Open Source & Linux Weekly - W13_2026

X11 died without a funeral. Canonical bets on post-quantum crypto and Rust. TeamPCP hacks four supply chain targets in ten days. Weekly OSS & Linux roundup.

What I Wrote this Week

Mozilla. WordPress. Now Manjaro. Open Source Keeps Dying the Same Way.

He fired the only person watching the money. Made himself treasurer. 2 years later, his own 50/50 business partner signed a public manifesto against him.

Medium Link | Canartuc.com Link

Every Line Looked Clean. The Malware Was Hiding in Characters No Editor on Earth Can Render.

You could stare at the infected file for hours and see nothing. The attack hit 200 Python repos, 151 JS/TS repos, 72 VS Code extensions, and 10 npm packages. A researcher traced 50 blockchain transactions spanning three months. Nobody noticed.

Medium Link | Canartuc.com Link

A Child Safety Nonprofit Filed Taxes as a Lemonade Stand. Then It Wrote Laws in 20 States.

86 lobbyists. 45 states. $2B in nonprofit grants. One company in the USA. A GitHub researcher pulled IRS filings, WHOIS records, and Senate disclosures.

Medium Link | Canartuc.com Link

TL;DR

This week, the tool built to find breaches became the breach, the field with no enforcement logic triggered death threats, and X11 died without a funeral.

X11 died this week. Not with an announcement, not with a funeral. Ubuntu 26.04 LTS beta, GNOME 50, CachyOS Handheld, and Fedora 44 all shipped Wayland-only within days of each other, while SteamOS 3.8 switched its default to Wayland. Nobody coordinated it and had to. The two largest desktop Linux distributions now offer no X11 session at all. Eighteen years of "Wayland isn't ready" ended without a eulogy.

Canonical is betting the entire distribution on security rewrites. Post-quantum cryptography is on by default. GNU coreutils replaced by Rust. A GRUB proposal that strips filesystem support for Secure Boot, breaking Canonical's own recommended install in the process. NVIDIA dropped the GTX 10-series forever. And systemd merged a birth date field into user records. 945 GitHub comments, actual forks, and death threats followed. The field carries no enforcement logic. The fear of what comes next does.

On the open source side, a threat actor called TeamPCP hit four targets in ten days: Trivy, KICS, LiteLLM, telnyx. The telnyx attack hid its payload inside a WAV file using XOR-encrypted steganography. The campaign started by exploiting a vulnerability in a scanner. The tool built to find the breach became the breach. Meanwhile, PHP quietly voted 23-0-1 to switch to BSD 3-Clause after 31 years of license confusion; Google donated an AI kernel code reviewer that catches 53% of bugs humans miss; OpenTitan shipped as the first open-source silicon root of trust in a commercial product; and Firefox added a free built-in VPN.

The loudest stories got the most attention. The quietest ones changed the most.

Linux

Ubuntu 26.04 LTS Beta Ships Three Platform Shifts No Other Distro Has Attempted Simultaneously

Canonical released the Ubuntu 26.04 LTS "Resolute Raccoon" beta on March 26 with three changes landing at once: post-quantum cryptography on by default (OpenSSH uses mlkem768x25519-sha256, OpenSSL uses X25519+ML-KEM for TLS), GNU coreutils replaced by uutils/coreutils v0.7.0 written in Rust, and a Wayland-only desktop inheriting GNOME 50's permanent X11 removal. Kernel: Linux 7.0. Graphics: Mesa 26.0.2 with NVIDIA 590 drivers. Kernel firmware split into 17 vendor-specific packages to shrink install size. The post-quantum default addresses "harvest now, decrypt later" attacks, where adversaries capture encrypted traffic today to crack with future quantum hardware. If you run scripted workflows against coreutils, audit now. uutils v0.6.0 reached 96% GNU test compatibility, v0.7.0 improves further, but the remaining edge cases are worth probing before production. Stable release targets April 23.

Canonical Proposes Gutting GRUB for Secure Boot, Breaking Its Own Default Install

Canonical engineer Julian Andres Klode published a proposal to strip XFS, ZFS, Btrfs, LVM, md-RAID (except RAID1), LUKS encryption, and image format rendering from signed GRUB builds in Ubuntu 26.10. The only supported filesystems for /boot on Secure Boot systems would be EXT4, FAT, ISO 9660, and SquashFS. The rationale is sound: GRUB parsers have generated BootHole-class vulnerabilities that undermine the entire Secure Boot trust chain. The irony is brutal: Ubuntu's own server installer defaults to LVM, and LUKS encryption requires LVM, meaning Canonical's recommended installation would be incompatible with Secure Boot under this proposal. Community response was sharply negative. The proposal targets 26.10, not 26.04 LTS, so there is breathing room. But the upgrade path from 26.04 to 26.10 would block a large fraction of enterprise deployments.

