📬 Open Source & Linux Weekly - W162026

This week, Linus Torvalds thanked AI tools for finding bugs that people had missed for years. Two days later, a calendar scheduling company closed its open source code and blamed the same technology. Same week. Same technology. Opposite conclusions. One of these people is telling the truth.

Welcome back... Today, four of the biggest open source projects on earth picked four different positions on AI in the same seven days. And the opposite answers show you exactly what this fight is really about.

I watched four open source projects argue with each other in public all week. Only one of them was actually arguing about AI.

Here's the roadmap for today. First, Linux 7.0 shipped last Sunday, and the grumpy guy who runs Linux did something nobody expected. He thanked the machines. Second, four projects picked four different stances on AI in the same week, and one of them made an argument so shaky it falls apart the moment you read it twice. A calendar scheduling company told the world that public code is too dangerous, then published the same code under a different name for free. Third, while all that was happening, three other open-source tools were hit by nearly identical bugs, and one of them was exploited 9 hours and 41 minutes after it was announced. And then the turn. A Samsung engineer named Namjae Jeon spent four years rebuilding a single piece of Linux. He submitted it. He got rejected. What he did next is the answer to this whole mess.

Let me set the scene.

Linux 7.0 shipped last Sunday. The version number is not the big story. The big story is what rode along with it.

After five years of fighting, Rust code is now a permanent part of Linux. Think of Rust like a foreign exchange student who moved in five years ago. Everybody argued about whether to let them in. Everybody argued about whether they'd ever fit. Five years later, they have their own keys. The adults changed their minds, slowly, but they changed.

On top of that, a gap in how the internet handles traffic, a gap that sat open for thirty-eight years, finally got closed. That's older than most people listening to this.

But the real headline is not in the code. It's in the release notes. Linus Torvalds, the guy who runs Linux, openly thanked AI tools for finding bugs that humans had missed for years.

If you don't know Torvalds... This is the man who used to yell at people in public email threads. The grumpy old-school guy. The last person you'd expect to give credit to a machine. And he did it anyway.

So why does that Torvalds shift matter? Because three days later, another company examined the same technology and reached the exact opposite conclusion. And that's where the real fight starts.

Four projects. Four stances. Same seven days.

Project one. The calendar scheduling company. On Tuesday, they closed their open source code. Locked it up. The CEO went public and said AI makes open source too dangerous. His exact words. He compared public code to, quote, handing out the blueprint to a bank vault.

Dramatic. Serious. Scary.

The same day, the same company released a free version under an open license. Same scheduling engine. Same code that was supposedly the blueprint to a bank vault. Free to read. Free to copy. Free to run at home.

So which is it? Is the code dangerous, or is the code free? It cannot be both.

The real reason is pricing. Security is just the excuse.

Project two. SDL. If you don't know SDL, it's the code that powers thousands of video games on Linux. It's everywhere. This week, SDL announced they won't accept AI-written code contributions at all. Not one line. Clean rule. Hard line. Easy to understand.

Project three. Mozilla, the people behind Firefox. They released an AI tool that companies can run on their own computers. The pitch is simple. Companies that don't want to send their data to ChatGPT or the big AI tools can run this one in-house. Keep the AI. Keep your data.

Project four. The Linux kernel itself. Their rule is the cleanest of all. AI is welcome to find bugs. Humans still have to write the code and sign their name on it.

Four projects. Four different answers. Every one of them said the same thing out loud. We are keeping our users safe. They cannot all be right.

Security researcher Bruce Schneier pointed out something this week that quietly destroys the calendar company's whole argument. A small security team got the exact same bug-finding results. They did it with cheap, older, public AI models. Not the fancy hundred-million-dollar program. The stuff you can buy off a shelf.

If any AI model can read code, hiding the source code doesn't slow attackers down. Attackers don't need your source code. They can read the finished, running program directly. The robots already know how.

Hiding the source code only slows down the good guys. The researchers. The defenders. The people who would find the bug before the attacker did.

