Brief items
Security
A GitHub Issue Title Compromised 4,000 Developer Machines (grith.ai)
The grith.ai blog reports on an LLM prompt-injection vulnerability that led to 4,000 installations of a compromised version of the Cline utility.
For the next eight hours, every developer who installed or updated Cline got OpenClaw - a separate AI agent with full system access - installed globally on their machine without consent. Approximately 4,000 downloads occurred before the package was pulled.The interesting part is not the payload. It is how the attacker got the npm token in the first place: by injecting a prompt into a GitHub issue title, which an AI triage bot read, interpreted as an instruction, and executed.
Huston: Revisiting time
Geoff Huston looks at the network time protocol, and efforts to secure it, in detail.
NTP operates in the clear, and it is often the case that the servers used by a client are not local. This provides an opportunity for an adversary to disrupt an NTP session, by masquerading as a NTP server, or altering NTP payloads in an effort to disrupt a client's time-of-day clock. Many application-level protocols are time sensitive, including TLS, HTTPS, DNSSEC and NFS. Most Cloud applications rely on a coordinated time to determine the most recent version of a data object. Disrupting time can cause significant chaos in distributed network environments.While it can be relatively straightforward to secure a TCP-based protocol by adding an initial TLS handshake and operating a TLS shim between TCP and the application traffic, it's not so straightforward to use TLS in place of a UDP-based protocol for NTP. TLS can add significant jitter to the packet exchange. Where the privacy of the UDP payload is essential, then DTLS might conceivably be considered, but in the case of NTP the privacy of the timestamps is not essential, but the veracity and authenticity of the server is important.
NTS, a secured version of NTP, is designed to address this requirement relating to the veracity and authenticity of packets passed from a NTS server to an NTS client. The protocol adds a NTS Key Establishment protocol (NTS-KE) in additional to a conventional NTPv4 UDP packet exchange (RFC 8915).
Kernel development
Kernel release status
The current development kernel is 7.0-rc3, released on March 8. Linus said: "So it's still pretty early in the release cycle, and it just feels a bit busier than I'd like. But nothing particularly stands out or looks bad."
This release, as of -rc3, has brought in 12,419 non-merge changes from 2,031 developers, 361 of whom are first-time kernel contributors. The release history looks like:
RC Date Commits v7.0-rc1 2026-02-22 12468 12468 v7.0-rc2 2026-03-01 434 434 v7.0-rc3 2026-03-08 537 537
See the (subscriber only) KSDB 7.0 page for a lot more details.
Stable updates: 6.12.76, 6.6.129, and 6.1.166 were released on March 5. The 6.18.17 update is in the review process; it is due on March 12.
Distributions
Introducing Moonforge: a Yocto-based Linux OS (Igalia Blog)
Igalia has announced the Moonforge Linux distribution, based on OpenEmbedded and Yocto.Moonforge is an operating system framework for Linux devices that simplifies the process of building and maintaining custom operating systems.
It provides a curated collection of Yocto layers and configuration files that help developers generate immutable, maintainable, and easily updatable operating system images.
The goal is to offer the best possible developer experience for teams building embedded Linux products. Moonforge handles the complex aspects of operating system creation, such as system integration, security, updates, and infrastructure, so developers can focus on building and deploying their applications or devices.
OpenWrt 25.12.0 released
Version 25.12.0 of the OpenWrt router distribution is available; this release has been dedicated to the memory of Dave Täht. Changes include a switch to the apk package manager, the integration of the attended sysupgrade method, and support for a long list of new targets.SUSE may be for sale, again
Reuters is reporting that private-equity firm EQT may be looking to sell SUSE:
EQT has hired investment bank Arma Partners to sound out a group of private equity investors for a possible sale of the company, said the sources, who requested anonymity to discuss confidential matters. The deliberations are at an early stage and there is no certainty that EQT will proceed with a transaction, the sources said.
SUSE has traded hands a number of times over the years. Most recently it was acquired by EQT in 2018, was listed on the Frankfurt Stock Exchange in 2021, and then taken private again by EQT in August 2023.
Distributions quotes of the week
The key problem is, how do we decide whether to package something or not? We definitely don't have the capability of inspecting whatever crap upstream may be committing. Of course, that was always a risk, but with LLMs around, things are just crazy. And we definitely can't stick with old versions forever.— Michał GórnyThe other side of this is that I have very little motivation to put my human effort into dealing with random slop people are pushing to production these days, and reporting issues that are going to be met with incomprehensible slop replies.
— Morten LinderudI don't think we can reasonably argue that Linux is not free software, and I don't think we can argue for forking Linux to remove llm generated code.
My take on this is mostly apathy. I don't think we can reasonably challenge the use in the FOSS community. The productivity boost of experienced developers using these is too appealing when we are looking at overburdened FOSS maintainers.
We've already been repeatedly DDoSed by these companies. Spending hundreds of volunteers hours keeping our services running while the companies extract the labour to sell back to the FOSS community, using their standing in the Linux Foundation to further cement their usage in our communities.
Then the FOSS communities use these models without any care of the ethical considerations.
Is this depressing? Yes.
Development
Buildroot 2026.02 released
Peter Korsgaard has announced version 2026.02 of Buildroot, a tool for generating embedded Linux systems through cross-compilation. Notable changes include added support for HPPA, use of the 6.19.x kernel headers by default, better SBOM generation, and more.
Again a very active cycle with more than 1500 changes from 97 unique contributors. I'm once again very happy to see so many "new" people next to the "oldtimers".
See the changelog for full details. Thanks to Julien Olivain for pointing us to the announcement.
digiKam 9.0.0 released
Version
9.0.0 of the digiKam photo-management system has been
released. "This major version introduces groundbreaking
improvements in performance, usability, and workflow efficiency, with
a strong focus on modernizing the user interface, enhancing metadata
management, and expanding support for new camera models and file
formats.
" Some of the changes include a
new survey tool, more advanced search and sorting options, as well
as bulk
editing of geolocation coordinates.
Rust 1.94.0 released
Version 1.94.0 of the Rust language has been released. Changes include array windows (an iterator for slices), some Cargo enhancements, and a number of newly stabilized APIs.Development quote of the week
— Mike Hoye on the relicensing of chardet.For whatever my opinion's worth, I think that at least part of our collective thinking about this question needs to be grounded in the fact that this one developer has been working on this codebase almost entirely alone, without support or funding, for at least twelve years.
And I have to ask you, I am begging you, to think about where we've heard a story like that recently, and maybe about how close we came to the brink.
As gross as I think Claude is, as dubious as I think this relicensing exercise is, I also think that if the end state of open source projects is that devs are left to work alone for years on the keystone projects of this jenga tower we're calling modern infrastructure, and then we collectively jump all over them when they turn to the kind of help that, however reprehensible it might be, actually shows up to help, then this entire FOSS project is just a popularity contest where the losers join a slow, lonely suicide pact.
We have to find a better way to do this.
Page editor: Daroc Alden
Next page:
Announcements>>