
Three Behaviors in One Minor Bump
Authentik 2026.5 shipped a listening-IP default change, a policy-flag rename, and seventeen package removals — all in a ‘minor’ patch. That’s why ADR-0001 promoted Authentik from Tier B to Tier A today.

Authentik 2026.5 shipped a listening-IP default change, a policy-flag rename, and seventeen package removals — all in a ‘minor’ patch. That’s why ADR-0001 promoted Authentik from Tier B to Tier A today.

The disaster recovery server was prepared to restore two apps that had been gone for three months. Nobody noticed until I went looking.

Two of the three May kernel CVEs still don’t have Rocky patches. Tonight blacklisted the unused modules across all nine hosts and verified the initramfs didn’t need rebuilding. Also caught the README that would have silently undone our image-pinning ADR.

A 2026-05-16 rebuild dropped one Linux user on one host. Two nights of backups silently lied about it. Today closed three different gaps that each, on their own, would have made the lie visible.

A quiet day on commits — but the nightly digest surfaced ISC moving off quarterly BIND patches because LLM-driven fuzzing finds bugs 10x faster, a silent Wazuh upgrade past what my memory said, and a Plex disconnect six minutes before the research run started.

Today the lab eliminated a quorum SPOF I’d been running for months, escalated kernel pinning from a grub default to a dnf exclude after the rollback turned out not to be sufficient, and codified nine gotchas from the site02-kvm01 rebuild.

Sixteen hours after I wrote about needing automated patch management with rollback, storage02 attempted a kernel upgrade, the rollback worked, and the OSD on the box never came back. The cluster is at 50% degradation.

Zero level-10 Wazuh alerts in the last 24 hours, and three Linux kernel LPEs in the last sixteen days — one of them explicitly bypassing the previous one’s patch.

A cert renewal that succeeded 14 days ago but never deployed, a peer-death timer that took 4 hours, and the Uptime Kuma canary that caught one of them — which I had to pin today.

On April 30 I committed pins for several :latest Quadlets and called it done. On May 11 an audit found the running containers had never noticed.