So, who does hiding the source code actually protect? Not you. Not the researchers. The attackers already have what they need.

Meanwhile, in the same week, three other open-source tools were hit by nearly identical bugs. A web control panel for a popular server. An AI notebook used by developers. A messaging system used inside banks.

Every one of these bugs followed the same recipe. Somebody added a new feature. A login check got skipped. Attackers showed up within hours.

One of those bugs got attacked nine hours and forty-one minutes after it was announced. Nine hours. Forty-one minutes. That's faster than a shift at a hospital. That's faster than most people read their email on a Monday morning.

Projects are racing to add AI-friendly features. The security review isn't keeping up. The code is moving faster than the humans who have to sign off on it.

So the question isn't "Does AI belong in your project?" The question is, who gets to write this code, and who signs their name on it.

The industry is measuring AI in open source as a simple yes-or-no. Allow it. Ban it. The real fight is between projects that welcome AI help while keeping humans accountable, and projects that hide behind AI to justify a business choice they already made.

And it's right there in the release notes of every project I just named.

So let me line these up one more time.

Four projects. Four stances.

The kernel's rule is the clean line. AI can find. Humans have to fix and sign.

SDL went further. No AI in the code at all.

Mozilla split the difference: ship the AI tool, keep your data.

And the calendar company? "Trust us on this one."

Three of those make sense. One of them is a business decision with a security sticker slapped on it.

The next time a project you rely on makes a choice here, I want you to ask one question. Who wrote the code, and who is responsible for it? If the answer is unclear, that's your signal. Walk away, or at least keep watching.

Remember the Samsung engineer I mentioned at the top? Namjae Jeon. Four years of quiet work rebuilding the Linux component that lets it read Windows drives. He submitted it to Torvalds. Torvalds rejected it the same day over a formatting issue.

Jeon did not complain. He did not post about it. He fixed the formatting. He resubmitted the same day. Torvalds pulled it in two days later.

Four years of work. One rejection. One same-day fix. No drama.

That is what taking responsibility for your work looks like. That is also the answer to the AI question. The tool is not the problem. Who signs their name on the code is the problem.

If you work anywhere near open source, these decisions are going to land on your desk sooner than you think. That's what I cover every day.

If you need me, I will be writing a formal business proposal for the Ageless Linux Foundation, running Claude Code reviews on my scheduling app before I close its source, and timing how long it takes my external NTFS drive to mount on Linux 7.1 versus what I have been quietly putting up with since 2021.

I'll see you next time. Have a great week!

🐧 Linux

Linux 7.0 Ships With Rust Graduated From Experimental, Torvalds Credits AI Tools For Corner-Case Finds

Linus Torvalds tagged Linux 7.0 on Sunday, April 12. Rust for Linux officially left the experimental umbrella after five years, with Miguel Ojeda's release line, "the experiment is done, i.e., Rust is here to stay," closing the arc that started with the 2020 RFC. Accurate Explicit Congestion Notification (AccECN) is on by default for all TCP connections; XFS gained autonomous self-healing; Bcachefs 1.37 brings stable erasure coding; the ML-DSA post-quantum module signing lands in-tree; and SHA-1 module signing is gone. The version jump from 6.19 is cosmetic. The most quoted line was Torvalds crediting AI tools for surfacing corner cases that humans had walked past for years.

The "NTFS Resurrection" Has Occurred For Linux 7.1

Samsung engineer Namjae Jeon spent four years rebuilding the Linux NTFS driver from the old read-only codebase into a modern read-write driver with a userspace fsck utility. He submitted it to Torvalds on April 15. Torvalds unpulled it the same day over git-history layout issues. Jeon resubmitted with the layout Torvalds wanted. Torvalds pulled it on April 17 and called it "the NTFS resurrection." The driver posts roughly 3 to 5 percent single-threaded write gains and 35 to 110 percent multi-threaded write gains over Paragon's NTFS3, plus 4x faster mount on a 4 TB drive. For anyone who dual-boots Windows, owns an NTFS external drive, or writes from Linux to a shared partition, this is the biggest NTFS improvement since NTFS3 landed in 5.15 back in 2021.

