Open Source & Linux Weekly - W10_2026
Your weekly dose of open source and Linux news, gems, and stories.

What I Wrote this Week
2 Million People Downloaded Linux. How Many Will Stay?
Zorin OS hit 2 million downloads the day Windows 10 died. 78% from Windows. The installation always works. The first week always works.
Every Video on Earth Runs Through His Code. He Chose Poverty. Google Sent AI Bugs.
Its creator left in 2003. One developer chose minimum income for 11 years to keep it running. Google sent bugs, not money.
California’s Age Verification Law Has No Idea What Linux Is
A volunteer project banned California rather than comply with an age law meant for Apple, Google, Microsoft. Hundreds of Linux distros with $0 budgets face the same choice.
Linux
Linux 7.0-rc3 Brings New Laptop and Handheld Support While Torvalds Keeps the Merge Window Tight
Linux 7.0-rc3 landed this week with new hardware support for ASUS, HP, Dell, and OneXPlayer systems. But the real story is the tone around the release cycle: community discussion on r/linux since rc2 has been focused on whether the merge window feels too large, and Torvalds himself flagged he wasn't super-happy with the size. When kernel maintainers start talking about discipline over features, that tells you more about the health of the project than any single driver addition.
GNOME 50 Release Candidate Ships HDR Screen Sharing, Drops X11 for Good
GNOME 50.rc is out, and the stable release is set for March 18. The headline feature is HDR screen sharing support, but the more important shift is what's missing: X11. GNOME 50 is the first release with no X11 backend at all. If you're still running an X11-dependent workflow, March 18 is your deadline to migrate. The RC also adds HDR "sdr-native" color mode, wp-color-management v2 support, improved Orca screen reader with Say All mode, and arrow-key navigation in Calendar's month view.
Linux From Scratch 13.0 Goes Systemd-Only, Drops SysVinit After Two Decades
Bruce Dubbs released LFS 13.0 on March 5, and it's the first version that ships exclusively with systemd. The SysVinit variant, maintained alongside systemd for years, stops at version 12.4. The release includes 36 updated packages, Linux kernel 6.18.10, and 100 commits since 12.4. This is one of those decisions that sounds routine but signals where the gravity is: when the project literally built to teach you how Linux works decides systemd is the only path worth teaching, the init debate is functionally over.
Arch Linux March 2026 ISO Arrives with Kernel 6.18.13, KDE Plasma 6.6.1, and GNOME 49.4
The 2026.03.01 ISO ships with Linux 6.18.13 LTS, GCC 15.2.1, systemd 259.2, Plasma 6.6.1, GNOME 49.4, Firefox 148, Chromium 145, and LibreOffice 26.2.1. Archinstall 3.0.15 is included for guided installs. For a rolling release, the monthly ISO is just a snapshot, but this one is notable because it shows the full Arch stack already on GCC 15 while most enterprise distros are still sorting out GCC 14 compatibility.
NVIDIA 595 Beta Driver Promises Better Wayland Support with Protocol 1.20
The new NVIDIA 595 beta driver adds Wayland protocol 1.20 support. If you've been through the years of NVIDIA-on-Wayland pain, you know each beta is a test of whether NVIDIA is actually closing the gap or just checking boxes. Protocol 1.20 support matters because compositors are starting to require it, and GNOME 50 dropping X11 means NVIDIA users on Wayland need this to actually work.
Steam Survey Shows Linux Gaming Down 1.15 Points, and the Community Is Overthinking It
February 2026 Steam survey numbers show Linux losing 1.15 percentage points. The Reddit thread predictably turned into a debate about whether Linux gaming is stalling. My take: a single month's movement in storefront telemetry says almost nothing about the actual health of Linux gaming. Proton now makes roughly 90% of Windows games playable on Linux. The real question is whether Linux gaming retains users, not whether a survey bounces month-to-month.
