Supply-Chain Hazards That Got Real in 2026, and the Fixes
The trivy-action compromise, mutable tags as the root bug, the Rekor v2 rotation that breaks old clients, and why a copy can orphan your attestations.
Robert Allen
Technologist | Regenerative Agriculturist
Passionate about building robust, scalable systems and contributing to open source software. Specializing in backend architecture, API design, and developer tools. Author of open specifications for AI memory interchange and extension packaging.
Recent Posts
Friday Roundup - Week 26: Control Moves From Cooperation to Enforcement
Agent safety research says cooperation is not control, coding tools fenced off what agents can reach, and APIs and farm sensors became evidence surfaces.
Produce a Software Bill of Materials You Can Actually Use
A useful software bill of materials is in a format your tools read, bound to the exact digest that ran, and re-scannable without a rebuild. Produce one anyway.
SLSA Build Level 3 Is an Isolation Property, Not a Project
SLSA Build Level 3 is not a project. It is an isolation property: the platform keeps signing material out of user-controlled build steps and isolates runs.
Friday Roundup - Week 25: Enforced Supply-Chain Controls and Agent Knowledge
GitHub moved Actions security into enforced platform controls, Node and pnpm split supply-chain work between patches and evidence, secret scanning became verification, and Google shipped a knowledge envelope for agents.
Enforce Image Trust at Admission, Not by Convention
A CI signature is a claim, not a guarantee that the signed image is the one running in your cluster. Put a deny-by-default, fail-closed check at admission.
Scaling PostgreSQL: Proxies, Extensions and Managed Platforms
A decision guide for scaling PostgreSQL by where each option places the wire-protocol boundary: proxies, sharding extensions and managed elastic platforms.
Move the Evidence, Not Just the Image, When You Promote
Signatures, SBOMs, and provenance attach to an image as separate referrer manifests, not image layers. A naive copy by digest leaves all of that evidence behind.
Friday Roundup - Week 24: Fable 5, Recursive Agents, and Supply-Chain Threats
Claude Fable 5 launches with silent refusals; sub-agents gain recursive depth; Apple Intelligence 2.0 picks Gemini; Shai Halud targets AI developer repos; npm v12 rewrites security defaults.
Pick GitHub Flow When the Release Is an Attested Digest
For a service that ships one version continuously, the branching model is GitHub Flow and the release candidate is an attested digest, not a release branch.