This episode of Ship It Weekly is about the interface layer becoming the story. Brian covers Amazon S3 Files and why it feels more like a managed filesystem layer in front of S3 than “S3 is EFS now,” including how it relates to the old s3fs and FUSE-style approach. He also digs into 36 malicious npm packages posing as Strapi plugins, the uglier follow-on to the Trivy incident he discussed previously, Kubernetes Ingress2Gateway 1.0 and the push toward Gateway API, and Kubernetes Agent Sandbox as a sign that newer AI-style workloads are starting to reshape the platform itself.

Links

Amazon S3 Files

https://aws.amazon.com/blogs/aws/launching-s3-files-making-s3-buckets-accessible-as-file-systems/

Malicious npm packages posing as Strapi plugins

https://thehackernews.com/2026/04/36-malicious-npm-packages-exploited.html

Trivy follow-on incident discussion

https://github.com/aquasecurity/trivy/discussions/10425

RoseSecurity on Trivy / typosquatting angle

https://rosesecurity.dev/2026/03/20/typosquatting-trivy.html

Earlier episode covering the first Trivy incident

https://www.tellerstech.com/ship-it-weekly/aws-bahrain-uae-data-center-issues-amid-iran-strikes-argocd-vs-flux-gitops-failures-github-actions-hackerbot-claw-attacks-trivy-roguepilot-codespaces-prompt-injection-block-ai-remake/

Kubernetes Ingress2Gateway 1.0

https://kubernetes.io/blog/2026/03/20/ingress2gateway-1-0-release/

Kubernetes Agent Sandbox

https://kubernetes.io/blog/2026/03/20/running-agents-on-kubernetes-with-agent-sandbox/

Fortinet FortiClient EMS emergency patch

https://www.fortiguard.com/psirt/FG-IR-26-099

Karpathy post

https://x.com/karpathy/status/2036487306585268612

ProofShot

https://github.com/AmElmo/proofshot

More episodes and show notes

https://shipitweekly.fm

On Call Briefs

https://oncallbrief.com

This is a guest conversation episode of Ship It Weekly, separate from the weekly news recaps.

In this Ship It: Conversations episode, I talk with David Chute, founder and CEO of Roadie, about internal developer portals, Backstage, automation, and how IDPs may evolve as AI agents become more common in engineering workflows.

We talk about the difference between a platform and a portal, the three common problems IDPs usually try to solve, why discoverability tends to be the first pain teams feel, and why a lot of orgs should start with automation before trying to perfect a service catalog. We also get into self-hosted Backstage vs managed options, and how teams should think about adoption, data models, and time to value.

The bigger theme is the one I found most interesting: IDPs may be shifting away from dashboard-heavy “single pane of glass” thinking and toward becoming context layers for workflows, terminals, and eventually agents.

Highlights

• The difference between an internal developer platform and an internal developer portal

• The three common IDP problem areas: discoverability, automation, and guardrails

• Why discoverability is usually the first pain teams feel

• Why adoption is often more of a human problem than a technical one

• Catalog completeness vs team ownership

• Why a lot of teams should start with automation first

• Self-hosted Backstage vs SaaS tradeoffs: extensibility, control, lock-in, and time to value

• Why IDPs may move from dashboards to context delivery for humans and agents

• Why AI helps teams build faster, but does not solve the problem of building the right thing

• David’s advice for platform and DevEx teams: talk to your internal users first

David’s links

• LinkedIn: https://www.linkedin.com/in/davidtuite/

Roadie / Backstage

• Roadie: https://roadie.io/

• Backstage: https://backstage.io/

Stuff mentioned

• Workday

• Backstage

• GitHub

• GitLab

• Bitbucket

• Azure DevOps

• Argo CD

• LaunchDarkly

• CircleCI

• DORA metrics

• MCP-style context for agents

Our links

More episodes + show notes + links: https://shipitweekly.fm

On Call Brief: https://oncallbrief.com

This episode of Ship It Weekly is about the quiet platform work that keeps things safe before they break. Brian covers GitHub Actions hardening in Kubernetes-related repos, Airbnb’s safer config rollouts, Cloudflare’s zero-downtime Rust restarts, Amazon ECS Managed Daemons, and HCP Terraform access controls with IP allow lists and temporary AWS permission delegation.

Links

GitHub Actions security roadmap

https://github.blog/news-insights/product-news/whats-coming-to-our-github-actions-2026-security-roadmap/

Airbnb config rollouts

https://medium.com/airbnb-engineering/safeguarding-dynamic-configuration-changes-at-scale-5aca5222ed68

Cloudflare graceful restarts for Rust

https://blog.cloudflare.com/ecdysis-rust-graceful-restarts/

Amazon ECS Managed Daemons

https://aws.amazon.com/about-aws/whats-new/2026/04/amazon-ecs-managed-daemons/

HCP Terraform IP allow lists

https://www.hashicorp.com/blog/hcp-terraform-adds-ip-allow-list-for-terraform-resources

HCP Terraform AWS permission delegation

https://www.hashicorp.com/blog/aws-permission-delegation-now-generally-available-in-hcp-terraform

GitHub secret scanning updates

https://github.blog/changelog/2026-03-10-secret-scanning-pattern-updates-march-2026/

GitHub secret scanning for AI coding agents

https://github.blog/changelog/2026-03-31-secret-scanning-extends-to-ai-coding-agents-via-the-github-mcp-server/

Codespaces GA with data residency

https://github.blog/changelog/2026-04-01-codespaces-is-now-generally-available-for-github-enterprise-with-data-residency

Kubernetes v1.36 sneak peek

https://kubernetes.io/blog/2026/03/30/kubernetes-v1-36-sneak-peek/

GKE Inference Gateway

https://cloud.google.com/kubernetes-engine/docs/concepts/about-gke-inference-gateway

More episodes and show notes

https://shipitweekly.fm

On Call Briefs

https://oncallbrief.com