Also: Anthropic’s 80% code claim, and Claude’s quiet enterprise share.
As the chart shows, there’s been a huge jump in CVEs for Spring - and that’s the pattern everywhere, not just in Spring.
My employer, Tanzu, has been focusing on this and has changed how it handles these rollouts. Customers can now get early access to the secured builds of Spring so they can deploy them as quickly as possible and close these security holes. You also get clean-room builds of Spring and its dependencies, which is a big change for the better:
Furthermore, Broadcom’s Spring engineering team has significantly scaled its investment in advanced AI-assisted security analysis, including frontier model–based scanning and validation workflows to proactively identify vulnerabilities, assess remediation paths, and validate fixes across the Java dependency tree for Spring. Broadcom announced additional R&D investments to extend its proven clean-room build architecture, foundational to Bitnami, to build the Java dependencies for the entire Spring ecosystem. With this expanded investment in securing the Spring ecosystem and its dependencies, Tanzu Spring customers will have access to:
- Secured, SLSA Level 3–validated software supply chain for Java dependencies.
- Coverage that spans the full transitive dependency graph managed by the Spring Boot bill of materials.
- Thousands of secured dependencies, built and tested across every supported Spring version. Spring Boot 4.0 alone manages 1,768 of them; across the full supported portfolio, that totals more than 100,000 validated dependency builds.
Additionally, as members of the open source community for over two decades, the Spring team has broad relationships across adjacent open source technologies and will continue to collaborate and contribute to these upstream community projects.
And, of course, we also offer tools to roll out these changes in Tanzu Spring Advisor. I’ve seen this in action recently when I’ve been messing around with Spring Boot MCP servers: you log in to the dashboard to check it out, and it tells you some component deep down in the stack is out of date. Pretty great - something even a dumb developer like me could do something with :)
Check out the Tanzu Spring plan we have, and for a platform-level approach beyond Spring and apps, one that includes an enterprise AI server for privately and publicly hosted AI hoopla, head over to TryTanzu.ai.
Related to your interests
- Everyone hates frontier AI labs, says Palantir boss - One enterprise harness maker says the competing enterprise harness makers either suck or are non-existent. [BTW, we should start calling it “enterprise harness.”]
- The Minimill of AI - Private AI prediction: “Tens of millions of these will proliferate inside companies in the next few years, each one quietly absorbing much of the work that today shows up on a hyperscaler invoice.”
- 🤖 The iPhone’s Last Stand - Siri can’t do agents, but agents serve productivity and consumers want to waste time on short-form video, so the iPhone’s personal-context moat beats agentic horsepower - and Apple skips the capex everyone else is burning.
- Claude is ready for its corporate close-up - “Enterprises, IDC says, remain largely unsold on Anthropic’s Claude models, with only 19 percent using them extensively and 25 percent actively evaluating them.” OpenAI and Google are better represented in enterprises, at about 42 percent and 38 percent of organizations respectively.
- Your company needs agency, not agents. - When management is the bottleneck preventing enterprise AI ROI. Hot take: everything is a bottleneck.
- Why ABN AMRO’s CEO wishes the bank was going further and faster with the AI rollout set to take out a quarter of its headcount - Commentary on rolling out AI at a bank.
- AI Scribes in the Clinic: What Patients Should Know - AI for doctors taking notes, a review of what’s known now.
- 🤖 Forms don’t love you back - AI is about to make us fill out far more forms, but many won’t look like forms - they’ll arrive as chatbots, agents, biometric checks, and one-click services that quietly extract structured data. Old answers persist as “single sources of truth” that follow you around, and the rigid schemas underneath can’t do discretion: you fit the box or you get “computer says no.” // Also, much gig-economy class system discussion.
- Rapid software delivery is possible inside DoW - Software Factory 2.0 shows how - “Replace multi-year forecasts with real-time discovery of operational friction. Instead of a five-year requirement for a ‘targeting system,’ identify the bottleneck–like a three-hour targeting approval process. Set a goal–like reducing the approval process to 30 minutes. And empower a team to solve it. In this Kessel Run example, the requirement was an outcome, not a feature list.” Bryon Kroger
- Institutional challenges in agile adoption: Evidence from a public sector IT project - 2016: “[T]he US has a similar record with 94% of federal government IT projects exceeding their budgets and schedules, and 40% failing to complete”
- Forrester: Capping AI Spend Won’t Fix Your Token Bill
- Doing nothing at work - Avoiding low value work to be ready for high value work. Also, an example of “homework”: work people get you to do that is not your job and often goes nowhere.
- What I think about when I edit - All good advice…and something you could ask the robot to do without it turning your text into copy-slop (you’d have to keep an eye on the adverb stuff. Speaking of: editors hate adverbs!)
AI Summaries
I wanted to read these, but I didn’t make the time, so I asked the robot to summarize them.
- 🤖 Analysis of 25,000 TikTok and YouTube Videos Finds Pro-AI Content Outnumbers Anti-AI 3:1, With Memes and Creative Theft Dominating Over Elite Narratives
- 🤖 How Avocados Became a Year-Round Global Commodity
- 🤖 Kraft, McDonald’s, Whirlpool, Planet Fitness CEOs Sound Simultaneous Alarm as Lower-Income Consumers Spend Down Savings
- 🤖 As AI Pushes More of Life Through Forms, a Self-Described Form Lover Argues They Flatten People, Power an Invisible Underclass, and Should Be Slowed Down
- 🤖 Anthropic ships 80% AI-authored code, says enterprises must rebuild around the agent factory
- 🤖 State AI Rollouts Are Outpacing Their Own Governance
ICYMI
- Observability’s Next Phase - Software Defined Talk #576 - “Brandon talks with OpenObserve’s Prabhat Sharma and Shani Shoham: why observability is still broken, how they fixed it, and where AI takes it next.”
- Deming, DevOps History, AI Risk, and Critical Thinking, with John Willis - Software Defined Interviews #123 - W. Edwards Deming’s quality theories and their influence on the Toyota Production System and DevOps practices, including “Deming’s system of profound knowledge (theory of knowledge, variation, psychology, and systems thinking),” industry misconceptions about AI, and how probabilistic AI systems require different risk frameworks than traditional deterministic approaches.
Logoff
I am thinking about changing the role and format of this newsletter and interested in what you, dear reader, want this newsletter to be. What do you use it for, do you like reading it, what would you like to change? Should it just be a list of links to skim, a round-up of things I’ve posted and want to share - that’s what it’s become. Originally, I made this newsletter because (1) blogs were dead, so I stopped really blogging, and, (2) it seemed wise to build up a “community” that would last, that is an email list. This meant the newsletter was actually frequentish blog posts at the top and then links at the bottom - a blog in one page. I haven’t been doing that - do you wish I still did? Reply back if you’re up for taking the time, I’d appreciate it.
P.S.: it’s exhausting, nearing boring, that the only conversations out there in tech land are about AI. What’s going on with the entire rest of the stack? Yes, and is that the story: AI touches everything, everything is AI? At least, people are hoping so.
Want to subscribe to this newsletter and get it in your email? Do that here. You’ll just get this type of link and post round-up, not everything posted on the weblog.