This post by Bruce Schneier contains so many thoughtful soundbites:

> The question is not simply whether copyright law applies to AI. It is why the law appears to operate so differently depending on who is doing the extracting and for what purpose.

> Like the early internet, AI is often described as a democratizing force. But also like the internet, AI’s current trajectory suggests something closer to consolidation.

https://www.schneier.com/blog/archives/2026/01/ai-and-the-corporate-capture-of-knowledge.html

I talked for more than two hours (135 mins to be precise) about upstream Linux kernel hardening at Okayama University this afternoon. 🐧👨🏽‍💻🎙

I just uploaded my slides here: https://embeddedor.com/blog/presentations/#Enhancing_spatial_safety_Better_array-bounds_checking_in_C_and_Linux_Okayama_University_%E2%80%93Guest_talk

I really enjoyed the session. The students were amazing. They were well prepared and asked a lot of questions. 👏🏼👏🏼

#Linux #OpenSource #Education #Mentoring #Okayama #OkayamaUniversity

A thought that popped into my head when I woke up at 4 am and couldn’t get back to sleep…

Imagine that AI/LLM tools were being marketed to workers as a way to do the same work more quickly and work fewer hours without telling their employers.

“Use ChatGPT to write your TPS reports, go home at lunchtime. Spend more time with your kids!” “Use Claude to write your code, turn 60-hour weeks into four-day weekends!” “Collect two paychecks by using AI! You can hold two jobs without the boss knowing the difference!”

Imagine if AI/LLM tools were not shareholder catnip, but a grassroots movement of tooling that workers were sharing with each other to work less. Same quality of output, but instead of being pushed top-down, being adopted to empower people to work less and “cheat” employers.

Imagine if unions were arguing for the right of workers to use LLMs as labor saving devices, instead of trying to protect members from their damage.

CEOs would be screaming bloody murder. There’d be an overnight industry in AI-detection tools and immediate bans on AI in the workplace. Instead of Microsoft CoPilot 365, Satya would be out promoting Microsoft SlopGuard - add ons that detect LLM tools running on Windows and prevent AI scrapers from harvesting your company’s valuable content for training.

The media would be running horror stories about the terrible trend of workers getting the same pay for working less, and the awful quality of LLM output. Maybe they’d still call them “hallucinations,” but it’d be in the terrified tone of 80s anti-drug PSAs.

What I’m trying to say in my sleep-deprived state is that you shouldn’t ignore the intent and ill effects of these tools. If they were good for you, shareholders would hate them.

You should understand that they’re anti-worker and anti-human. TPTB would be fighting them tooth and nail if their benefits were reversed. It doesn’t matter how good they get, or how interesting they are: the ultimate purpose of the industry behind them is to create less demand for labor and aggregate more wealth in fewer hands.

Unless you happen to be in a very very small club of ultra-wealthy tech bros, they’re not for you, they’re against you. #AI #LLMs #claude #chatgpt

8 minutes video of commuting in the snow by bike here in the Netherlands earlier this week:
https://www.youtube.com/watch?v=SmMRVeRs3vU
(note, not my video, but I was out in that mess, taking a tram and walking to where I needed to go that day.)

Another post in my Linux kernel CVE process series, "How the Linux kernel security process works": http://www.kroah.com/log/blog/2026/01/02/linux-kernel-security-work/

I've been trying to quit Google for years, and I finally did it: https://jimmunroe.net/writing/divestment-december.html
Anger at the techno-fascists wasn't enough on its own:
I got a big boost of inspiration and mutual aid from the brilliant community at @yunohost who provide ways to install and maintain -- with very little technical knowledge --
digital services like forums, cloud services and media streaming apps. Check them out at https://YunoHost.org !

All 5960 GSD kernel security reports are now finally processed and CVE ids have been assigned for those that meet the cve.org criteria. Only took me almost 2 years of manual review, ugh, that was a grind:

https://lore.kernel.org/r/2025123055-directory-hemlock-a282@gregkh

The kernel CNA assigned their 10000th CVE last week, CVE-2025-68750

So far the “stats” look like:

 Year	Reserved	Assigned	Rejected	 A+R		Returned	Total
  2019:	   0		   2		   1		   3		  47		  50
  2020:	   0		  17		   0		  17		  33		  50
  2021:	   0		 732		  24		 756		  16		 772
  2022:	   3		2041		  47		2088		   0		2091
  2023:	   1		1464		  47		1511		   0		1512
  2024:	   6		3069		  96		3165		   0		3171
  2025:	  73		2421		  39		2460		   0		2533
 Total:	  83		9746		 254		10000		  96		10179

Note, the “year” is the year the bug was fixed in the kernel tree, NOT the year the CVE was applied for/assigned.

