Posts

Most people know BuildKit as the thing that makes docker build fast. But BuildKit is a general-purpose build framework with a programmable architecture that can produce any artifact, not just container images. Here's how it works and how I used it to build Alpine APK packages.

The kernel CNA now assigns CVEs to almost every bug fix but refuses to score them. Manual triage can't scale; blind patching causes update fatigue. bootc (bootable containers) reconciles both: atomic updates, environmental triage by design, and patch-as-policy.

Agents are non-deterministic. Security assumed determinism. Sandboxing and isolation aren't just for AI; they're the only path when we can't policy our way out.

In the age of AI agents, we're not just shifting left for humans. We're shifting left so agents can run and trust CI themselves. That means local CI that's fast enough to iterate on.

Why the shift to 'post-agentic' workflows is inevitable, and how the economics of cheap intelligence is fundamentally changing how we build software.

Reflecting on my initial assumptions about AI agent security, filesystem isolation, and why simplicity often beats over-engineering.