Linux 7.1 Merge Window Opens With Torvalds Killing Two Pull Requests In Record Time

Two days after 7.0 shipped, the 7.1 merge window opened, and Torvalds set the tone by rejecting two pull requests at an unusual pace. He killed an audit subsystem performance fix with "I absolutely hate it," arguing the audit code is historical and broken and does not deserve surgical patches. He killed a BOOTPARAM_RCU_STALL_PANIC Kconfig option with "No. Dammit, stop doing these horrible things," arguing Kconfig sprawl hurts new kernel builders more than narrow operator preferences help experienced ones. Day six closed with roughly 3,855 non-merge changesets pulled, Rafael Wysocki's power management pull with AMD P-State additions landed, FSMOUNT_NAMESPACE from Christian Brauner is queued, Ingo Molnar's i486 removal series ends 37 years of that architecture, and Thomas Gleixner's 38-patch spring cleaning deletes LATCH scaffolding dating to Linux 0.1. Rust 1.85 is the new minimum toolchain, matching Debian Trixie. The Graviton4 PostgreSQL regression is not in the queue.

Ubuntu 26.04 LTS "Resolute Raccoon" Release Candidate Locks With Graviton4 Regression Unfixed

Ubuntu 26.04 LTS hit Release Candidate freeze on April 16 and ships stable on April 23. It is the first major distribution to default to Linux 7.0. GNOME 50 on Wayland only (XWayland retained for legacy), Rust-based coreutils replacing the GNU versions, systemd 259 with mandatory cgroup v2, Dracut as the default initramfs generator, TPM-backed full disk encryption, Snap permission prompts on by default, Python 3.14, GCC 15.2, Rust 1.93, Mesa 26.0. The codename honors Steve Langasek, Debian and Ubuntu release manager, who died in early 2025. The PostgreSQL throughput regression on AWS Graviton4 under PREEMPT_LAZY remains unfixed. Peter Zijlstra wants PostgreSQL to adopt RSEQ. Canonical has not committed to a downstream PREEMPT_NONE restoration patch. If 26.04 ships Thursday without one, the regression becomes a documented known issue for the full five-year support window through 2031.

Fedora 44 Slips a Second Time to April 28 After April 16 Go/No-Go Declares No-Go

Fedora 44 was originally scheduled for April 14. The April 10 Go/No-Go got canceled because QA lead Adam Williamson summed up the room: "We have multiple outstanding blockers and no indication that folks wanted to contemplate waiving them all." The slip moved the target to April 21. The April 16 Final Go/No-Go was declared a no-go and pushed to a stable on April 28. Outstanding blockers include non-ASCII keyboard handling, KDE Plasma Setup keyboard layout breakage, a Btrfs installation issue, a kernel-related black screen during Linux Unified Key Setup (LUKS) passphrase entry, a Grand Unified Bootloader (GRUB) BitLocker dual-boot issue, and a Mesa crash on NVIDIA hardware during initial setup. The next Go/No-Go is April 23 at 18:00 UTC, the same day Ubuntu 26.04 LTS ships stable. Two slips in ten days reverse the Fedora-then-Ubuntu release order for the first time in sixteen years. Fedora lands five days after Ubuntu.

Valve Ships Proton 11.0 Beta 1 With NTSync And A Quiet ARM64 Build

Valve released Proton 11.0 Beta 1 on April 17, the first beta of the major version bump for Steam Play. The base moves to Wine 11 and integrates NTSync, the kernel driver that puts parts of the Windows NT synchronization model into the Linux kernel. NTSync landed upstream earlier in the 7.0 cycle. Proton 11.0 is the first release to ship with integration, with a 5-15% uplift expected for CPU-limited, synchronization-heavy workloads. Resident Evil 1 and 2, Dino Crisis 1 and 2, X-Plane 12, Gothic 1 Classic, DCS World Steam Edition, and Deadly Premonition graduate to playable. The surprise is a separately tagged Proton 11.0 (ARM64) build with FEX 2604 x86-to-ARM translation, uploaded to SteamDB without a public announcement. That build reads as preparation for the Steam Frame VR headset (Snapdragon 8 Gen 3, 16 GB LPDDR5X), and it closes the last platform gap between Valve and an ARM-based Steam device.

