Posts by Can Artuc

An AI found 500 open source vulnerabilities in weeks. One NFS bug hiding since 2003. The Linux Foundation's $12.5M fund isn't for fixing them; it's for helping maintainers cope with the volume. The bottleneck was never finding bugs. It was always having people to fix them. #OpenSource #CyberSecurity

2 days ago

One researcher pointed an AI at the Linux kernel like a metal detector at a beach. Found a bug hiding since 2003. Then 499 more across open source. Linux Foundation put up $12.5M. The AI hasn't even finished its first coffee yet.

#OpenSource #Security

2 days ago
An AI Agent Filed a DMCA Takedown. The Rights Holder Had No Idea.
An unauthorized AI agent filed a DMCA (Digital Millennium Copyright Act) copyright takedown against gallery-dl, and the rights holder never approved it. Linux 7.0-rc7 confirms April 13 stable release.

There is more for today: www.canartuc.com/an-ai-agent-...

3 days ago

An AI agent filed a DMCA takedown on GitHub against gallery-dl, an open source media downloader. The CEO of the rights holder said the notice was sent "without our approval or permission." The project moved to Codeberg. Who is liable when AI files unauthorized copyright claims?

#OpenSource #FOSS

3 days ago
📬 Linux 7.0's PostgreSQL Crisis, OpenClaw's Triple CVE, TigerFS
Linux 7.0-rc7 ships days before stable with PostgreSQL throughput halved on AWS Graviton4 and no fix in sight. OpenClaw collects three critical CVEs in three months. TigerFS mounts PostgreSQL as a fil...

If you are curious about "Elephant in the room": www.canartuc.com/linux-70s-po...

4 days ago

#Linux 7.0 changed how it schedules CPU tasks. #PostgreSQL, a widely deployed open source database, relied on the old behavior. Throughput on AWS ARM servers dropped 49%. No patch before Ubuntu 26.04 LTS ships April 23, locking this into five years of production.

4 days ago
📬 Open Source & Linux Weekly - W142026
European Commission loses 340 GB to supply chain attack, Linux doubles macOS on Steam at 5.33%, PHP ends 26 years of license confusion with a 51-0 BSD vote.

There is more on this week: www.canartuc.com/open-source-...

5 days ago

#Linux is now at 5.33% on Steam, more than double macOS at 2.35% for #Gaming. The 3.10 point monthly gain is the largest in Steam survey history. SteamOS is the driver. One handheld console changed the adoption curve more than years of community effort did. Valve moved the needle.

5 days ago
TeamPCP Trivy Compromise: European Commission AWS Breach Confirmed
CERT-EU confirms EC cloud breach via Trivy scanner. OpenClaw: 250K stars, 135K exposed. Sonatype: 454K malicious packages. 65% of CVEs have no severity score.

For more details: www.canartuc.com/teampcp-triv...

6 days ago

The European Commission ran Trivy (a security scanner that checks software for known flaws) inside its cloud build pipeline. Attackers poisoned Trivy itself. The scanner had credentials to everything. 340 GB stolen, 71 clients exposed, data published by an extortion gang.

#SupplyChain #InfoSec

6 days ago

Two concurrent, unrelated supply chain attacks. TeamPCP: 1,000+ SaaS environments, 500,000 machines. Separately, North Korea's UNC1069 pushed trojanized Axios npm packages (100M+ weekly downloads), live under 3 hours. Multiple actors, multiple registries, same window.

#OpenSource #SupplyChain

1 week ago
North Korea Hit Axios npm While TeamPCP Burned 1,000 Environments
North Korea's UNC1069 hit Axios npm (183M downloads) while TeamPCP compromised 1,000+ SaaS environments and Lapsus$ claimed 4TB from Mercor AI.

For all the details: www.canartuc.com/north-korea-...

1 week ago

You never typed pip install litellm. CrewAI did it for you. On March 24, that silent dependency stole AWS keys, SSH creds, and K8s tokens from every Python process for 5 hours. The fix existed since 2023. 95M monthly downloads. Nobody applied it. #OpenSource #Cybersecurity

1 week ago
95 Million Downloads. Poisoned by Its Own Security Scanner.
You never installed LiteLLM. CrewAI did. For 5 hours on March 24, every Python process on your machine was stealing your AWS keys, SSH credentials, and Kubernetes tokens.

