10 July 2026
freebsd
security
containers
openssh
The third and last of Boring on Purpose. When regreSSHion
landed in July 2024, FreeBSD corrected six branches in
five minutes and forty seconds under one advisory;
Linux fleets got a week of scattered ones. That gap is where
the bug lives too: the November 2025 runc break-outs happened
in the seam between kernel, namespaces and runtime,
each part individually correct. One tree leaves no gap to hide
in. Security Review ⊣ Boring on Purpose, 3 of 3.
8 July 2026
softwarearchitecture
sqlite
unix
freebsd
The fourth and last of the four breaks, and the close of the
diagnosis. Layering was built to bound complexity,
then quietly shifted to postponing the look beneath
it, so the thing below leaks up and you carry the layer and
the thing at once. Lehman's law explains the tower:
complexity accrues, reduction is unfunded. The counter-proof
is the code allowed to finish, SQLite in one file on
four billion phones, plus awk, sed, make and pf. Lean
Software ⊣ How We Got Here, 5 of 18.
6 July 2026
bsd
freebsd
openbsd
netbsd
Second of four portraits of the Unix family. The
certified Unixes shared a word; the BSDs share
a code lineage. Four siblings forked from one Berkeley
source and each stayed whole: FreeBSD, whose
jails shipped containers in 2000; OpenBSD,
which gave the world OpenSSH; NetBSD, which
runs anywhere; DragonFly, with HAMMER2. They
forked without fragmenting because each inherited a
base system, one source tree. Unix Universe
⊣ The Unix Family, 2 of 4.
5 July 2026
philosophy
ai
liability
ownership
First of three Sundays on what we can no longer read. At three
in the morning a service breaks and git blame names a colleague
who only pressed accept. You can read the line, not where it
came from; the model cannot be forked or called to account.
Only 21% think AI will ever write secure code unwatched.
AB 316 and the EU's Product Liability Directive make the shipper
liable regardless. Acceptance is not authorship.
IT Philosophy ⊣ The Weight You Cannot Read, 1 of 3.
3 July 2026
freebsd
security
linux
ebpf
The second of three Fridays on a dependable server OS.
eBPF lets you load a program the kernel runs in
Ring 0; one static analyser, the verifier,
stands guard, and about 68% of eBPF vulnerability
classes are the memory-safety bugs it exists to stop.
The kernel now ships unprivileged eBPF off by default,
its own verdict. DTrace gives the same
trace, built so the dangerous program cannot be formed.
A verifier can have a bug; a missing capability cannot.
Security Review ⊣ Boring on Purpose, 2 of 3.