Brief items
Security
Firefox: The zero-days are numbered
This Firefox blog post reports that the Firefox 150 release includes fixes for 271 vulnerabilities found by the Claude Mythos preview.
Elite security researchers find bugs that fuzzers can't largely by reasoning through the source code. This is effective, but time-consuming and bottlenecked on scarce human expertise. Computers were completely incapable of doing this a few months ago, and now they excel at it. We have many years of experience picking apart the work of the world's best security researchers, and Mythos Preview is every bit as capable. So far we've found no category or complexity of vulnerability that humans can find that this model can't.
This can feel terrifying in the immediate term, but it's ultimately great news for defenders. A gap between machine-discoverable and human-discoverable bugs favors the attacker, who can concentrate many months of costly human effort to find a single bug. Closing this gap erodes the attacker's long-term advantage by making all discoveries cheap.
Security quote of the week
An Anthropic researcher used Claude to find Apache ActiveMQ flaw CVE-2026-34197. Maintainers shipped the fix in seven days. CISA added the CVE to its federal exploited-vulnerability list. The same week, Cal.com closed source citing AI scanners as the reason. I have run defender-side tooling rollouts for 20 years. Every wave gets framed as attacker-only for six months first. One team shipped the patch. The other shipped the excuse.
— Can Artuc
Kernel development
Kernel release status
The 7.1 merge window remains open; it can be expected to close on April 26.
Stable updates: 6.19.13, 6.18.23, 6.12.82, 6.6.135, 6.1.169, 5.15.203, and 5.10.253 were released on April 18. The 7.0.1, 6.19.14, 6.18.24, and 6.12.83 updates were released on April 22.
Kernel code removals driven by LLM-created security reports
There are a number of ongoing efforts to remove kernel code, mostly from the networking subsystem, as an alternative to dealing with the increase in security-bug reports from large language models. The proposed removals include ISA and PCMCIA Ethernet drivers, a pair of PCI drivers, the ax25 and amateur radio subsystem, the ATM protocols and drivers, and the ISDN subsystem.
Remove the amateur radio (AX.25, NET/ROM, ROSE) protocol implementation and all associated hamradio device drivers from the kernel tree. This set of protocols has long been a huge bug/syzbot magnet, and since nobody stepped up to help us deal with the influx of the AI-generated bug reports we need to move it out of tree to protect our sanity.
Quotes of the week
We've always had to contend with people putting up outdated or just wrong information on web pages, and there's little we can do about it. Witness all the outdated information about [transparent huge pages] that's based on code that's been deleted for over a decade.
But now we've got AI trained on all this wrong/out of date information, and, er, "enthusiasts" who are trying to change the correct information in the kernel to match what the deluded AI "thinks" should be true.
Let that sink in.
— Matthew Wilcox
Free software people: A major goal of free software is for individuals to be able to cause software to behave in the way they want it to
LLMs: (enable that)
Free software people: Oh no not like that
— Matthew Garrett
I wish to start unwinding my MM involvement. Because I'd like to be able to retire one day. And because things feel excessively concentrated - I'm doing too much stuff, others have valuable views. I'm healthy (enough), plenty motivated and my mind is still sharp (shaddup) but bad things happen to 67 year olds and they can happen swiftly.
I want this transition to be gradual, orderly and incremental - no sudden changes.
— Andrew Morton
Distributions
Arch Linux now has a reproducible container image
Robin Candau has announced the availability of a bit-for-bit reproducible container image for Arch Linux:
The bit-for-bit reproducibility of the image is confirmed by digest equality across builds (podman inspect --format '{{.Digest}}' <image>) and by running diffoci to compare builds. We provide documentation on how to reproduce this Docker image (as we did for the WSL image as well).
Building the base rootFS for the Docker image in a deterministic way was the main challenge, but it reuses the same process as for our WSL image (as both share the same rootFS build system).
[...] This represents another meaningful achievement in our "reproducible builds" efforts and we're already looking forward to the next step!
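The digest-equality check described in the announcement, as an added example that is not Arch Linux's own tooling: a POSIX shell script that builds the same context twice without cache, compares the two digests reported by podman inspect, and falls back to diffoci on a mismatch. It assumes podman is installed and that diffoci accepts podman:// image references.

```shell
#!/bin/sh
# Added example, not Arch Linux's own scripts: build an image twice from the
# same build context and check that the two digests are identical, as the
# announcement does with `podman inspect --format '{{.Digest}}'`.
# Assumes podman is installed; diffoci is optional and used only on mismatch.
set -eu

# digests_match A B: succeed only if both are well-formed sha256 digests
# ("sha256:" prefix plus 64 hex digits) and identical.
digests_match() {
  for d in "$1" "$2"; do
    printf '%s\n' "$d" | grep -Eq '^sha256:[0-9a-f]{64}$' || return 1
  done
  [ "$1" = "$2" ]
}

# image_digest IMAGE: the digest podman computed for a local image.
image_digest() {
  podman inspect --format '{{.Digest}}' "$1"
}

# check_reproducible CONTEXT_DIR NAME: two uncached builds, then compare.
check_reproducible() {
  ctx=$1; name=$2
  podman build --no-cache -t "$name:build1" "$ctx"
  podman build --no-cache -t "$name:build2" "$ctx"
  d1=$(image_digest "$name:build1")
  d2=$(image_digest "$name:build2")
  if digests_match "$d1" "$d2"; then
    echo "reproducible: $d1"
    return 0
  fi
  echo "NOT reproducible: $d1 vs $d2" >&2
  # diffoci (assumed installed, podman:// refs assumed) reports what differs.
  if command -v diffoci >/dev/null 2>&1; then
    diffoci diff "podman://$name:build1" "podman://$name:build2" || true
  fi
  return 1
}

# Only run the builds when invoked with arguments: sh check.sh ./ctx myimage
[ $# -eq 0 ] || check_reproducible "$@"
```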
Debian Project Leader Election 2026 results
Debian Project secretary Kurt Roeckx has announced the Debian Project Leader (DPL) election results: the winner of the election is Sruthi Chandran. She will replace two-term DPL Andreas Tille.
Fedora Verified: a proposal to recognize Fedora contributor status
The Fedora Project has been wrestling with the question of who should be able to vote in Fedora elections recently, with project membership being a major topic at the Fedora Council face-to-face held in early February. Now the project is considering a new contributor status, "Fedora Verified", and is looking to get input on the idea from the community.
What are the proposed benefits? The primary motivation behind "Fedora Verified" is to build trust-based recognition that grants elevated, privileged rights within the project. Most notably, this status would determine eligibility for strategic governance activities, such as:
- Voting in Fedora community elections.
- Running for leadership or decision-making roles within the project (i.e., Fedora Council, FESCo, Mindshare Committee, EPEL Steering Committee).
- (Potential, unplanned) Accessing specific shared project resources or educational opportunities (e.g., Red Hat training credits).
The blog post includes a list of proposed baseline metrics for "Verified" status as well as open questions to be decided. A survey on the topic will be open until May 5.
Distributions quote of the week
Personally, as a Debian Developer I feel awkward when seeing people relate what we do in Debian to any kind of anarchy. To me, it means that you know only little of the Debian project and its community. A project like Debian would not have been able to exist based on anarchy for so many years. It is rather based on personal initiatives, a great portion of do-ocracy and well-elected leadership and task delegations to people wisely picked from our community.
— Mike Gabriel
Development
Firefox 150 released
Version 150 of the Firefox web browser has been released. Notable changes include local-network-access restrictions being turned on for all users, the ability to reorder, copy, delete, paste, and export pages from a PDF using Firefox's built-in viewer, as well as improvements in its split view feature, and more. See also the release notes for developers and list of security fixes in this release.
(Update: Mozilla seems to have removed the local-network-access restrictions information since the release was published yesterday.)
Forgejo 15.0 released
Version 15.0 of the Forgejo code-collaboration platform has been released. Changes include repository-specific access tokens, a number of improvements to Forgejo Actions, user-interface enhancements, and more. Forgejo 15.0 is considered a long-term-support (LTS) release, and will be supported through July 15, 2027. The previous LTS, version 11.0, will reach end of life on July 16, 2026. See the announcement and release notes for a full list of changes.
Git 2.54.0 released
Git maintainer Junio Hamano has announced Git 2.54.0, which includes contributions from 137 people; 66 of those people are first-time contributors to the project. Changes include the addition of Git history rewriting, Git's web interface (gitweb) "has been taught to be mobile friendly", and much more. See the announcement for all improvements, additions, and bug fixes. Hamano is now taking a short break:
I will go offline for a couple of weeks starting this evening, hopefully after updating 'next' and possibly also pushing out the first batch of the new cycle. There is no designated interim maintainer this time, but I trust that the community can self organize during my absence, if the shape of the release and the tree turns out to be super bad ;-).
See this GitHub blog entry for highlights from this release.
KDE Gear 26.04 released
Version 26.04 of the KDE Gear collection of applications has been released. Notable changes include improvements in the Merkuro Calendar schedule view and event editor, support for threads in the NeoChat Matrix chat client, as well as the ability to add keyboard shortcuts in the Dolphin file manager "to nearly any option in any menu, plugin or extension". See the changelog for a full list of updates, enhancements, and bug fixes.
LilyPond 2.26.0 released
Version 2.26.0 of the LilyPond music-engraving program has been released. Major changes include the ability to use the Cairo library to generate output and improvements in spacing between clefs and time signatures. See the release notes for a full list of miscellaneous improvements as well as what's new with musical and specialist notation.
Rust 1.95.0 released
Version 1.95.0 of the Rust language has been released. Changes include the addition of a cfg_select! macro, the capability to use if let guards to allow conditionals based on pattern matching, and many newly stabilized APIs. See the release notes for a full list of changes.
Development quote of the week
I really appreciate that you're enjoying the software I'm maintaining and want to help. But we need to rethink this collaboration, because I feel like we're increasingly wasting each other's time.
Since I don't really know you, I always have to assume that you might be trying to sneak in something malicious along with your changes, which makes reviewing and merging them riskier than implementing them myself.
On top of that, there are a lot of personal and subjective aspects to code. You might have certain preferences about formatting, style, structure, dependencies, and approach, and I have mine.
Then we often need to synchronize with respect to review, CI runs, merge conflicts, etc.
And then there's this common back-and-forth round-trip between the contributor and maintainer, which is just delaying things.
Even before LLMs, writing the code was not the main bottleneck for me. But writing code did take time, so a solid, working, easy-to-review PR was often worth the small extra risk and inconvenience.
With LLMs becoming quite good at implementing things, that tradeoff is almost never true anymore.
— Dawid Ciężarkiewicz
Page editor: Daroc Alden