CIQ Launches Enterprise "CIQ Linux Kernel" for AI Hardware
CIQ announced CLK, an enterprise kernel built on upstream kernel.org LTS branches with tuning for AI accelerators. Currently based on Linux 6.12 LT with 6.18 LT in development. The pitch: when your data center gets new GPUs from NVIDIA, AMD, or ARM vendors, CLK aims to support them months before traditional enterprise distros catch up. This is interesting because it openly admits the enterprise kernel model is too slow for AI hardware cycles, and CIQ is betting that customers will pay to close that gap.
AlmaLinux Updates Shim Bootloader, Warns Secure Boot Users on ARM64
AlmaLinux's March newsletter covers shim bootloader version 16.1 for AlmaLinux 9.7 and 10.1, with a specific warning about UEFI signing key changes on ARM64. The same newsletter notes ELevate migration paths are now supported in upstream LEAPP. If you run AlmaLinux on ARM hardware with Secure Boot, read this before your next update. The ELevate news is equally practical: supported upstream LEAPP means migration tooling is no longer a downstream fork that could break at any time.
Canonical Says 2026 Is Ubuntu's Year on RISC-V Desktop and Server
Canonical is pushing Ubuntu on RISC-V hard, citing RVA23 profile support, images for multiple dev boards, and ongoing work with silicon vendors on GPU, IOMMU, and virtualization. The "year of" framing is well-worn territory, but what makes this different is that Canonical is actually shipping board-specific images and working directly with silicon vendors on driver support. That's infrastructure work, not just conference-talk optimism.
Kernel Stable and LTS Trees Updated: 6.19.6, 6.18.16, 6.12.76, 6.6.129
Quick housekeeping: 6.19.6 is current stable (March 4), 6.18.16 and 6.12.76 are the actively maintained long-term kernels, and 6.6.129 is the latest for the 6.6 LTS line. If you're running production systems, check which branch you're on and whether you're current.
Linux Gems
Linux Hotplug Events Explained, from Kernel to udev
Hackaday published a deep dive on how the kernel generates and routes hotplug events through netlink and udev. If you've ever wondered why libusb strongly recommends the udev backend over netlink (hint: race conditions with permissions, firmware uploads, and mode-switching), this article lays it all out. The kind of systems knowledge that separates someone who uses Linux from someone who understands it.
Restricting IP Address Access to Specific Ports with eBPF
Chris Siebenmann at the University of Toronto posted a practical sketch on using eBPF for per-port IP restrictions. The approach builds on systemd's IPAddressAllow/IPAddressDeny controls, which already use eBPF under the hood. If you've been reaching for iptables rules that feel too broad, this is a more straight-to-the-point approach worth studying.
PrismLinux 2026.03.05: Arch-Based Ultralight Distro Gets Gaming and Multilingual Overhaul
PrismLinux, a Ukrainian-built Arch derivative targeting modest hardware, shipped a major release with the Electrobun installer, full NVIDIA LiveCD support, ananicy-cpp for dynamic CPU priority management (great for gaming latency), and complete translations for English, German, Russian, and Dutch. Firefox is now the default browser. At 1.76 GB ISO, it's one of the lightest Arch-based distros with genuine gaming support out of the box.
Oreon 10-2603 Drops Anaconda for Centrio Installer, Switches Default to Btrfs
The Linuxverse March roundup caught Oreon 10-2603 replacing Anaconda with a custom Centrio installer, adding automatic NVIDIA detection with optional driver install, and switching the default filesystem from XFS to Btrfs with rollback support. Another distro betting on Btrfs snapshots as the safety net users actually need.
Armbian 26.02 Ships Linux 6.18 LTS for ARM and RISC-V SBCs
Armbian's new 26.02 release targets ARM and RISC-V single-board computers with Linux 6.18 LTS. If you run SBCs in production (and more people do than will admit it), Armbian is the distribution that actually tests on the hardware you're buying, not just the hardware the kernel team owns.
Can's Take: Linux This Week
This week's Linux story is about two forces pulling in opposite directions: the push toward uniformity and the demand for specialization. GNOME 50 dropping X11, LFS going systemd-only, and kernel stable trees all moving in lockstep point to a platform that's consolidating its fundamentals. The init wars are over. The display server wars are ending. The toolchain is converging around GCC 15 and systemd 259. For the first time in years, there's a default path through the Linux stack that almost everyone agrees on.
