Latest Linux and open source news from around the web

LWN.net

[$] Open-source security is not a solo activity

Over time, many open-source maintainers face the same problem: they lack the time to do all of the work that their project needs, and no one else is stepping up to provide adequate help. Maintainers, though, are often reluctant to throw in the towel. The result is suboptimal all around; the maintainer is stressed out, project quality suffers, and users face security risks that they may not be fully aware of. At the 2026 Open Source Summit North America, Robin Bender Ginn spoke about this problem, when it might be time for maintainers to pass the torch, and the responsibilities of users.

LWN.net

[$] BPF in the agentic era

Alexei Starovoitov gave "less of a presentation, more of a scream of realization" at the BPF track of the 2026 Linux Storage, Filesystem, Memory-Management, and BPF Summit. He shared a set of ideas for how BPF could change to avoid being swept away by the sea-change in programming represented by modern large language models (LLMs) and the coding agents based on them. In a follow-up session, the discussion covered more problems with how coding agents use tools like bpftrace, and the current deluge of patches in need of review in the BPF subsystem.

LWN.net

Tridgell: rsync and outrage

Andrew Tridgell has written a blog post responding to complaints that he has begun using LLM tools in his work maintaining rsync: Like many developers of open source packages I've been hit by a flood of security reports lately in my role as the rsync maintainer. Many of those reports are AI generated (not all though, there are some notable ones with very careful and high quality manual analysis). As this flood started to get more intense I realised I needed to raise the defences on rsync a lot — we needed much more thorough test suites, code coverage analysis, CI testing on a lot more platforms, deliberate and thorough scanning for possible security issues (so I find at least some of them before other people!) and the addition of a whole lot of defence-in-depth hardening techniques. [...] Now to the future, because we're not done yet by a long shot. The security reports keep rolling in. I'm working on a bunch of CVEs right now. Luckily I've been joined by some other very good developer

LWN.net

Security updates for Wednesday

Security updates have been issued by Debian (php-twig), Fedora (hplip, python-wsgidav, roundcubemail, and xorg-x11-server), Oracle (compat-openssl10, httpd:2.4, and kernel), Red Hat (osbuild-composer), SUSE (busybox, cloudflared, cockpit, cups, ffmpeg-4, gnutls, google-osconfig-agent, helm, hplip, kernel, kubelogin, libjxl, libsoup, libunbound8, LibVNCServer-devel, mapserver, nvidia-open-driver-G06-signed, nvidia-open-driver-G07-signed, openssh, python-idna, qemu, rqlite, shadowsocks-v2ray-plugin, ucode-intel, unbound, vim, vorbis-tools, and xorg-x11-server), and Ubuntu (age, dovecot, editorconfig-core, gobgp, libapache-mod-jk, libcommons-lang-java, libcommons-lang3-java, libeconf, linux, linux-aws, linux-aws-6.8, linux-aws-fips, linux-azure, linux-fips, linux-gcp, linux-gcp-6.8, linux-gcp-fips, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-ibm-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-nvidia-tegra, linux-oracle, linux-oracle-6.8, linux-raspi, linux-

LWN.net

[$] Caching for extended attributes

Extended attributes (xattrs) provide a way to attach key/value metadata to inodes—files, directories, and the like—in a filesystem. As with many Linux filesystems, the FUSE filesystem supports xattrs. In a filesystem-track session at the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit, FUSE maintainer Miklos Szeredi led a discussion about caching xattrs in kernel memory; he would like to create some common infrastructure that could be used by FUSE and shared with other filesystems.

LWN.net

[$] Trying to make sense of package-manager metadata

Package managers for operating systems and programming languages have been around for decades. Each package manager, and its accompanying packaging format, has been shaped by the needs of its respective ecosystem, but there is a growing need to make use of package metadata for more than software management: for example, in vulnerability scans, software bills of materials (SBOMs), and more. On May 19, Damián Vicino spoke at the Open Source Summit North America 2026 about his experiences in the past year trying to make sense of the varied metadata provided by more than 20 package managers.

LWN.net

Vim Classic 8.3 released

Version 8.3 of Vim Classic has been released. This is the first release of the Vim fork since the project was announced in March. This release is based on Vim 8.2.0148, with a number of bug fixes and patches conservatively backported from future versions of Vim upstream. We elected to clean up this version of Vim, prepare it for a release, and imagine an alternate history where Vim 8.3 was released without Vim9 script. The result is Vim Classic 8.3. We chose to take this approach in order to reduce the long-term maintenance burden of Vim Classic, acknowledging that our fork lacks the resources and institutional knowledge available to Vim upstream. However, a consequence is that there are some Vim plugins which are not compatible with Vim Classic. We have made a special effort to assess patches from Vim upstream which mitigate some of the many CVEs affecting Vim which were discovered and fixed between versions 8.2 and modern-day Vim, but we can't be sure we've got all of the security pa