SteamOS 3.8 Previews Steam Machine Hardware and Defaults KDE Desktop to Wayland

Valve released SteamOS 3.8.0 Preview, the first build referencing the upcoming Steam Machine desktop hardware. KDE Plasma jumps from 6.2 to 6.4.3 and now defaults to Wayland instead of X11 in desktop mode, bringing HDR and Variable Refresh Rate display support. Kernel: Linux 6.16. Battery drain fixes land for Steam Deck, and expanded handheld compatibility covers Lenovo Legion Go, ASUS ROG Ally, GPD Win 5, and MSI Claw. Valve delayed the Steam Machine launch, blaming GDDR6 RAM shortages from industry-wide memory supply constraints. No new launch date.

Linux 7.0-rc5 Released, Torvalds Says the Cycle Is "Starting to Calm Down"

rc2 through rc4 all came in above historical averages (Torvalds blamed "new major version number" psychology). rc5 signals a return to normal. Fixes: workaround for older AMD GCN 1.0 Hainan GPUs, improved Logitech MX Master 4 Bluetooth support. rc6 drops March 29, dominated by audio subsystem fixes from Takashi Iwai covering ASUS Strix G16 and other laptops. Stable Linux 7.0 is projected for mid-April, landing in both Ubuntu 26.04 LTS and Fedora 44 within days of each other.

NVIDIA 595.58 Drops GTX 10-Series Forever, Pushes Remaining Cards to Open Kernel Modules

NVIDIA released the 595.58.03 stable driver, the first production build in the R595 branch. It adds Wayland 1.20 support, DRI3 1.2, new Vulkan extensions (VK_EXT_descriptor_heap, VK_EXT_present_timing), and fixes kernel crashes, X11 compositor flickering, KWin Wayland display wake issues, and GPU hangs in Black Myth: Wukong. GTX 10-series (Pascal) GPUs are permanently dropped, moving to quarterly security-only updates until October 2028. Turing (RTX 20-series) and newer cards automatically migrate to open kernel modules. Pascal launched in 2016. A ten-year support lifecycle is reasonable. What matters more: this accelerates the end of NVIDIA's proprietary kernel module that has caused compatibility headaches for every major kernel update for two decades.

GNOME 50 "Tokyo" Arrives with VRR, Parental Controls, and the Death of X11

GNOME 50, released March 18, enables Variable Refresh Rate on compatible monitors without patches, adds parental controls with screen time monitoring and bedtime schedules for child accounts, and removes the GNOME X11 session from GDM (other desktop environments can still offer X11 sessions through GDM). Orca's screen reader gets a redesigned preferences window, the document viewer supports inline annotations, and Files loads thumbnails faster with less memory. GNOME 50 ships as the default desktop in Ubuntu 26.04 LTS and Fedora 44. This is the release that makes Wayland the only option for the two largest desktop Linux distributions by user count.

Fedora 44 Fast-Tracks Mesa 26.0, Combining Current Kernel, Desktop, and Drivers in One Release

Fedora maintainers granted fast-track approval to ship Mesa 26.0 instead of Mesa 25.3, bypassing the usual waiting period for multiple point releases. Fedora 44 beta shipped with Linux 6.19, GNOME 50, KDE Plasma 6.6, and Mesa 26.0, with Linux 7.0 expected in the final release targeting April 14. This is why Fedora keeps winning Linux desktop users who want current software without running a fully rolling distribution. Fedora CoreOS 44 test week ran March 23-27.

systemd Merges Birth Date Field, Distributions Draw Battle Lines on Age Verification

systemd merged PR #40954, adding an optional birthDate field (YYYY-MM-DD) to userdb JSON user records. The field can only be set by administrators via homectl, not by users directly. It carries no enforcement logic. But the merge triggered over 945 GitHub comments, systemd forks on GitHub, and the developer received death threats. The connection: California's Digital Age Assurance Act (AB 1043, effective January 2027) and similar laws in Colorado and Brazil. Garuda Linux issued the first formal distribution policy response, declaring it will not implement age verification because its infrastructure operates in Finland and Germany where no such laws apply. systemd's position is clean separation of concerns: provide the data field, let distributions decide policy. Expect most non-US distributions to adopt Garuda's jurisdictional argument.

