Die neuen Surface-Geräte kosten mindestens 1.600 Euro. Dabei sind Tastatur und Stift beim Surface Pro noch immer nicht im Preis enthalten. (PC & Notebooks, Notebook)
Quelle: Golem
Teils über 40 Prozent Rendite konnten die deutschen Netzbetreiber erwirtschaften. Auch insgesamt sind die Gewinne überdurchschnittlich. (Strom, Bundesnetzagentur)
Quelle: Golem
Im Streit um KI-Klauseln für deutsche Synchronsprecher gibt es eine Reaktion von Netflix, nachdem für erste Filme Stammsprecher ausgetauscht wurden. (Netflix, KI)
Quelle: Golem
Forward Deployed Engineer heißt die neueste Entwicklerrolle, die aktuell angepriesen wird. Eine People-Strategin erklärt in unserem Newsletter, was dahinter steckt. (Arbeit, Softwareentwicklung)
Quelle: Golem
TLDR: Docker Content Trust (DCT) and the Notary v1 service at notary.docker.io are being fully retired (first announced in July of 2025). This blog explains what is changing, who is affected, and how to move to modern alternatives.
Ten years ago, Docker Content Trust (DCT) gave the container ecosystem one of its first ways to verify the integrity and publisher of an image, built on The Update Framework and the Notary v1 project. The upstream Notary v1 codebase is no longer maintained, more modern signing tools have become the standard, and today a very small number (fewer than 0.05%) of Docker Hub pulls rely on DCT.
Last year we began retiring DCT for Docker Official Images, and now we’re completing that work by fully retiring DCT and the Notary v1 service at notary.docker.io. This post covers what’s changing, who’s affected (for most people, nothing), and the modern alternatives that are available to users.
Why are we retiring Docker Content Trust (DCT)?
DCT relies on the upstream Notary v1 server, the original TUF-based implementation that was first released in 2015, and the project is no longer maintained. In the years since, the ecosystem has standardized on OCI-native signing tools such as Sigstore/Cosign and the Notary Project’s Notation, that store signatures alongside the image in any compliant registry, with no separate trust infrastructure to run. The broader ecosystem has been retiring this approach–Microsoft deprecated DCT support in Azure Container Registry some time ago, and Harbor deprecated Notary v1 support too.
Retiring Notary v1 lets us put our investment behind other modern, standards-based tools (described below) that developers are already adopting, and behind making secure defaults first-class citizens on Docker Hub.
Who is affected by this change?
DCT was opt-in, and normal image pulls (docker pull) would not touch the Notary service, so if you’ve never deliberately turned it on, nothing about your workflow changes. You can stop reading here.
The change matters if you configured DCT for use, which usually shows up in one of a few ways:
You have DOCKER_CONTENT_TRUST=1 set in your environment, shell profile, CI pipeline, or Dockerfile.
Your scripts or automation use docker trust sign, docker trust inspect, or docker trust revoke.
Your Kubernetes admission controllers or deployment policies check for DCT signatures.
You publish images to Docker Hub with DCT signing enabled.
If you have never set DOCKER_CONTENT_TRUST and do not use docker trust commands, this change does not affect you.
Pathway to retirement: timeline
We’re winding DCT down in stages rather than all at once. The brownouts are brief, scheduled outages, these are dry runs that flush out any pipeline still leaning on the service while there’s time to fix it. Writes go dark before reads, so signing breaks before verification and publishers can get the earliest heads-up.
Date
What happens
Jul 14, 2026
4-hour write brownout
Jul 15, 2026
4-hour write brownout
Aug 10, 2026
4-hour read brownout
Aug 12, 2026
4-hour read brownout
Dec 8, 2026
Full shutdown
Windows run ~4 hours and begin at 8AM Pacific Time.
Note this only touches DCT trust operations; ordinary docker pull and docker push operations will keep working through these windows.
What to do if you are affected: migration guide and alternatives
If any of the cases above describe your setup, here’s how to move off DCT cleanly. The ecosystem has settled on a handful of strong, widely-adopted tools, so this is as much a menu as a manual. The steps run from the quickest unblock to the most complete setup; pick the leading technology that fits your workflow, and go as far down the list as your situation calls for.
Ensuring image pulls succeed
If your only goal is to ensure that image pulls keep working past the shutdown date, disable DCT. This is the fastest path to unblocking your workflows, but it removes tag-level verification.
