Each week, I share one insight. One piece of wisdom. One question to reflect on. (and a little Lagniappe)

Insight

This week LiteLLM, the most popular open-source LLM proxy in the Python ecosystem, was hit by a really gnarly software supply chain attack. The awful part is that the attack vector was Trivy, a security scanner LiteLLM trusted to help protect its code. Attackers compromised Trivy's GitHub Actions, used that foothold to steal LiteLLM's PyPI publishing credentials, and used those credentials to push backdoored packages that harvested secrets from anyone running LiteLLM in their Python stack.

Moments like these are important reminders of how vulnerable we all are when we get sloppy with our trust models. Every dependency is a trust decision, and trust is transitive: whatever your dependencies trust, you trust too, whether you meant to or not. That builds a chain of trust, and like any chain, it is only as strong as its weakest link. LiteLLM trusted Trivy. When Trivy fell, everything downstream fell with it.

Now, what can we learn from this? We must use defense in depth. We must pin dependencies, including the CI actions that build and publish them, to immutable hashes rather than to tags or branches that upstream can move. We must scope credentials narrowly, so a compromised build step cannot walk off with a long-lived publishing token. We must filter network egress in build environments, so a malicious step has nowhere to send what it steals. And finally, we must regularly take the time to think through our trust models.

Wisdom

"The best way to find out if you can trust somebody is to trust them." — Ernest Hemingway

Reflection

How would you triage an incident like LiteLLM's?

Lagniappe
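As an added example (not code from this newsletter, LiteLLM, Trivy, or any of the actions it names), here is a small Python audit that checks a release workflow and a requirements file for the lessons above: CI actions pinned to a moving tag or branch instead of a commit SHA, a long-lived publishing token handed to a build step with no narrowed permissions block, and dependencies installed without an exact version and hash. The workflows, requirements files, commit SHAs and digests are constructed placeholders, and the regex-based parsing is a deliberate simplification rather than a full YAML parser.

```python
import re

# Constructed sample with the mutable-trust shape the newsletter warns about:
# tags and branches can be moved by whoever controls, or compromises, upstream.
WEAK_WORKFLOW = """\
on: [push]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}
"""

# Constructed hardened counterpart. The SHAs are placeholders, not real commits:
# in a real repository resolve each tag to its commit and pin that.
HARDENED_WORKFLOW = """\
on: [push]
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write  # short-lived OIDC token for PyPI trusted publishing
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - uses: pypa/gh-action-pypi-publish@0123456789abcdef0123456789abcdef01234567
"""

# Constructed requirements files; versions and digests are placeholders.
WEAK_REQUIREMENTS = "litellm>=1.0\nrequests\n"
HARDENED_REQUIREMENTS = """\
litellm==1.0.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
requests==2.32.0 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
SECRET_RE = re.compile(r"^\s*(password|token|api[-_]?key):\s*\$\{\{\s*secrets\.", re.I)

def unpinned_actions(workflow_text):
    """Return (line, ref) for every `uses:` not pinned to a full commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # not a step, or a local/image reference (out of scope here)
        _, at, version = m.group(1).partition("@")
        if not at or not SHA_RE.match(version):
            findings.append((lineno, m.group(1)))
    return findings

def missing_permissions(workflow_text):
    """True when the workflow never narrows the default GITHUB_TOKEN permissions."""
    return re.search(r"^\s*permissions:", workflow_text, re.M) is None

def long_lived_secrets(workflow_text):
    """Return (line, text) for credential inputs fed from repository secrets."""
    return [(n, line.strip()) for n, line in enumerate(workflow_text.splitlines(), 1)
            if SECRET_RE.match(line)]

def _logical_lines(text):
    """Yield (first_line, requirement) with comments stripped and continuations joined."""
    parts, first = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        first = first or lineno
        if line.endswith("\\"):
            parts.append(line[:-1])
            continue
        joined = " ".join(parts + [line]).strip()
        if joined:
            yield first, joined
        parts, first = [], None

def unhashed_requirements(req_text):
    """Return (line, name) for requirements lacking an exact version and a hash."""
    findings = []
    for lineno, req in _logical_lines(req_text):
        if req.startswith("-"):  # pip options such as -r or --index-url
            continue
        name = re.split(r"[<>=!~\s\[;@]", req, maxsplit=1)[0]
        if "==" not in req or "--hash=" not in req:
            findings.append((lineno, name))
    return findings

def audit(workflow_text, req_text):
    """Collect every finding as a readable line; an empty list means clean."""
    report = [f"workflow:{n}: {ref} is not pinned to a commit SHA"
              for n, ref in unpinned_actions(workflow_text)]
    if missing_permissions(workflow_text):
        report.append("workflow: no permissions block, GITHUB_TOKEN keeps its default scope")
    report += [f"workflow:{n}: long-lived secret in '{t}'" for n, t in long_lived_secrets(workflow_text)]
    report += [f"requirements:{n}: {name} has no version and hash pin"
               for n, name in unhashed_requirements(req_text)]
    return report
```

Calling audit(WEAK_WORKFLOW, WEAK_REQUIREMENTS) reports seven findings (three unpinned actions, no permissions block, one long-lived secret, two unhashed requirements); the hardened pair reports none. Egress filtering is the one lesson a static check like this cannot verify: that lives in the runner's network policy, not in the workflow file.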
Insight

In Will Larson's book, Crafting Engineering Strategy, he nails why so many executives fail at executing on strategy. However, my experience is that engineering strategies fail for very mundane reasons, the most common of which is that executives assume their strategy will roll itself out. The second most common reason is forgetting to spend time validating the details. Both are...
Insight

It is easy to treat Change Management as a means of controlling the change itself, as if changes were discrete events you could shove into a box on a specific timeline. But change is continuous, it's fluid, and it's much more powerful than any of us can truly control. Systems were changing long before we intervened, and they will continue to change long after we are gone. Surfers...
Insight

Platform engineering boils down to consistently delivering positive results on high impact internal projects. Good platform engineering initiatives are measurable and improve the wellbeing of the team (and by extension the organization). To pull this off, platform engineers follow a process: observe and identify real problems; develop a hypothesis; execute on a plan that includes...