Kali Linux 2026.1 Celebrates BackTrack's 20th Anniversary with MetasploitMCP

Kali Linux 2026.1 ships with a BackTrack 5 desktop aesthetic mode in kali-undercover, eight new security tools, including MetasploitMCP (an MCP server for Metasploit that enables LLM-driven penetration testing workflows), AdaptixC2, Fluxion, GEF, SSTImap, WPProbe, and XSStrike. The kernel bumps to 6.18. MetasploitMCP is the one worth watching: it exposes Metasploit functions via the Model Context Protocol so AI assistants can drive penetration testing. For red teams already using AI, this cuts hours off reconnaissance and exploitation workflows.

Linux Gems

Fedora 45 Approves DRM Panic QR Codes for Kernel Crash Reporting

The Fedora Engineering and Steering Committee approved a feature for Fedora 45 (October 2026) that displays a QR code on kernel panic screens. Scanning it with a phone opens a web page with the full kernel log and Fedora bug reporting instructions. This sounds minor. It is not. The current barrier to reporting a kernel panic is high: photograph a screen of cryptic text or set up serial logging. A QR code that takes a mobile camera to a structured bug report form reduces that barrier to near-zero for non-technical users. Better bug reports mean faster fixes.

CachyOS March 2026 Drops Bcachefs, Adds One-Click Windows VM via Winboat

CachyOS removed Bcachefs from its installer due to out-of-tree DKMS module dependence, switched the Handheld Edition to Wayland, and added one-click Winboat installation for running Windows applications through a Docker-based VM without dual-booting. The Handheld Edition replaces SDDM with plasma-login-manager and switches to gamescope-session-cachyos, a fork of Valve's gamescope-session that supports firmware updates for Steam Deck and Lenovo Legion Go. If you want Windows app compatibility without the dual-boot hassle, Winboat is worth a look.

antiX 26: Systemd-Free Debian 13 with Five Init Systems and 32-Bit Support

antiX 26 ships on Linux 6.6 LTS with runit (default), SysVinit, dinit, s6-rc, and s6-66 as init systems. Available in full (2 GB) and core (660 MB) editions with 32-bit support, it retains IceWM, Fluxbox, JWM, and herbstluftwm window managers. No Flatpak, no Snap, by design. In a week where systemd's birthDate merge generated 945 GitHub comments and actual forks, antiX quietly ships a distribution proving the non-systemd world is still alive and invested.

Canonical Proposes ntpd-rs as Ubuntu's Next Rust System Component

Canonical published a proposal to adopt ntpd-rs, a Rust NTP and NTS implementation, to replace Chrony, LinuxPTP, and GPSD across Ubuntu. They will fund Trifecta Tech Foundation directly to build features and improve security isolation. Let's Encrypt already runs ntpd-rs in production. Available in Ubuntu 26.10, default switch likely in 27.04. The funding model matters: Canonical is paying for upstream development rather than forking or shipping incomplete code. This is a different vendor-upstream relationship than "package and ship."

Can's Take: Linux This Week

The Wayland transition crossed an irreversible threshold this week. Ubuntu 26.04 LTS beta, SteamOS 3.8, CachyOS Handheld, GNOME 50, and Fedora 44 (due April 14) all default to Wayland. The two largest desktop Linux distributions by user count now offer no X11 session at all. What remains: enterprise distributions on extended LTS cycles and a shrinking set of applications with hard X11 dependencies. For the mainstream Linux desktop, the question is no longer "when will Wayland be the default?" It already is.

Canonical is shipping more security rewrites in a single year than any other Linux distribution (Ubuntu). Post-quantum cryptography by default. Rust coreutils replacing GNU. ntpd-rs funded as the next Rust system component. The GRUB stripping proposal. Same strategy, four expressions: reduce attack surface by either removing code or replacing it with memory-safe alternatives. The GRUB proposal is the most controversial: it trades flexibility for security in a way that breaks Canonical's own recommended install. That tension defines Ubuntu's second half of 2026. If they ship it in 26.10, it tells you how seriously they take the Secure Boot trust chain problem.

