🔥 What Everyone Is Ranting About (2026-03-25)
Data sources: 68 RSS feeds; 1064 items scanned in total, of which 292 items from the last 48h were selected.
I. Hidden-gem tech blogs worth reading today
1. Malware Package Firewall: Block Threats Before They Hit Your Code | Blog | Endor Labs
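- Source: Endor Labs Blog
- Related interests: software-engineering, open-source, supply-chain-security, ai-ml
- Link: https://www.endorlabs.com/learn/best-malware-package-firewall
- Summary: A malware package firewall can stop malicious open-source code from entering a system before it is installed. The article compares 5 mainstream tools on detection accuracy, coverage, and developer fit.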
2. Krita 5.3.0 and 6.0.0 released
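- Source: LWN.net
- Related interests: software-engineering, ai4se, ai-ml, devops-infra
- Link: https://lwn.net/Articles/1064477/
- Summary: The Krita project has released versions 5.3.0 and 6.0.0. They are the result of years of work by the Krita developers: some features were rewritten from scratch and others appear for the first time. The all-new text feature supports on-canvas editing, full OpenType support, and text flowing into shapes; creating vector comic panels is easier than before. The tools were extended as well: the fill tool can now close gaps automatically, the transform tool's liquify mode is much faster, and filters such as color propagation and reset have been added.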
3. Spring News Roundup: Third Milestone Releases of Boot, Security, Integration, AI and AMQP
- Source: InfoQ Architecture
- Related interests: software-engineering, open-source, supply-chain-security, devops-infra
- Link: https://www.infoq.com/news/2026/03/spring-news-roundup-mar16-2026/?utm_campaign=infoq_content&utm_source=infoq&utm_medium=feed&utm_term=Architecture+%26+Design
- Summary: InfoQ news roundup: the Spring ecosystem saw a dense run of releases in the week of March 16, 2026, including the third milestone releases of Boot, Security, Integration, AI and AMQP. The activity reflects the Spring projects' continued push on cloud-native and AI integration.
4. WebAssembly could solve AI agents’ most dangerous security gap
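- Source: The New Stack
- Related interests: open-source, supply-chain-security, ai4se
- Link: https://thenewstack.io/webassembly-sandboxing-ai-agents/
- Summary: Code generated by AI agents poses an often-overlooked threat: an agent may generate unchecked, potentially lethal commands. A WebAssembly sandbox can close this most dangerous security gap by isolating AI-generated code for execution in a safe, lightweight environment.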
5. IBM, Red Hat, and Google just donated a Kubernetes blueprint for LLM inference to the CNCF
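- Source: The New Stack
- Related interests: ai4se, ai-ml, devops-infra
- Link: https://thenewstack.io/llm-d-cncf-kubernetes-inference/
- Summary: The combination of Kubernetes and AI has officially arrived: llm-d is a reusable Kubernetes blueprint for deploying an inference stack for any LLM. IBM, Red Hat and Google have donated it to the CNCF, an important step toward standardizing large-scale AI inference infrastructure.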
6. TeamPCP Isn’t Done: Threat Actor Behind Trivy and KICS Compromises Now Hits LiteLLM’s 95 Million Monthly Downloads on PyPI | Blog | Endor Labs
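- Source: Endor Labs Blog
- Related interests: supply-chain-security, ai4se, devops-infra
- Link: https://www.endorlabs.com/learn/teampcp-isnt-done
- Summary: The two backdoored litellm versions (1.82.7 and 1.82.8) carried a full credential stealer, a Kubernetes lateral-movement toolkit, and a persistent backdoor, making this a serious software supply chain attack.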
7. Helping developers build safer AI experiences for teens
- Source: OpenAI News
- Related interests: software-engineering, open-source, ai-ml
- Link: https://openai.com/index/teen-safety-policies-gpt-oss-safeguard
- Summary: OpenAI has released prompt-based teen safety policies for developers using gpt-oss-safeguard, to help mitigate age-specific risks in AI systems.
8. Streaming experts
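- Source: Simon Willison
- Related interests: software-engineering, open-source, ai4se
- Link: https://simonwillison.net/2026/Mar/24/streaming-experts/#atom-everything
- Summary: Simon Willison reports on Dan Woods's "streaming experts" experiment: by streaming the expert weights needed for each token on demand from SSD, large MoE models can run on hardware with insufficient memory. Five days ago Dan ran Qwen3.5-397B-A17B in 48GB of RAM; now @seikixtc has successfully run the trillion-parameter Kimi K2.5 (32B active weights) in 96GB of RAM on an M2 Max.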
9. Four prompt engineering patterns every developer should know - and why “draw a cat” explains them all
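- Source: The New Stack
- Related interests: software-engineering, ai4se, ai-ml
- Link: https://thenewstack.io/prompt-engineering-for-developers/
- Summary: Using the simple "draw a cat" example, this The New Stack article systematically explains four prompt engineering patterns every developer must know, to help readers understand how to work with LLMs more effectively.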
10. Software Supply Chain Security: Why SCA Alone Falls Short | Blog | Endor Labs
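- Source: Endor Labs Blog
- Related interests: software-engineering, open-source, supply-chain-security
- Link: https://www.endorlabs.com/learn/best-software-supply-chain-security-tools
- Summary: Software supply chain security protects the entire development lifecycle against potential compromise in third-party libraries, build tools and CI/CD pipelines. Endor Labs offers a systematic approach along three dimensions: tool comparison, risk quantification, and management process.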
11. Microsoft Xbox One Hacked
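- Source: Schneier on Security
- Related interests: software-engineering, open-source, supply-chain-security
- Link: https://www.schneier.com/blog/archives/2026/03/microsoft-xbox-hacked.html
- Summary: Schneier reports that the Xbox One (released more than a decade ago) has been successfully hacked. Because a reset glitch was not feasible, the hackers used a voltage glitch attack that momentarily collapses the CPU voltage rail, which led to the Bliss exploit. The whole effort required developing entirely new hardware introspection tools without being able to "see" inside the hardware, a milestone in hardware security research.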
12. Software Supply Chain Security: How to Manage Risk at Scale | Blog | Endor Labs
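- Source: Endor Labs Blog
- Related interests: open-source, supply-chain-security
- Link: https://www.endorlabs.com/learn/supply-chain-management-in-software-companies
- Summary: Supply chain management in software companies requires protecting code, dependencies and the build process. Endor Labs compares 5 security solutions that can reduce alert noise by 95% while maintaining coverage.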
13. Best Software Supply Chain Security Tools for AppSec Teams | Blog | Endor Labs
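- Source: Endor Labs Blog
- Related interests: open-source, supply-chain-security
- Link: https://www.endorlabs.com/learn/best-software-supply-chain-security-tools-a816d
- Summary: Software supply chain security tools detect and remediate vulnerabilities in dependencies. The article compares 7 top platforms, focusing on reachability analysis capability and alert noise reduction.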
14. Firefox 149.0 released
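- Source: LWN.net
- Related interests: software-engineering, ai4se
- Link: https://lwn.net/Articles/1064537/
- Summary: Firefox 149.0 has been released with new features such as split view (viewing two web pages side by side) and a built-in VPN for browser traffic only. More improvements await users as well.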
15. Sandboxing AI agents, 100x faster
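- Source: Cloudflare Blog
- Related interests: ai4se, devops-infra
- Link: https://blog.cloudflare.com/dynamic-workers/
- Summary: Cloudflare introduces Dynamic Workers, which execute AI-generated code in secure, lightweight isolates. Compared with traditional containers the approach is 100x faster, with millisecond startup, and is designed for sandboxing AI agents.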
16. Beginner could use some advice, thank you!
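- Source: Reddit SelfHosted
- Related interests: open-source, supply-chain-security, ai4se, ai-ml
- Link: https://www.reddit.com/r/selfhosted/comments/1s2kbq5/beginner_could_use_some_advice_thank_you/
- Summary: A self-hosting beginner asks for help: he wants to escape the "own nothing and be happy" future and build a home lab to store and play video, music and photos (Jellyfin/Plex, Immich). He needs from-scratch deployment guidance, especially advice on configuring networking and automated CI/CD.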
17. GitHub Action SSH failed to my Home Server.
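- Source: Reddit SelfHosted
- Related interests: software-engineering, open-source, ai4se, devops-infra
- Link: https://www.reddit.com/r/selfhosted/comments/1s2hqe9/github_action_ssh_failed_to_my_home_server/
- Summary: The user has packaged the product as a Docker image and wants a CI/CD flow of "Push → Actions build → push to Docker Hub → SSH to the home server → docker compose up -d". But the GitHub Actions servers are on the public internet and cannot SSH directly back into the internal network, so a workable tunneling solution is needed (for example Tailscale, Cloudflare Tunnel or a VPN).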
18. [NousResearch/hermes-agent] [Feature]: /Personality doesn’t show currently selected personality
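- Source: GitHub Trending Issues
- Related interests: software-engineering, open-source, ai4se
- Link: https://github.com/NousResearch/hermes-agent/issues/2887
- Summary: A feature improvement proposed for NousResearch/hermes-agent: typing /personality with no argument currently shows only the list of available personalities and does not make clear which one is currently active. A user-experience detail that still needs polishing.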
19. [NousResearch/hermes-agent] [Bug]: 'NoneType' object has no attribute 'strip'
- Source: GitHub Trending Issues
- Related interests: software-engineering, open-source, ai4se
- Link: https://github.com/NousResearch/hermes-agent/issues/2886
- Summary: After the hermes-agent 0.40 update, local models and OpenRouter models all stopped working, with the error 'NoneType' object has no attribute 'strip'. This is a blocking regression that needs to be fixed as soon as possible.
20. [supermemoryai/supermemory] Dashboard: JSON parse error on ‘Total memories stored’ display
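- Source: GitHub Trending Issues
- Related interests: software-engineering, open-source, ai4se
- Link: https://github.com/supermemoryai/supermemory/issues/802
- Summary: The "Total memories stored" card on the Supermemory dashboard shows a JSON parse error (Unexpected non-whitespace character after JSON). The bug affects data visualization and has been traced to the format of the backend response.
II. What everyone is ranting about today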
1. 360 billion tokens, 3 million customers, 6 engineers
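- Source: Vercel Blog
- Rant heat score: 22
- Link: https://vercel.com/blog/360-billion-tokens-3-million-customers-6-engineers
- Summary: Vercel guest post: Durable ships new production-grade agents to customers within a day. Its AI features process about 1.1 billion tokens per day (360 billion per year), every engineer, product manager and designer gets 10x leverage, and infrastructure costs are 3-4x lower than building in-house. Durable's goal is to make "owning a business easier than having a job", because the obstacle is friction, not ambition.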
2. Cybersecurity statistics of the week (March 16th - March 22nd)
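- Source: Reddit cybersecurity
- Rant heat score: 19
- Link: https://www.reddit.com/r/cybersecurity/comments/1s2mhhh/cybersecurity_statistics_of_the_week_march_16th/
- Summary: A Reddit user shares a weekly cybersecurity statistics roundup, collecting vendor reports and research from March 16-22. Ahead of the RSA conference the number of reports has surged, covering key topics such as the 2026 global threat landscape.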
3. Meet the 2026 Vercel AI Accelerator Cohort
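- Source: Vercel Blog
- Rant heat score: 17
- Link: https://vercel.com/blog/2026-vercel-ai-accelerator-cohort
- Summary: The 2026 Vercel AI Accelerator has selected 39 early-stage teams for six weeks of building across the US, Europe, Asia and Latin America. A new generation of AI startups is building on Vercel's self-driving infrastructure; these teams span many industries and all have a clear view of why something new needs to exist and why it is urgent.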
4. SERHANT.’s playbook for rapid AI iteration
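- Source: Vercel Blog
- Rant heat score: 15
- Link: https://vercel.com/blog/serhants-playbook-for-rapid-ai-iteration
- Summary: SERHANT.'s VP of Engineering shares its rapid AI iteration strategy: building on Vercel Next.js to expand quickly to a React Native iOS app, with engineers focused on AI design rather than platform plumbing; orchestrating OpenAI, Claude and Gemini per task to optimize the cost/output ratio; and scaling from an internal pilot to 800-900+ real estate agents without rewriting the backend.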
5. Chat SDK brings agents to your users
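- Source: Vercel Blog
- Rant heat score: 15
- Link: https://vercel.com/blog/chat-sdk-brings-agents-to-your-users
- Summary: An internal challenge at Vercel: how to multiply output? Employees created a large number of agents, at first building a separate interface for each one, but soon hit a limit: users wanted to interact with agents directly in existing tools such as Slack. Chat SDK was born as a result, bringing agents directly into users' workflows.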
6. Malicious litellm_init.pth in litellm 1.82.8 - credential stealer
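- Source: Simon Willison
- Rant heat score: 14
- Link: https://simonwillison.net/2026/Mar/24/malicious-litellm/#atom-everything
- Summary: Urgent notice from Simon Willison: LiteLLM v1.82.8 on PyPI was backdoored, using a litellm_init.pth file to hide a credential stealer in base64 that triggers on installation alone (no import needed). 1.82.7 has a similar vulnerability. The attack targets developer environments and is a serious supply chain security incident.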
7. MailVoyage: Open-Source Privacy-First Email Client with Local-Only Operations (Self-Hostable Alternative to Gmail, Proton Mail & Thunderbird)
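- Source: Reddit SelfHosted
- Rant heat score: 13
- Link: https://www.reddit.com/r/selfhosted/comments/1s2q9un/mailvoyage_opensource_privacyfirst_email_client/
- Summary: The Reddit open-source community shares MailVoyage: a privacy-first open-source email client in which all operations (delete, archive, star, etc.) are performed only locally and do not modify the original mail on the server. Sensitive data is encrypted in the browser with AES-256-GCM before being stored in IndexedDB. It can serve as a self-hosted alternative to Gmail/ProtonMail/Thunderbird.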
8. What COVID did to our forecasting models (and what we built to handle the next shock)
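- Source: Airbnb Tech Blog
- Rant heat score: 13
- Link: https://medium.com/airbnb-engineering/what-covid-did-to-our-forecasting-models-and-what-we-built-to-handle-the-next-shock-ccbf0e1f7fa9?source=rss----53c7c27702d5---4
- Summary: Airbnb engineering blog: how the pandemic broke their existing booking forecasting models, and how they rebuilt a resilient system able to withstand the next global shock. The core challenge was an abrupt shift in the lead-time distribution: people's expectations about when they would travel went from a steady state to high uncertainty.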
9. Build knowledge agents without embeddings
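- Source: Vercel Blog
- Rant heat score: 12
- Link: https://vercel.com/blog/build-knowledge-agents-without-embeddings
- Summary: Vercel proposes an embedding-free knowledge agent architecture: the traditional pipeline (vector store + chunking + embedding + tuning) often yields unexplainable retrieval results. The new approach uses finer-grained indexing and structured data so the agent can extract specific values precisely rather than only semantically similar ones.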
10. Nextcloud desktop client has been a nightmare on macOS - looking for alternatives
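- Source: Reddit SelfHosted
- Rant heat score: 11
- Link: https://www.reddit.com/r/selfhosted/comments/1s2pudu/nextcloud_desktop_client_has_been_a_nightmare_on/
- Summary: A macOS user vents about the Nextcloud desktop client: after the v33 auto-update it wiped all credentials, and old and new versions running at the same time hammered the server with authentication attempts, triggering a rate-limit lockout. The client management experience is very poor and the user is looking for alternatives.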
11. Need some help deploying qBittorrent+VPN for my arr setup
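- Source: Reddit SelfHosted
- Rant heat score: 11
- Link: https://www.reddit.com/r/selfhosted/comments/1s2hq8o/need_some_help_deploying_qbittorrentvpn_for_my/
- Summary: A TrueNAS SCALE user asks the self-hosting community for help: Seerr, Radarr, Sonarr and Profilarr are already deployed, but they are stuck configuring qBittorrent+VPN and it feels like performing a "dark digital ritual". They need proper guidance on Docker networking and VPN tunneling.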
12. This Trivy Compromise is Insane.
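- Source: Reddit DevOps
- Rant heat score: 11
- Link: https://www.reddit.com/r/devops/comments/1s1ygvn/this_trivy_compromise_is_insane/
- Summary: Reddit DevOps takes a deep look at the Trivy supply chain attack: the attacker submitted a seemingly harmless CI workflow change (only 14 lines, mostly quote and whitespace changes), two lines of which quietly replaced the actions from "checkout" with "run: bash -c ’…”", so that malicious code ran in the CI stage. This is a classic "code review fatigue" attack.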
13. mcp-scan: open-source security scanner for MCP (Model Context Protocol) server configs
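- Source: Reddit cybersecurity
- Rant heat score: 10
- Link: https://www.reddit.com/r/cybersecurity/comments/1s2r0w1/mcpscan_opensource_security_scanner_for_mcp_model/
- Summary: MCP servers have full file system and network access, yet most people do not audit what they actually run when installing them. mcp-scan detects MCP configurations in 10 AI tool clients and runs 13 security scanners: leaked secrets and API keys (regex + entropy analysis), known CVEs, dangerous permission patterns, transport security (HTTP vs HTTPS), supply chain risk (typosquatting, registration verification), tool poisoning and capability injection.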
14. Security updates for Tuesday
- Source: LWN.net
- Rant heat score: 10
- Link: https://lwn.net/Articles/1064474/
- Summary: Security updates have been issued by Debian (strongswan and vlc), Fedora (cmake, giflib, and python-diskcache), SUSE (curl, docker-stable, freeciv, freerdp, freerdp2, freetype2, go1.25-openssl, go1.26-openssl, GraphicsMagick, gvfs, harfbuzz, kernel, lemon, libpng16, librsvg, libsodium, libsoup, net-snmp, protobuf, python-Authlib, python-maturin, python-tornado6, python310, python311-pypdf, python311-PyPDF2, python314, python39, rust-keylime, strongswan, systemd, ucode-intel, util-linux, and vim), and Ubuntu (gvfs, linux-aws-6.8, linux-azure, linux-azure, linux-azure-4.15, linux-azure-fips, lin
15. Spotting issues in DeFi with dimensional analysis
- Source: Trail of Bits Blog
- Rant heat score: 10
- Link: https://blog.trailofbits.com/2026/03/24/spotting-issues-in-defi-with-dimensional-analysis/
- Summary: Using dimensional analysis, you can categorically rule out a whole category of logic and arithmetic bugs that plague DeFi formulas. No code changes required, just better reasoning! One of the first lessons in physics is learning to think in terms of dimensions. Physicists can often spot a flawed formula in seconds just by checking whether the dimensions make sense. I once had a teacher who even kept a stamp that said “non-homogeneous formula” for that purpose (and it was used a lot on students’ work). Developers can use the same approach to spot incorrect arithmetic in smart cont
III. Issue signals from GitHub Trending projects
1. [NousResearch/hermes-agent] [Bug]: Local STT crashes with RuntimeError on systems without system-wide CUDA 12 libs (WSL2, venv-only CUDA)
- Source: GitHub Trending Issues
- Link: https://github.com/NousResearch/hermes-agent/issues/2885
- Details: comments=0; labels=bug
- Summary: labels=bug; comments=0; author=hiro-volforto
2. [FujiwaraChoki/MoneyPrinterV2] Bare except clause in YouTube upload_video() swallows all errors
- Source: GitHub Trending Issues
- Link: https://github.com/FujiwaraChoki/MoneyPrinterV2/issues/182
- Details: comments=0; labels=(none)
- Summary: labels=(none); comments=0; author=Hi-Gaurav
3. [aquasecurity/trivy] bug(misconf): panic in Terraform Plan JSON parser when resource changes are missing
- Source: GitHub Trending Issues
- Link: https://github.com/aquasecurity/trivy/issues/10399
- Details: comments=0; labels=kind/bug, scan/misconfiguration
- Summary: labels=kind/bug, scan/misconfiguration; comments=0; author=nikpivkin
4. [pascalorg/editor] Problems encountered during Gable Roof drawing
- Source: GitHub Trending Issues
- Link: https://github.com/pascalorg/editor/issues/162
- Details: comments=3; labels=(none)
- Summary: labels=(none); comments=3; author=boqiwen
5. [Crosstalk-Solutions/project-nomad] [Bug]: Dependency mysql failed to start
- Source: GitHub Trending Issues
- Link: https://github.com/Crosstalk-Solutions/project-nomad/issues/511
- Details: comments=3; labels=bug
- Summary: labels=bug; comments=3; author=BubbaGeek15
6. [Crosstalk-Solutions/project-nomad] [Bug]:
- Source: GitHub Trending Issues
- Link: https://github.com/Crosstalk-Solutions/project-nomad/issues/524
- Details: comments=2; labels=bug
- Summary: labels=bug; comments=2; author=dhardison
7. [supermemoryai/supermemory] Dashboard: JSON parse error on ‘Total memories stored’ display
- Source: GitHub Trending Issues
- Link: https://github.com/supermemoryai/supermemory/issues/802
- Details: comments=1; labels=(none)
- Summary: The "Total memories stored" card on the Supermemory dashboard shows a JSON parse error (Unexpected non-whitespace character after JSON). The bug affects data visualization and has been traced to the format of the backend response.
8. [hsliuping/TradingAgents-CN] [BUG]
- Source: GitHub Trending Issues
- Link: https://github.com/hsliuping/TradingAgents-CN/issues/654
- Details: comments=1; labels=bug
- Summary: labels=bug; comments=1; author=w13695022409-netizen
9. [aquasecurity/trivy] bug: SeveritySource is empty when severity falls back to top-level Severity field from trivy-db
- Source: GitHub Trending Issues
- Link: https://github.com/aquasecurity/trivy/issues/10409
- Details: comments=1; labels=kind/bug, scan/vulnerability
- Summary: labels=kind/bug, scan/vulnerability; comments=1; author=DmitriyLewen
10. [Crosstalk-Solutions/project-nomad] [Bug]: gpg as a dependency to install the NVIDIA container toolkit
- Source: GitHub Trending Issues
- Link: https://github.com/Crosstalk-Solutions/project-nomad/issues/522
- Details: comments=0; labels=bug
- Summary: labels=bug; comments=0; author=Brenex
IV. Major product incidents / issue radar
1. Network Performance Issues in Osaka, Japan datacenter (KIX)
- Source: Cloudflare Status
- Link: https://www.cloudflarestatus.com/incidents/bt3kxrzssk2h
- Summary: Mar 24, 18:32 UTC Resolved - This incident has been resolved. Mar 24, 18:13 UTC Identified - Cloudflare is investigating issues with Network Performance in Osaka, Japan datacenter (KIX). We are working to analyze and mitigate this problem. More updates to follow shortly.
2. Disruption with some GitHub services
- Source: GitHub Status
- Link: https://www.githubstatus.com/incidents/kp06czybl7dw
3. Trivy supply chain compromise: What Docker Hub users should know
- Source: Docker Blog
- Link: https://www.docker.com/blog/trivy-supply-chain-compromise-what-docker-hub-users-should-know/
- Summary: Posted Mar 23, 2026 by Mark Lechner. We wanted to provide you information about a security incident that we became aware of that affects customers who use the Aqua Security Vulnerability scanner (Trivy) across multiple distribution channels including Docker Hub, GitHub, and npm. Between 18:24 UTC on March 19, 2026 and 01:36 UTC on March 23, 2026, Docker Hub customers who pulled the Trivy images with the 0.69.4, 0.69.5, 0.69.6, and latest tags may have had their CI/CD secrets, cloud credentials, SSH keys, and Docker configurations
4. Teams Github Notifications App is down
- Source: GitHub Status
- Link: https://www.githubstatus.com/incidents/z7gsp4wd05c5
5. Elevated Errors Loading Deployments on Dashboard
- Source: Vercel Status
- Link: https://www.vercel-status.com/incidents/wlpkbhxlkxqf
- Summary: Mar 24, 16:31 UTC Resolved - This incident has been resolved. Mar 24, 16:14 UTC Monitoring - A fix has been implemented and we are monitoring the results. Mar 24, 15:19 UTC Investigating - We are currently investigating reports of elevated error rates loading the Deployment Overview on the Vercel Dashboard. Existing deployments and live traffic are not affected by this issue. We will share updates as they become available.
6. Building AI-powered GitHub issue triage with the Copilot SDK
- Source: GitHub Blog
- Link: https://github.blog/ai-and-ml/github-copilot/building-ai-powered-github-issue-triage-with-the-copilot-sdk/
- Summary: Andrea is a Senior Developer Advocate at GitHub with over a decade of experience in developer tools. She combines technical depth with a mission to make advanced technologies more accessible. After transitioning from Army service and construction management to software development, she brings a unique perspective to bridging complex engineering concepts with practical implementation. She lives in Florida with her Welsh partner, two sons, and two dogs, where she continues to drive innovation and support open source through GitHub’s global initiatives. Find her online @acolombiadev.
7. Elevated errors creating Vercel Functions in sin1 (Singapore)
- Source: Vercel Status
- Link: https://www.vercel-status.com/incidents/p1n63rfd8yvm
- Summary: Mar 24, 05:01 UTC Resolved - This incident has been resolved. Mar 24, 04:40 UTC Monitoring - A fix has been implemented and we are monitoring the results. Mar 24, 03:43 UTC Identified - We are observing elevated errors creating Vercel Functions in the sin1 region. To mitigate errors creating deployments, we have temporarily disabled provisioning new Vercel Functions in this region. Existing deployments and live traffic are not affected by this issue. We will share updates as they become available.
8. Increased HTTP 530 Errors in Atlanta (ATL)
- Source: Cloudflare Status
- Link: https://www.cloudflarestatus.com/incidents/m5zwgfp7yzzf
- Summary: Resolved - This incident has been resolved. Posted Mar 24, 2026 - 17:50 UTC. Monitoring - A fix has been implemented and we are monitoring the results. Posted Mar 23, 2026 - 15:35 UTC. Investigating - Cloudflare is investigating an increased rate of HTTP 530 errors specifically affecting “.cloud” and “.tech” traffic routed through our Atlanta (ATL) data center. We are working to identify the
9. Elevated errors on Claude.ai [retroactive]
- Source: Anthropic Status
- Link: https://status.claude.com/incidents/0kxm85c9w7rw
- Summary: Mar 23, 17:10 UTC Resolved - This incident has been resolved. Mar 23, 17:03 UTC Investigating - Between 9:10 PT / 16:10 UTC and 9:26 PT / 16:26 UTC users saw an elevated rate of errors on Claude.ai. The Claude API was unaffected.
10. HackerOne employee data exposed via 3rd party Navia breach
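- Source: Reddit cybersecurity
- Link: https://www.reddit.com/r/cybersecurity/comments/1s2l2op/hackerone_employee_data_exposed_via_3rd_party/
- Summary: HackerOne-linked employee data was exposed via a breach at third-party provider Navia Benefit Solutions (not HackerOne infra). Navia delayed informing HackerOne for weeks after the breach occurred. Filing with the Maine AG indicates delayed breach notification. More details + links to filing/docs linked. Submitted by /u/raptorhunter22.
V. My take on today
- If what "everyone is ranting about" stays concentrated over the long term on AI coding / agent platforms, RAG document pipelines, inference cost/stability, and developer platform changes, those directions are worth continued tracking.
- If the high-quality hidden-gem blogs keep covering open-source supply chain, engineering reliability, evaluation, and toolchain friction, those will be closer to your research interests.
- A daily digest like this is suited to long-term accumulation; later it can be further abstracted into "the products people were most dissatisfied with in the last 7 days" and "the hidden-gem authors most worth following in the last 30 days".
This report was compiled automatically from RSS feeds.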