Open Source & Linux Weekly - W15_2026
Linux 7.0 ships with Rust, AccECN, and an unfixed PostgreSQL regression. France orders ministries to exit Windows. Wasmtime patches 12 CVEs from LLM sprint.
Five million automated tests ran against one piece of code for sixteen years. They found nothing. This week, an AI found the bug in minutes. And that was just the warm-up for a week where four separate teams proved the same thing at the same time.
What I Wrote this Week
Two Weeks of Fake Friendship. One Click. A Global Backdoor.
North Korea built a fake company to trick one developer. For three hours, a tool used by banks, hospitals, and governments carried a hidden spy program.
Billions Read His Code. 7 Days in Prison. No Regret.
Four agents. Evin's Ward 2A. Eight-hour interrogations. They wanted an informant on activists in three countries. He refused. Five years later, his code shipped.
Ubuntu 26.04 LTS Breaks Backward Compatibility on Purpose
Ubuntu 26.04 LTS ships three changes that will break existing workflows on upgrade day.
Welcome back. Today, the weekly wrap. AI bug hunters just had the most productive week in open source history. France told every government ministry to start planning its exit from Windows. And Linux 7.0 shipped with a known performance problem that nobody could agree on fixing.
Three stories. One thread. And it's not the thread you'd expect.
Here's the roadmap.
First, Linux 7.0. The biggest version bump in years. A new programming language in the kernel, the core of every Linux system. Memory sped up eight times. But also a database problem that'll ship with Ubuntu for the next five years.
Second, the AI bug-hunting sprint. Four independent teams found decades-old security bugs in the same week. I'm going to use a highway analogy to explain why the numbers are scarier than they sound. And one team's results involve five million tests that missed a bug for sixteen years.
Third, France betting its entire government on Linux. There's a historical callback to Munich. A city that tried this before and failed.
And then the turn. The part that connects all three stories. Finding bugs is now the easy half. Fixing them is the hard half. And nobody's counting the people who do that work.
Linux 7.0 went stable today.
The version number is cosmetic. Linus Torvalds said he ran out of fingers and toes to count. But the features underneath are real.
Rust, a safer programming language that is newer to the Linux kernel, officially graduated from experimental status. That's been a five-year fight. Developers argued on online forums about whether it belonged in Linux at all. It's in now. And that changes what new code in Linux can look like.
Memory operations got eight times faster. Starting new workloads in the cloud is 40% quicker. A networking fix that waited 38 years finally ships active by default.
Sounds like a clean win, right?
There's a catch.
PostgreSQL, the most popular open source database, runs at half speed on modern cloud hardware under the new scheduling model. The new way the system decides which program runs next doesn't play well with how the database handles multitasking.
It's like shipping a new highway that makes every car faster. Except trucks slow down to half speed. And trucks carry 80% of the freight.
Neither the kernel team nor the database team could agree on whose code needs fixing. The kernel shipped anyway. Ubuntu ships it later this month. Five years of support. That performance problem rides along for the entire trip.
So Linux 7.0 shipped with a known flaw because two teams couldn't coordinate in time. Now multiply that problem by a hundred. Because this week, AI decided to find every flaw it could.
Four separate teams ran AI-powered bug hunts this week. None of them coordinated. None of them shared tools. They all published results in the same window.
Team one. Anthropic's Project Glasswing. A hundred million dollars in credits. Partners include Apple, Google, Microsoft, Amazon, and over forty others. They pointed an unreleased AI model at critical open source code.
What it found.
A networking bug in OpenBSD, an operating system that powers critical internet servers. Twenty-seven years old. Sitting there since 1999. Thousands of developers read that code. Security teams audited it. Automated scanners ran across it. Every single one walked right past it.
An attacker gaining full control of a FreeBSD system, a similar operating system. Seventeen years old. The highest level of access an attacker can get.
And a bug in a video processing tool used by almost every streaming service on earth. Sixteen years. Five million automated tests. None of them caught it. The AI did.