# Remove from your current shell session
unset DOCKER_CONTENT_TRUST
# Or explicitly disable it
export DOCKER_CONTENT_TRUST=0
Search your environment for anywhere this variable might be set, including shell profiles, CI/CD configuration, Compose files, and K8s manifests. Once DCT is disabled, all pulls continue to work normally.
Ensuring pulls are repeatable
Tags on image registries can change when an image is updated. Pulling by digest guarantees that you get the exact image content you expect, regardless of whether a tag has been moved or overwritten. Digests are immutable.
# Find the digest of an image you have pulled
docker pull busybox:latest
docker images –digests busybox
# REPOSITORY TAG DIGEST IMAGE ID
# busybox latest sha256:f85340bf… abc123def456
# Pull by digest
docker pull busybox@sha256:f85340bf…
Use digests in dockerfiles for reproducible builds, and in Kubernetes manifests or Compose files to ensure predictable deployments.
Digest pinning verifies content integrity (you get exactly what you asked for), but it does not by itself prove publisher identity. For that, you need cryptographic signatures, which is where Sigstore/Cosign and Notation come in.
Proving publisher identity
Two mature, actively maintained signing projects have replaced DCT’s signing capabilities in Hub. Both store signatures alongside the image in OCI-compliant registries.
Option A: Sigstore / Cosign
Cosign is part of the Sigstore project and supports identity-based signing using short-lived certificates tied to an OIDC identity. It stores signatures as OCI artifacts in the same registry, alongside the image.
Sigstore quickstart: https://docs.sigstore.dev/quickstart/quickstart-cosign/
Cosign on GitHub: https://github.com/sigstore/cosign
Option B: Notation
Notation is the CLI for the Notary Project. It uses a certificate-based PKI model and stores signatures as OCI reference artifacts.
Notation quickstart: https://notaryproject.dev/docs/quickstart/
Notation on GitHub: https://github.com/notaryproject/notation
Enforcing verification in production
Signing images is only half the story. To get full security benefits, you need to enforce that only signed images can be deployed.
Kyverno (works with Cosign)
Kyverno can verify Cosign signatures before pulling into a cluster. See the documentation for details.
Ratify + Gatekeeper (works with Notation)
Ratify can verify Notation signatures before admitting pods. See the Ratify quickstart for setup instructions.
Use Docker Hardened Images as a built-in replacement
If you currently rely on DCT to verify base images from Docker Hub, switching to Docker Hardened Images (DHI) is a free and secure path forward. Every DHI comes with cryptographic signatures, provenance attestations, and SBOMs already built in.
This means the integrity checks you relied on with DCT are guaranteed, and then some. DHI images are minimal by design and continuously rebuilt when new CVEs appear. You are not just replacing a verification mechanism, you are getting a more secure base image to begin with.
Read more here: https://docs.docker.com/dhi/
Or view the free catalog at dhi.io
Need help?
A couple of things worth knowing as you plan your move.
If you are a Docker Hub publisher currently signing images with DCT, Docker cannot provide replacement signatures on your behalf. You will need to adopt Cosign or Notation to sign your own images.
If you are a consumer of third-party images that were signed with DCT, contact those publishers directly to determine whether they plan to adopt modern signing.
For questions or issues related to the shutdown, or if you want to work more directly with us on a migration plan, contact Docker support.
Quelle: https://blog.docker.com/feed/
Amazon CloudWatch now natively supports OpenTelemetry metrics. You can send metrics via the OpenTelemetry Protocol (OTLP) and query them using Prometheus Query Language (PromQL), with per-GB ingestion pricing and 15 months of storage included.
This allows you to consolidate custom application metrics and AWS vended metrics from more than 70 services in a single solution, queryable together in PromQL. CloudWatch exposes a Prometheus-compatible query API, so teams already using OpenTelemetry, Prometheus, or Grafana can use CloudWatch as a destination that fits seamlessly with their existing tools.
Available in all commercial AWS Regions except Middle East (UAE), Middle East (Bahrain), and Israel (Tel Aviv). For pricing details, see the Amazon CloudWatch pricing page. To get started, see the Amazon CloudWatch metrics documentation.
