28. April 2026 1 min read

Kai Ole Hartwig

Web development, DevSecOps, and entrepreneurship. 23+ years' experience.
Founder of Moselwal Digital Agency and OnlyOle.

Düsseldorf · vineyard on the Mosel

Blog

Archiv →

12.05.2026Mini Shai-Hulud, CVE-2026-45321, npm, supply chain, SLSA provenance, Sigstore, pull_request_target, OIDC, manifest diff, pipeline hardening

Why a valid signature is no longer enough in 2026 — an honest note after Mini Shai-Hulud

An honest note from the workshop after 11 May 2026 — the day on which the structural assumption “validly signed means content-trustworthy” was publicly broken.

06.05.2026AI company, agentic engineering, Y Combinator, Diana Hu, private AI, open-weight models, customer-owned, Moselwal, uncommon service, queryable organization

Rebuilding Moselwal as an AI company — what Y Combinator says and what I'm doing with it

A reflection on Diana Hu's AI-company thesis and my plan to rebuild Moselwal in that direction.

05.05.2026Care, Schulbegleitung, Inclusion, UN-CRPD, Human rights

Human rights are not negotiable. Not in the budget either.

5 May 2026: Why the motto “human rights are not negotiable” matters now — about Schulbegleitung cuts and the income-loss trap for caregiving parents.

03.05.2026DevSecOps, SBOM, SLSA, OCM, Open Component Model, NixOS, Podman, Supply Chain Security, OpenVEX, Sigstore, Cosign, Composition, Bill of Delivery

Bill of Delivery

An engagement with the concept of a Software Bill of Delivery: a critical look at the OCM approach, a comparison with the composition layer in NixOS+Podman setups, and which DevSecOps building blocks (SLSA provenance, OpenVEX, Cosign, verify-on-deploy) remain relevant in both worlds.

02.05.2026IPv8, IPv6, IETF, Internet Draft, networking, DevSecOps, OAuth2, JWT, Zone Server, WHOIS, BGP, RPKI, Bill Buchanan

IPv8 — a late April Fool's joke?

Hot take on the IPv8 Internet Draft: 64-bit addresses with IPv4 notation sound reasonable, but the rest of the spec — central Zone Server, OAuth2 at the network layer, WHOIS egress validation, mandatory NIC firmware — is a complete rebuild with built-in surveillance.

27.04.2026

Summer 2024

End of the summer holidays, a service station, one sentence: “Dad, I can't get out, my leg hurts too much.” Notes from two years with a chronically ill child — between operations, bureaucracy and the realisation of how little the system actually carries you.

24.04.2026[Translate to English:] Bitwarden, Checkmarx, Supply Chain, npm, Renovate, Vaultwarden, DevSecOps

Close call: The Bitwarden CLI incident and what we should take from it

[Translate to English:] Einordnung des Bitwarden/Checkmarx-Supply-Chain-Vorfalls vom 22. April 2026 und warum Moselwal dank boringer Build-Pipelines nicht getroffen wurde.

22.04.2026

DevSecOps is often misunderstood

Why DevSecOps isn't a tool problem, but a decision problem. And why I'm starting OnlyOle exactly there.

21.04.2026

690 downloads, no big show

[Translate to English:] 690 Podcast-Downloads seit Januar. Ein kleiner Meilenstein und eine ehrliche Zwischenbilanz zu unserem Gründer-Podcast.

01.04.2026

When will I become X?

[Translate to English:] Wer ständig fragt, wann er etwas wird, ist selten bereit dafür. Eine unpopuläre Beobachtung aus 23 Jahren Selbstständigkeit.

01.04.2026

AI pentester vs. AIS-1: two worlds on a Monday

One side is celebrating AI agents that run pentests. The other is busy building a standard that lets you identify those agents in the first place.

25.03.2026

AI startup is the new 'we have an app too'

[Translate to English:] AI-Startup klingt nach Zukunft. Ist oft nur Verpackung. Warum das Label gerade inflationär missbraucht wird.

22.03.2026

Upgrading with an AI agent: Rector yes, the rest no

I let an AI agent upgrade a smaller project. Rector delivered. Everything else got left lying. An honest field report.

22.03.2026

Almost a year now: daily error reports from a former client

[Translate to English:] Ein Kunde hat uns vor fast einem Jahr verlassen. Seine Systeme schicken mir weiter jeden Tag Fehlermeldungen. Niemand reagiert. Außer mir.

22.03.2026

Two podcasts a week: how I suddenly ended up in front of two mics

[Translate to English:] Seit ein paar Wochen nehme ich jede Woche zwei Podcasts auf. Über Unternehmertum und Security. Warum das Sinn ergibt und mich selbst überrascht.

22.03.2026

Your AI didn't 'learn to learn' on its own

No, your AI didn't learn by itself. You told it what to do. Why this distinction matters so much right now.

22.02.2026

THIS is the killer for any business

[Translate to English:] Der Fehler, den fast jedes Unternehmen einmal macht. Einfach zu vermeiden, wenn man ihn ernst nimmt. Meine Beobachtung aus 23 Jahren.

