Open Source & Linux Weekly - W11_2026
Your weekly dose of open source and Linux news, gems, and stories.

What I Wrote this Week
The Maintainer Used AI to Kill His Open Source License. It Took Five Days.
The creator deleted himself from the internet in 2011. AI rewrote his code in five days. He broke his silence to fight back.
Medium Link | Canartuc.com Link
59,000 Packages. 1,400 Developers. Zero AI Policy.
Gentoo tried. NetBSD tried. Debian looked at the 45% false positive rate and walked away.
Medium Link | Canartuc.com Link
VS Code Just Gave AI Full Control of Your Machine. Then Told You Not to Trust It.
VS Code 1.111 shipped a feature so dangerous that Microsoft wrote a warning against it in the same release notes. Then enabled it by default.
Medium Link | Canartuc.com Link
Linux
CrackArmor: Nine Flaws in AppArmor Put 12.6 Million Linux Systems at Risk of Root Takeover
Qualys TRU researcher Saeed Abbasi dropped a bomb this week. Nine confused-deputy vulnerabilities in AppArmor (the mandatory access control module that ships enabled by default on Ubuntu, Debian, and SUSE) allow unprivileged users to manipulate security profiles, bypass user-namespace restrictions, escalate to root, and break container isolation. These flaws have been sitting there since kernel v4.11 in 2017. That is nine years of silent exposure across 12.6 million enterprise instances. Debian patched on March 12; Ubuntu and SUSE are working on their fixes. If you run AppArmor, stop reading and go patch.
Fedora 44 Beta Ships GNOME 50, KDE Plasma 6.6, and Goes All-In on Wayland
Fedora 44 Beta landed on March 10 with a clear message: Wayland is the future, and Fedora is done hedging. GNOME 50 and KDE Plasma 6.6 (with the new Plasma Login Manager replacing SDDM) are the headliners. The Budgie spin switches to Budgie 10.10 with Wayland support. Under the hood, Linux 6.19 powers everything, and Anaconda now only creates network profiles for devices actually configured during installation (fixing a years-old annoyance). Final release targets April 14. Ubuntu 26.04 LTS follows nine days later on April 23.
EndeavourOS Titan Arrives with Linux 6.19 and a Brand-New GPU Driver Tool
EndeavourOS Titan, released March 12, is the latest Arch-based snapshot shipping KDE Plasma 6.6.2, Firefox 148, Mesa 26.0, and Linux 6.19. The big addition is eos-hwtool, a new utility for installing and removing GPU drivers on demand, plus automatic early-loading of GPU drivers by default. Hardware detection now covers all graphics cards and virtual machines. The ISO grew from 3 GB to 3.4 GB because of these features, but the tradeoff is a noticeably smoother installation experience.
SteamOS 3.7.20 Brings the NTSync Driver to All Steam Deck Users
Valve finally shipped the NTSync kernel driver in the stable SteamOS 3.7.20 release on March 9. NTSync has been ready since Linux kernel 6.14 (March 2025), matching Windows NT synchronization primitives for better accuracy and performance in Proton games. This should produce measurable frame-time improvements in games that rely heavily on threading primitives. The update also fixes two security CVEs and resolves installation issues with large game libraries.
Steam Client Update Fixes the Embarrassing "Not Valid on Current Platform" Bug
If you had a large Steam library on Linux, you might have seen Proton games incorrectly flagged as unplayable. Valve's March 9 client update fixes this bug in both online and offline modes. The update also adds optional anonymized framerate data collection and lets users attach hardware specs to game reviews. Small touches, but they show Valve is still actively investing in the Linux gaming experience.
SUSE Reportedly Up for Sale Again at $6 Billion
Private equity firm EQT is exploring selling SUSE for roughly $6 billion, more than double the $2.96 billion valuation when EQT took SUSE private in 2023. SUSE generates about $800 million in annual revenue with $250 million in EBITDA, and counts Walmart, Deutsche Bank, and Intel among its customers. More than 60% of Fortune 500 firms use SUSE technology somewhere. The deal is early-stage, and there is no guarantee it closes, but it signals that enterprise Linux remains a very attractive asset class.
AMD's HDR Color Pipeline Patches for Linux and KDE KWin Were Co-Developed with Claude
AMD engineer Harry Wentland submitted new AMDGPU driver patches adding color-space conversion (CSC) support to the DRM color pipeline API, along with matching KDE KWin compositor integration. The patches carry a "Co-developed by Claude Sonnet 4.5" credit line. Regardless of your feelings about AI-assisted kernel development, the actual feature matters: proper CSC support is one of the missing pieces for HDR on Linux to work as well as it does on Windows.
SUSE Engineer Proposes Making IPv6 Built-In Only, Dropping Module Support
A SUSE engineer proposed patches changing CONFIG_IPV6 from a tristate to a boolean, meaning IPv6 would be either built directly into the kernel or disabled entirely. No more loadable module. The reasoning is straightforward: modern distributions overwhelmingly build IPv6 in, the modular path adds architectural burden and maintenance complexity, and the benefits of modularity here are minimal. The patch set is out for review on the mailing list.
Linux Gems
PipeWire 1.6.1 Squashes Socket Activation and JACK Crash Bugs
PipeWire 1.6.1 shipped on March 8 with targeted fixes for socket-activation failures, JACK application crashes, and encoded-audio playback issues with the pw-cat utility. If you run a pro-audio or streaming setup on Linux that relies on JACK compatibility, this is a stability release worth grabbing immediately. PipeWire's consolidation of Linux audio continues, and these fixes show the project is serious about not breaking workflows during the transition.
KDE Plasma 6.5.6: Final Bugfix for the 6.5 Series Before Plasma 6.6 Takes Over
KDE released Plasma 6.5.6 on March 10 as the last maintenance update for the 6.5 line. The fixes cover KWin compositor stability (Night Light color pipeline, screencast, pointer constraints), KScreen synchronization on Wayland, screen locker improvements, and Spectacle remembering save locations. If you are on Plasma 6.5 and not ready to jump to 6.6, this is the polish pass that makes staying worthwhile.
Can's Take: Linux This Week
The CrackArmor disclosure is the biggest story this week, and it should be. AppArmor is not some obscure module. It is the default security framework on three of the most widely deployed enterprise distributions. Nine vulnerabilities sitting undetected for nine years in a security-critical component says something about the depth of security auditing in Linux kernel subsystems. Qualys found these, not the vendors who ship them.
Fedora 44 and EndeavourOS Titan both commit fully to Wayland, KDE Plasma 6.6, and Linux 6.19. The desktop stack is maturing fast. Fractional scaling, mixed refresh rates, and multi-display layouts now work (not for me, I still have problems with fractional scaling in GNOME). If you haven't tried a Wayland-native setup recently, this is the moment. Meanwhile, the SUSE sale at $6 billion (more than double the 2023 take-private price) confirms that enterprise Linux is not just surviving, it is growing in value even as cloud-native architectures shift workloads around.
And then there is the AMD HDR patch with its "Co-developed by Claude Sonnet 4.5" tag. AI-generated code in kernel patches is no longer hypothetical. It is happening, with credits, in public, from a major hardware vendor. The Linux kernel community will need a real policy on this sooner rather than later.
Open Source
81,000 Open-Source Package Versions Have Unpatchable CVEs, and the Real Number May Be 400,000
A new HeroDevs analysis for the 2026 State of the Software Supply Chain Report says at least 81,000 open-source package versions are both end-of-life (EOL) and vulnerable, with no upstream fix coming. Once poorly tracked ecosystems and undisclosed flaws are included, the true number of unpatchable EOL vulnerabilities may be closer to 400,000. Most scanners miss these because the projects quietly reach EOL without formal announcements. If your dependency scanner only checks CVE counts and patch availability without checking maintenance status, you are flying blind.
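As an added illustration of that last point (example code written for this newsletter, not from the HeroDevs report or any scanner): a small Python triage over a constructed dependency inventory, showing what a CVE-count-only scanner reports next to a maintenance-aware view. Package names, CVE ids, dates and the 540-day staleness threshold are all invented for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Dep:
    """One pinned dependency from a constructed inventory (not real packages or CVEs)."""
    name: str
    cves: list                  # known flaws in this version (placeholder ids)
    fixed_in: Optional[str]     # upstream version carrying the fix, None if none exists
    last_release: date          # most recent upstream release of any version
    eol_declared: bool = False  # upstream formally announced end of life

# Assumption: open flaws plus no release for this many days counts as silent EOL.
STALE_DAYS = 540
TODAY = date(2026, 3, 13)   # constructed reference date for the sample run

def naive_status(dep: Dep) -> str:
    """What a CVE-count-only scanner reports; it never looks at maintenance state."""
    if not dep.cves:
        return "clean"
    return "patch-available" if dep.fixed_in else "unfixed"

def maintenance_aware_status(dep: Dep, today: date) -> str:
    """Same input, but maintenance state decides whether 'unfixed' can ever change."""
    if not dep.cves:
        return "clean"
    if dep.fixed_in:
        return "patch-available"
    if dep.eol_declared:
        return "unpatchable-eol-declared"
    if (today - dep.last_release).days > STALE_DAYS:
        return "unpatchable-silent-eol"
    return "unfixed"  # maintained project, a fix may still land upstream

def compare(inventory, today):
    """Return {name: (naive, aware)} for every dependency the naive view misclassifies."""
    diffs = {}
    for dep in inventory:
        n, a = naive_status(dep), maintenance_aware_status(dep, today)
        if n != a:
            diffs[dep.name] = (n, a)
    return diffs

INVENTORY = [  # constructed sample data
    Dep("alpha-parser", ["EXAMPLE-CVE-1"], "2.4.2", date(2026, 1, 20)),
    Dep("beta-auth", ["EXAMPLE-CVE-2"], None, date(2022, 6, 3)),    # silent EOL
    Dep("gamma-net", ["EXAMPLE-CVE-3"], None, date(2024, 11, 2), eol_declared=True),
    Dep("delta-utils", [], None, date(2021, 1, 1)),                 # stale but clean
    Dep("eps-crypto", ["EXAMPLE-CVE-4"], None, date(2026, 2, 14)),  # active, fix pending
]

def demo():
    """Dependencies where the two views disagree: the ones a naive scanner leaves as 'unfixed'."""
    return compare(INVENTORY, TODAY)
```

Only beta-auth and gamma-net show up in the diff: both look like ordinary "unfixed" findings to a CVE-count scanner, yet no fix will ever ship for either.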
OpenClaw's "Full Computer Access" Triggers a Global Security Debate
OpenClaw, the open-source autonomous AI agent that surpassed Linux and React on the GitHub star leaderboard, runs locally with full system access: it reads files, executes shell commands, and connects to messaging apps. China's response illustrates the policy dilemma perfectly. National ministries warned state agencies and banks not to install it, citing risks of data exfiltration. Yet Shenzhen's Longgang district is actively subsidizing companies building around OpenClaw to capture economic upside. The community has already spawned safer variants (ZeroClaw, NanoClaw), but the core question remains: how do you sandbox an agent designed to have no sandbox? Can's Note: If even China sees a risk of data being collected (data protection and China are not two words that normally go together), be careful with these agents, just saying.
Karpathy Open-Sources "autoresearch" for Large-Scale AI Experiments
Andrej Karpathy released autoresearch on March 6, an open-source tool that lets researchers run hundreds of AI experiments overnight. It automates configuration sweeps and experiment management, which materially lowers the barrier to systematic ML research for smaller labs and individual contributors. This is the kind of open-source release that changes who can do research, not just how it is done.
LLM.co Study: 78% of Enterprises Use AI, but Open-Source LLMs Are Gaining Fast
A new LLM.co industry study finds 78% of companies now use AI somewhere, with generative AI adoption at 71%. Closed-source LLMs still power about 87% of production workloads, but 41% of organizations plan to expand open-source LLM use and another 41% would switch once performance parity is reached. The shift mirrors earlier waves (Linux, databases, Kubernetes) where adoption started as skunk-works and gradually moved into core infrastructure. Open-source AI is no longer an ideology question. It is a procurement decision.
OpenAI Releases GPT-OSS Under Apache 2.0, Its First Truly Open-Source Models
OpenAI released gpt-oss-120b and gpt-oss-20b under the Apache 2.0 license, making them the company's first fully open-source large language models. The Apache 2.0 license means no restrictions on commercial use, derivative works under any license, and a patent grant. The 120B model achieves near-parity with o4-mini on reasoning benchmarks and runs on a single 80 GB GPU. This is OpenAI directly competing with Meta's Llama on open-source turf, and the permissive license choice tells you exactly where the industry thinks open-source AI is heading.
Dify Raises $30M at $180M Valuation for Open-Source AI Workflow Platform
Dify, the open-source platform for building and deploying AI applications, raised $30 million in Series Pre-A funding. The platform runs on over 1.4 million machines worldwide, with 2,000+ teams and 280 enterprises (including Maersk, Novartis, and Anker) building on commercial versions. Led by HSG with participation from GL Ventures, 5Y Capital, and others, the round values Dify at $180 million. The funding will go toward enterprise features, agent capabilities, and community initiatives. This is what open-source business models look like when they work.
Kubernetes Ingress NGINX Reaches End of Life This Month
The Kubernetes community project Ingress NGINX officially reaches end of life in March 2026. No more releases, no bugfixes, no security patches. This matters because 50% of Kubernetes users still rely on it for traffic management. The retirement was announced months ago after years of warnings about the project's need for maintainers. F5's NGINX Ingress Controller (separate project, same name confusion) remains supported. The recommended migration path is either a drop-in replacement like Traefik or a full move to the Gateway API. If you are still running it, your clock just ran out.
The Open Source Endowment Launches with $750K+ to Fund FOSS Like a University
A new 501(c)(3) nonprofit called the Open Source Endowment launched with commitments exceeding $750K and a simple idea: fund open source the way universities fund themselves. Donations are invested, and only the annual returns go out as grants. The principal stays forever. Backers include former GitHub CEO Thomas Dohmke, HashiCorp founder Mitchell Hashimoto, Supabase CEO Paul Copplestone, and the creators of Vue.js and cURL. First grant round is planned for Q2 2026. This is the most structurally sound funding model the open-source world has seen.
Open Source Gems
AlmaLinux Publishes 2026 Goals: More Testing, More Diverse Contributors, More Transparency
AlmaLinux published its 2026 strategic goals on March 10, focusing on increased testing (validating everything before shipping, including SIG output), greater diversity in contributors, expanded documentation language support, and more transparency in decision-making. They are also looking to engage underrepresented communities and figure out where their users actually spend their time. For an enterprise distro that rose from CentOS's ashes, this kind of self-aware roadmap is exactly what keeps a community healthy.
FOSSASIA Summit 2026 Runs in Bangkok as Asia's Largest Open Tech Conference
FOSSASIA Summit 2026 ran March 9-10 in Bangkok as a hybrid conference spanning cloud, hardware, AI, and community building across enterprises, educators, and grassroots groups. If you only follow North American and European events, you are missing where a huge portion of open-source contributor growth is actually happening. Asia-Pacific open-source communities are growing faster than their Western counterparts, and FOSSASIA is where that energy concentrates.
Hancom's OpenDataLoader PDF v2.0 Tops Benchmarks, Switches to Apache 2.0
Korean vendor Hancom reports that OpenDataLoader PDF v2.0 outperforms rival open-source PDF parsers on reading order, table extraction, and heading inference. They also relicensed from MPL 2.0 to Apache 2.0, removing barriers for commercial reuse. The combination of performance claims backed by a public benchmark dataset and a permissive license is a strategic bet on building a downstream community rather than keeping parsing technology proprietary.
GitHub Availability Report: Six Incidents in February 2026
GitHub experienced six incidents in February causing degraded performance across its services. For open-source teams, platform reliability is now part of community health because so much issue tracking, code review, release automation, and social coordination runs through GitHub. When GitHub goes down, open source effectively pauses. This report is worth reading if you depend on GitHub for CI/CD and haven't thought about your bus factor with the platform.
Can's Take: Open Source This Week
This was the week where security debt and AI governance met head-on. The HeroDevs report says that 81,000 open-source package versions are dead and vulnerable, with no fix in sight. These are not zero-days waiting for a patch. These are dead projects with known vulnerabilities and zero chance of an upstream fix. Most dependency scanners do not even flag them because the projects quietly stopped without a formal EOL announcement. Combined with CrackArmor on the Linux side, the message is clear: "open" does not automatically mean "secure," and maintenance status matters as much as vulnerability counts.
OpenClaw's rapid rise and the immediate security backlash show the new tension in open-source AI. An agent with full system access is either the most powerful developer tool ever built or the most dangerous attack surface ever deployed, depending entirely on its configuration. China's split response (Beijing says ban it, Shenzhen says subsidize it) is not contradictory. It is the honest reaction to a technology that is simultaneously too useful (!) to ignore and too dangerous to trust. Expect every organization to face this same internal debate within the next year.
Kubernetes retiring Ingress NGINX is a warning sign. The project was not abandoned because of a technical failure. It died because not enough people stepped up to maintain it. Half of all Kubernetes deployments use it, and now those teams have weeks to migrate. The pattern keeps repeating: critical infrastructure, insufficient maintainers, eventual collapse. The Open Source Endowment's university-style model might be part of the answer, but only if the money reaches the projects that need it most.
Spotlight
Harry Wentland - AMD HDR/Color Pipeline for Linux
Harry Wentland is an MTS (Member of Technical Staff) software engineer at AMD who has spent years working on a problem most Linux users do not know exists: making colors look right on HDR displays. That might sound simple, but it is one of the hardest unsolved problems in the Linux desktop stack, requiring changes across the kernel DRM subsystem, GPU drivers, and desktop compositors simultaneously.
Wentland has been submitting patches since at least 2021, collaborating with Valve's Joshua Ashton and kernel developer Melissa Wen to build the Color Pipeline API that will eventually give Linux parity with Windows for HDR and color management. His latest patches, submitted this week, add color-space conversion support to the DRM color pipeline and include matching KDE KWin integration. He presented at XDC 2022 with a talk titled "Is HDR Harder?" (the answer, clearly, is yes).
What makes Wentland's work stand out is the patience required. HDR on Linux is not a single patch or a single release cycle. It is a multi-year, multi-stakeholder engineering effort that requires a kernel developer to also understand display hardware, compositor internals, and GPU driver architecture. His latest patches also carry an AI co-development credit, which makes him one of the first kernel contributors openly using AI tools in upstream submissions. That takes both technical confidence and willingness to be part of an uncomfortable conversation.
🐧 If you need me, I will be patching AppArmor, migrating off Ingress NGINX, and mass-emailing my dependency list to ask if they are still alive.
Have a great week!
You can follow me on Medium, Canartuc.com, X, Bluesky, and Mastodon.

