Explore the latest engineering posts and summaries

Search by topic, company, or concept and scan results quickly.

Posts indexed431

Last indexedMar 14, 2026

Engineering at MetaMar 2, 2026

Investing in Infrastructure: Meta’s Renewed Commitment to jemalloc

Why it matters: jemalloc is a critical foundation for high-performance systems. Meta's renewed commitment ensures the allocator evolves with modern hardware like ARM64 and complex workloads, reducing technical debt and improving memory efficiency for the entire open-source ecosystem.

Meta is unarchiving and renewing its stewardship of the jemalloc open-source repository to ensure long-term infrastructure health.
The project will prioritize technical debt reduction and refactoring to improve maintainability and ease of use for the community.
A key focus is enhancing the Huge-Page Allocator (HPA) to better utilize transparent hugepages for increased CPU efficiency.
Planned improvements to packing, caching, and purging mechanisms aim to optimize overall memory efficiency and performance.
The roadmap includes specific performance optimizations for the AArch64 (ARM64) platform to ensure high out-of-the-box performance.
Meta is shifting back to principled engineering practices, moving away from short-term hacks that previously accumulated technical debt.

#sre #data

Read original

GitHub EngineeringMar 2, 2026

GitHub for Beginners: Getting started with GitHub Issues and Projects

Why it matters: Mastering GitHub's native project management tools allows engineers to streamline collaboration and maintain task visibility without leaving their version control environment. This reduces context switching and ensures that technical debt and new features are tracked systematically.

GitHub Issues serve as the primary unit for tracking tasks, bugs, and ideas, allowing for detailed descriptions and cross-linking using the # symbol.
Issues can be categorized and managed using metadata such as assignees, labels, milestones, and specific issue types.
GitHub Projects provide a visual dashboard, such as Kanban boards, to group and track issues across a broader team workflow.
Project boards are highly customizable, offering multiple views, custom fields, and granular access control for collaborators.
The Insights feature within Projects enables teams to generate and customize charts to visualize progress and project health.
Workflows in GitHub Projects allow for the automation of task movements and status updates to streamline project management.

#culture

Read original

Cloudflare BlogMar 2, 2026

Beyond the blank slate: how Cloudflare accelerates your Zero Trust journey

Why it matters: Project Helix reduces Zero Trust adoption barriers by replacing manual, error-prone configurations with automated best practices. This allows engineers to deploy secure, optimized SASE environments in minutes while ensuring consistency across complex network architectures.

Project Helix automates the configuration of Cloudflare One to eliminate the 'blank slate' problem and reduce deployment friction.
The system codifies best practices from solutions engineers into reusable Terraform templates for consistent, error-free SASE setups.
Automated policies cover DNS protection, TLS inspection, Remote Browser Isolation, and visibility controls for AI applications.
Helix addresses complex networking tasks like configuring CGNAT ranges for private app routing and managing split-tunneling for real-time apps.
The solution leverages a web-based UI hosted on Cloudflare Workers to trigger infrastructure-as-code deployments via API.

#security #sre

Read original

Cloudflare BlogMar 2, 2026

Modernizing with agile SASE: a Cloudflare One blog takeover

Why it matters: Agile SASE moves security from rigid hardware silos to a programmable, single-pass global network. For engineers, this reduces technical debt, eliminates performance bottlenecks caused by service-chaining, and enables custom security logic via native developer platforms like Cloudflare Workers.

Cloudflare One introduces agile SASE, a composable platform designed to replace fragmented legacy hardware and VPNs with a unified connectivity cloud.
The platform utilizes a single-pass architecture across 300+ cities, eliminating service-chaining bottlenecks by running all security checks on every server simultaneously.
Integration with Cloudflare Workers allows developers to write custom code for real-time security event interception, moving beyond static allow/block rules.
Modernization focuses on five key areas: remote access, AI-powered email protection, DNS filtering, safe AI governance, and simplified branch networking.
Upcoming technical deep-dives will cover identity evolution, AI-driven threat detection, and the engineering behind the autonomous edge for performance-centric security.

#security #dist #sre

Read original

Cloudflare BlogMar 2, 2026

The truly programmable SASE platform

Why it matters: Cloudflare's programmable SASE allows engineers to build context-aware security policies using code. By executing logic at the edge, teams can integrate external data into access decisions in real-time, reducing latency and complexity compared to traditional webhook-based automation.

Cloudflare defines true programmability as the ability to intercept security events, enrich them with external context, and act in real-time.
The platform integrates SASE (Cloudflare One) with the Developer Platform (Workers), allowing security logic to run on the same global edge network.
Engineers can move beyond static 'allow/block' rules by using Workers to inject dynamic headers or query external risk APIs inline.
Managed actions provide templates for common IT and compliance workflows, while custom actions allow for bespoke logic via serverless functions.
This architecture eliminates the latency overhead typically associated with routing traffic to separate cloud environments for policy enforcement.
Real-world use cases include automated device session revocation and context-aware access based on external training or certification databases.

