Explore the latest engineering posts and summaries

Search by topic, company, or concept and scan results quickly.

Posts indexed584

Last indexedApr 30, 2026

GitHub EngineeringApr 1, 2026

Securing the open source supply chain across GitHub

Why it matters: Supply chain attacks are evolving to target CI/CD pipelines. By adopting OIDC-based trusted publishing and rigorous workflow scanning, engineers can eliminate long-lived secrets and protect their projects from automated credential exfiltration and malware propagation.

Attackers are increasingly targeting GitHub Actions workflows to exfiltrate secrets and propagate malicious packages across the open source ecosystem.
Engineers should use CodeQL to review workflow implementations and pin third-party Actions to full-length commit SHAs to prevent unauthorized code execution.
Avoid using pull_request_target triggers and implement strict checks against script injection when referencing user-submitted content.
Replace long-lived secrets with OpenID Connect (OIDC) tokens for 'trusted publishing' to cloud providers and package repositories like npm, PyPI, and RubyGems.
GitHub is scaling automated malware detection for npm, scanning over 30,000 daily package versions to identify and remove malicious code before propagation.
A revamped security roadmap for GitHub Actions and npm is underway to accelerate the rollout of mandatory security features and hardened publishing workflows.

#security

Read original

GitHub EngineeringApr 1, 2026

Run multiple agents at once with /fleet in Copilot CLI

Why it matters: /fleet significantly boosts productivity by moving from sequential to parallel AI-assisted coding. It allows engineers to automate complex, multi-file refactors and documentation tasks simultaneously, drastically reducing the time spent waiting for AI responses on large-scale changes.

The /fleet command introduces an orchestrator that decomposes complex tasks into independent work items for parallel execution by multiple subagents.
The orchestrator manages task dependencies, polling for completion of prerequisite items before dispatching subsequent waves of agents.
Users can optimize parallelization by providing structured prompts that map tasks to specific files, modules, or deliverables.
Supports custom agents defined in .github/agents/, allowing specific models and instructions for different task types like documentation or refactoring.
Includes a non-interactive mode via the --no-ask-user flag for terminal-based automation and CI/CD integration.
Real-time monitoring of background subagent activity is available through the /tasks command.

#mlp #culture

Read original

Cloudflare BlogApr 1, 2026

Introducing EmDash — the spiritual successor to WordPress that solves plugin security

Why it matters: EmDash modernizes CMS architecture by replacing insecure PHP-based plugin hooks with isolated serverless environments. This shift to capability-based security and modern TypeScript tooling solves decades-old security vulnerabilities while maintaining the extensibility of the WordPress model.

EmDash is an open-source, MIT-licensed CMS built from scratch using TypeScript and the Astro framework.
It addresses WordPress's fundamental security flaws by sandboxing plugins within isolated Dynamic Workers.
Plugins utilize a capability-based security model, requiring explicit declarations of permissions like database access or network calls in a manifest.
The architecture is serverless-first but portable, allowing deployment on Cloudflare, Node.js, or private hardware.
By using static declarations for plugin needs, administrators can audit and restrict plugin behavior at install time rather than relying on allowlists.

#security #frontend #dist

Read original

Cloudflare BlogApr 1, 2026

Our ongoing commitment to privacy for the 1.1.1.1 public DNS resolver

Why it matters: DNS is a critical internet protocol that can leak significant user behavior data. Cloudflare's independent audit provides a rare, verifiable guarantee of privacy in a space where 'trust us' is the norm, setting a technical and ethical benchmark for infrastructure providers.

Cloudflare completed its second independent privacy examination of the 1.1.1.1 public DNS resolver, conducted by a Big 4 accounting firm.
The review confirms that Cloudflare does not sell personal data, use it for ad targeting, or retain identifying information.
Source IP addresses are anonymized and deleted within 25 hours, maintaining strict user privacy.
The resolver now runs on a new technical platform, which was included in the scope of the latest rigorous audit.
A small fraction of traffic (0.05%) is sampled for network troubleshooting and DDoS mitigation purposes.
Anonymized transaction logs are utilized for research and services like Cloudflare Radar without compromising individual user privacy.

#security #dist #culture

Read original

Salesforce EngineeringApr 1, 2026

Inside Informatica’s Spark-Based Data Integration Platform: Running 250K Enterprise Pipelines Daily

Why it matters: This article details how to scale legacy data integration systems to modern cloud-native standards. It highlights the importance of backward compatibility, the use of Spark for distributed processing, and how FinOps automation can optimize infrastructure costs for massive enterprise workloads.

Informatica transitioned its Cloud Data Integration (CDI) from a single-node engine to a distributed Spark-based architecture on Kubernetes to handle petabyte-scale data.
The platform maintains backward compatibility by preserving logical abstractions, automatically converting graphical mappings into distributed Spark execution plans.
Engineers developed 'Spark++' to extend open-source Spark with enterprise-grade features like lineage tracking, deep connector support, and governance.
Reliability is achieved through row-level data tracking for error isolation, strict tenant isolation within VPC boundaries, and multi-zone high availability.
Integrated FinOps logic automates infrastructure scaling and instance selection, balancing cost and performance based on user-defined goals.

