Brief items
Security
Rspamd version 4.0.0 released
Version 4.0.0 of the Rspamd spam-filtering system has been released. Notable new features include HTML fuzzy phishing detection, support for up to eight flags with fuzzy hashes, and more. See the changelog for more on improvements, breaking changes, and bug fixes.
The telnyx packages on PyPI have been compromised
The SafeDep blog reports that compromised versions of the telnyx package have been found in the PyPI repository:
Two versions of telnyx (4.87.1 and 4.87.2) published to PyPI on March 27, 2026 contain malicious code injected into telnyx/_client.py. The telnyx package averages over 1 million downloads per month (~30,000/day), making this a high-impact supply chain compromise. The payload downloads a second-stage binary hidden inside WAV audio files from a remote server, then either drops a persistent executable on Windows or harvests credentials on Linux/macOS.
Vulnerability Research Is Cooked (sockpuppet.org)
There is a blog post on sockpuppet.org arguing that we are not prepared for the upcoming flood of high-quality, LLM-generated vulnerability reports and exploits.
Now consider the poor open source developers who, for the last 18 months, have complained about a torrent of slop vulnerability reports. I'd had mixed sympathies, but the complaints were at least empirically correct. That could change real fast. The new models find real stuff. Forget the slop; will projects be able to keep up with a steady feed of verified, reproducible, reliably-exploitable sev:hi vulnerabilities? That's what's coming down the pipe.
Everything is up in the air. The industry is sold on memory-safe software, but the shift is slow going. We've bought time with sandboxing and attack surface restriction. How well will these countermeasures hold up? A 4 layer system of sandboxes, kernels, hypervisors, and IPC schemes are, to an agent, an iterated version of the same problem. Agents will generate full-chain exploits, and they will do so soon.
Meanwhile, no defense looks flimsier now than closed source code. Reversing was already mostly a speed-bump even for entry-level teams, who lift binaries into IR or decompile them all the way back to source. Agents can do this too, but they can also reason directly from assembly. If you want a problem better suited to LLMs than bug hunting, program translation is a good place to start.
Kernel development
Kernel release status
The current development kernel is 7.0-rc6, released on March 29. Linus said:
Anyway, exactly because it's just "more than usual" rather than feeling *worse* than usual, I don't currently feel this merits extending the release, and I still hope that next weekend will be the last rc. But it's just a bit unnerving how this release doesn't want to calm down, so no promises.
This development cycle has brought in 13,648 non-merge commits from a record-setting 2,247 developers, 436 of whom are first-time kernel contributors. The release history looks like:
RC        Date        Commits
v7.0-rc1  2026-02-22  12468
v7.0-rc2  2026-03-01  434
v7.0-rc3  2026-03-08  537
v7.0-rc4  2026-03-15  544
v7.0-rc5  2026-03-22  391
v7.0-rc6  2026-03-29  517
See the (subscriber-only) KSDB 7.0 page for lots more information.
Stable updates: 6.12.79 was released on March 27 with a single fix for a LoongArch build regression.
The 6.19.11, 6.18.21, 6.12.80, and 6.6.131 updates are in the review process; they are due on April 2.
Quotes of the week
I prefer someone trying to use their own words to compose a change log and actually learn something on the way over some AI slop that reads nicer any day. Often, when you write a changelog you actually realize which corner cases you might be missing, that the design might be overly complicated, that, maybe, the reasoning or motivation is bad etc. It takes time but you actually learn something and are forced to think (crazy, right?).
The same is particularly true when it comes to writing documentation.
— David Hildenbrand
Note: setting a birth date that makes the caller appear older than 150 years is rejected with EINVAL, as the kernel does not support vampires or other immortal entities at this time. Patches to add undead process support are welcome but will require a separate Kconfig option.
— Christian Brauner
Distributions
The forge is our new home (Fedora Community Blog)
Tomáš Hrčka has announced that the Forgejo-based Fedora Forge is now a fully operational collaborative-development platform; it is ready for use by the larger Fedora community, which means the homegrown Pagure platform's days are numbered:
While pagure.io has been a vital part of our community for many years, the time has come to retire our homegrown forge and transition to this powerful new tool.
The final cutover is planned for Flock to Fedora 2026. We strongly encourage teams to migrate their projects well before the conference to ensure a smooth transition. The pagure.io migration is only the first step in a broader infrastructure modernization effort. By the 2027 Fedora 46 release, we plan to retire all remaining Pagure instances across the project, including the package source repositories on src.fedoraproject.org. Getting familiar with Fedora Forge now will help ensure your team is ready as the rest of the Fedora ecosystem transitions.
There is a migration guide for Fedora community members that own projects hosted on Pagure and need to move to the new forge.
SystemRescue 13.00 released
SystemRescue 13.00 has been released. The SystemRescue distribution is a live boot system-rescue toolkit, based on Arch Linux, for repairing systems in the event of a crash. This release includes the 6.18.20 LTS kernel, updates bcachefs tools and kernel module to 1.37.3, and many upgraded packages. See the step-by-step guide for instructions on performing common operations such as recovering files, creating disk clones, and resetting lost passwords.
Distributions quote of the week
The reason we advise against deleting and recreating tags is simply that we think the existence of multiple different signed tags of the same name, referring to different contents, is confusing and wrong, for both computers and humans.
It's all very well deleting and replacing the tag on Salsa, but anyone who fetches in between will get the old tag. After that, their git won't usually update it to the new one. So some unknown set of users and co-developers (which I guess you are hoping is empty) has wrong information about what your upload was. Wrong information with your PGP signature on it!
IMO such a mess is not worth it, just to make things *look* neat.
But if you want to do things that way we're not stopping you. You and your collaborators and users get to keep all of the pieces.
— Ian Jackson
Development
Servo 0.0.6 released
Version 0.0.6 of the Rust-based Servo web browser rendering engine has been released. This release boasts a long list of new features, performance enhancements, improvements, and bug fixes. Some of the notable changes include layout performance improvements, a servo:config page for setting any preference, and developer tools enhancements.
Development quote of the week
"By Wednesday morning, Anthropic representatives had used a copyright takedown request to force the removal of more than 8,000 copies and adaptations of the raw Claude Code instructions—known as source code—that developers had shared on programming platform GitHub."
Because if there's one thing GenAI companies absolutely don't take lightly, it's copyright.
— Jens Ohlig commenting on a quote from a Wall Street Journal article.
Miscellaneous
Turbulence at The Document Foundation
Michael Meeks has posted an angry missive about changes at The Document Foundation. What has really happened is not entirely clear, but it seems to involve, at a minimum, the forced removal of all Collabora staff from the foundation. There has been a set of "thank you" notes to the people involved posted in the foundation's forums. The Document Foundation's decision to restart LibreOffice Online almost certainly plays into this as well.
Details are fuzzy at best; we will be working at providing a clearer picture, but that will take some time.
Page editor: Daroc Alden