22.02.2026

The IT industry is toxic and dishonest

[Translate to English:] Unsere Branche hat viele Probleme, über die niemand redet. Ein ehrlicher Blick nach innen, mit 23 Jahren Perspektive.

22.01.2026

Caring parents drowning in paperwork

[Translate to English:] Eine einfache Leistung wird zum Papierkrieg. Warum müssen pflegende Eltern alles beweisen, während das System nichts halten muss?

22.01.2026

I'd rather have automation than people

[Translate to English:] Klingt hart, ist aber so: Ich arbeite lieber mit Automatisierungen als mit Menschen. Warum, liegt weniger an den Menschen als an der Zeit.

22.12.2025

"In a bit" is not a time

[Translate to English:] „Gleich“ ist kein Zeitpunkt. Es ist ein Warnsignal für Chaos und fehlenden Respekt vor Zeit. Warum mich dieses Wort so zuverlässig nervt.

24.10.2025

Day of caring parents: why visibility is the first step

[Translate to English:] Am 24. Oktober 2025 gab es erstmals den Tag der pflegenden Eltern. Warum dieser Tag wichtig ist – aus der Sicht eines Vaters, der selbst pflegt.

22.09.2025

The first day of autumn caught me

[Translate to English:] Montage sind schwer. Der erste echte Herbsttag war für mich 2025 härter als erwartet. Ein ehrlicher Text über Körper, Kopf und kleine Schritte.

22.09.2025

The AI hype is annoying — especially when basic features are missing

Every tool gets an AI label, but the CSV export is broken. Why that gets on my nerves — and what software vendors should learn from it.

22.08.2025

White toaster bread, Galetta and still a six-pack: a small fitness biography

I used to eat a whole loaf of white toaster bread after training — and still had a six-pack. An honest look back at sport, food and getting older.

22.07.2025

Software can do anything — but should it be allowed to do anything?

I write code almost every day. An honest reflection on where technical feasibility stops and responsibility starts.

22.07.2025

What drives me: durable solutions, not quick money

Since founding my company, quality has mattered to me more than quick deals. Why that still shapes my decisions today.

22.07.2025

PMO is dead — development teams don't need control from outside

Why classic PMO no longer works in modern development teams — and what helps instead. A clear, provocative take.

10.04.2025

Is OpenShift more secure than Kubernetes? An honest look at SCC, SELinux and PSP

OpenShift is widely considered more secure than Kubernetes. I look at Security Context Constraints, SELinux and the reality of operations — with a clear take.

08.04.2025

When did technology last actually make your life easier?

Good technology works for people, not the other way round. A calm reflection on what tools really need to deliver — and what they don't.

01.01.2025

New year's resolution 2025: do more, experience more

[Translate to English:] Ich habe mir doch noch einen Vorsatz für 2025 gefasst: Mehr unternehmen, mehr erleben. Raus aus dem Alltagstrott, rein ins Leben.

31.12.2024

The last morning — a new year's eve reflection

[Translate to English:] Heute beginnen viele den Tag langsam. Morgen vielleicht mit Kater und großen Plänen. Warum die Veränderung nicht am 1. Januar wartet – ein ruhiger Silvester-Text.

02.11.2024[Translate to English:] DevOps

AWS CloudFront and S3: setting Content-Security headers

[Translate to English:] Wie man Content-Security-Header korrekt über AWS CloudFront und S3 konfiguriert, um die Sicherheit seiner Webanwendungen zu erhöhen.

01.11.2024[Translate to English:] DevOps

AWS Route 53: SVCB, TLSA and SSHFP DNS records

[Translate to English:] Ein Überblick über die neuen DNS-Record-Typen SVCB, TLSA und SSHFP in AWS Route 53 und wie man sie sinnvoll einsetzt.

26.10.2024[Translate to English:] Web-Entwicklung

Part 1: From TYPO3 container hosting to a hardened TYPO3 cluster

[Translate to English:] Der Weg von einem einfachen Container-Hosting zu einem hochverfügbaren TYPO3-Cluster – Herausforderungen, Architektur und Sicherheitskonzepte.

Projects

OnlyOle

Exclusive DevSecOps consulting. 1:1 sessions, maximum five customers per month. Discreet, no references.

Remote · 23+ years

Moselwal Digital Agency

Web development, DevOps, and digital solutions. My agency.

Agency · moselwal.com

Podcasts

Tech talks, interviews, and conversations about development and entrepreneurship.

Audio interviews

About Me

23+ years of experience in web development, DevOps, and security. Owner and founder of Moselwal Digitalagentur and OnlyOle — exclusive DevSecOps consulting for teams that want to make the right decisions before they get expensive.

I live in Düsseldorf, am a father of two, and work with web technologies, cloud infrastructure, security, and open source. On the side, I tend a vineyard on the Moselle river.

One of my children lives with a rare condition — here I also occasionally write about everyday life as a caregiving parent, alongside topics like AWS, TYPO3, container hosting, and DevSecOps.

DevSecOpsWeb-EntwicklungAWSTYPO3SecurityOpen SourceWeinbauPflege & Familie