A (now) regular Thursday security advisory rubric.

"Fragnesia" is a newly discovered local privilege escalation kernel CVE from the same family of CopyFail and DirtyFrag.

It looks like the Dirty Frag mitigation (disabling the kernel modules esp4, esp6, and rxrpc) should help here as well.

#security

Continuing with security advisory.

NGINX ngx_http_rewrite_module vulnerability CVE-2026-42945.

~
NGINX Plus and NGINX Open Source have a vulnerability in the *ngx_http_rewrite_module* module. This vulnerability exists when the *rewrite* directive is followed by a *rewrite*, *if*, or *set* directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible. (CVE-2026-42945)

Don't confuse the F5's NGINX Ingress Controller with the community-led ingress-nginx, that is deprecated now.

In any case, though, if you're using the ngx_http_rewrite_module (and it's widely used!), you are likely vulnerable.


#security

An interesting point of view on reliability through the prism of everyday work and experience from other industries.

The normal work of creating reliability is an article by Lorin Hochstein, that asks: what instead of thinking of how an incident could have been prevented, we ask: what do we do daily to avoid having incidents constantly.

P.S. "Invert, always invert" - Carl Jacobi

#sre #reliability #culture

​​What’s the difference between picking up litter after yourself and donating to the AFU's pickup trucks?

You're right — donating is easier, as you don't need to spend energy producing waste beforehand!

So, here's the link: ​​https://send.monobank.ua/jar/3U1hBa5WPp

More info: https://www.instagram.com/p/DXpgaaWgH00

#donations #Ukraine

A nice article about chaos engineering that was shared in our chat.

The author uses some overly fluffy sentences, but the core of the article holds strong: in many cases, you don't need chaos engineering, and there are things that have better ROI, unless you have them already.

Personally, I'd also like to add that chaos engineering is not simply about breaking things - it's about experimentation. You don't just randomly switch off things, you build hypotheses and validate them. This is the boring, yet crucial part, that many oversee.

#chaos

​​Today CatOps became 9 years old 🎉

You can send us a birthday present by donating to our current fundraiser!

https://send.monobank.ua/jar/3U1hBa5WPp

​​For today’s Donations Monday, let’s finally close the fundraiser for two trucks that’s been going on for some time already.

​​​​https://send.monobank.ua/jar/3U1hBa5WPp

More info: https://www.instagram.com/p/DXpgaaWgH00

#donations #Ukraine