Open Source & Linux Weekly - W18_2026
CopyFail: 732-byte script roots every Linux since 2017. Fedora 44 enforces 99% reproducible builds. pgBackRest archived, pgxbackup fork ships in 4 days.
What I Wrote this Week
Fedora 44: An Open Linux Release Ubuntu Cannot Copy
The curl maintainer said AI was drowning open source in slop. Nine weeks later, he said the opposite. Open source governance split three ways in one quarter.
Medium Link | Canartuc.com Link
A Dorm Room in 1993. The International Space Station Today. One Person the Industry Forgot.
Deb and Ian. A 20-year-old's act of love is now the foundation on which billions of lines of code run. The relationship lasted 14 years. The name will last forever.
Medium Link | Canartuc.com Link
35 Years of Linux Principles. Ubuntu Just Threw Them Away in One Snap.
Ubuntu 26.04 LTS just shipped the fastest developer setup Linux has ever seen. It is hidden in a roadmap Canonical published one day before public release.
Medium Link | Canartuc.com Link
This week, a 732-byte Python script gave root access to every Linux box shipped since 2017; Germany started paying open-source maintainers EUR 5,200 a month to attend standards meetings; and a PostgreSQL backup tool used by half the industry was rescued by a specialist PostgreSQL consulting firm 4 days after its creator walked away.
Here's the roadmap for today. First, the kernel bug nicknamed CopyFail. A nine-year-old crack in the part of Linux that does the locking and unlocking, the cryptography. Found by an AI auditing tool, not a human. Second, the human story. A man named David Steele who maintained the world's most popular PostgreSQL backup tool for over a decade, paid by one company. That company got bought. His job vanished. He archived the project on a Monday. By Friday, a specialist PostgreSQL consulting firm had forked it and committed to keeping it alive. Fastest community rescue I've seen this decade. Third, the surprise: Germany. The German government just opened applications to pay open source maintainers around five thousand euros a month. Not for code. For sitting in meetings. I'll explain why it is important.
Linux runs almost everything. Your bank's settlement systems. The cell tower routing your phone calls. The train control system on the line you took home. The monitor next to a hospital bed. All of it. Linux underneath.
Now imagine a crack in the foundation of every one of those systems. A crack that was put there nine years ago.
The crack lives inside the part of Linux that handles encryption. The lock on the front door. The thing that decides who has admin rights and who doesn't.
The patch went out before the public knew about it. That part is good news. The system worked.
But the next day, an older version of openSUSE Linux, which runs on many mid-sized business servers, reached the end of support. Which means anyone still on it is now permanently exposed to the same bug.
So the AI found a nine-year-old bug. Big deal, right? Patched, shipped, done.
Now I want to tell you about David Steele.
David Steele built and maintained the most popular backup tool for the world's most popular open source database: PostgreSQL. One of the most widely used databases on the Internet, running banks, hospitals, settlement systems, and most of the modern web.
He worked on this tool for over a decade. Made it the standard. The default choice for any serious PostgreSQL deployment that needed backup and restore that actually worked at scale. Crunchy Data's own products. EnterpriseDB. Supabase, which sponsored his work. Most on-premises enterprise PostgreSQL clusters in finance, healthcare, and government.
One company paid him. A consulting firm called Crunchy Data. They picked up his salary so he could keep maintaining the tool full-time.
Then Crunchy Data got bought. By a much bigger company. The acquisition closed. David's job evaporated. And on a Monday at the end of last week, he archived the project on GitHub. Read-only. No more updates. No more security patches. Done.
Think about who depends on this tool: banks, airlines, and hospitals running PostgreSQL clusters. Enterprise vendors and managed-Postgres companies whose customers trust them precisely because the backup story works. All of them.
And then something beautiful happened. By Friday, 4 days later, a specialist PostgreSQL consulting firm I'd never heard of forked the project under a new name. They committed to keeping it alive.
That is the fastest community rescue I have seen this decade. And honestly? It's incredible.
But it should never have been a rescue.
You don't rescue your safety net. You fund it. The companies whose entire revenue stream depends on this code and that have built business empires on top of it could not collectively pay for one maintainer. One.
Now stay with me, because this is where the week gets weird.
Germany... Specifically, Germany's government open source agency. They opened applications this week to pay open-source maintainers around 5,000 euros a month for one year. Travel and training are paid on top.
Pay them to do what? To go to standards meetings.
Not to write code. To attend the meetings where the Internet's rules are written. The groups that decide how email works. How web traffic gets routed. How encryption protocols evolve.
Volunteer maintainers have been doing that work on top of unpaid maintenance, on top of their day jobs, for 30 years. Burning vacation days to fly to standards meetings that no one pays them to attend.
Germany just became the first European government to fund the chair at the standards table. Ten people. One year to start.
A whole ecosystem of enterprise databases, managed services, and consultancies grew on top of David Steele's PostgreSQL backup tool. Could not collectively fund one maintainer. Germany's taxpayers just funded ten.
The country that gave the world the printing press is now subsidizing the Internet's printing press. And the companies whose entire revenue depends on this code did not show up.
The bug no one caught for nine years. The backup tool that almost died on a Monday. The German government is writing checks to people for sitting in meetings.
Three angles on the same story.
If you run servers, ship code, or make architecture decisions, here are two questions for this week:
- The open source projects you depend on. Find the maintainer list. Read it. Ask yourself whether anyone is being paid by the company that benefits from their work. Probably not.
- If your company makes money on top of open source, which it does, write the check. You don't need a foundation. You don't need board approval. You can sponsor one person on GitHub today, this afternoon, before the next CopyFail lands.
Because the next one will land.
If you need me, I will be writing a 732-byte Python script to escalate my coffee privileges, upgrading from Leap 15.6 to Leap 16 on a production server I forgot existed, and filing a bug report against myself for not being 99 percent reproducible.
Have a great week!
Linux
CopyFail: A 732-Byte Python Script Gets Root on Every Linux Box Since 2017
CVE-2026-31431 dropped April 29. A logic flaw in the kernel's algif_aead AF_ALG socket-interface path, introduced by a 2017 in-place optimization, lets an unprivileged local user open an AF_ALG socket, splice a setuid binary into the page cache, run an authencesn decrypt, and get a deterministic four-byte controlled write into the page cache backing /usr/bin/su. The proof of concept is 732 bytes of Python. It works as a container escape because the page cache is shared with the host kernel. Xint Code (operating under Theori) found it using AI-assisted auditing, reported it to security@kernel.org on March 23, and patches went into mainline on April 1. Distributions shipped fixes before the public advisory was issued. First high-impact AI-assisted kernel vulnerability discovery I have seen run a clean coordinated disclosure from end to end.
Linux 7.1-rc1 Drops 138,000 Lines, rc2 Ships May 3
Linus Torvalds tagged 7.1-rc1 on April 26 with 12,996 non-merge changesets. Out: 138,161 lines covering AX.25, ISDN, ATM drivers, 18 legacy Ethernet drivers, and the start of i486 removal. In: Namjae Jeon's four-year NTFS rewrite (passing 326 xfstests versus ntfs3's 273); Intel FRED (Flexible Return and Event Delivery), on by default for Panther Lake; the Linear Address Space Separation hardware mitigation; and PREEMPT_RT in mainline for 32-bit ARM (closing the last out-of-tree gap after 15 years). The kernel tree approaches 40 million lines at 39,880,636. Linux 7.1-rc2 shipped May 3 with DRM driver fixes including AMDGPU fixes for older hardware like the Radeon HD 7870 XT. The PostgreSQL throughput regression on AWS Graviton4 under PREEMPT_LAZY remains unfixed at day 21.
openSUSE Leap 15.6 End of Life Closes Eight Years of Leap 15
openSUSE Leap 15.6 reached end of life April 30, closing the Leap 15 line that started in May 2018. The timing collides directly with CopyFail. Leap 15.6 will never receive the kernel patch. Any operator still running 15.6 past April 30 is exposed to a known root-escalation primitive on top of every unpatched CVE accumulating from May 1 forward. The path forward is in-place upgrade to Leap 16 on the Adaptable Linux Platform base, which carries an eight-year support window.
Ubuntu 26.04 LTS Completes First Week With No Major Regressions
Ubuntu 26.04 LTS "Resolute Raccoon" survived its first week in production. NVIDIA CUDA and AMD ROCm land in official repositories as first-party packages. Rust Coreutils replaces GNU coreutils for everything except cp, mv, and rm, which still ship from GNU because their TOCTOU (Time-of-Check to Time-of-Use) issues have not yet been resolved. The Framework Laptop 13 Pro is the first Framework system to be Ubuntu Certified. The PostgreSQL Graviton4 regression ships into the LTS support window unfixed, and the huge-pages mitigation is still the only operational workaround. Direct upgrades from 24.04 LTS open after the August 6 point release.
Valve Confirms Steam Controller Launches May 4 at $99
The new Steam Controller drops May 4 at $99 with dual trackpads, haptic feedback, symmetrical analog sticks using Tunnel Magnetoresistance (TMR) sensors for precision and drift resistance, 6-axis gyroscope with Grip Sense, four programmable rear buttons, infrared LEDs for VR tracking, a magnetic charging puck, and over 35 hours of battery life. It works with Steam Deck, the upcoming Steam Machine, and anything running Steam or Steam Link. Steam on Linux pulled back to 4.52 percent in April from the March record of 5.33 percent, with roughly 5.97 million estimated monthly active Linux users on Steam.
Arch Linux 2026.05.01: First Arch ISO Powered by Linux 7.0
The May 2026 install media shipped with Linux 7.0.3, making this the first Arch ISO on the 7.0 kernel. Archinstall 4.3 adds a new "Additional fonts" section. Combined with the reproducible Docker image shipped under the "repro" tag last week, Arch's supply-chain story is getting stronger.
Wine 11.8 Continues MSXML Overhaul, Finally Fixes Microsoft Golf 1999
Wine 11.8 shipped May 1 with continued MSXML reimplementation work dropping the libxml2 dependency, Mono 11.1.0, SDL 3.3.4, VBScript compatibility improvements (ExecuteGlobal and Eval), better keyboard layout support via XKBRegistry, and a Direct3D device enumeration fix that resolves a fatal-error-on-launch bug dating back to Microsoft Golf 1999. The bug sat in the tracker for twenty-seven years before this release closed it. The joystick handling rewrite now caches connected HID devices properly.
Stable Kernels 7.0.2, 6.18.25, 6.12.84, and 6.6.136 Ship With ksmbd and FUSE Hardening
Greg Kroah-Hartman released stable kernels April 27 with fixes plugging remote-exploitation vectors in the ksmbd in-kernel SMB server, FUSE cache overflow hardening, an f2fs use-after-free during unmount, and an AMD GPU deadlock fix. The 6.19 series ended at 6.19.14, completing the post-7.0 transition. Distributions on the 6.19 hardware-enablement track should treat end-of-life as the upgrade signal.
Linux Gems
xdg-user-dirs 0.20 Adds Default Projects Directory After Eleven Years
The xdg-user-dirs 0.20 release adds a Projects folder by default in the user home directory, closing an eleven-year-old freedesktop.org bug. This is the first new default XDG (X Desktop Group) directory category since the original specification. The release also moves from Automake to Meson, replaces the shell script with a C binary (fixing an arbitrary-code-execution bug from unsanitized input), and GLib support is queued for propagation to Flatpak, GNOME, KDE Plasma, and every application using GLib's user-directory APIs.
IPFire 2.29 Core Update 201 Bakes DNS Firewall Into the Distribution
IPFire's DNS Firewall blocks, redirects, or rate-limits DNS queries for known-malicious domains at the resolver level before any traffic reaches the destination. Continuously updated domain blocklist with incremental zone transfer. No client configuration, no extra hardware. If you run small business networks, home labs, or remote office gateways on IPFire, this is the upgrade worth scheduling this weekend.
BleachBit 6.0 Ships Per-Cookie Manager and Expert Mode
The biggest BleachBit release in years. Per-cookie keep/delete manager for Chromium and Firefox profiles closes the old all-or-nothing problem. New cleaners for Vivaldi and Zen Browser. Expert Mode exposes dangerous-by-default rules. If you have wanted to clean browser caches without nuking your signed-in sessions, this is the release that finally makes BleachBit usable without anxiety.
Talos Linux Shows How Immutable Defaults Narrow the CopyFail Blast Radius
Sidero Labs published a post-mortem showing that Talos Linux's immutable, container-focused defaults materially shrank the CopyFail exploit path even with the vulnerable kernel component present. Still worth patching. But a useful reminder that distro architecture and security posture can matter as much as CVE count.
Open Source
pgBackRest Archived, PGX Launches pgxbackup as Continuity Fork in Four Days
David Steele, who maintained pgBackRest for over a decade with sponsorship from Crunchy Data, archived the repository on April 27. Crunchy's acquisition by Snowflake erased his funded position, and community sponsorship efforts fell short. PGX (PostgreSQL Experts) announced pgxbackup on May 1, four days later, committing to critical bug fixes, security patches, and compatibility with new PostgreSQL releases. The naming decision (honoring Steele's request that forks not carry the pgBackRest name) and the four-day turnaround make this the fastest community response I have seen. Open question for the next 90 days: whether a multi-vendor funding pool materializes from the cloud-Postgres providers (AWS RDS, GCP Cloud SQL, Azure, Supabase, Neon, EnterpriseDB) who collectively make hundreds of millions per year on backup paths pgBackRest sits beneath.
Warp Terminal Open-Sources Client Under AGPLv3 With OpenAI as Founding Sponsor
Warp, the AI-first terminal used by close to a million developers, pushed its client codebase to GitHub on April 28. The UI framework (warpui_core and warpui crates) ships under MIT, the rest under AGPLv3 (Affero General Public License v3). OpenAI is the founding sponsor. The Oz orchestration platform and server-side components stay proprietary. This is the same dual-license pattern MongoDB, Elastic, and HashiCorp ran: open AGPL clients with proprietary servers, which produces full client-side transparency and license friction on commercial redistribution. The contribution model is the novel part. Warp's process runs through Oz, where AI agents handle implementation while humans focus on specifications and verification. Against Ghostty, Wezterm, Alacritty, and Kitty, Warp is positioning itself as the AI-native terminal that other projects cannot replicate without building their own orchestration layer.
Anthropic MCP Design Vulnerability Affects 200,000 AI Servers, Anthropic Calls It "Expected"
OX Security's disclosure of a systemic vulnerability in Anthropic's Model Context Protocol (MCP) STDIO (standard input/output) interface continued to expand throughout the week. Any process command passed to the MCP STDIO interface executes on the host system regardless of whether it initializes a valid MCP server. The flaw affects all officially supported SDKs (Software Development Kits) for Python, TypeScript, Java, and Rust. CVE entries cover MCP Inspector, LibreChat, WeKnora, Cursor, and Windsurf. Anthropic confirmed the behavior as intentional and declined to change the protocol architecture, pushing defense to the application layer. Joe Beda (Kubernetes co-creator), joining Stacklok as CTO the same week to build Kubernetes-to-MCP security tooling, tells you how infrastructure veterans categorize this problem.
SGLang CVE-2026-5760 (CVSS 9.8): Third LLM Framework in Two Years on the Same Jinja2 Bug
SGLang's chat-template rendering path carries a critical command injection (CVSS 9.8 on the Common Vulnerability Scoring System) via Jinja2 server-side template injection. An attacker crafts a malicious GGUF model file with a payload in tokenizer.chat_template, points an SGLang deployment at it, and waits for a request to hit /v1/rerank. The fix is one line: use ImmutableSandboxedEnvironment instead of Environment. Third time in two years on the same root cause (llama-cpp-python in 2024, vLLM in 2025, SGLang in 2026). CERT/CC (Computer Emergency Response Team Coordination Center) has now issued advisories for three frameworks running the same bug class. Treat any GGUF (GPT-Generated Unified Format) file pulled from Hugging Face or an Ollama-style registry as executable code.
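To make the "one line" fix concrete, here is an added example (not SGLang's code, and not the code from any of the three advisories) that renders a constructed chat template the way an inference server would, once with a plain Jinja2 `Environment` and once with `ImmutableSandboxedEnvironment`. The templates and messages are constructed for this illustration; a real `chat_template` would come from model metadata, which is exactly why it has to be treated as untrusted input. The probe template only walks one attribute past a string's class, enough to show the difference between the two environments without building anything further on it.

```python
# Added example: untrusted tokenizer.chat_template rendered with a plain
# Jinja2 Environment versus an ImmutableSandboxedEnvironment.
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import ImmutableSandboxedEnvironment

# Constructed sample template, shaped like a typical chat template.
BENIGN_TEMPLATE = (
    "{% for m in messages %}<|{{ m.role }}|>{{ m.content }}\n{% endfor %}"
)

# Constructed probe: a plain Environment follows the attribute chain into
# Python internals; the sandbox refuses attributes that start with an
# underscore and raises SecurityError as soon as the chain continues.
PROBE_TEMPLATE = "{{ ''.__class__.__base__ }}"

# Constructed conversation passed to the template as `messages`.
MESSAGES = [
    {"role": "user", "content": "hi"},
    {"role": "assistant", "content": "hello"},
]


def render_unsafe(template_src: str, messages) -> str:
    """The vulnerable pattern: a plain Environment trusts the template fully."""
    env = Environment()
    return env.from_string(template_src).render(messages=messages)


def render_sandboxed(template_src: str, messages) -> str:
    """The fix: ImmutableSandboxedEnvironment restricts attribute access and
    forbids mutating context objects. Everything else stays the same."""
    env = ImmutableSandboxedEnvironment()
    return env.from_string(template_src).render(messages=messages)


def sandbox_blocks(template_src: str) -> bool:
    """True if the sandboxed environment refuses this template."""
    try:
        render_sandboxed(template_src, MESSAGES)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    print(render_sandboxed(BENIGN_TEMPLATE, MESSAGES), end="")
    print("plain Environment renders the probe as:", render_unsafe(PROBE_TEMPLATE, MESSAGES))
    print("sandbox blocks the probe:", sandbox_blocks(PROBE_TEMPLATE))
```

The benign template renders identically in both environments, which is why the swap is safe to make; only the probe behaves differently. The sandbox is a containment layer, not a parser for model files, so it belongs alongside, not instead of, the page's advice to treat downloaded GGUF files as executable code.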
Germany's Sovereign Tech Agency Opens Paid Standards Program for Open Source Maintainers
The Sovereign Tech Agency opened applications April 29 for the Sovereign Tech Standards network. Up to ten open source maintainers will be selected for a cohort running mid-June 2026 through June 2027, compensated at EUR 4,800 to EUR 5,200 per month, with roughly ten hours per week on standards work at the IETF (Internet Engineering Task Force), W3C (World Wide Web Consortium), and ISO (International Organization for Standardization). Training, mentoring, and travel reimbursement included. Standards work has always been unfunded volunteer time layered on top of paid maintenance. This is the first European public-funder commitment to standards-participation costs. Applications close May 19.
elementary-data 0.23.3 PyPI Compromise Steals Developer Secrets via GitHub Actions
The elementary-data Python package (1.1 million monthly PyPI downloads) was compromised on April 24 with a malicious version 0.23.3. The attacker exploited GitHub Actions script injection through a pull-request comment to grab the workflow GITHUB_TOKEN and forge signed commits. The payload lifted SSH keys, Git credentials, AWS, GCP, Azure credentials, Kubernetes, Docker secrets, and cryptocurrency wallets. Clean replacement is 0.23.4. The pattern matches the wider supply-chain trend across H1 2026: LiteLLM, Telnyx, Bitwarden CLI, Checkmarx GitHub Action, and elementary-data all hit CI/CD trust paths upstream of the maintainer's own build.
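The elementary-data incident turns on a workflow interpolating attacker-controlled event data (here, a pull-request comment) straight into a `run:` step. The following added example, written for this newsletter and unrelated to elementary-data's actual workflow files, is a small checker that flags that pattern in workflow YAML and shows the hardened form (pass the value through `env:` so the shell sees a variable, not expanded text). Both workflow snippets are constructed; the list of untrusted contexts is a starting set, not a complete one.

```python
# Added example: flag GitHub Actions script injection, where an expression
# drawn from attacker-controlled event data is expanded inside a run: step.
import re

# Event contexts that a pull request, issue, comment or review author can
# populate. This is a starting list, not an exhaustive one.
UNTRUSTED_CONTEXT = re.compile(
    r"\$\{\{\s*("
    r"github\.event\.(?:comment|issue|pull_request|review|review_comment|discussion)"
    r"\.[A-Za-z0-9_.]+"
    r"|github\.head_ref"
    r")\s*\}\}"
)

# Matches "run:" whether written as a mapping key or as a "- run:" list item.
RUN_KEY = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")


def find_script_injection(workflow_text: str):
    """Return (line_number, expression) for every untrusted context expanded
    directly inside a run: step, including block-scalar continuation lines."""
    findings = []
    run_indent = None  # indentation of the run: key currently being scanned
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        m = RUN_KEY.match(line)
        if m:
            run_indent = len(m.group(1))
            scan = m.group(2)  # inline value, e.g. "echo ${{ ... }}"
        elif run_indent is not None and stripped and indent > run_indent:
            scan = line  # deeper-indented line: part of a run: | block
        else:
            if stripped:
                run_indent = None  # a sibling key ends the run: block
            continue
        for e in UNTRUSTED_CONTEXT.finditer(scan):
            findings.append((lineno, e.group(1)))
    return findings


# Constructed vulnerable workflow: the comment body is expanded into the
# script text before the shell runs, so its content becomes shell syntax.
VULNERABLE_WORKFLOW = """\
name: triage
on: issue_comment
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Echo comment
        run: |
          echo "Comment was: ${{ github.event.comment.body }}"
"""

# Constructed hardened workflow: the same value reaches the step as an
# environment variable, so the shell treats it as data, never as code.
HARDENED_WORKFLOW = """\
name: triage
on: issue_comment
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Echo comment
        env:
          COMMENT: ${{ github.event.comment.body }}
        run: |
          echo "Comment was: $COMMENT"
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, find_script_injection(text))
```

Run it over a repository's `.github/workflows/*.yml` files to get a first pass; a hit means the step's shell text is built from data an outside contributor controls. Fixing the interpolation is necessary but not sufficient for the elementary-data pattern, since the workflow's `GITHUB_TOKEN` permissions decide what a hijacked step can do once it runs.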
cPanel CVE-2026-41940 (CVSS 9.8) Added to CISA Known Exploited Vulnerabilities Catalog
CISA (Cybersecurity and Infrastructure Security Agency) added cPanel CVE-2026-41940 to its Known Exploited Vulnerabilities catalog April 30 with a federal patch deadline of May 21. The CVSS 9.8 authentication bypass (CRLF (Carriage Return Line Feed) injection in cpsrvd login and session-loading paths) was exploited as a zero-day from at least February 23. Over 1.5 million cPanel instances are exposed online per Shodan. cPanel runs on CentOS, AlmaLinux, RHEL (Red Hat Enterprise Linux), and Ubuntu, which is where most small-business and shared-hosting infrastructure lives. If you patched on April 28, you still need to audit recent session files for forged user properties. Patching alone does not cover the prior exposure window.
Wireshark 4.6.5 Ships 38 Security Fixes, Credits AI-Assisted Vulnerability Reports
Wireshark 4.6.5 shipped April 30 with up to 38 security fixes spanning more than a dozen protocol dissectors. Infinite-loop DoS issues in DLMS/COSEM, GNW, OpenFlow v5 and v6, RPKI-Router, UDS, and USB HID, plus possible code execution in TLS and RDP dissectors. The project openly credits the fix volume to a sharp rise in AI-assisted vulnerability reports, the same pattern that produced CopyFail two days earlier.
Open Source Gems
GnuPG 2.5.19 Lands Kyber Post-Quantum Encryption as 2.4 Branch Nears End of Life
Werner Koch announced GnuPG 2.5.19 on April 24 with Kyber (NIST FIPS 203, ML-KEM) as a usable encryption primitive. The threat model is harvest-now-decrypt-later. GnuPG users can generate Kyber keys and encrypt today, with backwards compatibility for 2.4 recipients. The 2.4 branch goes end of life in about two months, and most distributions still ship 2.4 as default. If you run GnuPG inside email gateways, signing pipelines, or key-management workflows, the 2.5 migration window is narrow.
Open Source State of Play 2026: Lock-in Avoidance Now the Top Reason for Adoption
Fresh 2026 survey data from the Open Source Initiative shows that avoiding vendor lock-in was cited by 55% of respondents, up 68% year over year. Open source is now being justified as a strategic hedge against dependency, not just a cheaper engineering choice. That is the background condition that explains why self-hosted tools, open models, and permissive infrastructure keep gaining oxygen.
Spotlight
Elizabeth Figura: Wine, NTSync (NT Synchronization), Linux Gaming
Elizabeth Figura's work sits behind one of the most concrete quality-of-life improvements in Linux gaming this decade. She built NTSync, the kernel driver that implements Windows NT synchronization primitives in Linux, so that Wine and Proton can stop working around user-space bottlenecks that have hurt Windows game compatibility for years. Before NTSync, she created esync and then fsync, each one a performance step forward. NTSync landed in the mainline kernel with version 6.14 after multiple revision cycles and a 2023 Linux Plumbers Conference presentation.
In developer benchmarks comparing against vanilla upstream Wine (no fsync), Dirt 3 went from 110.6 FPS to 860.7 FPS. Resident Evil 2 jumped from 26 FPS to 77 FPS. Call of Juarez went from 99.8 FPS to 224.1 FPS. If you have been running Proton with fsync, your baseline is already better, and the gain from NTSync is more modest. But these are real frame-timing improvements that come from eliminating synchronization overhead that existed because Linux lacked kernel-level equivalents to Windows NT semaphores and mutexes. Fedora 44 now ships with NTSync autoloading for Wine and Steam. Proton 11 beta pulls in Wine 11-era gains that make these improvements visible to anyone installing a game from their Steam library.
What makes Figura's story worth telling is the duration. This was not a weekend project. She has been iterating on this problem for years, pushing patch revisions through kernel review, refining the interface, and doing the quiet, persistent work that turns a kernel patch set into a shipping feature used by millions of gamers without ever knowing her name. In a week full of major distribution releases, CopyFail, and open source succession crises, her contribution lands in the part of Linux that people actually touch every day.