#data #dist #finops

Read original

Salesforce EngineeringMar 31, 2026

Inside Informatica’s Spark-Based Data Integration Platform: Running 250K Enterprise Pipelines Daily

Why it matters: This article details scaling legacy data systems to modern distributed environments using Spark and Kubernetes. It demonstrates balancing backward compatibility with massive scalability and using FinOps to manage cost-performance trade-offs when processing petabytes of data daily.

Informatica transitioned its Cloud Data Integration (CDI) from a single-node engine to a distributed Spark-based architecture on Kubernetes to handle petabyte-scale data.
The platform maintains backward compatibility by abstracting Spark execution plans behind existing graphical mappings, allowing legacy pipelines to run on modern infrastructure.
The team developed 'Spark++', extending open-source Spark with enterprise-grade lineage tracking, governance features, and deep connector support.
Reliability is managed through row-level data integrity tracking, VPC-based tenant isolation with ephemeral nodes, and high-availability services across multiple zones.
Integrated FinOps automation allows users to define cost and performance goals, with the platform automatically selecting optimal infrastructure configurations.

#data #dist #finops

Read original

Slack EngineeringMar 31, 2026

From Custom to Open: Scalable Network Probing and HTTP/3 Readiness with Prometheus

Why it matters: As HTTP/3 and QUIC become standard, legacy monitoring tools often fail to provide visibility into UDP-based traffic. Open-sourcing these capabilities into Prometheus BBE enables engineers to monitor modern network protocols without relying on fragmented or proprietary solutions.

Slack faced a critical observability gap when rolling out HTTP/3 because existing SaaS and internal tools lacked support for UDP-based QUIC probing.
An engineering intern developed and open-sourced QUIC support for the Prometheus Blackbox Exporter (BBE) using the quic-go library.
The implementation integrated a new HTTP/3 transport into BBE's client while maintaining existing configuration patterns and composability.
The new probing system enables a unified view of HTTP/1.1, HTTP/2, and HTTP/3 metrics within Grafana for easier correlation and debugging.
Open-sourcing the contribution future-proofs Slack's infrastructure and provides the wider Prometheus community with native HTTP/3 monitoring capabilities.
Future roadmap items include Server Name Indication (SNI) routing validation and hop-by-hop end-to-end network path visualization.

#sre #dist

Read original

Engineering at MetaMar 31, 2026

Meta Adaptive Ranking Model: Bending the Inference Scaling Curve to Serve LLM-Scale Models for Ads

Why it matters: Scaling recommendation systems to LLM-scale is often cost-prohibitive. Meta's approach demonstrates how co-designing hardware and software with intelligent request routing can break the inference trilemma, delivering high-performance AI at global scale with industry-leading efficiency.

Meta's Adaptive Ranking Model (ARM) scales Ads Recommender systems to LLM-level complexity with O(1T) parameters while maintaining sub-second latency.
The system employs intelligent request routing to dynamically match model complexity with user context, ensuring compute resources are used efficiently.
Deep model-system co-design achieved 35% Model FLOPs Utilization (MFU) by aligning model architectures with specific hardware and silicon capabilities.
A reimagined multi-card GPU serving infrastructure was implemented to overcome single-device memory limits for trillion-parameter models.
Real-world deployment on Instagram resulted in a 3% increase in ad conversions and a 5% increase in click-through rates for targeted users.

#mlp #dist #finops

Read original

GitHub EngineeringMar 31, 2026

Agent-driven development in Copilot Applied Science

Why it matters: This article demonstrates how AI agents can automate high-level intellectual toil, not just boilerplate code. It provides a blueprint for agent-first repositories where maintaining clean architecture and documentation becomes the primary driver for massive, automated development velocity.

Automated the analysis of agent trajectories—complex JSON logs of thought processes—using a custom tool called eval-agents.
Leveraged the Copilot SDK and Model Context Protocol (MCP) servers to build agents with access to specialized tools and skills.
Adopted a 'planning before acting' prompting strategy, treating agents like senior engineers through verbose, conversational guidance.
Prioritized architectural health, including frequent refactoring and documentation, as a prerequisite for effective agent-driven contributions.
Shifted from 'trust but verify' to 'blame the process,' focusing on improving system guardrails rather than individual agent outputs.
Achieved high development velocity, creating 11 new agents and 4 skills in three days with a team of five contributors.

#mlp #culture

Read original

Cloudflare BlogMar 31, 2026

Introducing Programmable Flow Protection: custom DDoS mitigation logic for Magic Transit customers

Why it matters: Engineers can now extend Cloudflare's DDoS protection with custom eBPF logic. This is crucial for proprietary UDP-based applications like gaming or VoIP, where generic rate limiting causes collateral damage. It provides granular, stateful control over traffic filtering at the network edge.

Cloudflare launched Programmable Flow Protection, allowing Magic Transit customers to deploy custom DDoS mitigation logic via eBPF.
The system addresses the limitations of generic DDoS protection for proprietary or custom UDP protocols used in gaming, VoIP, and streaming.
Customers can write eBPF programs to define precise 'good' versus 'bad' packet logic, which Cloudflare executes across its global edge network.
To ensure security and flexibility, these programs run in a userspace environment rather than the Linux kernel, using a specialized API for stateful mitigation.
The platform includes helper functions for storing client state, performing cryptographic validation, and issuing challenge packets to mitigate attacks without impacting legitimate users.

#security #dist #sre

Read original

Page 11 of 59

Prev 1...9 10 11 12 13...59 Next