
An AI agent found 21 ways to attack FFmpeg, the codec library inside almost everything
DepthFirst's agent surfaced 21 FFmpeg zero-days for about $1,000. One 183-byte packet hits RCE. The deeper story is who pays the volunteers who fix them.
Open source is having a governance decade. Ruby Central is in “real financial jeopardy”; the FSF is openly ruling on AGPL abuse; Ubuntu shipped its first Wayland-only LTS; Firefox is running on Anthropic’s Mythos Preview to find 271 CVEs at a time. None of these are purely technical stories — they’re about who funds the plumbing every profitable tech stack depends on, and what happens when the answer is “no one consistent enough.”
43 articles in this topic

A worm hijacked Red Hat's npm namespace, a rootkit spread through 1,500 Arch AUR packages, and a SOC 2-certified AI gateway shipped malware. Registries are under fire.

Cloudflare acquired VoidZero, Evan You's company behind Vite, Vitest, Rolldown and Oxc. The tools stay MIT-licensed, and there's a $1M ecosystem fund.

Godot, Unity and Unreal get the headlines, but six open-source tools quietly do the art, levels, and dialogue work that real games ship on.

Microsoft's Coreutils for Windows brings native ls, cp, and grep to Windows, built on the Rust uutils project. Here's what it is and why the Rust rewrite matters.

Two of the most cautious C projects split on AI contributions in the same week. The real fight is over copyright provenance and who cleans up the slop.

Six dev-tooling and AI posts that climbed Hacker News in late May 2026: durable execution on plain Postgres, LLM code smells, a permission-fatigue game, Rust 1.96, and more.

MySQL bug #11472 was filed in 2005: triggers never fired on foreign key cascade actions, silently breaking audit logs. MySQL 9.7 finally closes it via WL#17024.

Yufeng Gao and Rich Cini scanned Tim Paterson's 1981 assembler printouts. Microsoft pushed them to DOS-History/Paterson-Listings on April 28, the 45th anniversary.

Vivado 2026.1 introduces a five-tier licensing model. The free BASIC tier supports Windows only; Linux requires the paid CORE tier. FPGA hobbyists are pushing back.

Sebastian Wick and Adrian Vovk pitched systemd-appd at Linux App Summit on May 17. The cost of nested sandboxing is a hard systemd dependency in mainline Flatpak.

yt-dlp's maintainer bashonly says Bun's Rust rewrite 'has taken a turn towards being fully vibe-coded.' The supported window narrowed to four versions.

Alibaba showed the Zhenwu M890 at its Cloud Summit on May 19. 144 GB of memory, 800 GB/s interchip bandwidth, and Qwen3.7-Max riding on top.

Three Cloudflare engineers shipped panic and abort recovery into wasm-bindgen on April 22. A Rust Worker that panics now reinitialises on the next request.

Vasilios Syrakis spent eight years building Atlassian's Envoy control plane. After the March cuts, he posted a 40-minute walkthrough that hit 1.1M views.

Linux 6.14 merged the NTSYNC driver Elizabeth Figura wrote at CodeWeavers. SteamOS 3.7.20 loads it by default; Wine 11 went mainline on it. Here's what changed.

FULU-Foundation/OrcaSlicer-bambulab hit 1,700 stars on May 12. Geerling won't recommend a Bambu printer again, and Louis Rossmann pledged $10,000 toward Jarczak's defense.

Obsidian launched Obsidian Community on May 12. The new directory replaces the GitHub plugin queue with automated reviews, and paid plugins are in for the first time.

The PS3 emulator project posted on X on May 10, citing 'AI slop' that has been clogging review. The hard line: ban-on-sight if you don't disclose.

Dirty Frag chains two page-cache flaws in the ESP and RxRPC subsystems into a deterministic privilege escalation that hits every major distro. A PoC exploit is public.

Bun's creator used Claude to port the JavaScript runtime from Zig to Rust, hitting 99.8% test compatibility. He says there's a 'very high chance' it gets scrapped.

Valve published STP and STL CAD files for the Steam Controller and Puck under CC BY-NC-SA 4.0 on GitLab. Anyone with a 3D printer can now mod it.

Pawel Jarczak pulled OrcaSlicer-bambulab off GitHub on May 1 after Bambu Lab's legal team accused him of impersonating Bambu Studio and bypassing authorization.

MIT-licensed at GitHub on April 28, the 86-DOS 1.00 kernel and PC-DOS development snapshots were OCR'd from 45-year-old assembler listings.

The 313 Team flooded Canonical's infrastructure starting May 1, blocking apt updates and the Ubuntu security API just as admins needed both.

Andrey Letov shipped a native macOS Notepad++ port as a universal binary with the original Scintilla engine and a new Cocoa UI. It's GPL, free, and unaffiliated with Don Ho.

Zed Industries shipped 1.0 on April 29 after five years of Rust and GPU work. Free forever for humans, with $10/month hosted AI and an open Agent Client Protocol.

CVE-2026-31431 chains AF_ALG and splice() to write into the page cache of /usr/bin/su. Xint Code disclosed it on April 29, nine years after the bug shipped.

Ghostty's creator has tracked GitHub outages every workday for months. After 18 years on the platform, he's moving the project. A read-only mirror stays.

Warp released its 36k-star Rust client on GitHub under AGPLv3 on April 28. OpenAI is the founding sponsor and Oz keeps the bills paid.

MinIO's GitHub repo went read-only with a 'NO LONGER MAINTAINED' banner pointing users at AIStor. Pigsty's Ruohang Feng forked it and restored the binaries.

DeepSeek shipped V4-Pro and V4-Flash under MIT on April 24. V4-Pro hits 80.6% on SWE-bench Verified. V4-Flash is $0.14 in / $0.28 out.

Jakub Kicinski's networking pull request removes 138,161 lines of decades-old code. Kernel maintainers say LLM-generated bug reports made the old subsystems unmaintainable.

Canonical released Ubuntu 26.04 'Resolute Raccoon' on April 23. It's the first LTS without X11, ships kernel 7.0 and GNOME 50, and sets post-quantum SSH on by default.

Firefox 150 shipped Monday with 271 security fixes from Anthropic's Project Glasswing. Mozilla CTO Bobby Holley says Mythos matches elite human researchers.

Framework opened pre-orders for the Laptop 13 Pro on April 21. Panther Lake or Ryzen AI 300, LPCAMM2, a 74Wh battery, and Framework's first touch display.

A Carnegie Mellon study counted 6 million suspected fake stars across 18,617 GitHub repos. Here's what the StarScout research actually found and how to read a star count now.

Ruby Central cut its executive director, CFO, and PR firm, and shifted to a volunteer working board. The April 16 letter closes the arc from September's RubyGems walkout.

OnlyOffice bolted a 'keep our logo' clause onto its AGPLv3, then accused the Euro-Office fork of violating it. The FSF says users can strip the clause.

Unweight is Cloudflare Research's new BF16 weight compressor. 22% smaller bundles, 13% smaller inference footprint, 30-40% throughput overhead, BSD license.

Google's Android Developer Verifier is landing in Settings in April 2026. Enforcement starts in four countries in September. Here's what changes, and what 'Advanced Flow' gets you.

Nawfal Motii's Aeris-10 phased-array radar beats $250,000 commercial systems at 3% of the cost. Hardware, firmware, and FPGA bitstream are all on GitHub.

Alibaba's Qwen 3.6-35B-A3B is a 35B-param mixture-of-experts with only 3B active. Apache 2.0, runs on consumer GPUs, and it's already winning real tasks.