#security #dist #sre

Read original

Netflix Tech BlogFeb 28, 2026

Mount Mayhem at Netflix: Scaling Containers on Modern CPUs

Why it matters: Rapidly scaling containers with many layers can trigger kernel VFS lock contention when using idmap mounts for security. Understanding how hardware architecture, like NUMA domains and cache line bouncing, impacts system-level locks is crucial for high-density container orchestration.

Netflix identified a container startup bottleneck where nodes stalled for 30+ seconds due to kernel-level VFS mount lock contention.
The issue was triggered by the new container runtime's use of idmap mounts for unique user namespaces, which significantly increased mount operations.
Container images with many layers (50+) exacerbated the problem, requiring thousands of mount/unmount operations during rapid scale-up events.
Performance analysis using Intel's TMA revealed that 95.5% of pipeline slots were stalled on contested accesses and cache line bouncing.
Older multi-socket hardware (r5.metal) suffered more than newer single-socket instances (m7i, m7a) due to NUMA-related latency in lock acquisition.
The investigation highlights the critical intersection of container runtime security features, kernel lock management, and modern CPU architecture.

#sre #security

Read original

Pinterest EngineeringFeb 27, 2026

Bridging the Gap: Diagnosing Online–Offline Discrepancy in Pinterest’s L1 Conversion Models

Why it matters: This case study highlights that even mathematically superior models fail if serving infrastructure lacks feature parity with training. It provides a blueprint for diagnosing ML system discrepancies by auditing the entire pipeline from embedding generation to funnel alignment.

Pinterest investigated why L1 conversion models with 20-45% offline LogMAE gains failed to produce online CPA improvements during A/B testing.
The team ruled out offline evaluation bugs, exposure bias, and serving latency, focusing instead on structural discrepancies between training and inference.
A critical root cause was feature disparity: high-impact signals like targeting specs and conversion counts were available in training logs but missing from the L1 embedding builder.
Temporal misalignment between query and Pin tower embeddings further degraded online performance, as the two towers were not synchronized during real-time serving.
The investigation highlights the necessity of a full-stack diagnosis framework covering model evaluation, serving pipelines, and funnel utility to isolate ML system failures.

#mlp #data

Read original

GitHub EngineeringFeb 27, 2026

From idea to pull request: A practical guide to building with GitHub Copilot CLI

Why it matters: Copilot CLI bridges the gap between terminal workflows and AI assistance. It keeps engineers in their flow state by handling scaffolding, debugging, and mechanical changes without context switching, while ensuring safety through mandatory manual approval of all suggested actions.

GitHub Copilot CLI translates natural language intent into reviewable diffs and commands directly in the terminal.
The /plan mode allows developers to outline architectural steps and project structures before any code is generated.
It automates project scaffolding and boilerplate generation while requiring explicit user approval for all file changes.
Engineers can debug in real-time by asking the CLI to explain test failures and suggest fixes based on terminal output.
The tool handles tedious, repo-wide mechanical changes like refactoring or updating tests with high speed and visibility.
A clear handoff point exists where developers move to an IDE for fine-grained design decisions and API refinement.

#mlp #culture

Read original

Cloudflare BlogFeb 27, 2026

Toxic combinations: when small signals add up to a security incident

Why it matters: Engineers often overlook minor anomalies, but their convergence signals sophisticated attacks. Understanding toxic combinations helps teams move beyond signature-based defense to intent-based security, identifying breaches that lack obvious exploit payloads.

Toxic combinations are security incidents where attackers exploit multiple minor misconfigurations or anomalies that appear harmless in isolation.
Cloudflare identifies these by intersecting bot traffic data, sensitive application paths (e.g., /wp-admin, /debug), and request anomalies like geo jumps or identity mismatches.
Traditional point defenses like WAFs often focus on individual requests, whereas toxic combination detection analyzes the broader context and intent of multiple signals.
Analysis shows that while only 0.25% of non-WordPress hosts are susceptible, these represent high-risk vulnerabilities to compromise.
Engineers can use tools like Cloudflare Log Explorer to run queries that identify automated probing of administrative endpoints and debug flags.

#security #data

Read original

Cloudflare BlogFeb 27, 2026

ASPA: making Internet routing more secure

Why it matters: BGP route leaks cause major outages and security risks. ASPA extends RPKI to verify the entire routing path, not just the destination. For network engineers, this standard is a critical step toward a more secure and predictable Internet by cryptographically preventing unauthorized traffic detours.

ASPA (Autonomous System Provider Authorization) is a new cryptographic standard designed to prevent BGP route leaks by validating the entire network path.
While RPKI and ROAs verify the destination of traffic, ASPA verifies the sequence of Autonomous Systems (AS_PATH) it traverses.
ASPA allows network operators to publish a list of authorized upstream providers within the existing RPKI infrastructure.
Validation follows valley-free routing principles, ensuring traffic moves up to providers and down to customers without unauthorized lateral or downward-then-upward shifts.
Cloudflare Radar has introduced a monitoring tool to track ASPA adoption trends across Regional Internet Registries and individual Autonomous Systems.

#security #dist

Read original

Page 6 of 44

Prev 1...4 5 6 7 8...44 Next