Team two. A tool that runs programs safely inside a sandbox. The team ran an AI-powered testing system for three weeks. Twelve security warnings in one day. Triple everything they published in all of 2025. Eleven of the twelve came from the AI. Two were critical. Untrusted code escaping its cage. The whole point of a sandbox is that this is impossible. The AI found two ways to do it.
Team three. The Linux kernel's second-in-command, Greg Kroah-Hartman, built his own AI bug-finding tool. He's been filing patches across seven different parts of Linux. Every fix carries a tag saying the AI helped. He's not hiding it.
Team four. A university lab. Twenty-four new kernel bugs. Eleven confirmed as serious enough for public warnings.
Four teams. Same week. Same answer. The bugs didn't arrive this week. They've been waiting. Decades. And now the tools to find them exist.
So what happens when you can suddenly see every crack in the foundation?
Same week. Different continent. Same problem underneath.
France told every government ministry to start drafting a plan to leave Windows.
France's government technology agency announced it this week. Eight categories. Operating systems. Collaboration tools. Antivirus. AI platforms. Databases. Networking equipment. Every ministry must have a plan by autumn.
What makes this more than a press release? France already has proof it works.
The Gendarmerie, the national police force, runs 97% of its 103,000 workstations on a custom version of Linux. That's not a pilot program but production. And over 600,000 French government workers already use an encrypted messaging app built on open source.
Now, if this sounds familiar, it should. Munich tried this over two decades ago. That earlier attempt to switch to Linux was one of the most famous open source migrations in history. And it failed.
Not because the technology didn't work. The technology was fine. It failed because the organization fought back. Politics, training budgets, institutional resistance.
France has one advantage Munich never did. The Gendarmerie already proved it works at government scale. That's not a theory. That's 103,000 machines.
The tension is real, though. The software France is betting on is the same software that AI just proved is full of decades-old bugs. That's not a reason to stay on Windows. Windows has its own problems. But it is a reason to fund the people who maintain the alternative.
Step back.
The celebration this week is: "AI is making open source safer." And that's true. It's finding real bugs. Critical ones. Bugs that humans and automated tools missed for decades.
But every bug AI finds needs a human to fix.
The sandbox team got lucky. They had four organizations working together. They had a dedicated cleanup lead at a company that helps run a big chunk of the web. They shipped fixes for four versions of their tool on the same day the bugs went public.
That took weeks of coordinated human work. Weeks nobody budgeted for.
Now scale that up. Every important open source project runs an AI bug hunter. Every hunter finds ten, twenty, or fifty bugs per sprint. Who reviews them? Who writes the patches? Who tests the fixes?
The same people who were already burned out. The same handful of volunteers.
The Linux Foundation announced a $12.5 million fund to protect maintainers from AI-generated security reports. Three weeks before these disclosures. The timing was lucky. But the fund's capacity won't match the scale of what's coming.
The missing column here is discovery speed versus repair capacity.
Everyone is measuring how fast AI finds bugs. No one is measuring whether the people who maintain open source can absorb the flood. Reports, patches, review work. It keeps growing. The workforce stays flat.
The discovery speed keeps climbing. The repair capacity stays flat. That gap is not temporary. It's structural.
And France just bet its entire government on this software. A hundred and three thousand machines are already running it. Hundreds of thousands more to follow. The code they're migrating to is the code that AI just proved needs serious repair work.
That's not a contradiction. It's a funding question. Do we pay the people who maintain the foundation, or do we just keep finding cracks in it?
So what does this week mean?
AI proved it can find bugs faster than any human team. A government committed its future to open source. And the biggest Linux release in years shipped with a known defect because two teams couldn't coordinate a fix.
Power and fragility. Side by side.
If you need me, I will be explaining to my PostgreSQL instances why their spinlocks need therapy under PREEMPT_LAZY, teaching 500,000 French civil servants how to run apt history-rollback, and quietly checking whether my Flatpak sandbox actually contains anything.
I'll see you next time.