But at the same time, the edges are splintering. CIQ's enterprise kernel exists because the standard model is too slow for AI hardware. PrismLinux exists because Arch is too heavy for some machines. Armbian exists because mainline kernels don't support most SBC hardware. Canonical's RISC-V push exists because ARM isn't the only future. The center is solidifying while the edges are growing faster than ever.
The NVIDIA 595 beta and Steam survey numbers are symptoms of this same tension. NVIDIA is moving toward Wayland support, but the community still measures gaming progress by monthly percentages rather than the actual compatibility rate (which is around 90% and climbing). Linux is getting better at being one coherent platform while simultaneously becoming many different things. Both of those trends are healthy, even if they make it harder to tell a simple story.
Open Source
Clinejection: A GitHub Issue Title Compromised 4,000 Developer Machines
Security researcher Adnan Khan disclosed how a prompt injection in a GitHub issue title tricked Cline's AI triage bot into poisoning GitHub Actions caches, stealing npm tokens, and publishing a trojanized cline@2.3.0 that silently installed OpenClaw on about 4,000 developer machines. The attack chain composes well-understood techniques (prompt injection, cache poisoning, credential theft) into something new: a supply chain compromise that starts with nothing more than opening an issue. Cline has released 2.4.0, revoked the compromised token, and moved to OIDC publishing. If you use AI-powered issue triage, this is required reading.
OpenTitan Ships in Production: First Open Source Silicon Root of Trust Goes Live
Google announced that OpenTitan, the open source silicon Root of Trust, is now shipping in production hardware. This is bigger than it sounds. Root-of-Trust components sit at the base of device security, the thing that tells your hardware it can trust the software it's running. Moving that from proprietary black boxes to open source, auditable silicon means the supply chain itself becomes inspectable. Open hardware just moved from "interesting transparency project" to practical infrastructure.
System76 CEO Pushes Back on OS-Level Age Verification Laws
Carl Richell published a direct response to Colorado's SB 26-051 and California's AB 1043, which would require operating systems to report user age brackets to app stores and websites. His argument: the laws are too loosely specified, easy for kids to bypass (install a VM, set age to 18), and ultimately threaten open platforms more than they protect minors. The essay is worth reading because it's rare for a hardware company CEO to publicly challenge legislation, and because these bills represent a pattern where age-verification mandates creep from websites to app stores to operating systems.
Anthropic and OpenAI Race to Give Free AI Tools to Open Source Maintainers
Anthropic is offering six months of free Claude Max ($200/month) to maintainers of projects with 5,000+ GitHub stars or 1M+ monthly npm downloads. OpenAI matched with six months of ChatGPT Pro plus Codex access. This isn't altruism. Both companies want the developers who shape the tools everyone else uses. The interesting question: will maintainers who get hooked on AI-assisted development become dependent on specific vendors, or will this accelerate open source AI alternatives?
Apache Gluten and Polaris Graduate to Top-Level Projects
Apache Gluten accelerates Spark SQL using hardware-optimized execution engines. Apache Polaris provides a REST-based catalog for Apache Iceberg, enabling multi-engine interoperability across Spark, Flink, Trino, Dremio, StarRocks, and Doris. The ASF announced both graduations this week, with Gluten graduating on March 5 and Polaris having graduated in February. Polaris is the one to watch: as Iceberg becomes the default table format, having a vendor-neutral catalog that every query engine can talk to is the missing piece that prevents lock-in.
CEL-expr-python: Google Open Sources the Common Expression Language for Python
Google released a Python implementation of CEL, the Common Expression Language built for simplicity, speed, safety, and portability. The interesting angle is governance: the repository is initially read-only, not open to outside contributions. This is a 2026 pattern worth tracking. Companies open source code first and open community processes later (if ever). The software is useful regardless (CEL is how Kubernetes admission policies work), but "open source" without "open contribution" is a different thing than what most people assume.
