Open Source & Linux Weekly - W12_2026
Your weekly dose of open source and Linux news, gems, and stories.

What I Wrote this Week
27 Years, 50 Releases, 1 Breakup: How GNOME 50 Just Changed the Way Your Desktop Works
GNOME and X11 were together for 27 years and 50 releases. GNOME 50 Tokyo ended the relationship. Ubuntu and Fedora ship it next month. Here is who gets hurt.
$10 Trillion in Market Cap. $12.5 Million for Open Source. I Pulled Their Receipts.
Seven companies worth $10 trillion wrote a $12.5M check for open source. I pulled every receipt. The last one involves five million stolen books.
4 Billion Devices Run His Code. He Said He Was Drowning. A Spy Was Already Inside.
One spy. 849 days of fake patches. A burned-out maintainer who just wanted help. A backdoor almost opened every Linux server on Earth.
Linux
Linux 7.0-rc4 Drops With a Suspiciously Large Patch Count, and Torvalds Knows Why
Following last week’s rc3, Linux 7.0-rc4 landed on March 15, and Linus Torvalds himself called it “bigger than usual.” A late networking subsystem pull inflated the commit count, but Torvalds suspects the real driver is psychology: developers get excited about a shiny new major version number and submit more patches. Despite the volume, the actual diffs are mostly small and spread out.
The kernel remains on track for a mid-April final release, likely April 12 if the cycle ends at rc7. Key fixes include Rust binder ownership checks, AppArmor security patches, and Spectre-v1 fixes for RISC-V KVM.
systemd 260 Finally Kills SysV Init Support After Years of Warnings
It happened. systemd 260, released March 17, rips out SysV init script compatibility entirely. The systemd-sysv-generator, systemd-sysv-install, and rc-local.service are all gone.
If your service still runs on a SysV init script, it now needs a native systemd unit file or it simply will not start.
The minimum kernel requirement also jumped to 5.10, with glibc 2.34 and OpenSSL 3.0 as new baselines. There is also a new mstack tool for managing OverlayFS configurations and documentation specifically addressing AI agent interaction. The Register compared the effort to King Canute ordering the tide not to rise, given AI’s documented history of ignoring such directives.
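One way to find what the SysV removal described above would stop starting, before upgrading to systemd 260. This is an added example, not code from systemd or from this newsletter; the function names, the skip list, and the handling of Debian-style `.sh` suffixes are assumptions of the example.

```shell
#!/bin/sh
# Added example: list SysV init scripts that have no native systemd unit,
# i.e. services that only start today through the SysV compatibility layer.

# System unit search directories, relative to the audited root.
UNIT_DIRS="etc/systemd/system run/systemd/system usr/local/lib/systemd/system usr/lib/systemd/system lib/systemd/system"

# has_native_unit ROOT NAME -> exit 0 if NAME.service exists in a unit directory.
has_native_unit() {
    for d in $UNIT_DIRS; do
        # -L also catches a masked unit whose symlink target is missing in ROOT.
        if [ -e "$1/$d/$2.service" ] || [ -L "$1/$d/$2.service" ]; then
            return 0
        fi
    done
    return 1
}

# audit_sysv [ROOT] -> prints one name per line for every executable init
# script without a native unit. ROOT defaults to /, so a mounted image or an
# unpacked container filesystem can be audited as well.
audit_sysv() {
    root="${1:-}"
    root="${root%/}"
    for script in "$root"/etc/init.d/*; do
        [ -f "$script" ] && [ -x "$script" ] || continue
        name=$(basename "$script")
        name="${name%.sh}"   # assumption: foo.sh is matched against foo.service
        case "$name" in
            # assumption: packaging leftovers and templates, not real services
            README|skeleton|*.dpkg-*|*~) continue ;;
        esac
        has_native_unit "$root" "$name" || printf '%s\n' "$name"
    done
    # rc-local.service is removed too, so an executable rc.local stops running.
    if [ -x "$root/etc/rc.local" ]; then
        printf '%s\n' "rc.local"
    fi
}
```

Source the file and run `audit_sysv /` on a host, or pass the path of a mounted image. Every name printed needs a hand-written unit file before the upgrade.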
Debian 13.4 “Trixie” Lands With 111 Bug Fixes and 67 Security Updates
The fourth maintenance release for Debian 13 “Trixie” shipped on March 14, packing 111 bug fixes and 67 security patches. This is a standard point release (not a new Debian version), but it matters for anyone deploying fresh Debian installs because the updated ISOs save you from downloading hundreds of megabytes of updates immediately after installation. If you are already running Trixie, a simple apt upgrade gets you there.
Canonical Brings NVIDIA DOCA-OFED Into Ubuntu’s Archives, Ending Driver Install Pain
Announced at GTC 2026, Canonical will integrate NVIDIA’s DOCA-OFED networking stack directly into Ubuntu’s package repositories. For anyone running HPC clusters or AI training infrastructure, this is a big deal.
DOCA-OFED enables RDMA, GPUDirect, and ultra-low latency networking on NVIDIA BlueField DPUs and SuperNICs, and until now installing it meant fighting kernel drift, driver incompatibility, and CI breakage after every kernel upgrade. The new approach promises single-command installation and automatic updates through Ubuntu’s standard package management.
glibc Gets a 35% Faster cosh() on Modern x86-64 via FMA Optimization
Adhemerval Zanella of Linaro landed an FMA-optimized hyperbolic cosine function in glibc for the x86-64-v3 micro-architecture level. The result: roughly 35% faster cosh() on modern Intel and AMD processors that support fused multiply-add instructions.
This kind of low-level math library optimization is invisible to most developers but directly impacts scientific computing, machine learning preprocessing, and any code path that touches hyperbolic functions. These are the patches that make the entire stack faster without anyone changing a line of application code.
Multiple Ubuntu Kernel Security Advisories: io_uring and File System Vulnerabilities Patched
Canonical published multiple security advisories in March covering both newer Ubuntu editions and older LTS releases. USN-8094 through USN-8096 addressed io_uring vulnerabilities, while USN-8112-1 and USN-8112-2 patched flaws across BTRFS, HFS+, network drivers, and other subsystems.
If you are running Ubuntu in production, check all recent advisories and update your kernels. The io_uring attack surface has been a recurring concern since its introduction, and every patch cycle seems to bring new fixes for it.
Brazil’s New Digital Law Triggers Linux Distro Access Restrictions
Brazil’s Federal Law No. 15.211/2025 (the “ECA Digital”) took effect on March 17, requiring age verification for software distributed electronically. Several projects, including Arch 32, Bazzite, and MidnightBSD (a FreeBSD derivative), have responded by blocking access from Brazilian IP addresses entirely. The law bans self-declaration as a verification method and imposes fines up to R$50 million per infraction.
The scope is vague enough that hosting downloadable Linux ISOs could theoretically be considered a regulated digital service. Brazil’s own Internet Bill of Rights favors “preferential adoption of open and free technologies,” which makes this conflict particularly absurd.
SparkyLinux 2026.03 Ships Linux 6.19.6, Offers Optional 7.0-rc Kernels
SparkyLinux 2026.03 “Tiamat” dropped with Linux 6.19.6 as the default kernel, based on Debian testing “Forky.” For the adventurous, 7.0-rc3, 6.19.8, 6.18.18-LTS, and 6.12.77-LTS are all available in Sparky’s repositories.
The release also ships Firefox 140.8.0esr, Thunderbird 140.8.0esr, and GCC 15. Available with KDE Plasma, Xfce, LXQt, MATE, Openbox, or text-mode editions.
CIQ Launches Rocky Linux Self-Service Portal as Enterprise Linux Competition Heats Up
CIQ launched a self-service portal (portal.ciq.com) on March 19, letting organizations access, evaluate, and deploy Rocky Linux and its variants without talking to a sales team first. Meanwhile, Oracle Linux (which first shipped in late 2006) continues investing in OpenELA, the Open Enterprise Linux Association it co-founded with CIQ and SUSE. The enterprise Linux space keeps fragmenting in interesting ways since Red Hat changed its source code policies.
Linux Gems
openSUSE’s New Cockpit Launcher Turns a Multi-Step Headache Into One Click
If you have ever struggled to get Cockpit running on openSUSE (localhost:9090 not responding, systemd service not enabled, firewall blocking the port), this new cockpit-client-launcher package fixes all of that. It provides a desktop entry point with a YaST-inspired icon that automates systemd service activation and firewall configuration on first launch.
Available on both Tumbleweed and Leap. Small quality-of-life improvement, but exactly the kind of polish that makes sysadmins’ lives easier.
openSUSE Tumbleweed Catches Up: Kernel 6.19.3, systemd 259.3, PipeWire 1.6.1
The latest Tumbleweed snapshots landed kernel 6.19.3, systemd 259.3, PipeWire 1.6.1, and KDE Frameworks 6.23.0. The new cockpit-client-launcher mentioned above is part of this batch.
Marknote gained a code editing mode, and Dolphin expanded its S3 support. If you are running Tumbleweed, you probably already have most of this.
Can’s Take: Linux This Week
The systemd 260 release is the biggest Linux story this week. SysV init support has been deprecated for years, but removing it entirely is the kind of clean break that forces the whole stack forward.
If you are still running services that depend on SysV init scripts in 2026, you have had plenty of warning. The reaction will be predictable (outrage from the anti-systemd crowd, shrugs from everyone else), but the practical impact is minimal for anyone who has been keeping their infrastructure current.
The bigger pattern I see is Linux becoming AI infrastructure. Canonical integrating NVIDIA DOCA-OFED into Ubuntu, glibc landing FMA optimizations, kernel 7.0 progressing steadily with Rust binder improvements. Every layer of the stack is being tuned for the workloads that are actually driving hardware purchases right now: AI training and inference.
Linux is not just the operating system that runs AI. It is being reshaped by it.
Brazil’s age verification law creating a de facto Linux distribution ban is a problem. When well-intentioned child safety legislation has the side effect of blocking access to free operating systems, something has gone very wrong in the drafting process.
I expect this to get walked back or clarified, but the chilling effect on smaller distro projects is real. Not every volunteer maintainer has the legal resources to evaluate compliance with foreign regulatory regimes.
Open Source
Tech Giants Pledge $12.5M to OpenSSF to Shield Open Source From AI-Generated Bug Floods
On March 17, the Linux Foundation announced $12.5 million in grants from Anthropic, AWS, GitHub, Google, Google DeepMind, Microsoft, and OpenAI, all channeled through Alpha-Omega and OpenSSF. The stated goal: help open source maintainers cope with the flood of AI-generated vulnerability reports. As automated scanning tools get smarter, they are drowning maintainers with findings they lack the resources to triage.
The irony is thick: the same AI companies whose tools generate the bug reports are now funding the infrastructure to handle them. Still, $12.5M split across the entire open source ecosystem is not exactly generous. It is a start.
OpenAI Acquires Astral (uv, ruff, ty) and the Pattern Becomes Impossible to Ignore
On March 19, OpenAI announced it is buying Astral, the company behind uv (Python dependency management), ruff (linting and formatting), and ty (type checking). These tools have become essential to the Python ecosystem, with millions of users. OpenAI says they will remain open source and integrate with Codex.
Simon Willison flagged something interesting: Astral had hidden Series A and B funding rounds that were never publicly announced. Anthropic bought Bun (the JavaScript runtime) in December 2025. The pattern is clear.
AI labs are acquiring the developer tooling layer, not just building models. If your workflow depends on open source tools backed by VC funding, pay attention to who is buying what.
OpenAI Also Acquires Promptfoo, the AI Security Testing Platform
Two acquisitions in one month. OpenAI announced on March 9 that it is buying Promptfoo, whose open source tools for red-teaming and evaluating LLM security are used by over 25% of Fortune 500 companies. Promptfoo will be integrated into OpenAI Frontier, their agent platform, and will remain MIT-licensed and open source.
OpenAI is methodically building a complete developer platform: Python tooling (Astral), security testing (Promptfoo), and the models themselves. That is a lot of the stack.
Germany Makes Open Source the Default for All Federal IT, Mandates ODF, Bans OOXML
Germany’s new Deutschland-Stack framework, published March 20, mandates ODF and PDF/UA as the only allowed document formats for public administration. Microsoft’s .doc, .ppt, and .xls are explicitly excluded.
This is not a recommendation. It is a mandate covering every level of government from federal bodies down to municipalities, with a “Made in EU first” principle and explicit requirements for open source development.
Florian Effenberger of The Document Foundation called it exactly what it is. Implementation targets 2028. If Germany actually follows through, this would be the most binding government open source mandate any major European country has implemented.
NVIDIA Launches NemoClaw, OpenShell, and Agent Toolkit at GTC as Open Source
NVIDIA released NemoClaw at GTC 2026, an Apache 2.0-licensed reference stack for running OpenClaw AI agents securely. It bundles OpenShell (a governance runtime with sandbox, policy engine, and privacy router) with Nemotron open models, deployable with a single command.
The Agent Toolkit is a three-component software stack for building autonomous AI agents with guardrails. Early preview started March 16. Not production-ready yet, but NVIDIA open-sourcing its agent security stack is a clear tell about where enterprise AI deployment is heading.
NanoClaw Goes From Weekend Project to Docker Partnership in Six Weeks, 22K GitHub Stars
Gavriel Cohen built NanoClaw in a weekend as a container-isolated alternative to OpenClaw after discovering security vulnerabilities. It went viral on Hacker News, got praised by Andrej Karpathy, hit 22,000 GitHub stars and 4,600 forks, and on March 13 secured a partnership with Docker.
The integration marks the first time any claw-based agent platform can deploy inside Docker’s MicroVM sandbox infrastructure with a single command. Six weeks from “I built this over the weekend” to a Docker partnership. Open source still works.
Mistral Releases Small 4: 119B-Parameter MoE Model Under Apache 2.0
Mistral Small 4 dropped March 16 as an open source (Apache 2.0) model with 119 billion total parameters, 128 experts (4 active per token), 256K context window, and multimodal text-image support. It is the first Mistral model to unify instruction following, reasoning, multimodal understanding, and agentic coding into one deployment.
Compared to Small 3: 40% lower latency, 3x higher throughput. Available via Mistral API, Hugging Face, NVIDIA NIM containers, vLLM, and llama.cpp. Open weight models just keep getting better.
Google Summer of Code 2026 Applications Open Through March 31
GSoC enters its 22nd year with 185 mentoring organizations and an expanded focus on AI, security, and machine learning projects. Contributor applications are open until March 31 at 18:00 UTC. Over 22,000 contributors from 123 countries have participated since the program started.
Accepted contributors will be announced April 30. If you have ever wanted to get paid to contribute to open source with real mentorship, this is the most established program that does it.
Open Source Gems
Betterleaks: The Gitleaks Creator Built Its Successor, and It Is Designed for AI Agents
Zach Rice, who created Gitleaks (26 million downloads, 35 million+ Docker pulls), lost full control of his own project. So he built Betterleaks as a drop-in replacement at Aikido Security. It is MIT-licensed, uses byte pair encoding tokenization (“Token Efficiency”) that achieves 98.6% recall versus Gitleaks’ 70.4% on the CredData dataset, and writes validation logic in Common Expression Language.
The killer feature: flag-based output control designed specifically for AI coding agents like Claude Code or Cursor to consume as a subprocess. Secrets scanning, rebuilt from scratch for an AI-native workflow.
Open Source Summit + Embedded Linux Conference NA 2026 Schedule Published
The Linux Foundation published the full schedule for Open Source Summit + Embedded Linux Conference North America 2026, happening May 18-20 in Minneapolis. Sessions cover AI agents, software supply chain security, embedded Linux, and edge computing.
Speakers from AWS, Cloudflare, Google, IBM, Intel, Microsoft, Netflix, OpenAI, and Sony. Co-located events include Linux Security Summit, Observability Summit, and OpenSSF Community Day. Early bird pricing runs through March 24.
Can’s Take: Open Source This Week
The acquisitions are the story. OpenAI buying Astral and Promptfoo in the same month, after Anthropic bought Bun in December.
AI labs are not just consumers of open source. They are becoming owners of the developer tooling layer.
Today it is dependency management and linting. Tomorrow it could be your build system, your CI pipeline, your editor plugins.
The “tools remain open source” promise is reassuring until you remember that control over a project’s roadmap matters as much as its license. When the company that owns your Python toolchain also sells the AI that writes your Python, the incentives get messy.
Germany’s ODF mandate is the kind of policy decision that actually changes things, if followed through. Government procurement is the one force strong enough to break vendor lock-in. Microsoft has survived every open source challenge for decades because enterprises and governments kept buying Office.
If Germany makes ODF stick and the EU follows, that changes how governments interact with open source software for good. The Deutschland-Stack’s “Made in EU first” principle is not just about documents. It is about digital sovereignty, and it has teeth.
The $12.5M OpenSSF funding points to a real tension. AI tools find bugs faster than humans can fix them. Maintainers are already overwhelmed, and now they face a firehose of automated vulnerability reports.
The funding is welcome but small relative to the scale of the problem. Open source needs reliable funding, not occasional grants from companies whose products are part of the problem. At least the conversation is happening.
Spotlight
Arnold Robbins - gawk (GNU Awk)
Arnold Robbins has been maintaining gawk, the GNU implementation of awk, since the early 1990s. That is over three decades of maintaining one of Unix’s most fundamental text processing tools. In 2024, USENIX awarded him the Lifetime Achievement Award (“The Flame”) for his work on gawk and for his extensive writing on Unix and Linux topics.
Robbins did not just maintain gawk. He improved it substantially, adding features like the extension API that opened the language to external libraries, and he helped shape the POSIX standard for awk as a member of the POSIX 1003.2 balloting group. He has been working with Unix systems since 1980, and his book “Effective awk Programming” remains one of the definitive references for anyone working with text processing on the command line.
What makes Robbins’ story worth telling is the sheer persistence. In an industry obsessed with the new, he has spent three decades making a tool from the 1970s better, more standards-compliant, and more capable.
Awk does not get the attention that Python or Rust commands. But it is there in every shell script, every log parser, every quick data extraction job.
And Arnold Robbins is the reason the GNU version of it works as well as it does. Quiet, essential work that most people never think about.
If you need me, I will be converting my last SysV init script before systemd notices, checking whether OpenAI has acquired my text editor yet, and explaining to Germany that I have been using ODF since before it was a mandate.
Have a great week! 🐧
You can follow me on Medium, Canartuc.com, X, Bluesky, and Mastodon.