Linux 7.0's mid-April release creates an unusual convergence. Ubuntu 26.04 LTS already ships Linux 7.0 in its beta. Fedora 44 (beta shipped with Linux 6.19) will likely include Linux 7.0 in its final release. Two of the three largest desktop distributions are shipping the same major kernel version within days of each other. Any remaining 7.0 regressions hit a very large user population at once. The feedback cycle gets faster whether kernel developers want it to or not. The audio fixes in rc6 are the right kind of late-cycle work: hardware-specific quirks rather than core subsystem changes.

Open Source

TeamPCP Hits Four Targets in Ten Days: Trivy, KICS, LiteLLM, telnyx

Four targets in ten days. The TeamPCP threat actor hit Aqua Security's Trivy scanner (March 19), Checkmarx KICS GitHub Actions (March 23), LiteLLM's PyPI package (March 24, versions 1.82.7/1.82.8, 95 million monthly downloads), and the telnyx Python SDK (March 27, versions 4.87.1/4.87.2, 742,000 monthly downloads). The telnyx attack introduced a new trick: the credential-stealing payload was hidden inside a WAV audio file named "ringtone.wav" using XOR-encrypted steganography. On Linux and macOS, the malware exfiltrated SSH keys, cloud tokens, Kubernetes secrets, cryptocurrency wallets, and .env files. On Kubernetes deployments, it enumerated cluster secrets and deployed privileged pods. PyPI quarantined the telnyx packages within six hours. The pattern is consistent: compromise a trusted security or developer tool, harvest CI/CD credentials, pivot to the next target. Microsoft, Kaspersky, Sysdig, Palo Alto Networks, and Datadog have all published incident response guidance. This campaign is not over.

PHP's 31-Year License Confusion Is About to End: BSD 3-Clause Vote at 23-0-1

23 yes. 0 no. 1 abstention. The PHP community vote to replace the PHP License 3.01 and Zend Engine License 2.00 with BSD 3-Clause is all but done. With roughly 40 voters and a two-thirds majority required, approval before the April 4 deadline is near-certain. Ben Ramsey led the effort with sign-off from The PHP Group, Zend/Perforce, and legal counsel. The change takes effect in PHP 9.0. The Zend Engine License 2.00 is not GPL-compatible under current terms, a friction point for downstream packaging that has persisted for 26 years. BSD 3-Clause is a standard SPDX identifier recognized by all major compliance tooling. A 23-0-1 vote count. Zero opposition. On something, the PHP community could not agree on for decades.

KubeCon Europe Wraps: 19.9 Million Cloud Native Developers, Kubernetes Becomes the AI Control Plane

KubeCon + CloudNativeCon Europe 2026 (March 23-26, Amsterdam) closed with a big number: 19.9 million cloud native developers globally, up 28% from 15.6 million in Q3 2025. 7.3 million of those are AI developers building on cloud native infrastructure. Microsoft announced AI Runway, a Kubernetes API for inference workloads with HuggingFace integration and NVIDIA Dynamo support. Google open-sourced the GKE Cluster Autoscaler, eliminating the provisioning advantage GKE held over self-managed clusters. Dynamic Resource Allocation graduated to GA. SNCF (the French national railway) won the Top End User Award for migrating 70% of 2,000 applications to Kubernetes across 200+ AWS and Azure clusters. Dapr Agents v1.0 hit GA on Day 1: durable AI agent workflows, state management across 30+ databases, and secure multi-agent communication using SPIFFE identity.

Google Donates Sashiko, an AI Kernel Code Reviewer That Catches What Humans Miss

Google donated Sashiko, a Rust-based agentic AI code review system, to the Linux Foundation under Apache 2.0. It monitors kernel mailing lists and evaluates patches through five stages: architectural analysis, commit message verification, execution flow tracing, memory lifecycle analysis, and concurrency checking. Tested against 1,000 recent upstream issues with "Fixes:" tags, Sashiko caught about 53% of bugs. Every one of those had slipped past human reviewers before being merged. Sashiko now runs on every kernel mailing list submission. Google funds the compute and LLM token costs. The 53% detection rate deserves context: these are not trivial bugs. They are issues serious enough to require a "Fixes:" tag in a subsequent commit. Sashiko as a signal amplifier for human reviewers is valuable. Sashiko as a gate that contributors learn to game is a different outcome.

OpenTitan Ships in Commercial Chromebooks: First Open Source Silicon Root of Trust in Production

Seven years of development by Google and lowRISC. OpenTitan now ships in Dell Chromebook CC11260 models, with the chip produced by Nuvoton. First commercially available open source Root of Trust. First to support post-quantum cryptography secure boot based on SLH-DSA. Google data center deployment planned for later in 2026. OpenTitan in hardware and Ubuntu 26.04's post-quantum software defaults landing in the same week is coincidence. But the direction is the same: production open source systems now treat quantum-resistant security as a baseline, not a future concern.