KDE Ships Wayland Session Restore and Per-Screen Virtual Desktops

KDE's "This Week in Plasma" post on April 18 reported that KWin now supports the Wayland session management protocol. Applications can remember their sizes and positions after a restart. The same update lands per-screen virtual desktop assignment, so each monitor switches desktops independently. Both shipped out of the KDE annual mega-sprint in Graz that wrapped on April 11. The xdg-session-management protocol merged on March 23 after six years of development, and within weeks, Chromium, Mutter, and KWin all landed implementations. Session save and restore was one of the most-cited X11-versus-Wayland gaps for holdouts. Combined with GNOME 50's X11 removal and SteamOS 3.8's Wayland default, the edge-case gap is closing faster than skeptics predicted six months ago.

KDE Gear 26.04 Ships as "KDE at 30" Anniversary Release

KDE Gear 26.04 landed April 16 as the KDE project's 30th-anniversary applications bundle. Dolphin allows keyboard shortcut assignment to nearly any menu option, plugin, or extension, a long-requested power-user feature. Merkuro Calendar ships a redesigned schedule view and event editor. NeoChat (Matrix client) adds thread support, closing a feature gap with Element. KDE Itinerary adds Swiss travel coverage. For Plasma users on rolling distributions, Gear 26.04 plus the KWin session restore update from April 18 is the week's most operationally relevant desktop bundle.

Linux Gems

Ageless Linux, The California AB 1043 Protest Distro That Hit 600 HN Upvotes

A Debian-based distribution that exists to defy California's Digital Age Assurance Act (AB 1043, effective January 1, 2027). It ships with a modified /etc/os-release that registers the installation as an operating system under the statute while declaring "full, knowing, and intentional noncompliance" with the age-verification requirements. It commits to publishing removal scripts for any distro-side age-verification prompt that ships. Nearly 600 upvotes on Hacker News on April 16. This is the most petty, most legally literate protest distribution the open source community has produced in a decade. For California lawmakers, it raises the unresolved question of which entity is regulated when an operating system is a community project rather than a commercial product.

Raspberry Pi OS 6.2 Disables Passwordless Sudo By Default, Shifts Audio To PipeWire

Raspberry Pi OS 6.2 shipped on April 14 with passwordless sudo disabled by default on new installations. Users now see a password prompt with a five-minute grace period. Existing installations keep the old behavior unless manually switched. PulseAudio is no longer installed by default, and its raspi-config option is gone. cups-browsed no longer runs continuously. The sudo default was a legacy of Raspberry Pi's educational origins. As Pis increasingly run home automation, network services, and media servers, the default finally matches the threat model. The change affects millions of devices that have been shipping with passwordless sudo for years.

🧩 Open Source

Cal.com Closes Its Source, Cites AI Vulnerability Scanning, Launches Cal.diy MIT Fork

Cal.com, the standard open source Calendly alternative for self-hosters, announced on April 15 that it is moving its core production codebase from an AGPL-licensed public repository to a private proprietary one. CEO Bailey Pumfleet's framing: "Open source code is basically like handing out the blueprint to a bank vault." The cited trigger is Anthropic's Mythos Preview, whose 27-year-old OpenBSD TCP SACK find was referenced directly. Cal.com launched Cal.diy, a fully MIT-licensed fork that retains the scheduling engine and booking infrastructure but strips enterprise features. By April 17 Cal.diy had independent community maintainers. The contradiction Pumfleet has not answered is this: if a public source is too dangerous for the enterprise product because AI scans it, why is the same code safe for the hobbyist fork that shares the scheduling engine? This is the first major commercial response to Project Glasswing and the first time the security argument has been used to close a widely adopted AGPL codebase.

