“For some reason they’re willing to read a 20-page essay from a chatbot when they would never imagine doing it from a colleague.”
For episode 50 Cody, Craig, and Nick are joined by special guests Mark Burgess, progenitor and original creator of CFEngine, Ted Zlatanov, configuration management expert and CFEngine Champion and Igor Aleksandrychev, CFEngine Enterprise developer to talk about AI.
The guests touched on the rapidly evolving landscape of AI code generation, with Ted sharing insights on Glean and Claude, noting impressive speed but requiring substantial rework for production. Mark offered a historical perspective, highlighting his work with AI within his Semantic Space Storytime project SSTorytime. Igor demonstrated a natural language query demo for CFEngine Enterprise. Craig recounted his experience with LLM summarization, admitting to being occasionally overwhelmed by the sheer volume of output. Nick raised concerns about the computational cost and the challenge of balancing efficiency with quality.
Here comes a profoundly belated blog post on a behavior change. Better late than never.
Due to various bugs with the glob engine on Windows, we decided to rewrite it in CFEngine 3.24.0. Not only does the new glob engine resolve these bugs on Windows, but it also adds support for brace expansion on all platforms. E.g.
findfiles.cf bundle agent main { vars: "matches" slist => findfiles("C:/{foo,bar}.txt"); reports: "$(matches)"; } command & 'C:\Program Files\Cfengine\bin\cf-agent.exe' -Kf C:\findfiles.cf output R: C:\bar.txt R: C:\foo.txt The introduction of brace expansions will probably not break your policy unless you have files with brackets in their names. But what may break your policy is the fact that the new glob engine outputs the matched paths with the system separator (i.e., $(const.dirsep)). E.g., given the following policy, you can see how the output with the matched files changed from having forward slashes in CFEngine 3.21 to having backslashes in CFEngine 3.24 on Windows.
No more default passwords! CFEngine 3.26.0 (“admin”) forces you to create an admin user from scratch.
Cody, Craig, and Nick take a look at the latest CFEngine release, 3.26.0, the “admin” release. After showing the new setup process to create an initial privileged user and highlighting cfbs and cf-remote updates and separate release schedule the majority of the conversation centered around new functions that were introduced.
findlocalusers() Stop parsing /etc/passwd in policy, let the C do it. getbundlemetatatags() More introspection capabilities from within policy. hostswithgroup() Generate lists of hosts that are in a group from policy on the hub (Enterprise Hub only). is_type() Ensure the data you are looking at is what you expect it to be. isconnectable() Speed up policy by probing a port to see if it’s even connectable. useringroup() Stop parsing /etc/group in policy, let the C do it. The audience chimed in with some ideas for new and existing functions:
Today, we are pleased to announce the release of CFEngine 3.26.0! Being a non-LTS (not supported) release, this release allows users to test the new functionality we’ve been working on before it arrives in an LTS release later this year. The codename for this release is a bit different, as it is named after a new feature introduced, and what it eliminates - the default admin user.
What’s new In recent releases, we’ve made important security improvements like stricter password policies, 2FA support, audit logs, and more. We’re continuing down this track of improving the overall account and login security of CFEngine Enterprise by eliminating the default admin user and introducing a much more secure first time setup feature to create your own user with administrative rights.
We are pleased to announce two new patch releases for CFEngine, version 3.21.7 and 3.24.2! These patch releases contain bug fixes and dependency updates.
Changes As these are patch releases for long term supported (LTS) branches of CFEngine, there are no new major features included.
Complete changelogs As always, you can see a full list of changes and improvements in our changelogs:
3.24.2 Changelog for CFEngine Community 3.24.2 Changelog for CFEngine Enterprise 3.24.2 Changelog for Masterfiles Policy Framework 3.21.7 Changelog for CFEngine Community 3.21.7 Changelog for CFEngine Enterprise 3.21.7 Changelog for Masterfiles Policy Framework Please note that the Enterprise changelogs contain only changes specific to enterprise. To get a full overview of all changes in a version, read all 3 changelogs.
Disclaimer: This post focuses on Debian-based and Fedora/RHEL-based distributions and packaging.
Everybody using a GNU/Linux distribution most likely knows that packages used by the given distribution are somehow signed and such signatures are somehow verified. Usually, this knowledge comes with the first requirement to import some key when an extra package repository is being added to the system (the standard repositories of a distribution use keys that are present and trusted by default). While users don’t usually pay much attention to the key import process and the particular key used, these keys and signatures are actually parts of the critical security mechanisms in their systems.
Manage your phone like a server. In this episode, Craig brings CFEngine to Android with custom package modules and creative hacks.
Cody and Herman join Craig while he shares his journey of integrating CFEngine into a Fairphone 4 running /e/OS (a privacy-focused Android fork), using Termux to enable a Unix-like environment, and extending CFEngine’s capabilities to manage and inventory Android applications.
He talks about running Termux on Android to create a CFEngine-compatible environment, a custom package module to install APKs from GitHub, enabling inventory collection and version tracking via ADB. Craig showed how the collected data is displayed in Mission Portal, offering visibility into Android environments.
The latest release of cfbs (4.4.0 released April 4th, 2025) introduces the analyze command.
Last time I used this (Show notes: The agent is in - Episode 47 - Preview of cfbs analyze) I had installed it from a git clone, now I want to go back to regular install
command pipx uninstall cfbs pipx install cfbs output uninstalled cfbs! ✨ 🌟 ✨ installed package cfbs 4.4.0, installed using Python 3.12.3 These apps are now globally available - cfbs Now, cfbs help should have our new cfbs analyze option:
Is your CFEngine policy set a Frankensteinian monster of outdated files and custom tweaks? Take a look at tooling we have in development (cfbs analyze) to help shed light on the makeup of your policy set.
In this episode the team showcases a new tool for analyzing CFEngine policy sets. Learn how to identify modifications, missing files, and stale policies from old MPF versions and hear about additional features we can look forward to when it’s fully released.
In the latest version of the CFEngine network protocol (filestream - v4), we leveraged librsync for efficient file copying using their Streaming API.
While implementing the file streaming in CFEngine, I found that the documentation on the Streaming API was a bit unclear. Thus, I created two example programs to experiment with how it works. I thought I’d share them in this blog post as a tutorial to help other developers get up to speed faster.
