Categories

Jacar categories — explore the topics A rocket whose eyes follow your cursor.
Methodologies

SLSA v1.0: a mature framework for the software supply chain

SLSA v1.0 splits software supply-chain security into three tracks (Build, Source, and Dependencies), of which only Build is stabilized, with three levels: L1, L2, and L3. If you build in GitHub Actions, reaching L2 with Sigstore-signed provenance takes a few hours and is the starting point I recommend to any team.

Artificial Intelligence

How to Evaluate a RAG System Without Fooling Yourself

Measuring RAG quality rigorously takes more than skimming a handful of answers: it requires objective metrics (faithfulness, relevance, context precision, and coverage), a golden set of hundreds of curated questions, and regular human validation of the LLM judge to avoid misleading conclusions.

Methodologies

Green Software Principles: A Checklist for Teams

Software is not immaterial: every request and database query consumes electricity with a carbon footprint. The Green Software Foundation encodes eight practical principles to reduce that footprint without rewriting systems. The result is a more efficient service, a lower cloud bill, and readiness for ESG regulation.

Artificial Intelligence

LLM Observability: Traces, Costs, and Quality

LLM applications need three distinct observability planes: prompt and response traces for debugging hallucinations, per-token and per-feature cost tracking, and response quality evaluation. Mature tools like Langfuse, LangSmith, and Helicone cover all three planes with specific instrumentation.

Architecture

Kubecost and OpenCost: Native FinOps in Kubernetes

Kubecost and OpenCost map real costs to namespaces, deployments, and labels in Kubernetes. OpenCost, the Apache 2.0 open-source core, covers essentials for free. Kubecost adds multi-cluster visibility and advanced cloud billing. For clusters spending over $5,000/month the ROI is clear: identified savings typically exceed software cost within the first month.

Methodologies

Alertmanager: Routing That Doesn’t Wake Your Team at 3am

A badly configured Alertmanager turns every incident into noise: a single unrouted receiver ends with an ignored Slack channel within a week. This article covers, on Alertmanager 0.27 and Prometheus 2.54, how to design the routing tree, inhibition rules, silences and on-call rotations to curb alert fatigue without losing real incidents.

Methodologies

Chaos Engineering in Enterprise: Beyond Chaos for Chaos’s Sake

Chaos engineering is the practice of injecting real-world failures into production in a controlled way to verify that the system responds as expected. It requires prior hypotheses, a minimal blast radius, and mature observability. Open-source tools like Litmus and Chaos Mesh make adoption accessible without commercial spend; the ROI comes as avoided incidents and better-prepared teams.

Methodologies

Ansible and Pulumi: Two Automation Philosophies Coexisting

Ansible and Pulumi solve different problems and are not competitors: Ansible manages configuration inside a server (packages, users, services); Pulumi defines, with real code in TypeScript, Python, Go or .NET, which cloud infrastructure exists (VPCs, instances, databases). Combining them, with Pulumi's dynamic inventory feeding Ansible, is the most productive pattern for automating a stack that includes servers in the cloud.

Artificial Intelligence

Retrieval Evaluation Frameworks: Ragas and Similar

Evaluating a RAG system without metrics is pure guesswork. Ragas measures four core signals: faithfulness, answer relevancy, context precision and context recall, using an LLM as judge. TruLens, DeepEval and other frameworks cover similar ground. Wiring evaluation into CI from day one catches regressions in prompts, chunking or model choice before they reach production.

Methodologies

Sigstore in Image Registries: Adoption and Reality

Sigstore has become the standard signing layer for OCI artefacts. GHCR is the best-integrated registry; Harbor 2.5+ and Quay offer native support; AWS ECR pushes its own KMS scheme. Verification earns its keep at three points: the cluster admission controller, the GitOps layer, and the CI/CD pipeline. The public Rekor has rate limits that force self-hosting past a certain build volume.

Methodologies

Observability and SLOs: Error Budgets That Get Met

SLOs and error budgets only work when the budget drives real decisions. A feature freeze that triggers on exhaustion, deploy velocity that adjusts to consumption. With two or three well-chosen SLIs, a clear freeze policy, and simple tools like Prometheus with Sloth, a team can sustainably balance velocity and reliability in production.

Artificial Intelligence

Choosing an Open LLM for Enterprise in 2024

Choosing an open LLM for enterprise in 2024 is no longer just Llama 2: Mistral, Mixtral, Qwen, Yi, DeepSeek, and Phi-2 all compete with different licences and sizes. The criteria that actually decide are commercial licence, available hardware, language support, and your own evaluation on real use cases, not just the trendy benchmark.

Methodologies

Blameless Post-Mortems: How to Actually Improve

Blameless post-mortems are easy to proclaim but hard to execute well. Without genuine blame-free culture, a factual timeline, honest contributor analysis, and action items with a clear owner and deadline, the exercise degenerates into empty ritual that does nothing to prevent the same incidents from recurring.

Architecture

Backstage, Port and Cortex: Three Paths to the IDP

An Internal Developer Platform (IDP) centralises service discovery, provisioning and observability in a single portal, so developers stop depending on stale wikis and Slack channels. Backstage, Port and Cortex dominate the market: Backstage is open source with a dedicated team, Port is fast low-code SaaS, and Cortex focuses on scorecards for measurable technical discipline based on team size.

Methodologies

SaaS Consolidation: When Lock-In Becomes Risk

The SaaS market is consolidating after years of fragmentation: private equity acquisitions, licence changes, and double-digit price hikes have shifted negotiating power toward vendors. A practical framework to audit your exposure, build credible migration pressure, and design exit strategies that work when you actually need them.