📬 Open Source & Linux Weekly - W25_2026

Linux 7.2 Rust and Cache Aware Scheduling, a Mastra npm takeover, and nearly 2,000 backdoored Arch AUR packages.


This is the last issue

Thank you all!

I have been writing for more than two decades, including for big technology magazines back in the early 2000s. I have always loved it, but until recently, I never carved out enough time to commit my writing to a single platform. In December 2025, I set a goal for 2026: to put writing and public speaking first. So I started writing seriously on Medium, where I have been a member for almost ten years, and the feedback has been generous and steady.

I also wanted my own website, because you can never fully trust a platform. No one knows what changes tomorrow.

The problem is the numbers. Medium is going well, but my own site brings in little traffic and even fewer paying members.

I do not want to self-host. I deal with all kinds of technical problems at work all day, and in my own time, I would rather write than babysit a web server. So I pay $35 a month for Ghost Pro, because they do excellent work. The catch is that the paid members on my own site do not cover even that monthly bill. The free newsletter never found much of an audience either, which I half-expected when I built it: almost no one in the open source and Linux realm wants a newsletter in their inbox.

Refunds, and where I keep writing

First, thank you to every paid subscriber. Your support meant a great deal, and I am grateful for it.

Every paid member will get a full refund in the coming days. I am not prorating it or taking a cut from your invoice. Consider it my thank-you for backing this while I built it.

I will keep writing the same topics on Medium: canartuc.medium.com. It is a good place to read, and the membership is reasonable. It costs a little more than my own subscription did, but it also opens up access to many other strong writers.

There will be no more Open Source & Linux newsletter.

I will run a weekly newsletter for the data world here: newsletter.dataprincipal.io. And because I am, as you know, an opinionated person, I am planning another weekly newsletter on broader technology topics.

If you still want a daily dose of open source and Linux, I post it across my social accounts: Mastodon, Bluesky, and Threads. You can also connect with me on LinkedIn.

canartuc.com will stay online, but the interface is changing. The current version runs until June 30, 2026.

Enjoy the last issue!

🤓 What I Wrote This Week

He Treated It as a Dream Job for 18 Years. Not Anymore.

He was the platform’s most loyal user for 18 years. Then he started counting the days it betrayed him. The count got ugly very fast.

You Run One Update. Your Whole Professional Life Is Stolen.

Abandoned Arch Linux package changed hands while you slept. You updated at breakfast. After your first coffee, it was already too late.

⚑ TL;DR

  • Linux 7.1 shipped on June 14, the 7.2 merge window opened, and Cache Aware Scheduling and over 40,000 lines of new Rust landed in it.
  • An attacker used a dormant contributor account to republish 142 Mastra npm packages on June 17, hiding a cross-platform RAT inside a fake dayjs dependency.
  • Arch Linux froze AUR uploads as a wave of malicious orphan-package adoptions grew to nearly 2,000 packages, each carrying a Rust infostealer and an eBPF rootkit for anyone who built it.
  • KDE shipped Plasma 6.7.0 on June 16 with per-screen virtual desktops, after two decades of a single desktop spanning every monitor.
  • systemd 261 became stable on June 19, with a text-based OS installer, a cloud metadata service, and a storagectl tool.
  • Z.ai published GLM-5.2, a 753-billion-parameter model that outscores GPT-5.5 on a coding benchmark, as open weights under the MIT license.

🐧 Linux

Linux 7.1 ships, and the 7.2 merge window opens with Cache Aware Scheduling and 40,000 lines of Rust

Linus Torvalds tagged Linux 7.1 on June 14, closing the cycle he spent flagging AI-assisted networking churn, and the 7.2 merge window opened straight after. Cache Aware Scheduling, the Intel scheduler change this newsletter tracked as queued last week, actually merged; it keeps tasks that share data in the same last-level cache domain and showed a 44 percent throughput gain on one AMD EPYC benchmark. Miguel Ojeda's Rust pull added more than 40,000 lines, including the zerocopy library to eliminate unsafe memory code, AutoFDO support for profile-guided optimization, and the AMDGPU HDMI 2.1 FRL work that AMD submitted in late May, which was merged as well and is disabled by default until variable refresh rate lands. Torvalds warned that the window would run slowly because he was traveling without reliable internet, a rare scheduling constraint that no kernel feature can fix.

KDE ships Plasma 6.7.0 with per-screen virtual desktops after twenty years

KDE released Plasma 6.7.0 on June 16, the day the project promised in last week's countdown, and the headline is per-screen virtual desktops, so each monitor finally keeps its own desktop set instead of every display switching together. The release also ships the Union theming system, a tech-preview CSS engine that styles Plasma, QtQuick, and QtWidgets from one stylesheet, plus microphone volume testing, press-and-hold special characters on the virtual keyboard, and a restored Oxygen theme for KDE's 30th anniversary. Per-screen desktops were a feature request open for the better part of two decades, and they ship the same season KDE pushes Bigscreen at living-room machines.

systemd 261 goes stable with an OS installer, a cloud metadata service, and storagectl

Lennart Poettering's team cut stable systemd 261 on June 19, after the rc3 this newsletter noted two weeks ago, and it carries three structural additions that land in second-half distributions. systemd-sysinstall is a text-based OS installer that orchestrates partitioning, bootloader setup, and reboot via Varlink calls; systemd-imdsd exposes cloud instance metadata locally and recognizes AWS, Azure, GCP, Hetzner, Oracle, and several other providers from SMBIOS data; and storagectl provides a unified command-line view of block devices and filesystems. systemd keeps absorbing layers that used to be separate tools, and the people who package distributions will feel this more than desktop users will.

The open NVK Vulkan driver gets experimental DLSS support

On June 19, the community NVK Vulkan driver merged experimental DLSS support into Mesa 26.2-devel, using the VK_NVX_binary_import extension to load NVIDIA's precompiled DLSS binaries and run the upscaler through the open driver instead of the proprietary stack. It sits behind the NVK_EXPERIMENTAL=dlss environment variable because the work still has known bugs, and Mesa 26.2 stable is not expected until later this summer. Rather than reimplementing a closed upscaling model, NVK imports the vendor's compiled binary in its entirety, which is how an open driver can pick up a proprietary feature without waiting on the proprietary driver.

Distributions ship dual-signed shims before the Microsoft Secure Boot key expires

The Microsoft UEFI CA 2011 certificate that signs the shim first-stage bootloader on almost every Secure Boot Linux machine expires June 27, and distributions spent the week making the transition invisible. Red Hat shipped shims signed with both the 2011 and newer 2023 keys across supported RHEL 8, 9, and 10; Ubuntu has been dual-signed since 22.04; and Arch pushed an updated shim to its rolling repo. Machines already installed keep booting after the deadline; only newly signed boot components require the 2023 key, so the onus is now on packagers to spare users a broken boot later.

🧩 Open Source

A dormant contributor account handed an attacker the entire Mastra npm scope

On June 17, an attacker republished 142 packages across the @mastra/* npm scope, the AI agent framework whose @mastra/core package alone pulls more than 900,000 downloads a week, and injected a fake dayjs dependency called easy-day-js that ran a postinstall dropper for a cross-platform remote-access trojan on Windows, macOS, and Linux. Snyk traced the access to ehindero, a real former Mastra contributor whose account published a handful of alpha versions between late 2024 and early 2025, went dormant for roughly 16 months, and was never stripped of scope publish rights, with an email change away from the contributor's address pointing to a takeover rather than an insider. The clean bait version of easy-day-js was published a day earlier, on June 16, then flipped to malicious minutes before the scope-wide republish. The campaign carried no CVE, so signature-based scanners had nothing to match during the active window. As Snyk put it, "npm does not expire scope publish permissions on inactivity, so one stale maintainer credential was enough to push to every package in the scope." Audit your scope's publisher list this week, because the account that compromises you next may be one a maintainer forgot existed.
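One way to run the publisher audit suggested above, as an added example (not Snyk's or Mastra's code): it reads registry metadata in the npm packument shape (`maintainers`, `time`, and each version's `_npmUser`) and lists accounts that still hold publish rights but never published or have been idle past a cutoff. The package name, account names, and dates are constructed sample data, and the 365-day default is an assumed threshold.

```python
from datetime import datetime, timedelta

# Constructed sample in the shape of an npm registry packument; the package,
# account names and dates are invented for illustration.
SAMPLE_PACKUMENT = {
    "name": "@example/core",
    "maintainers": [{"name": "alice"}, {"name": "bob"}, {"name": "carol"}],
    "time": {
        "0.1.0-alpha.1": "2024-11-20T10:00:00.000Z",
        "0.1.0-alpha.2": "2025-02-03T10:00:00.000Z",
        "1.0.0": "2026-03-10T10:00:00.000Z",
        "1.1.0": "2026-06-01T09:00:00.000Z",
    },
    "versions": {
        "0.1.0-alpha.1": {"_npmUser": {"name": "bob"}},
        "0.1.0-alpha.2": {"_npmUser": {"name": "bob"}},
        "1.0.0": {"_npmUser": {"name": "alice"}},
        "1.1.0": {"_npmUser": {"name": "alice"}},
    },
}


def parse_ts(value):
    """Parse a registry ISO-8601 timestamp (trailing 'Z' means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_publish_by_user(packument):
    """Map each publishing account to the time of its latest publish."""
    latest = {}
    for version, meta in packument.get("versions", {}).items():
        user = (meta.get("_npmUser") or {}).get("name")
        stamp = packument.get("time", {}).get(version)
        if user and stamp:
            latest[user] = max(latest.get(user, parse_ts(stamp)), parse_ts(stamp))
    return latest


def stale_publishers(packument, now, max_idle_days=365):
    """List (account, last_publish or None) for accounts that still hold
    publish rights but never published or were idle past the cutoff."""
    latest = last_publish_by_user(packument)
    cutoff = now - timedelta(days=max_idle_days)
    flagged = []
    for entry in packument.get("maintainers", []):
        seen = latest.get(entry["name"])
        if seen is None or seen < cutoff:
            flagged.append((entry["name"], seen))
    return sorted(flagged, key=lambda item: item[0])
```

Each flagged account is a candidate for having its publish rights removed; run it per package, since the maintainer list is recorded on each package's metadata.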

Arch freezes AUR uploads as a malicious-package wave grows to nearly 2,000 packages

Arch Linux reported a high volume of malicious package adoptions in the Arch User Repository and, by June 15, froze new account creation, package pushes, and adoptions while staff traced the commits. The official notice gave no numbers. Security researchers did. Attackers adopted orphaned packages and rewrote their PKGBUILDs to pull a malicious dependency, and the campaign Truesec and others tracked grew from a few hundred packages to a consolidated list of roughly 1,500 to 1,937. The payload was a Rust infostealer that hunts for SSH keys, browser cookies, and credentials for GitHub, npm, Slack, and Discord, paired with an eBPF rootkit that hides its own processes and files at the kernel level. The official core, extra, and multilib repositories were untouched, but the guidance for anyone who built an affected package, especially as root, is to rotate every credential and treat the machine as compromised. The AUR has always been the unreviewed-by-design corner of Arch, and adopting an orphaned package is the trust mechanism the attackers exploited.
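A pre-build check for the PKGBUILD rewrite described above, as an added example (not Arch's or Truesec's tooling): it compares two revisions of a PKGBUILD and reports dependencies or sources that appeared in the new one, along with whether the `# Maintainer:` comment changed. Both PKGBUILDs and every name in them are constructed, the array parsing is a heuristic for literal arrays only, and the review rule is an assumption.

```python
import re

# Constructed PKGBUILD revisions for a hypothetical package (all names invented).
OLD = """# Maintainer: Old Owner <old@example.invalid>
pkgname=example-tool
pkgver=1.4.2
depends=('glibc' 'openssl')
makedepends=('cargo')
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
"""
NEW = """# Maintainer: New Owner <new@example.invalid>
pkgname=example-tool
pkgver=1.4.2
depends=('glibc' 'openssl'
         'example-helper-bin')
makedepends=('cargo')
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
"""
ARRAYS = ("depends", "makedepends", "checkdepends", "source")
ITEM = re.compile(r"'([^']*)'|\"([^\"]*)\"|([^\s'\"]+)")


def read_array(text, name):
    """Items of a literal bash array such as depends=(...). Heuristic only:
    it does not evaluate variables, command substitution or split packages."""
    found = re.search(rf"^{name}=\((.*?)\)", text, re.MULTILINE | re.DOTALL)
    if not found:
        return set()
    return {a or b or c for a, b, c in ITEM.findall(found.group(1))} - {""}


def read_field(text, pattern):
    """First capture group of a line-anchored pattern, or None if absent."""
    found = re.search(pattern, text, re.MULTILINE)
    return found.group(1).strip() if found else None


def review_update(old, new):
    """Report what changed between two PKGBUILD revisions before building."""
    added = {}
    for name in ARRAYS:
        extra = sorted(read_array(new, name) - read_array(old, name))
        if extra:
            added[name] = extra
    owner = r"^#\s*Maintainer:\s*(.+)$"
    pkgver = r"^pkgver=(\S+)"
    return {"added": added,
            "owner_changed": read_field(old, owner) != read_field(new, owner),
            "same_version": read_field(old, pkgver) == read_field(new, pkgver),
            # Assumed triage rule: any new dependency or source gets a manual read.
            "needs_review": bool(added)}
```

The maintainer comment is only a convention inside the file, so the added-dependency list is the primary signal; a new dependency with no version bump deserves the closest read.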

Vercel opens "eve", an agent framework where every agent is a directory

Vercel released eve on June 17, an Apache-2.0 TypeScript framework that treats each AI agent as a folder of files, an agent.ts plus an instructions.md, and auto-discovers its tools, skills, and channels into a compiled manifest. Durable execution, sandboxing, human-in-the-loop approvals, subagents, and OpenTelemetry tracing ship in the box, and Vercel says it already runs more than 100 internal agents on it, including a data analyst who fields 30,000 questions a month. The framework is open source; the runtime, sandbox, and model gateway it relies on are Vercel's own, in the now-familiar shape of an open core wrapped around proprietary infrastructure.

GitHub lets maintainers cap open pull requests from drive-by contributors

On June 17, GitHub shipped a setting that caps the number of pull requests a user without write access can keep open at once, so a contributor at the ceiling has to close or merge one before opening another. Draft pull requests do not count toward the limit, and maintainers can exempt trusted contributors with a bypass list. The target is the flood of low-quality and AI-generated pull requests that burns through triage time, the same maintainer-fatigue pressure that has been building across large projects all year.

Z.ai publishes GLM-5.2 weights under MIT

Z.ai released the full weights for GLM-5.2 under an MIT license on June 16: a 753-billion-parameter mixture-of-experts model with 40 billion active parameters per token and a one-million-token context window. It posts 62.1 on SWE-bench Pro against GPT-5.5's 58.6 at roughly a sixth of the API cost, and the MIT license carries no regional restriction, so the weights are fine-tunable and self-hostable. A model this capable arriving as open weights rather than a research-only preview is uncommon at this size.

The Linux Foundation launches the Appia Foundation for AI conformity standards

The Linux Foundation announced the Appia Foundation this week, operating under the Joint Development Foundation, to build open specifications and conformity assessment frameworks across the AI value chain, covering testing criteria, evaluation guidelines, and component typologies. Founding members include Arm, Ericsson, Google, Mastercard, Microsoft, OpenAI, Schneider Electric, and Siemens, as well as Armilla AI, Mitsubishi Electric, Naaia, Nemko, and Omron. "The Appia Foundation was formed to do that work: creating publicly available specifications that organizations across the AI value chain use to demonstrate their systems meet those criteria," said executive director Craig Shank. It is the second AI-governance body the Foundation has stood up this month after OpenSharing, and a conformity spec only matters once a real vendor fails a test against it.

💎 Gems & Tools

Immich 3.0.0-rc.0

The self-hosted photo and video manager reached its first-ever release candidate ahead of the 3.0 stable, the largest update in the project's history, adding non-destructive mobile photo editing, a workflows engine, OCR search, real-time transcoding, and a Recently Added view. After years of shipping straight to stable, Immich's use of release candidates at all is a sign that the project takes its own scale seriously.

Audacity 3.7.8

The June release lets you choose where silence is removed within a clip, exports Podcast 2.0 chapters as JSON from label tracks, and improves HiDPI rendering on Linux and wxGTK, along with fixes for multichannel FLAC import and envelope corruption after joining clips. For a free editor, native chapter export is the feature that pulls a podcast workflow back.

Zellij 0.44.3

The Rust terminal workspace and multiplexer continues to mature, with customizable layouts, a first-class plugin system, and a built-in web client for sharing sessions. If tmux muscle memory has held you back, the discoverable keybindings are the reason to try the switch.

ZeroFS 1.2.7

This Rust project mounts S3-compatible object storage as a real Linux filesystem over NFS and 9P, and as a raw block device over NBD, all from a single process, with mandatory encryption and heavy caching to hide object store latency. You can format an S3-backed NBD device with ext4, mount a ZFS pool or a VM disk on it, and treat a bucket as primary storage rather than a backup target. Version 1.2.7 landed on June 18.

Open Code Review 1.3.19

Alibaba open-sourced the AI code-review tool it had run internally: a CLI and GitHub Action that scans pull requests for hallucinated imports, stale APIs, logic errors, and security anti-patterns using a local or any OpenAI-compatible model. It pairs a deterministic ruleset for null pointers, thread safety, and injection with an LLM pass and leaves line-level comments. It arrived the same week GitHub began throttling AI-generated pull requests. v1.3.19 shipped June 17.

πŸ” Spotlight

Miguel Ojeda, lead maintainer, Rust for Linux

Ojeda leads the project that put Rust in the Linux kernel, and this week, his pull request for the 7.2 merge window added more than 40,000 lines, the largest Rust pull in a kernel cycle so far. The standout pieces are the zerocopy library, which lets driver authors do memory manipulation without writing unsafe blocks, and AutoFDO support, which lets the compiler optimize Rust kernel code from real profiling data. Future drivers will build on both abstractions, even though users will never see them directly.

Torvalds spent 7.1 flagging oversized, AI-assisted networking pull requests that flooded the review queue, while Ojeda's Rust work moved at the opposite pace, landing after the Tokyo maintainer summit formally dropped the "experimental" label and made Rust a permanent part of the tree. Ojeda has been candid that compatibility across all kernel configurations, architectures, and toolchains is still unfinished.


That is the week. Audit your npm scope publishers, read the PKGBUILD before you update, and decide whether your fleet wants 7.2's scheduler before it ships.


You can find me on Medium, X, Bluesky, Mastodon, and Threads.