Mozilla Ships Thunderbolt As Self-Hostable Open Source AI Client

Mozilla's MZLA Technologies subsidiary (the for-profit arm that operates Thunderbird) announced Thunderbolt on April 16, a self-hostable AI client for organizations that want chat, search, and research workflows without sending data to Copilot, ChatGPT Enterprise, or Claude Enterprise. Native apps for Linux, macOS, Windows, iOS, and Android, plus a web client. It connects to commercial model APIs, open source model servers, and fully local inference, with Model Context Protocol server integration, Agent Client Protocol agent compatibility, and deepset's Haystack platform. CEO Ryan Sipes: "The problem we are solving today is one of sovereignty and control." OMG! Ubuntu flagged the Intel Thunderbolt bus naming collision as "the worst possible name," a support-desk cost MZLA accepted for continuity with Thunderbird brand identity. When I search for "Thunderbolt," search engines always return "Thunderbird," a decades-old e-mail client. We don't need to check Intel's name; they even clash with their own product names. This is not the first time Mozilla has made bad decisions.

OpenSSL 4.0.0 Ships Encrypted Client Hello, Post-Quantum Key Exchange, Deletes Engine API

OpenSSL 4.0.0 was released on April 14, the largest major version bump since the 3.0 rewrite in 2021. Encrypted Client Hello per RFC 9849 is the headline: the initial TLS handshake is encrypted, and the Server Name Indication is hidden from passive observers. Post-quantum additions include the hybrid curveSM2MLKEM768 key exchange group and broader ML-KEM integration. The ML-DSA-MU digest algorithm, cSHAKE per NIST SP 800-185, and negotiated FFDHE key exchange in TLS 1.2 all land. SSLv3 is completely removed (deprecated in 2015). The Engine API is entirely gone, forcing migration to the Provider model introduced in 3.0. For every distribution shipping OpenSSL as the default TLS library, Engine removal is the item that will generate months of downstream packaging work, particularly for hardware security module integrations and PKCS#11 bridges that never made the Provider migration. Supported through May 14, 2027.

SDL Formalizes AI Code Contribution Ban With AGENTS.md And PR Template Checkbox

Simple DirectMedia Layer, the cross-platform multimedia library shipping in Steam Runtime games and countless Linux desktop applications, formalized its AI contribution ban on April 15. Ryan C. Gordon added a PR template checkbox that requires contributors to confirm there is no AI-generated code, and an AGENTS.md file spells out the policy for automated agents. The stated concerns: legal exposure from AI training data of uncertain license provenance that may conflict with SDL's zlib license, hallucination and code-quality problems, and a preference for human-authored solutions. AI may be used to identify issues, but solutions must be authored by humans. SDL sits at the opposite end of the 2026 open source AI spectrum from Mozilla Thunderbolt and Project Glasswing, and the same week, the kernel welcomes AI-assisted bug discovery.

Project Glasswing Two Weeks In: Stenberg and Schneier Pushback, Aisle Reproduces Mythos Findings On Older Public Models

Two weeks into Anthropic's $100M Project Glasswing launch, the first serious pushback from maintainers landed. Daniel Stenberg argued that AI vulnerability reports shift the load onto maintainers who cannot absorb the volume: the find side scales with compute; the fix side does not. Chainguard's Dan Lorenc echoed the concern. On April 13, Bruce Schneier published an analysis noting that security firm Aisle reproduced Mythos' findings using older, cheaper, publicly available models. The implication: the $100M usage credit commitment and $4M in donations to Alpha-Omega and Apache are buying coordination and a marketing moat, not a unique capability. Two weeks after launch, the consortium has not expanded the Mythos access list beyond the 12 initial partners. For maintainers tracking whether Glasswing is a durable funding source or a limited-window program, the anniversary without expansion is the first operational signal.