LWN.net

Security updates for Tuesday

Security updates have been issued by AlmaLinux (php:8.2 and php:8.3), Debian (gst-plugins-good1.0, symfony, and yelp), Fedora (dovecot, freeipa, hplip, libpng, perl-Catalyst-Plugin-Authentication, postfix, samba, unbound, and vim), Mageia (assimp, libcaca, sdl2_sound, and tar), Slackware (kernel), SUSE (alloy, apache-commons-lang3, apache-commons-text, apache2, bubblewrap, busybox, chromium, cups, docker-stable, ffmpeg-8, google-osconfig-agent, gsasl, ignition, java-26-openjdk, kernel, libsolv-demo, libsoup, libzypp, localsearch, openjpeg2, postgresql-jdbc, putty, python-mistune, python-Pillow, python-python-multipart, python-Twisted, python3-Twisted, re, roundcubemail, vim, wireshark, and xz), and Ubuntu (evolution-data-server, exim4, gsasl, haveged, lcms2, libreoffice, linux-aws, linux-lts-xenial, linux-lowlatency, linux-nvidia-tegra, nginx, nncp, qtdeclarative-opensource-src, sslh, sssd, and xz-utils).

LWN.net

Ombredanne: An AI agent ported our codebase from Python to Rust

Over on the AboutCode blog, lead maintainer Philippe Ombredanne writes about an agentic LLM system porting the ScanCode Toolkit to Rust. In the process, the LLM (or the people behind it) infringed the ScanCode trademark, stripped copyright and license notices, "and started an outreach campaign, without ever engaging the AboutCode community". Ironically, the toolkit is used to scan source code and binaries in order to figure out licensing and copyright information; it also reports on package dependencies, vulnerabilities, and more. This is worth repeating: A comprehensive test suite, decent documentation, and curated datasets is what makes automated porting possible. It is also what makes a codebase easier to replicate without understanding it. The agent's initial approach, using an existing Rust license-detection library, failed to match ScanCode's output quality. The agent then did what any translator would do when a loose paraphrase fails: it copied the original more closely. The fin

LWN.net

[$] Representing the true signatures of kernel functions

Optimizing compilers can, under some circumstances, infer when a parameter to a function is not needed, and remove it. This is all well and good until the kernel's tracing or BPF subsystems need information on how to call the function or where its arguments are stored. Alan Maguire and Yonghong Song spoke at the 2026 Linux Storage, Filesystem, Memory-Management, and BPF Summit about their work on recording information regarding changed function signatures in the kernel's BTF debugging information, to better support tracing such functions.

LWN.net

Seven stable kernels for the first day of June

Greg Kroah-Hartman has announced the release of the 7.0.11, 6.18.34, 6.12.92, 6.6.142, 6.1.175, 5.15.209, and 5.10.258 stable kernels. As usual, each contains important fixes throughout the tree. Users are advised to upgrade.

LWN.net

DistroWatch turns 25

The DistroWatch site is celebrating its 25th anniversary. "All in all, it has been an incredible ride. Many of you who read these pages regularly know that downloading and testing distributions is a highly addictive pastime. I have been an avid distro-hopper for the last 25 years and I don't see myself abandoning this activity for many more years to come." Congratulations to Ladislav Bodnar and all the others who have kept that resource going for so long.

LWN.net

[$] Reconsidering x32 — again

The x32 ABI was meant to be the best of both worlds, providing the expanded registers and instruction set of the x86-64 architecture while preserving the lower memory use of 32-bit systems. The Linux kernel has supported x32 since the 3.4 release in 2012. The initial excitement around x32 did not last, though, and kernel developers are considering removing that support — and not for the first time. Even the most unloved features tend to have a few users, though, making removal hard.

LWN.net

Multiple redhat-cloud-services npm packages compromised (StepSecurity Blog)

StepSecurity is reporting that a number of npm packages in the @redhat-cloud-services scope include malware that runs automatically on every npm install: The payload is a multi-stage credential harvester that sweeps GitHub Actions secrets along with AWS, GCP, Azure, Kubernetes, HashiCorp Vault, npm, and CircleCI tokens, and it is purpose-built to evade detection, including an explicit attempt to bypass StepSecurity Harden-Runner. StepSecurity analyzed @redhat-cloud-services/host-inventory-client@5.0.3 in full. Its index.js, executed at install time, is 4.2 MB, a file that should weigh a few kilobytes, with the real payload buried under three separate layers of obfuscation. The malware is also a self-propagating worm: using stolen npm tokens and npm's bypass_2fa parameter, it republishes backdoored versions of other packages on its own, even against accounts protected by two-factor authentication, so every infected machine can seed the next wave with no attacker involvement. All affecte

LWN.net

Fedora F44 election interviews published

The Fedora Project has published interviews with candidates running for the open seats on the Fedora Council, Fedora Engineering Steering Committee, Fedora Mindshare Committee, and EPEL Steering Committee. Voting is open through Friday, June 12 at 23:59 UTC.