Red Hat and OpenSSF Publish EU Cyber Resilience Act Supply Chain Case Study
OpenSSF published a Red Hat case study on adapting build processes, SBOMs, and vulnerability disclosure workflows to the EU Cyber Resilience Act. The practical value is in the details: how to propagate vulnerability and component metadata from upstream community projects into downstream commercial products without breaking either the community's volunteer model or the enterprise's compliance requirements. If the EU CRA affects your supply chain, this is the most concrete guidance published so far.
GPL Upgrades via Section 14 Proxy Delegation Gets Serious Community Attention
A widely discussed article proposes using GPLv3/AGPLv3's Section 14 to designate a "proxy" who can publicly accept future GPL versions on behalf of a project. Instead of the standard "GPL v3 or later" approach (which trusts the FSF unconditionally), a proxy can evaluate each future version before committing. The HackerNews and Lobste.rs threads show real interest from maintainers who want upgrade flexibility without blank-check trust. If you maintain a GPL project, this is a governance mechanism worth understanding.
ECMWF Open-Sources OpenIFS Global Weather Forecasting Model
The European Centre for Medium-Range Weather Forecasts released OpenIFS as true open source on GitHub. Previously available only under restrictive research licenses, OpenIFS is the portable version of the production model ECMWF uses for medium-range weather forecasts. Researchers can now run it on a laptop, modify the code, and cite it in open-access papers without licensing barriers. This is open science done right: removing the bureaucracy so the science can actually be reproduced.
SCALE 23x: North America's Largest Community Open Source Conference Runs This Week
SCALE 23x is running March 5-8 in Pasadena, covering open source, security, DevOps, and cloud-native work. Conferences like SCALE work as demand signals for the ecosystem, and the topic mix this year shows contributor attention clustering around infrastructure, operations, and security rather than licensing debates. If you want to know where practitioner energy is going, look at what conferences are talking about, not what X is arguing about.
Huawei to Open Source A2A-T Agent Communication Software
Huawei is preparing to open source A2A-T, software for standardized communication between AI agents. The agent-to-agent communication space is still early enough that whoever establishes the protocol wins. Google has A2A, and now Huawei is entering with its own standard. Whether this leads to interoperability or fragmentation depends on whether any of these projects actually converge.
"Open Source at a Crossroads": New Paper Analyzes Licensing Monetization Shifts
A new preprint analyzes how monetization pressure is reshaping open source licensing, from copyleft to source-available to "copyleft-minus-cloud" models. The paper models how different license strategies affect contributor incentives and downstream commercial adoption. If you're deciding on a license for a new project, or watching companies like HashiCorp and Redis shift their terms, this paper provides the analytical framework for understanding what's happening and why.
Olmo Hybrid: AI2 Releases Fully Open 7B Hybrid Model Under Apache 2.0
The Allen Institute for AI released Olmo Hybrid, a 7-billion-parameter model that uses gated DeltaNet heads instead of standard attention in 75% of its layers. The result: 2x data efficiency over Olmo 3 and 75% better inference efficiency on long contexts. Fully open under Apache 2.0 with training data, code, and weights. AI2 continues to be the organization that proves "fully open" AI is possible and competitive, not just a talking point.
Open Source Gems
Eclipse Foundation Brings Open Source to Embedded World 2026 with ThreadX and OpenHW RISC-V
Eclipse is bringing ThreadX under its governance plus OpenHW's open RISC-V cores to embedded world 2026, along with its 2025 IoT & Embedded Developer Survey. The pitch is a fully open pipeline from IP blocks and toolchains to RTOS and dev tooling for safety-critical systems. If you work in embedded and haven't looked at the Eclipse stack recently, the combination of open RISC-V silicon, an open RTOS, and open tooling is getting genuinely competitive with proprietary stacks.
Open Source Competition 2026 Adds AI Category for German Public Administration
The German Open Source Business Alliance launched its 2026 competition with a new AI category targeting projects that bring explainable, auditable AI into government stacks. Think decision support and document workflows under OSI-approved licenses with interoperability requirements. Germany keeps quietly building the most serious public-sector open source ecosystem in Europe, and this competition is how they surface the projects that actually get deployed.
