📬 Open Source & Linux Weekly - W17_2026

Ubuntu 26.04 LTS ships Rust coreutils, sudo-rs, post-quantum TLS by default. Vercel breach traces to one OAuth grant. Marimo CVE exploited in 9h 41m.


What I Wrote this Week

Ubuntu 26.04 LTS Is Coming for the Developers macOS Stole in 2014

macOS kept the developer workstation for 10 years because the whole setup just worked. Ubuntu 26.04 LTS is the first Linux release that does the same.


30 Billion+ Devices. Their Maintainers Split 3 Ways on AI.

The curl maintainer said AI was drowning open source in slop. Nine weeks later, he said the opposite. Open source governance split three ways in one quarter.


GNOME 50 Drops X11. The GNOME Foundation Drops Trust.

GNOME 50 shipped on March 18 without X11. Three directors burned. 33% of staff cut. $105,000 on payroll. Fedora 44 and Ubuntu 26.04 LTS will deliver it next week.


Linux 7.0: One Bash Script. One Weekend. 23 Years of Kernel Bugs.

Linux 7.0 shipped on April 12. Rust is official. AI is now a kernel coworker. Linus Torvalds calls this the new normal.



Welcome back. Today, the weekly wrap. One permission grant turned into a platform breach. A senior maintainer wants to delete 28,000 lines of working code to shut up the AI bug reports.

Four stories on the slate.

One. The Vercel breach was a five-door heist where every door was opened from the inside.

Two. The Python notebook clock. From patch to live attack in under one workday, 662 attempts in three days.

Three. A Linux maintainer named Andrew Lunn wants to delete almost 28,000 lines of working network code. AI bug-hunting robots keep flagging fake bugs in it, and humans have to read each one.

Four. A June 2026 boot deadline that snuck up on every laptop made before 2018.

A lot landed in one week...


Start with the breach.

A web hosting company called Vercel disclosed a customer data breach this week. I walked it step by step on a whiteboard before recording. The lesson hides in step two.

Step one. February. An information-stealing virus lands on one employee's machine. It scrapes every saved password from his browser. The credentials show up for sale on a hacker forum. $2,000,000 asking price.

Step two. The employee had given an AI productivity tool permission to read his work email. One click, months ago. No one on his team remembers granting it.

Step three. The attacker uses the stolen credentials to log into the AI tool. The AI tool still has a live connection to the work email. The attacker doesn't need to break that connection. He rides it.

Step four. The work email account is connected to internal company tools. Configuration secrets. Customer credentials. Customers had stored passwords in plaintext for their own deployments.

Step five. Customer data leaks.

Five doors... The employee opened four of them himself. A tool he trusted opened the fifth.


Second story, same week.

A Python notebook tool used by data scientists published a fix for a critical bug this month. The bug let a remote attacker run shell commands on your machine.

Attackers were exploiting it in the wild 9 hours and 41 minutes after the fix landed.

662 attack attempts logged in three days, from 11 different internet addresses across 10 countries.

Defenders had less than one workday of head start. Plan your next patch around that number.


A senior Linux networking maintainer named Andrew Lunn proposed deleting almost 28,000 lines of working network code from Linux this week.

The code works. It has worked for 30 years. Old network drivers, cards from the eighties and nineties. Most engineers under 30 have never seen the slots these cards plug into. The code sits there quietly, compiles every release, and boots if you plug in a museum piece.

He wants to delete it because of the AI fuzzers. These tools scan the kernel and flag anything that appears to be a problem. A human has to read each flag and decide if it's real.

Keeping the code costs nothing. Reading the AI reports costs maintainer hours.

Andrew Lunn did the math. Almost no one runs these old cards. The reports keep coming. Each one costs a maintainer 10 or 20 minutes, multiplied across thousands of false reports a year.

He wrote to the networking team's email list and said, "Let's just delete the code."

A senior kernel maintainer just said out loud that AI bug reports cost working code. That part is new.


One more debit...

A privacy-focused Linux system called Tails published a warning this week. Every laptop made before 2018 has a certificate baked into its firmware. That certificate lets Linux boot on most laptops.

Microsoft signed it back in 2011, and it expires in June 2026.

After that, those laptops will not boot Linux without a firmware update from the manufacturer. Most manufacturers will not ship one. The laptops are too old, and no one is being paid to update them.

If your laptop is older than 2018 and you run Linux, check your firmware before June.


If you need me, I'm off to revoke a few of my own permissions before I forget.

Free to read. Or you can get premium articles and show your support for less than a parking meter that ate your coin and gave you nothing back in a month.

Have a great week!

🐧 Linux

Ubuntu 26.04 LTS Ships With Rust Coreutils, Sudo-rs, and Post-Quantum TLS by Default

Canonical released Ubuntu 26.04 LTS "Resolute Raccoon" on April 23. The codename was Steve Langasek's pick before he died in early 2025. Standard support runs five years through April 2031. Ubuntu Pro extends that to ten through 2036. The stack ships Linux 7.0, GNOME 50 on Wayland-only with XWayland for legacy applications, systemd 259 with mandatory cgroup v2, Dracut as the default initramfs generator, Trusted Platform Module (TPM)-backed full disk encryption, Snap permission prompts on by default, and the optional x86-64-v3 package set. Two changes carry the release. Rust coreutils replace the GNU originals, the first major distribution to ship the switch in an LTS. Sudo-rs replaces the C sudo. This is also the first Ubuntu LTS to ship hybrid post-quantum cryptography in both OpenSSH and OpenSSL by default. Canonical now ships NVIDIA CUDA and AMD ROCm packages as first-party and maintained, so AI and ML operators stop pulling GPU stacks from vendor repos. Direct upgrades from 24.04 LTS open only after the 26.04.1 point release scheduled for August 2026. If your fleet runs 24.04 LTS, plan the production migration window for September, not before.

Framework Computer Announces The Framework Laptop 13 Pro

Framework launched the Laptop 13 Pro on April 21 at its Next Gen event in San Francisco. The chassis is CNC aluminum built from 75 percent pre-consumer recycled 6063 aluminum. Memory is LPCAMM2 LPDDR5X at 7,467 MT/s, upgradable to 64 GB. Other specs: a 74 Wh battery (up from 61 Wh), a custom 13.5-inch 2880x1920 LTPS LCD matte touchscreen with 30 to 120 Hz variable refresh rate, a haptic touchpad, PCIe Gen 5 SSD support up to 14,000 MB/s, and Wi-Fi 7 via the Intel BE211 radio. Chips target Intel Core Ultra Series 3 (Panther Lake) with options for Ultra 5 325, Ultra X7 358H, and Ultra X9 388H, plus AMD Ryzen AI 300 variants. DIY pricing starts at $1,199. The Pro is the first Framework system to ship as Ubuntu Certified with Canonical partnership. Ken VanDine took the stage at Next Gen. Ubuntu preload is now a first-class purchase option in the Framework configurator alongside Windows. First units ship in June 2026. No other 2026 hardware launch has put Ubuntu next to Windows on the configurator on day one.

Fedora 44 Cleared for April 28 After Three Go/No-Go Meetings

Fedora 44 reached "Go" status at its third Go/No-Go meeting on April 23. Quality Assurance, release engineering, and development teams confirmed the April 28 ship target. The April 14 meeting was cancelled, the April 16 vote was No-Go, and April 21 was No-Go again. The April 23 meeting cleared the remaining installer-stack blockers: non-ASCII keyboard handling, the KDE Plasma Setup Keyboard Layout page breakage, the Btrfs installation issue, the Anaconda configuration-storage failure, and the python-blivet crash on incomplete spanned Btrfs setups. The virtual release party ran April 24. Fedora Project Leader Jef Spaleta gave the keynote. Fedora 44 ships GCC 16, Binutils 2.46, glibc 2.43, GDB 16.3, LLVM 22, Go 1.26, RPM 6.0, Ruby 4.0, PHP 8.5, MariaDB 11.8, DNF5 unified across the entire OS, and NTSYNC autoloading that fires automatically when Wine or Steam is installed. Two slips, three votes, public blocker lists, dated decision points on the wiki. The release went out a week after the original target.

Linux May Drop Old Network Drivers Now That AI-Driven Bug Reports Are Causing A Burden

Andrew Lunn posted a patch series to the netdev mailing list on April 21 proposing the removal of 18 legacy Ethernet drivers. The list covers 3Com (3c509, 3c515, 3c574, 3c589, 3c59x), AMD PCnet, SMSC, Cirrus Logic, Fujitsu, Xircom, and the 8390-based family. The removal would drop approximately 27,646 lines of code across 40 files, all ISA and PCMCIA hardware, 25 to 35 years old. The drivers work. They generate a constant stream of fuzzer-generated and AI-generated bug reports that maintainers have to triage, with no users on the other end. The kernel community's compromise position lets individual users volunteer to maintain specific drivers to keep them in-tree. This is the first public-record case of AI-generated bug-report volume forcing a kernel maintenance-burden conversation. Old USB, old SCSI, and old wireless subsystems are next in line over the following two or three release cycles.

Steam on Linux Hits 5.33 Percent in March, More Than Double the macOS Gaming Share

Linux's share in the Steam Hardware & Software Survey reached 5.33 percent in March 2026. That is more than double macOS at 2.35 percent. The jump from November 2025 to March 2026 was 2.13 percentage points, the largest single-period gain Linux has ever recorded on the survey. The Steam Deck registers every owner as a Linux user, and SteamOS sits at 24.48 percent of the Linux user base, the most popular single Linux variant on Steam. Fedora 44 ships NTSYNC autoload next week and Ubuntu 26.04 LTS ships the same day, so Steam Deck spillover is strong enough to pull general-purpose Linux desktops along with it. At 1 to 2 percent, Linux gaming was a rounding error for AAA developers. At 5 percent, it crosses the line where game studios cannot ship without testing against Proton.

Tails 7.7 Adds Secure Boot Certificate Expiry Alerts

The Tor Project released Tails 7.7 on April 23. The headline change is a new "Secure Boot Update Needed" notification that warns users when their Secure Boot certificates approach the 2026 cutoff. Microsoft's third-party Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA) certificates issued in 2011 begin expiring in June 2026. Tails will no longer start on hardware with expired certificates. The release also patches a permissions glitch that left the /root directory readable by non-root users, upgrades Tor Browser to 15.0.10, and bumps Thunderbird to 140.9.1. If you run Tails on hardware from 2018 or earlier, the certificate expiry warning is the cue to plan a hardware refresh or UEFI firmware update before June 2026. After that date, any Linux distribution that depends on the Microsoft third-party CA for Secure Boot fails to boot on affected machines. Treat the Tails warning as a 30-day deadline.

Linux Kernel 7.0.1, 6.19.14, 6.18.24 Released

Greg Kroah-Hartman released the 7.0.1, 6.19.14, 6.18.24, and 6.12.83 stable kernels on April 22, the first 7.0.1 point release. The 6.19.x series ends at 6.19.14. That closes the post-7.0 transition. Two fixes stand out. The Server Message Block (SMB) stack now rejects malformed packets that could leak kernel heap data or trigger double-free crashes. The Near Field Communication (NFC) digital handler adds a missing cascade depth check that would otherwise allow a malicious peer to overwrite heap memory. If you run Ubuntu 26.04 LTS on 7.0 stable, the 7.0.1 point release is the first post-LTS-shipment kernel update. The SMB and NFC hardening are reasons to schedule it this week, not at the next maintenance window.

Linux Gems

Bcachefs 1.38 Released With Faster Mounts and Discard Fixes

Kent Overstreet released Bcachefs 1.38 on April 19, the second post-mainline-removal release targeting functional reliability rather than feature breadth. Pending discard work is now indexed by journal sequence number rather than by device and bucket. The new index restructures how the allocator coordinates with the discard worker and breaks the on-mount allocator deadlock behind three releases of "stuck on mount" reports. Journal pipelining moves from a 16-entry hard cap to a 256-entry first-in-first-out queue. An accidental O(n^2) growth path in the in-memory snapshot table is fixed, which cuts mount times sharply on systems with many snapshots. Bcachefs was removed from the mainline kernel for Linux 6.18 in late 2025 and now ships as DKMS (Dynamic Kernel Module Support). If you want copy-on-write filesystem features without ZFS license friction, Bcachefs is the path Overstreet is stabilizing. Coverage outside the bcachefs mailing list has stayed thin since the mainline removal. The on-mount fix is the release every Bcachefs operator has been waiting on since 1.36.

NTFS-3G FUSE Driver Sees First New Release In Four Years

Tuxera released NTFS-3G 2026.2.25 on April 21, the first stable NTFS-3G release in roughly 4 years. The release fixes four things. Common Vulnerabilities and Exposures (CVE) entry CVE-2026-40706 closes a heap buffer overflow when POSIX ACLs were enabled. A bashism in the configure script that broke non-bash shells is corrected. mkntfs gains microsecond-level volume creation timestamps. Use-after-free conditions across the library and tools are patched. Timing is what makes this release matter. Namjae Jeon's NTFS driver rewrite merged into Linux 7.1 on April 17, the first actively maintained kernel-level NTFS write driver in Linux history. NTFS-3G has been the de facto Linux path for read-write NTFS for more than 15 years through Tuxera's maintenance. The 2026.2.25 release positions NTFS-3G as the compatibility path for kernels older than Linux 7.1, which covers every LTS currently in support. If you mount NTFS volumes through FUSE, the heap-overflow fix is the upgrade trigger. Patch this week and start the kernel-7.1 migration plan in parallel.

🧩 Open Source

Kubernetes v1.36: ハル (Haru)

Kubernetes 1.36 hit its scheduled General Availability (GA) on April 22 with 70 enhancements (18 stable, 25 beta, 25 alpha) from 491 contributors across 106 companies in a 15-week cycle. Dynamic Resource Allocation graduated to GA after a multi-year alpha and beta path. DRA scheduling performance improved by approximately 50 percent through the ResourceSlice restructure. HPAScaleToZero (filed in 1.16 back in 2019) is enabled by default. The Horizontal Pod Autoscaler can now drop deployments to zero replicas when no workload is present. User Namespaces for Pods graduated to GA after 3.5 years from alpha in 1.25. MutatingAdmissionPolicy reached GA with Common Expression Language (CEL) mutation expressed as Kubernetes objects rather than webhook servers. Two removals tighten cluster security. The gitRepo volume plugin is permanently disabled. Ingress NGINX, formally retired by SIG Network and the Security Response Committee in the November 11, 2025 announcement, ends best-effort maintenance in March 2026. From 1.36 forward: no further bug fixes, no further Common Vulnerabilities and Exposures (CVE) patches, no further security updates. Gateway API is now the 2026 ingress default for everyone still on the NGINX path. The "Haru" theme (春 spring, 晴れ clear skies, 遥か far-off) and the avocadoneko-illustrated Hokusai-inspired logo round out the release. If you still run Ingress NGINX in production, you are running a CVE waiting list.

Vercel April 2026 security incident

Vercel published its security bulletin on April 19 (last updated April 24). The bulletin confirms unauthorized access to certain internal systems. The entry point was a compromise of Context.ai, a third-party AI tool used by a Vercel employee. The attack chain traces back to February 2026, when Lumma infostealer malware harvested a Context.ai employee's credentials. The attacker used those credentials to compromise a Vercel employee's Google Workspace account through Context.ai's Google Workspace OAuth (Open Authorization) grant. Lateral movement let the attacker enumerate and decrypt non-sensitive environment variables (those that decrypt to plaintext) for a limited subset of customers. Vercel says no npm packages it publishes were compromised. Next.js and Turbopack projects were not affected. The bulletin followed a "ShinyHunters" forum post from the same week that listed alleged Vercel access for $2 million. Hacker News landed the right reading. One OAuth grant to a third-party AI tool cascaded into developer-platform internal access. Every OAuth integration is now a blast radius decision.
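
To make the "blast radius" point concrete, here is an added example (not from Vercel's bulletin or this newsletter's sources) that ranks third-party OAuth grants by how many users' mail or files they can reach. It assumes grants exported in the shape of the Admin SDK Directory API tokens.list response (clientId, displayText, userKey, scopes); the approved-client list and every sample value are constructed.

```python
import json

# Google OAuth scopes that expose a user's mail or files to the client.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify mail",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/drive.readonly": "read all Drive files",
}
# Assumption: client IDs that have passed your own vendor review.
APPROVED_CLIENTS = {"000000000001-reviewed.apps.googleusercontent.com"}

# Constructed sample in the shape of a tokens.list response; all values are made up.
SAMPLE_EXPORT = json.loads("""
{"items": [
  {"clientId": "000000000001-reviewed.apps.googleusercontent.com",
   "displayText": "Reviewed Mail Archiver", "userKey": "u-100",
   "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
  {"clientId": "000000000002-assistant.apps.googleusercontent.com",
   "displayText": "Example AI Assistant", "userKey": "u-100",
   "scopes": ["openid", "https://mail.google.com/"]},
  {"clientId": "000000000002-assistant.apps.googleusercontent.com",
   "displayText": "Example AI Assistant", "userKey": "u-200",
   "scopes": ["https://mail.google.com/",
              "https://www.googleapis.com/auth/drive.readonly"]},
  {"clientId": "000000000003-calendar.apps.googleusercontent.com",
   "displayText": "Example Scheduler", "userKey": "u-300",
   "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]}
]}
""")


def audit_grants(export):
    """Group high-risk grants by client and rank them by how many users they reach."""
    apps = {}
    for item in export.get("items", []):
        risky = [s for s in item.get("scopes", []) if s in HIGH_RISK_SCOPES]
        client_id = item.get("clientId")
        if not risky or not client_id:
            continue  # low-risk scopes only, or a malformed record
        app = apps.setdefault(client_id, {
            "client_id": client_id,
            "name": item.get("displayText", ""),
            "approved": client_id in APPROVED_CLIENTS,
            "users": set(),
            "access": set(),
        })
        app["users"].add(str(item.get("userKey")))
        app["access"].update(HIGH_RISK_SCOPES[s] for s in risky)
    report = [dict(app, users=sorted(app["users"]), access=sorted(app["access"]))
              for app in apps.values()]
    # Unreviewed clients first, then the widest reach.
    return sorted(report, key=lambda a: (a["approved"], -len(a["users"]), a["name"]))


def revoke_candidates(export):
    """Clients holding mail or file access that nobody has reviewed."""
    return [a["client_id"] for a in audit_grants(export) if not a["approved"]]


if __name__ == "__main__":
    for app in audit_grants(SAMPLE_EXPORT):
        status = "approved" if app["approved"] else "UNREVIEWED"
        print(f'{status:10} {app["name"]}: {len(app["users"])} user(s), '
              f'{", ".join(app["access"])}')
```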

Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens

Between April 21 and 23, security researchers at Socket, StepSecurity, GitGuardian, and Panther documented three simultaneous supply chain campaigns. The campaigns hit npm, PyPI, and Docker Hub. All three share infrastructure and tactics with the CanisterWorm campaign first disclosed by Aikido Security on March 20. The CanisterSprawl variant targets Namastex Labs and pgserve npm packages. Postinstall hooks steal credentials from developer environments. The worm self-propagates by republishing infected versions under compromised credentials. If it finds a PyPI token, it jumps ecosystems entirely. The exfiltration target across all variants is an ICP (Internet Computer Protocol) canister at cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io. The attackers deliberately chose canister infrastructure because it resists conventional takedowns. The Register confirmed shared infrastructure with the March TeamPCP campaign that compromised over 66 packages including telnyx. The root infection vector continues to trace back to continuous integration (CI) pipelines that used the compromised trivy-action between March 19 and 24. If your CI history touches that window, rotate every npm and PyPI token your runners ever held.
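
Because the worm described above runs from install-time hooks, a useful first check is an inventory of which installed packages declare one. The following is an added example, not code from any of the researchers named here: it walks a node_modules tree, lists packages with preinstall, install or postinstall scripts, and flags any whose hook command or referenced script mentions the exfiltration host quoted above. The sample packages are constructed and their names are made up.

```python
import json
import os
import shlex
import tempfile

# Scripts npm runs automatically when a package is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Exfiltration host named in the item above.
IOC_HOSTS = ("cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io",)
MAX_SCRIPT_BYTES = 1_000_000  # assumption: skip files larger than this


def hook_text(pkg_dir, command):
    """Return the hook command plus the contents of package files it names."""
    parts = [command]
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes in the script string
        tokens = command.split()
    base = os.path.realpath(pkg_dir) + os.sep
    for token in tokens:
        path = os.path.realpath(os.path.join(pkg_dir, token))
        # Only read regular files that stay inside the package directory.
        if path.startswith(base) and os.path.isfile(path) \
                and os.path.getsize(path) <= MAX_SCRIPT_BYTES:
            with open(path, encoding="utf-8", errors="replace") as fh:
                parts.append(fh.read())
    return "\n".join(parts)


def audit_node_modules(root):
    """List every package under root that declares an install-time hook."""
    findings = []
    for pkg_dir, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
        if not isinstance(scripts, dict):
            continue
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if isinstance(scripts.get(h), str)}
        if not hooks:
            continue
        text = "\n".join(hook_text(pkg_dir, cmd) for cmd in hooks.values())
        findings.append({
            "name": manifest.get("name"),
            "version": manifest.get("version"),
            "hooks": hooks,
            "ioc_hits": [host for host in IOC_HOSTS if host in text],
        })
    # Packages that reference a known indicator sort first.
    return sorted(findings, key=lambda f: (not f["ioc_hits"], str(f["name"])))


def build_sample_tree(root):
    """Constructed sample: three made-up packages, one referencing the indicator."""
    packages = {
        "example-clean": ({}, {}),
        "example-native": ({"install": "node-gyp rebuild"}, {}),
        "example-infected": ({"postinstall": "node setup.js"},
                             {"setup.js": "// constructed marker: " + IOC_HOSTS[0] + "\n"}),
    }
    for name, (scripts, extra_files) in packages.items():
        pkg_dir = os.path.join(root, "node_modules", name)
        os.makedirs(pkg_dir)
        manifest = {"name": name, "version": "1.0.0", "scripts": scripts}
        files = dict(extra_files, **{"package.json": json.dumps(manifest)})
        for filename, content in files.items():
            with open(os.path.join(pkg_dir, filename), "w", encoding="utf-8") as fh:
                fh.write(content)


def demo():
    """Audit the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_node_modules(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A package with an install hook is not malicious by itself; native add-ons use them routinely. The list is the set to review, with indicator hits first.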

Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure

Marimo, the open-source reactive Python notebook for data science and ML work, disclosed CVE-2026-39987 with a Common Vulnerability Scoring System (CVSS) score of 9.3. The terminal WebSocket endpoint /terminal/ws lacked authentication validation. Unauthenticated attackers could obtain a full PTY shell and execute arbitrary system commands. The fix shipped in version 0.23.0. The Sysdig Threat Research Team observed exploitation within 9 hours and 41 minutes of the April 8 disclosure, the shortest disclosure-to-in-the-wild window observed in 2026 so far. Sysdig then recorded 662 exploit events between April 11 and 14, originating from 11 unique source IP addresses across 10 countries. The exploit deploys a new variant of NKAbuse that abuses the NKN peer-to-peer network protocol for command-and-control. If your data-science or ML team runs Marimo as a shared-notebook server, upgrade and audit every 0.20.4-or-earlier instance today. Tomorrow is too late.
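
As part of the audit, the reverse-proxy access log in front of a Marimo server shows who reached the terminal endpoint. This added example (not Sysdig's or Marimo's code) summarises requests to /terminal/ws per source address and lists sources outside your own networks that completed a WebSocket upgrade. It assumes combined log format and a hypothetical trusted range of 10.0.0.0/8; the log lines are constructed and use documentation addresses.

```python
import ipaddress
import re
from collections import OrderedDict
from datetime import datetime
from urllib.parse import unquote

TERMINAL_PATH = "/terminal/ws"  # endpoint named in the item above
# Assumption: networks your own notebook users connect from.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Combined log format as written by nginx and most reverse proxies.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines; addresses are from the documentation ranges.
SAMPLE_LOG = """\
10.4.0.17 - - [20/Apr/2026:08:01:12 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
203.0.113.50 - - [20/Apr/2026:09:30:02 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "client/1.0"
203.0.113.50 - - [20/Apr/2026:09:30:40 +0000] "GET /terminal/ws?session=2 HTTP/1.1" 101 0 "-" "client/1.0"
198.51.100.9 - - [20/Apr/2026:10:02:55 +0000] "GET /terminal/ws HTTP/1.1" 403 153 "-" "client/2.0"
198.51.100.9 - - [20/Apr/2026:10:03:10 +0000] "GET /api/status HTTP/1.1" 200 48 "-" "client/2.0"
this line is not in log format
"""


def normalize_path(target):
    """Drop the query string, decode escapes and collapse repeated slashes."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/+", "/", path).rstrip("/") or "/"


def terminal_activity(log_text):
    """Summarise requests to the terminal endpoint per source address."""
    summary = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or normalize_path(m.group("target")) != TERMINAL_PATH:
            continue
        try:
            addr = ipaddress.ip_address(m.group("ip"))
            seen = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # unparseable address or timestamp
        entry = summary.setdefault(str(addr), {
            "requests": 0,
            "upgraded": 0,
            "first_seen": seen,
            "trusted": any(addr in net for net in TRUSTED_NETS),
        })
        entry["requests"] += 1
        # HTTP 101 means the WebSocket upgrade succeeded and a terminal opened.
        entry["upgraded"] += int(m.group("status") == "101")
        entry["first_seen"] = min(entry["first_seen"], seen)
    return summary


def untrusted_sessions(log_text):
    """Sources outside TRUSTED_NETS that completed a WebSocket upgrade."""
    return [ip for ip, entry in terminal_activity(log_text).items()
            if entry["upgraded"] and not entry["trusted"]]


if __name__ == "__main__":
    for ip, entry in terminal_activity(SAMPLE_LOG).items():
        print(ip, entry["requests"], entry["upgraded"],
              entry["first_seen"].isoformat(), "trusted" if entry["trusted"] else "EXTERNAL")
    print("review:", untrusted_sessions(SAMPLE_LOG))
```

An access log cannot show whether a request carried valid credentials, so on a version without the fix every upgrade from an external source is a session to investigate.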

OpenVPN 2.7.2 Fixes Two Security Flaws and Improves Password Handling

OpenVPN 2.7.2 released April 22 with two CVE fixes. CVE-2026-40215 closes a race condition in the Transport Layer Security (TLS) handshake where packet data from a previous handshake could be exposed under specific conditions. CVE-2026-35058 fixes a server-side ASSERT abort triggered by a malformed packet carrying a valid tls-crypt-v2 key, which turned a denial-of-service vector into a trivial crash of the server process. The release also adds management interface version 6 with support for very long base64-encoded multiline passwords, Windows DNSSEC flag handling fixes, and installer improvements. For anyone running OpenVPN as a site-to-site or road-warrior VPN concentrator, the server-side ASSERT fix is the upgrade trigger because a crash-on-crafted-packet vector is live, not theoretical.

Apache Airflow Code Execution CWE-502 (CVE-2026-25917)

Apache Airflow 3.2.0 closed CVE-2026-25917, a Common Weakness Enumeration entry (CWE-502) deserialization-of-untrusted-data flaw where Directed Acyclic Graph (DAG) authors could craft malicious XCom payloads that achieve arbitrary code execution within the webserver context. The GitLab advisory database, updated April 21, lists a CVSS Base Score of 9.8. The official Apache assessment marks practical severity as low because only trusted DAG authors can exploit it (CISA Authorized Data Publisher (CISA-ADP) scores it 7.2). Airflow 3.2.1 fixes three more CVEs. CVE-2026-38743 let authenticated users access Human-in-the-Loop prompts and TaskInstance details for DAGs outside their authorized scope. CVE-2026-40690 leaked the existence and names of DAGs and assets through the asset dependency graph to users without read access. CVE-2026-32690 failed to mask secrets stored in JSON dictionary variable nested fields. If your data engineering team runs self-hosted Airflow as the orchestration plane for ML pipelines and data warehousing, the upgrade window from 3.1.x to 3.2.1 is short. Plan it this week.

WWBN AVideo Critical WebSocket RCE (CVE-2026-40911)

CVE-2026-40911, published April 21, identifies a CVSS 10 remote code execution vulnerability in WWBN AVideo, the open-source video platform that backs many self-hosted streaming services. An unauthenticated attacker can connect to the YPTSocket plugin's WebSocket server and send specially crafted JSON messages with malicious JavaScript embedded in the msg or callback fields. The plugin's client-side script feeds those unsanitized messages directly into JavaScript dynamic-evaluation sinks, which execute the attacker payload within the user's browser origin. The system mints tokens for anonymous visitors, and these tokens are not revalidated beyond decryption. Affected versions are 29.0 and prior. Universal account takeover, session theft, and privileged action execution are the practical ceiling. CVSS 10 with no authentication and a ready exploit chain leaves no triage window.

CISA Adds Eight Known Exploited Vulnerabilities to Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) added eight actively exploited vulnerabilities to the Known Exploited Vulnerabilities Catalog on April 20. Three target Cisco Catalyst Software-Defined Wide Area Network (SD-WAN) Manager: CVE-2026-20122 (file overwrite via privileged API misuse), CVE-2026-20128 (password storage in recoverable format), and CVE-2026-20133 (information disclosure). The federal remediation deadline for those three hit April 23, alongside CVE-2025-48700 Zimbra Collaboration zero-click cross-site scripting (XSS). Cisco confirmed CVE-2026-20128 and CVE-2026-20122 as actively exploited in early March 2026. The other four CVEs (CVE-2023-27351 PaperCut NG/MF, CVE-2024-27199 JetBrains TeamCity, CVE-2025-2749 Kentico Xperience, CVE-2025-32975 Quest KACE with CVSS 10.0) carry a May 4 deadline. Three CVEs on a single network-management product in a single batch is the unusual signal here. If your network team runs Cisco Catalyst SD-WAN Manager and missed April 23, you are already operating past the federal deadline.

Open Source Gems

Forgejo v15.0 is available

Forgejo v15.0 released April 16, the 100th release of Forgejo, and the first Long Term Support release in this cycle, supported through July 15, 2027. Three additions matter. Repository-scoped access tokens let administrators and users restrict tokens to selected repositories. OpenID Connect support for Forgejo Actions lets workflows authenticate with third-party systems using short-lived signed tokens rather than long-lived static secrets. Ephemeral runners execute a single job, then their credentials are invalidated and the registration is removed. A new web-based registration workflow replaces part of the previous command-line process. The v11.0 LTS reaches end-of-life July 16, 2026, so everyone on v11 has roughly three months to migrate. If you self-host code and have been holding off on Forgejo for a proper OIDC and ephemeral-runner LTS, this is the milestone to plan against. Coverage outside the self-hosted code-forge community stays thin because Forgejo ships without venture-capital fanfare. The OIDC-plus-ephemeral-runners combination closes the last serious gap that kept enterprise teams on GitHub Enterprise Server.

Arch Linux Now Ships a Reproducible Docker Image

Arch Linux announced on April 20 that its Docker base image is now bit-for-bit reproducible, distributed under a new "repro" tag on Docker Hub. A reproducible image means repeated builds from the same source produce an identical byte-for-byte result and the same Open Container Initiative (OCI) manifest digest, confirmed via diffoci comparison. The technical pieces are SOURCE_DATE_EPOCH applied to the OCI image creation label, removal of the ldconfig auxiliary cache file, and timestamp normalization across Docker and Podman builds. The trade-off worth knowing: pacman keys are stripped from the image to ensure determinism, so pacman is not usable out of the box. Run pacman-key with --init and --populate archlinux before installing or updating packages. If your supply-chain security team builds container infrastructure on an Arch base, the reproducible tag gives you a hash you can verify against the source tree. With the WSL image earlier this year and the Docker image now, Arch has shipped two reproducibility milestones in 2026. Mainstream distributions have shipped zero.

Trisquel GNU/Linux 12.0 LTS Released

The Trisquel Project released Trisquel GNU/Linux 12.0 LTS (codename Ecne) on April 12, with broader coverage through the past week. Trisquel is based on Ubuntu 24.04 LTS Noble Numbat (supported until 2029) and carries Free Software Foundation (FSF) endorsement as a fully free distribution. The default kernel is GNU Linux-libre 6.8 with 6.14 as the Hardware Enablement Stack. The default browser is Abrowser 146 (a Firefox derivative with proprietary features stripped). Icedove 140 is the default email client. LibreOffice 24 ships in the install. APT 3.0 with the deb822 repository format is now the package management default. Editions include MATE 1.26, KDE Plasma 5.27.12 (Triskel), LXDE (Mini), Sugar (educational), and a NetInstall variant. If you want a system built entirely from free software (no proprietary drivers, firmware, or other non-free components), Trisquel is the most actively maintained FSF-endorsed Ubuntu derivative. Coverage outside the GNU community stays thin on every Trisquel release cycle. The five-year Ubuntu base means a 12.0 install today carries you through April 2029 without a re-image.

πŸ” Spotlight

Enrico Weigelt, XLibre Project

Enrico Weigelt may be the most consequential and least-celebrated figure in the Linux display server ecosystem right now. Since 2024, he has been the most active contributor to the X.org X server, submitting hundreds of patches that add new functionality and improve the testing pipeline. When the broader Xorg project's momentum stalled, with Wayland advocates deprioritizing maintenance and corporate contributors pulling back, Weigelt didn't wait. He forked the project as XLibre, committed to active maintenance and security hardening, and, within less than a year, delivered a release mature enough for Artix Linux to adopt it as a default. This week, XLibre became the focal point of a three-way Linux display war: GNOME and Ubuntu pulling users toward Wayland-only, Artix and GhostBSD adopting XLibre as a maintained alternative for users who cannot migrate, and the traditional Xorg sitting between them, though in practice unmaintained. Weigelt's contribution is not glamorous. It is the maintenance work that most developers avoid. Without it, the users whose remote desktop workflows, legacy enterprise applications, and AMD/Nvidia edge cases remain unsupported on Wayland would have no viable upgrade path. That is the unglamorous work that keeps Linux running while the headlines go to Wayland.
