Grafana Labs internal source code accessed

(twitter.com)

84 points | by jschorr 2 days ago

27 comments

  • kunley a day ago

    I was recently considering an engineering job offer at Grafana. In the end I was turned off by the amount of AI-related mindless propaganda and demands they had put right in the job offer. (Which is, by the way, quite rare; it is rather untypical to state in the position description how a developer should use AI tools, even though everyone can imagine what it looks like.)

    Looks like they could have invested more energy in processes and security rather than chasing the "innovation" craze that much.

    • mhitza a day ago

      Jobs are truly ridiculous in today's market. Not only do you have to be "AI-native" with more years of experience with GenAI code than the time since it started getting popular, but you also get jobs that require you to know Claude Code inside and out, as if no other agent coding tool exists.

      • dijksterhuis a day ago

        On my data engineering master's, the course leader told us about a job advert he'd seen one time. The job needed Hadoop experience, like 7 years' worth.

        Hadoop had only existed for 5 years at the time, at most.

        He figured that someone in HR got the draft for the job advert and just added in the 7 years as a guess based on another role they were hiring for.

        edit: the number of years required with a specific technology is just a hand-wavy estimate of how important it is for the role. Never treat the numbers as gospel. That was the lesson he was teaching us.

      • surgical_fire a day ago

        This can play in your favor if you are experienced enough.

        See, it is bullshit, but it is also easy enough. Claude Code is not inscrutable; this is much easier than learning, say, a new programming language. You can meaningfully learn enough to pass an interview in a couple of weeks. It's basically the same amount of information you need to learn to hype AI in the HN comment section.

        So yeah, I think AI is a dead-end technology, far from being as useful as everyone invested in it claims. But I have been using it liberally just so I am on top of this shit, since it is the current hype cycle.

    • pllbnk a day ago

      Companies are now so often looking for "AI engineers" or "engineers with AI experience", which is crazy given how the current generation of AI tools is in very early stages, and spending a lot of time mastering them might be time well wasted if many of them actually believe in any further advances, much less AGI. If what the AI overlords promise is to materialize, then all these primitive tools like agents, MCPs, plugins (or "marketplaces", which is crazy that LLMs couldn't help them come up with a better name for) and whatnot should be just an insignificant blip in the history of AI evolution.

      • sshine a day ago

        Companies that care about the 3-15 months of agentic engineering experience you could possibly have (15 months if you count by the launch of Claude Code, 3 months if you count by when that term was coined) don't think about AGI. They think about immediate productivity gains and not working against company culture from the very beginning of their employment.

        I remember one job interview where the team lead interviewing me and I had completely different takes on static vs. dynamic typing. It was an awkward moment when we realized we'd never agree, and attempting to cooperate would be very burdensome. Don't hire someone who thinks what you're doing is stupid. AI really divides the waters, better be up front.

  • londons_explore a day ago

    Is there anything of value in the internal codebase?

    So many companies' internal codebases are of approximately zero value to any outsider. The code is only a small proportion of the business.

    • nijave a day ago

      They killed OSS incident management.

      Given that a lot of their software is OSS or OSS-based, there's a good chance the non-OSS parts are runnable and usable outside the company.

      The product is mostly "standalone" in that it doesn't require integrations with 3rd parties unlike, say, banking software.

    • Rapzid a day ago

      Maybe some EE stuff like SSO, etc.? Unfortunately layering that stuff on is super low effort in these LLM days.

      • dijit a day ago

        Grafana OSS does support SSO out of the box, at least OIDC (which is a technically superior standard to SAML w.r.t. security).

        The Enterprise edition seems to focus a lot on meta-information about Grafana itself: the most frequently accessed dashboard, who is viewing the current dashboard, etc.

        There's also group sync, I guess, which is useful, but honestly the selling point of Enterprise is the support, I think.

        In fact, I might buy Enterprise following this; the fact that so much is in the base product gives me the warm fuzzies.

    • radku a day ago

      AI is actually pretty good at finding vulnerabilities in a codebase.

      A critical vulnerability in that source code could enable further access to other production systems or databases.

      Edit: typo

    • skrtskrt a day ago

      [dead]

  • nusl a day ago

    Quite funny how they phrase this.

    "We recently discovered.." then later "..The attacker attempted to blackmail us"

    So, I'd wager they had no idea of the breach until the attacker tried to blackmail them.

  • oori 2 days ago

    Quote: “ The attacker attempted to blackmail us, demanding payment to prevent the release of our codebase. ...we’ve determined the appropriate path forward is to not pay the ransom.”

  • jwr a day ago

    "Threat actor"… I love this "security" lingo. Threat actors, attack vectors, state actors :-)

    • prymitive a day ago

      One of the scalars in our feature matrix allowed for an attack vector to move beyond our security barrier causing an incident overflow

    • scotty79 a day ago

      Let's hope they don't go kinetic.

  • sangeeth96 2 days ago

    I wonder if this is related to the supply chain attack they talked about at GrafanaCon[1] or a fresh leak. If the latter, I wonder what they missed, since it seemed like they had their detectors/scanners set up well. Curious to read the report on this.

    [1] https://youtu.be/4D068lS85NY

  • iririririr 2 days ago

    Aren't they just psql, though? Well, I guess we will find out soon.

  • anotherhue 2 days ago

    Their whole repo had been made public !!!!

    https://github.com/grafana/grafana

    /s

    • jchw 2 days ago

      This is worse than the Linux kernel source code leaks of April 1st.

    • esseph 2 days ago

      I think they mean Grafana Cloud.

  • fsckboy 2 days ago

    >We recently discovered that an unauthorized party obtained a token with access to the Grafana Labs GitHub environment, enabling the threat actor to download our codebase.

    I don't much like the securityese dialect of bureaucratese, but doesn't it make more sense as "We recently discovered that a threat actor obtained a token with access to the Grafana Labs GitHub environment, enabling the unauthorized party to download our codebase"?

    You can't just drop in buzzwords willy-nilly; they buzz better in the right places.

    • dxdm a day ago

      Well, "unauthorized party" is a better attention-grabber early on, but then of course it goes into an entirely different direction.