Forgejo 15.0 LTS Ships With OIDC, Ephemeral Runners, Repository-Scoped Tokens

Forgejo 15.0, the community-developed self-hosted code forge and Gitea fork, shipped April 16 as a Long Term Support release through July 15, 2027. It is the 100th Forgejo release. Repository-specific access tokens let administrators restrict credentials to selected repositories. Ephemeral runners execute a single job before their credentials are invalidated and their registrations are removed, targeting autoscaled fleets. OpenID Connect (OIDC) support graduates to first-class authentication for Forgejo Actions, so workflows can use short-lived signed tokens rather than long-lived static secrets. For teams running Codeberg, hosting their own Forgejo instances, or migrating away from vendor-locked forges, the LTS designation, along with access-token scoping, removes two specific blockers from the 2026 self-hosted Git evaluation.

nginx-ui MCPwn: First Major MCP Exploit In The Wild Hits 2,689 Instances

CVE-2026-33032, codenamed MCPwn by Pluto Security, scores 9.8 on the Common Vulnerability Scoring System (CVSS) and is an authentication bypass in nginx-ui, the web management interface for Nginx. The /mcp endpoint enforces authentication. The /mcp_message endpoint relies solely on IP whitelisting, and the default whitelist allows all IP addresses. Two HTTP requests are enough to take over a full Nginx server: traffic interception, admin credential harvesting, persistent access, infrastructure reconnaissance via Nginx configuration files, and the ability to kill the service. VulnCheck added it to the Known Exploited Vulnerabilities (KEV) catalog on April 13. About 2,689 exposed instances on the internet, most in China, the US, Indonesia, Germany, and Hong Kong. Version 2.3.4 (March 15) contains the fix. This is the first major Model Context Protocol exploit tracked in the wild, and it lands the same week Mozilla ships Thunderbolt with MCP integration and Anthropic's Mythos Preview matures around MCP tooling. The adoption curve is outpacing the security review curve.

Marimo CVE-2026-39987: Pre-Auth RCE Exploited In 9 Hours, 41 Minutes

Marimo, the reactive Python notebook used in AI development toolchains, disclosed CVE-2026-39987 on April 8 as a pre-authenticated remote code execution vulnerability with a CVSS score of 9.3. The terminal WebSocket endpoint at /terminal/ws skips the validate_auth() call that other WebSocket endpoints correctly perform. Attackers can execute arbitrary commands as the Marimo process. The first exploitation attempt landed within 9 hours and 41 minutes of advisory publication. A complete credential-theft operation ran in under three minutes. Between April 11 and April 14, telemetry recorded 662 exploit events. Attackers deployed a new variant of NKAbuse malware for command-and-control. Fixed in Marimo 0.23.0. For AI engineering teams running Marimo on internal or internet-facing hosts, this advisory-to-exploitation window is collapsing to hours for notebook-class web applications.

Apache ActiveMQ CVE-2026-34197 Added To CISA KEV After Jolokia Bridge RCE Exploitation

CISA added CVE-2026-34197 to the Known Exploited Vulnerabilities catalog on April 16 after active exploitation in the wild. The flaw is improper input validation in the Jolokia JMX-HTTP bridge exposed at /api/jolokia/ on the ActiveMQ web console. An attacker with bridge access can invoke BrokerService.addNetworkConnector with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context, causing Spring's ResourceXmlApplicationContext to instantiate attacker-controlled singleton beans before the broker validates the configuration. Arbitrary code execution on the broker JVM. On versions 6.0.0 through 6.1.1, the earlier CVE-2024-32114 exposes Jolokia without authentication, resulting in unauthenticated RCE. Discovered with AI assistance during a Claude-driven code review. Fixed in ActiveMQ 5.19.4 and 6.2.3. Federal civilian agencies have 14 days to patch.