"So Open, Yet So Overlooked": FOSS Security Trade-offs Examined
SpicyIP's third installment comparing FOSS and proprietary software on security. The series challenges the "many eyeballs make all bugs shallow" assumption with actual data. Worth reading if you've ever had to argue the security case for open source to a CISO who doesn't buy the conventional wisdom.
OpenChain and Friends 2026 Plans "Unified RISC-V IP Access Platform"
The OpenChain event is planning a unified platform for RISC-V IP access, aimed at European technological sovereignty. The connection between open source compliance tooling (OpenChain) and open hardware sovereignty (RISC-V) is underappreciated. If Europe wants to reduce dependence on ARM and x86 IP, the compliance and licensing infrastructure needs to exist first. OpenChain is building that.
Can's Take: Open Source This Week
The theme this week is maturation, the kind where open source projects have to deal with consequences instead of just possibilities. The Clinejection attack showed that AI-powered development tools create new attack surfaces that didn't exist before. It wasn't a zero-day in the traditional sense. It was a social-engineering attack on an AI bot, chained through existing CI/CD infrastructure. That's a new class of problem, and it's going to get worse as more projects add AI automation to their workflows.
At the same time, the OpenTitan production deployment and the ECMWF open-sourcing of OpenIFS show what happens when open source projects survive long enough to become infrastructure. OpenTitan stopped being interesting for its openness the moment Google put it in shipping hardware. Now it's interesting because a production Root of Trust has passed the bar that proprietary silicon has owned for decades. OpenIFS isn't interesting because ECMWF released code. It's interesting because removing the licensing barriers means the science can actually be reproduced. These are projects that have moved past the novelty phase into the phase where they have to be reliable, auditable, and boring.
The Anthropic/OpenAI race to provide free tools for maintainers follows the same pattern. Maintainers are now recognized as infrastructure, as the people whose decisions shape everyone else's stack. Both companies are treating maintainer attention as a strategic resource, which is both flattering and worrying. When your tools are free, but your switching costs are high, the cost model has just shifted from "pay for software" to "pay with lock-in." The licensing paper on arXiv, the GPL proxy delegation discussion, and the CEL-expr-python "open code but closed contributions" release all circle the same question: what does "open" actually mean when the incentives are this complicated?
Spotlight
Marta Rybczynska - Embedded Security, Eclipse Foundation, Yocto Project
Marta Rybczynska has spent over 20 years in open source, with 15 of those in embedded development. She founded Syslinbit in 2021, an open source consulting company focused on helping organizations use FOSS in production. She sits on the Eclipse Foundation Security Team and is a member of the Yocto Project security team. She writes Linux kernel drivers. She builds SBOM tooling. She trains developers on vulnerability management. She does all of it at the same time.
Her recent work lands directly in the middle of this week's biggest stories. The Eclipse Foundation is heading to Embedded World 2026 to showcase open source stacks for industrial IoT, automotive, and edge AI. Rybczynska is part of the security infrastructure that makes those stacks credible. The Red Hat/OpenSSF case study on adapting to the EU Cyber Resilience Act describes exactly the kind of pipeline changes (mandatory SBOM generation, component risk classification, continuous scanning) that she has been building and teaching at the Eclipse Foundation since 2022. Her security training sessions on vulnerability management and SBOMs, delivered through Eclipse in 2025, are now available as open resources for any developer working in regulated embedded environments.
At FOSDEM 2025, she presented "Vulnerability Management at a Scale for the Yocto Project," tackling how distributions built on Yocto can detect and manage CVEs across massive dependency trees. She also contributed to SBOM generation in Eclipse Oniro and developed yocto-vex-check, a standalone CVE checker that operates on SBOM data. Nobody writes blog posts about CVE checkers that run over SBOM data. But every certified embedded product ships because someone built exactly that.
In a week when the newsletter covers CRA compliance, SBOM governance, open hardware moving into production, and Linux pushing into RISC-V and constrained architectures, Rybczynska's work connects every thread. She is building the security layer that lets open-source embedded systems ship in environments where "move fast and break things" can get people hurt.
Happy International Women's Day.
You can follow me on Medium, Canartuc.com, X, Bluesky, and Mastodon.