I wrote about the full TeamPCP attack chain, from poisoned Trivy to LiteLLM to credential theft, and what it means for every AI team building with Python: www.canartuc.com/95-million-d...

1 week ago
X11 vs Wayland: The 40-Year Display Server War Explained
Your Linux desktop is built on a lie. Not a malicious one. A comfortable one.

You're right, but these DEs don't work with macOS or Windows. Linux and DEs are tightly coupled. Any distribution can choose the version. Nothing special. Debian has the same selection structure as CachyOS. For more information on how display servers work: canartuc.medium.com/x11-vs-wayla...

1 week ago
Open Source & Linux Weekly - W13_2026
X11 died without a funeral. Canonical bets on post-quantum crypto and Rust. TeamPCP hacks four supply chain targets in ten days. Weekly OSS & Linux roundup.

20+ stories I did not fit into this thread. Including Canonical funding Rust rewrites, NVIDIA killing a 10-year GPU line, and how one email turned a user into the maintainer of a 4M-download project: www.canartuc.com/open-source-...

1 week ago

X11 died this week. No funeral. Ubuntu 26.04, GNOME 50, SteamOS 3.8, CachyOS, and Fedora 44 all shipped Wayland-only within days of each other. Nobody coordinated it. 18 years of 'Wayland isn't ready' just ended. #Linux #OpenSource

1 week ago
4 Billion Devices Run His Code. He Said He Was Drowning. A Spy Was Already Inside.
One spy. 849 days of fake patches. A burned-out maintainer who just wanted help. A backdoor almost opened every Linux server on Earth.

Thank you for asking! Medium: canartuc.medium.com/4-billion-de...

My own web site: www.canartuc.com/4-billion-de...

1 week ago

6/ Three governance fights in one day: Manjaro vs its founder, Mesa still stuck on AI code policy, systemd's age verification field sparking privacy debates. Open source decision-making is under real pressure right now. Which one are you watching closest?

2 weeks ago

5/ Manjaro's governance crisis hit Phase 3. 19 team members including the CTO declared founder Philip Muller uncooperative after he refused to answer questions about asset transfers. Muller warns of legal consequences. The forum thread passed 200 replies. A fork is on the table.

2 weeks ago

4/ Linux 7.0-rc5 dropped March 22. Torvalds says the cycle is calming down after three unusually large release candidates. He blames the new major version number for making devs submit more patches early. Mid-April stable release on track for Ubuntu 26.04 LTS and Fedora 44.

2 weeks ago

3/ Firefox 149 ships today with a free built-in VPN providing 50 GB per month, Split View for side-by-side pages, and granular AI controls users actually asked for. No extra subscription. Available in the US, France, Germany, UK. Mozilla's most aggressive move in years.

2 weeks ago

2/ Google open-sourced the GKE Cluster Autoscaler, a core provisioning component they kept proprietary for years. Microsoft launched AI Runway, a Kubernetes API for inference workloads. Kubernetes is becoming the default control plane for AI. Both vendors forced into openness.

2 weeks ago

1/ Big day in open source. KubeCon Day 2 brings major vendor moves, Firefox 149 ships a free VPN, Linux 7.0-rc5 lands, Manjaro's governance crisis escalates to public disclosure, and Mesa still can't agree on AI code policy. Here is what matters. #OpenSource #Linux

2 weeks ago

OpenAI bought Astral and Promptfoo in one month. Anthropic bought Bun in December. AI labs are not just using open source anymore. They are buying the developer tooling layer. Pay attention to who owns what. More: open.substack.com/pub/canartuc... #OpenSource #Linux

2 weeks ago

GNOME and X11 were together for 27 years and 50 releases. GNOME 50 Tokyo just ended it. No fallback, no toggle, no legacy mode. Ubuntu 26.04 LTS ships next month with no X11 session. Millions of corporate desktops lose X11 with zero option to keep it. #Linux #OpenSource

2 weeks ago

6/ If you work at a company shipping software, you already know this. The question is not whether your employer contributes. It is whether you can get procurement to treat open source like vendor software: maintenance contracts, SLAs, liability. Charity scales poorly. Commercial relationships scale.

3 weeks ago