Kubernetes 1.36 Ships April 22 With DRA Graduating To GA And HPA Scale-To-Zero Default

Kubernetes 1.36 ships on April 22, bringing roughly 80 enhancements: 18 graduating to stable, 18 to beta, 26 new in alpha. Dynamic Resource Allocation moves to General Availability as the headline, changing how GPU and FPGA resources are scheduled for AI and ML workloads. HPA scale-to-zero is on by default (the feature gate first landed in 1.16 in 2019), allowing the Horizontal Pod Autoscaler to scale deployments to 0 replicas and restore them on demand. User Namespaces for Pods graduate to GA after a three-and-a-half-year path from Kubernetes 1.25 in 2022. Mutating Admission Policies graduate to GA. SELinux label optimization, OCI VolumeSource reach stable. Removals: the gitRepo volume plugin, IPVS mode in kube-proxy, and the completion of the ingress-nginx project retirement. Gateway API is the default ingress answer for 2026.

Open Source Gems

Hyperledger Fabric-X v1.0 Alpha Ships With 100,000+ TPS And Microservice Peer Architecture

Hyperledger Fabric-X v1.0 Alpha shipped on April 17, the re-architected enterprise blockchain platform that decomposes Fabric's previously monolithic peer into independently scalable microservices for endorsement, validation, and committing. The ordering service integrates the ARMA Byzantine fault-tolerant consensus protocol, which orders compact transaction digests rather than full payloads. Published benchmarks show sustained throughput above 100,000 transactions per second on commodity hardware at under two-second end-to-end latency, roughly 100x prior Fabric throughput. A four-party four-shard deployment reaches over 400,000 TPS on the ordering service alone. Release Candidate lands April 30, production V1.0 on May 15.

Zig 0.16.0 "Juicy Main" Delivers Dependency Injection And io_uring-Backed I/O

Zig 0.16.0 shipped April 14 with eight months of work from 244 contributors across 1,183 commits. The lead feature "Juicy Main" is a dependency injection mechanism for the program's main function: accepting a process.Init parameter grants access to a struct of useful properties (general-purpose allocator, default Io implementation, environment variables, CLI arguments) without global state. A new std.Io interface exposes a threaded backend (feature-complete, the default for Juicy Main), an experimental event-driven backend, and a proof-of-concept io_uring implementation on Linux, eliminating function coloring in async Zig code. Dependencies now live in a local zig-pkg directory with a global compressed cache. For systems programmers evaluating Zig as a C replacement, std.Io with io_uring closes the last major Linux I/O performance gap.

🔍 Spotlight

Namjae Jeon - New NTFS driver for Linux

Namjae Jeon is a Samsung kernel engineer who spent four years rebuilding the Linux NTFS driver from the old read-only codebase into a modern read-write driver with a userspace fsck utility. The project started as NTFSPlus, was renamed back to NTFS, was proposed for mainline inclusion multiple times, and finally landed in the 7.1 merge window on April 17. The story is short, and the lesson is long: Torvalds initially unpulled Jeon's submission over git-history layout issues. Jeon immediately resubmitted with the layout Torvalds wanted. No argument, no thread, no public re-litigation. The code merged the same window, and Torvalds called it "the NTFS resurrection" in the merge commit.

That exchange is the part that does not show up in commit logs: a maintainer with the patience to accept process rejection and the engineering discipline to fix the specific issue without debating the merits. Four years of rework is a long time to keep a driver project for a non-Linux filesystem together that most kernel developers do not personally care about. The measured results are 35 to 110 percent multi-threaded write gains over Paragon's NTFS3, 3 to 5 percent single-threaded gains, and a 4x faster mount time on a 4 TB drive. For the Linux-Windows interop story that has sat unchanged since NTFS3 landed in 5.15 in 2021, Jeon's driver is the first real improvement in five years.

Samsung has paid Jeon to do this work. Samsung does not sell a Windows product that benefits from faster NTFS on Linux. What this project actually is: four years of hardware-independent, user-facing kernel engineering by a maintainer who cared enough to resubmit the same day the first version got rejected, in a subsystem most people would have given up on. When Torvalds says "ntfs resurrection" in a merge commit, that is what the sentence means. For any contributor wondering how to respond when the maintainer of last resort says no on their first attempt, Jeon's week is the case study.