Quelle: aws.amazon.com
Starting today, AWS Partner Central agents qualify every co-sell opportunity in real time and make recommendations that drive AWS engagement and accelerate deal progression. Building on the AWS Partner Central agents released on March 16, 2026, the agent can act on the partner’s behalf through conversation to enrich the opportunity details. This eliminates waiting for manual review, so partners build a stronger pipeline and progress deals faster. Now, each opportunity is matched to a co-sell motion that determines AWS engagement: AWS field-engaged, where an AWS sales team collaborates directly; Agent-engaged, where the agent strengthens the submission to increase AWS engagement; and Partner-led, where the partner drives the deal with agent support. Across all motions, the agent provides customer insights, recommendations, and sales plays, and each opportunity receives an Opportunity Quality Score that measures co-sell readiness and directly influences how AWS engages. The agent recommends how to improve this score, and as the opportunity improves, the score and motion recalculate in real time, moving it closer to AWS engagement. The new enhanced experience is available today to AWS Partners in all commercial AWS Regions. To get started, log in to AWS Partner Central and access opportunity management. Partners can also use the agentic experience in native AI tools like Amazon Quick and Kiro, or through MCP in their own CRM. See the Partner Central agents MCP server guide to get started.
Quelle: aws.amazon.com
Today, AWS announces the public preview of AWS Blocks, an open-source TypeScript framework for application developers who want backend capabilities on AWS removing the need to learn infrastructure tools. AWS Blocks runs a fully functional local environment with Postgres, authentication, and real-time messaging, no AWS account required. When ready to deploy, the same application code runs on production AWS services with zero changes, and developers can drop into AWS CDK at any point for direct resource configuration.
A developer building a SaaS application can add database tables, user authentication, AI agents, file uploads, and background jobs in a single session, test the full stack locally, and deploy to AWS when ready. Built-in guidance for AI coding tools enables correct architecture without custom configuration, and end-to-end type safety flows from the data schema to the frontend without a code generation step. At preview, supported frontend frameworks include SPAs (e.g. Vite + React) and SSR frameworks such as Next.js, Nuxt, and Astro. AWS Blocks is available at no additional charge. You pay only for the AWS services your application uses.
AWS Blocks deploys to all commercial AWS regions.
To get started, run npx @aws-blocks/create-blocks-app. Read more here:
AWS Blocks product page
Getting started guide in the AWS Blocks Developer Guide
AWS Blocks on GitHub
Quelle: aws.amazon.com
Amazon Redshift is expanding the general availability of RG instances — powered by AWS Graviton processors — to three additional AWS Regions: Africa (Cape Town), Asia Pacific (Bangkok), and Mexico (Central). Amazon Redshift’s new Graviton-based RG instances deliver up to 4.2X better price-performance for data warehouse workloads compared to other data warehouses, run workloads up to 2.4x faster than previous-generation RA3 instances, and cost 30% less per vCPU. Customers in Cape Town (af-south-1), Bangkok (ap-southeast-7), and Mexico Central (mx-central-1) can provision rg.xlarge and rg.4xlarge node types — ideal for a wide range of workloads from smaller development environments to production data warehouse deployments. Customers can upgrade their existing RA3 provisioned instances to RG instances and immediately benefit from improved query performance and reduced compute costs. RG instances come with additional cost savings built in by default. With Amazon Redshift incremental manual snapshots, customers now pay less for backup storage as snapshot costs are metered based on unique data blocks rather than total snapshot size. Additionally, RG instances eliminate Redshift Spectrum scanning charges, meaning customers no longer pay for data scanned in Amazon S3 via Spectrum — further reducing the total cost of running data lake queries. To get started, visit the Amazon Redshift documentation and the RG instances pricing page.
Quelle: aws.amazon.com
AWS Sign-in now supports resource-based policies and resource control policies (RCPs) for the AWS Management Console. You can use these policies to restrict console sign-in to expected networks. Policies are evaluated during sign-in and whenever the console session requests new credentials.
Resource-based policies apply to individual AWS accounts. Resource control policies apply organization-wide through AWS Organizations. You can combine these policies with AWS Management Console Private Access to control both which networks users can sign in from and which accounts they can access.
AWS Sign-in resource-based policies and RCPs are available at no additional cost in all AWS commercial Regions. To learn more, see the AWS Sign-in User Guide. For API details, see the AWS Sign-in API Reference.
Quelle: aws.amazon.com