FreeCAD 1.1 Ships with 300 Contributors and Genuine Engineering Workflow Improvements

Nearly 300 developers, 100+ translators, hundreds of documentation contributors. FreeCAD 1.1 shipped March 25. The Part Design workbench adds transparent previews for additive and subtractive operations, interactive 3D draggers for Fillet, Chamfer, and other tools, and a completely redesigned Hole tool supporting British Standard Whitworth and National Pipe Threads. The Assembly workbench gains simulation tools for joint animations. FEM results now support animations. Wayland stability improved noticeably, especially for NVIDIA users. FreeCAD's trajectory over the past three releases keeps closing the gap with commercial parametric CAD tools. Version 1.0 arrived in November 2024, the first stable release after over two decades of development. Version 1.1 follows five months later. Two consecutive major releases with real engineering workflow improvements, not prototype-level features. That is a different project than the one most people remember.

Firefox 149 Ships with a Free Built-in VPN (50 GB/Month) and Split View

Firefox 149 (March 24) ships with a free built-in VPN: 50 GB of monthly encrypted traffic, available in the US, France, Germany, and UK. Split View puts two web pages side by side in a single window. Tab Notes (Firefox Labs) lets you attach notes to individual tabs. Granular AI controls let you toggle individual generative AI features independently. On Linux, the release adds XDG portal file picker support. A free built-in VPN is a direct shot at Brave and Opera. Split View matches Arc and Vivaldi. This is the most feature-aggressive Firefox release since the Quantum rewrite in 2017.

Grafana Loki 3.7 Kills Promtail and Hands the Helm Chart to the Community

Promtail is dead. Grafana Labs released Loki 3.7 on March 27, completing the deprecation that started with Loki 3.4. Log collection now lives entirely in Grafana Alloy. The official Loki Helm chart moved to community maintenance in a separate repository. Under the hood: refined request distribution, better in-flight data tracking, a built-in loki health command, and expanded filtering. Watch the breaking changes: the query engine calculates scheduler capacity differently and shares worker threads across connections. BoltDB storage is also deprecated. The Helm chart handoff is the buried lede. When Grafana Labs hands chart maintenance to the community, same-day chart updates with releases are no longer guaranteed. That means days or weeks of lag for Kubernetes-native deployments. If you run Loki in Kubernetes, check your chart update workflows now.

Mesa AI Policy Deadline Passed, Three Competing Proposals and Zero Consensus

The Mesa 3D graphics project missed its informal late-March deadline for an AI code contribution policy. Three positions remain in play: a total ban on autonomous AI agents, transparency-only requirements, and per-directory rules allowing different policies for different Mesa components. Same pattern as Debian (vote abandoned) and the Linux kernel (individual maintainer discretion). The per-directory approach is the most technically interesting option. But nobody has championed it concretely, and without a champion, the status quo (no formal policy) wins by default.

Krita Ships Dual Release: 5.3 for Production, 6.0 for Qt 6 Early Adopters

Krita shipped two simultaneous releases on March 24: version 5.3.0 (the production release on Qt 5) and 6.0.0 (the experimental Qt 6 port with Wayland HDR support). Both share the same source code built against different Qt versions. The major feature is a completely rewritten text engine with on-canvas editing, full OpenType support, and text flowing into shapes. Other additions: gap-closing fill tool, faster liquify transform, new filters, and better HDR painting. Krita 6.0 should become the primary version by year-end.

Open Source Gems

Dovecot 2.4.3 Patches SQL Injection, LDAP Injection, and Path Traversal in a Single Release

Three security vulnerabilities, one release. CVE-2026-24031: SQL injection bypasses authentication when auth_username_chars is cleared. CVE-2026-27860: arbitrary LDAP filter injection from missing username escaping. CVE-2026-0394: path traversal in passwd-file passdb. All three are regressions from the 2.4/3.1 series. If you run Dovecot, patch immediately. These are not obscure edge cases. SQL injection to bypass auth is about as bad as it gets for a mail server.

