This Week #3: Devbox Templates, Identity Federation, Secrets

This week we finished most of our work on Devbox Templates, making it easy to start new projects from the website using a ready-made template. We also continued exploring how identity federation can work and how we could integrate that with our secrets functionality.


Returned Tuesday from a vacation trekking around Mont Blanc. I spent some time getting caught up on our current cycle’s progress, and then partnered with Greg + Savil on debugging and reproducing an incompatible glibc version issue in a customer’s Python + Postgres project.

I also reviewed Lucille’s work on Devbox Templates + the template submission flow, added up-to-date READMEs for the current templates, and published them on the Devbox site. I’m excited for how these templates will make it easier for users to spin up a new Devbox project, and I hope to add some new templates to the page next week!


After wrapping up last week’s work on Devbox templates, I shifted my focus to authentication. For most people, their first impression with our managed services often starts with a good and painless login experience. While authentication on single users or multiple teams should ideally be straightforward, setting it up correctly with Auth0 has been a struggle.

This week I spent most of my time working on an MVP using Stytch’s magic link authentication flow. It already looked way more promising than our current setup! Looking to hook it up with Daniel’s oauth flow on the CLI side next week. I’m hoping we can bring this to production soon.


Worked on envsec pretty much all week. Worked with Mohsen on AWS identity federation, implemented authentication in evnsec CLI and got a prototype service running to back the envsec CLI. Learned more about Supabase and wrote some painful graphql queries in go. Looking forward to dogfooding envsec in about a week!


This week was a fun challenge.

I spent a good amount of time wrestling with AWS authentication services and permissions. The work was a small part of a bigger project we call envsec which is a tool that lets you manage your environment secrets for a given project. My portion of the work was to figure out and setup AWS behind the scenes so that after authentication, we can fetch secrets saved under the organization name and project. So I setup the changes required on AWS side of things as well as the CLI to talk directly to AWS as a federated user. It was challenging to make everything work end to end but rewarding now that it works!

Next week I’m hoping to finish up the changes on the cloud side and focus more on refining the user experience on the CLI.


This week I spent most of my time exploring GCP Cloud Run and AWS Lambda, to see how we might leverage them to help us expand/improve the launchpad experience. While doing that, I also explored how feasible it is to move where we host our blog so we can avoid some third-party hosting costs.

Lastly, I also sent a couple PRs to fix bugs related to nix profile management when devbox is adding/removing packages without needing to download nixpkgs.


This week was high on learning via debugging, but short on building.

For a long while users have complained about hitting issues with incompatible versions of GLIBC. It had been hard to get a clear repro when I looked at this a few weeks ago. This time though, I was able to construct a repro with a couple of issues that users filed. While we could unblock them, the fix was ugly. To understand what's happening Greg and I dug into it. And this was a great learning experience to understand the ELF file format and how linkers interact with them, and using tools like ldd, readelf and patchelf. Greg did a fantastic job figuring out the exact cause, and explaining in great detail what was happening. Now, I think we understand why these incompatibilities arise, and now we need to prototype a few potential fixes so we can evaluate which of them would be optimal to actually implement.

We also very close to wrapping up our perf project to reduce the need for users to download nixpkgs, saving them 30-40 seconds. Rodrigo uncovered a couple of issues with how we were handling the nix profile, and then sent fixes for them. Hoping to do some QA on this next week and release it!