OpenSSF Launches Free Supply Chain Tooling and AI Security Working Groups at SecurityCon Europe

$12.5 million from Anthropic, AWS, GitHub, Google, Microsoft, and OpenAI. The Open Source Security Foundation used SecurityCon Europe to announce Kusari Inspector (free supply chain visibility tool), SLSA reaching "Graduated" status, new AI/ML security SIGs on model provenance and GPU-based integrity, and an Ambassador Program. The AI security SIGs are the signal to watch: as LLM-generated code floods open source repositories, standardized provenance and integrity checking for models becomes as important as it already is for packages.

Blender 5.1 Ships After "Winter of Quality" Push Resolving 350 Issues

Blender 5.1 adds a new Raycast node for Cycles and EEVEE, node-based transition effects in the Compositor, a Mask-to-SDF node, and major animation playback speedups for Shape Keys. Libraries update to VFX Reference Platform 2026 targets: Python 3.13, OpenColorIO 2.5, OpenEXR 3.4, OpenVDB 13.0. The "Winter of Quality" focus (350 issues resolved before release) is the real story. Quality-focused releases matter more than feature additions for professional adoption. More projects should copy this playbook.

Calibre 9.6 Adds Card-Based Full-Text Search with Book Covers

Calibre 9.6 adds card-based full-text search results with book covers alongside hits, word-prefix completion, constant book height per group in Bookshelf view, and security fixes restricting internet background images in the e-book viewer. Kovid Goyal has maintained Calibre solo for nearly 20 years, funded entirely by voluntary donations. Free. Ad-free. Independent. Still shipping.

Can's Take: Open Source This Week

The TeamPCP campaign should force every team to rethink their CI/CD trust assumptions. It will not. The pattern (compromising a security tool, harvesting CI/CD credentials, pivoting to the next target) is exactly what supply chain security researchers have warned about for years. Theory became practice. The WAV steganography in the telnyx attack is a real step up: it bypasses every static code analysis tool that scans text but never thinks to decode an audio file. Four targets in ten days. The campaign started with a vulnerability scanner (Trivy) becoming the attack vector. The CI/CD credential chain is the threat model: once one trusted tool is compromised, every tool that trusts it is exposed.

PHP's license vote at 23-0-1 is the governance story of the week. The Zend Engine License 2.00 created compliance friction for 26 years: it was not GPL-compatible and required custom license text in every downstream distribution. Getting to 23-0-1 with zero opposition required years of legal coordination with The PHP Group, Zend/Perforce, and external counsel. Compare this to Manjaro (week four, no resolution), Mesa (deadline passed without consensus), and Debian (vote abandoned). PHP found consensus because Ben Ramsey did the unglamorous legal coordination work that most open source projects cannot sustain for months. The pattern across all four (Mesa, Debian, Manjaro, PHP) is clear. Projects that resolve governance impasses share one thing: a person or small group taking sustained, unglamorous action. The ones that stall keep waiting for a consensus that will never arrive on its own.

Canonical's Rust strategy now reads as a multi-year infrastructure program. Sudo-rs landed first. Rust coreutils ship in 26.04 LTS. ntpd-rs is funded through Trifecta Tech Foundation for 26.10. The ntpd-rs funding model is the one to watch: Canonical is directly paying for upstream development rather than forking or shipping incomplete code. That is a different vendor-upstream relationship. Not waiting for volunteers. Paying directly for Rust rewrites of critical infrastructure.

Spotlight

Jessica Tegner - pypandoc

Jessica Tegner is a software developer from Denmark who became the maintainer of pypandoc, a widely used Python wrapper for pandoc. The project pulls nearly 4 million monthly downloads from PyPI. She originally built a markdown application for visually impaired users (herself included), used pypandoc as a dependency, and started filing issues, contributing code, and improving documentation. When the previous maintainers became inactive, she emailed them to volunteer as successors. They agreed. Only after taking over did she check the download statistics and realize how many downstream users depended on her work.

She has no eyesight, and it has not stopped her from interning at Uber, joining the first GitHub Accelerator program, or speaking at international conferences. Her path to maintainership follows the pattern open source gets right when it works: a user becomes a contributor, a contributor becomes a maintainer, and the project continues because someone stepped up. No formal governance process, no corporate sponsor. Just someone who cared enough to send an email.

🐧 If you need me, I will be migrating my last X11 config before Ubuntu notices, explaining to my GPU that ten years of driver support is more than most marriages get, and hiding my coreutils scripts from Rust before someone rewrites them without asking.

Have a great week!

You can follow me on Medium, Canartuc.com, X, Bluesky, and Mastodon.