Rare footage of @gregkh signing an autograph with the phrase "do not use old kernels!" at Open Source Summit Korea 2025, after one of his sessions.

#Linux #OpenSource #OpenSourceSummit

Just found that the 2026 edition of the Linux Plumbers Conference will be in Prague 🇨🇿 , Oct. 5-7, on the same week as Open Source Summit Europe and Embedded Linux Conference Europe.

Save the dates and see you there! That's too early to book my train tickets though 🤔

https://lpc.events/event/20/

Whenever I see a “rice my Arch #Linux w/hyprland” video, I’m like:

You think that’s badass? You should’ve tried getting X11 running on a Linux machine in the mid-90s. You needed your monitor & video card manuals & a calculator (seriously) so you could calculate “modelines” for your X11 config file.

If you got the math wrong you’d fry your monitor by driving it at too high a frequency (back then nearly all monitors were fixed-frequency).

Typing “startx” for the first time was *so* stressful.

Stephen Rothwell is "stepping down as #Linux-Next maintainer on Jan 16, 2026. Mark Brown [@broonie] has generously volunteered to take up the challenge.":

https://lore.kernel.org/linux-next/20251218180721.20eb878e@canb.auug.org.au/T/#u

To quote: ""It seems a long time since I read Andrew Morton's "I have a dream" email and decided that I could help out there - little did I know what I was heading for.""

Many many thx Stephen for all your really hard work on this over all those years, it helped a tremendous lot!

#LinuxKernel #kernel

Interesting tidbit about Rust as used in the Android OS: to prevent the trusting trust attack, and not rely on rust-lang.org build, they bootstrapped rustc 1.19 with mrustc (0.8.0), and then built all following rustc versions with their previous version.

https://cs.android.com/android/platform/superproject/main/+/main:prebuilts/rust/bootstrap/README.md

#RustLang #Android #Toolchains #Bootstrapping #TrustingTrust

Rust is is not a "silver bullet" that can solve all security problems, but it sure helps out a lot and will cut out huge swatches of Linux kernel vulnerabilities as it gets used more widely in our codebase.

That being said, we just assigned our first CVE for some Rust code in the kernel: https://lore.kernel.org/all/2025121614-CVE-2025-68260-558d@gregkh/ where the offending issue just causes a crash, not the ability to take advantage of the memory corruption, a much better thing overall.

Note the other 159 kernel CVEs issued today for fixes in the C portion of the codebase, so as always, everyone should be upgrading to newer kernels to remain secure overall.

Two different ways to help track kernel commits across the different kernel branches, depending on your use case (bash + big git repo, or binary + sqlite db). I use them both on a daily basis: http://www.kroah.com/log/blog/2025/12/15/tracking-kernel-commits-across-branches/

Starting to write up a series of articles about the Linux kernel CVE work that has happened in the past 2 years, starting with some "back to basics" information about how Linux kernels are numbered as many people/companies really don't know how we do this, and it matters a lot in tracking bugfixes and how to determine "vulnerable" and "fixed" kernel releases:
http://www.kroah.com/log/blog/2025/12/08/linux-cves-more-than-you-ever-wanted-to-know/
and
http://www.kroah.com/log/blog/2025/12/09/linux-kernel-version-numbers/

In the early 2000s the ReactOS team paused development for years; to engage in a project wide audit, under accusations that a developer may have SEEN leaked windows sourcecode.

In the 2020s folks keep insisting it's cool for #FLOSS devs to use AI's trained on random other projects to generate code; when it is known that such AI assistants occasionally reproduce code verbatim, without regard to the original software license. #llm #AI #eliza #generativeAI

Unpopular opinion: a vulnerability that was disclosed privately by researchers and had a coordinated response from vendors and service operators under an (albeit short) embargo is not a “0-day”.

#InfoSec #CVD

Next week I'll have a talk at Open Source Summit Japan 🇯🇵:

"We need an open source phone OS - postmarketOS!"

If you are there in-person, say hello, and otherwise a live stream (December 10th, 11:40 UTC+9) should be available, and the recording will appear also at some point!

https://ossjapan2025.sched.com/event/29Fpa/

#OSSummit #postmarketOS #MobileLinux #LinuxMobile #DigitalIndependence

The European Union has now published a great page about the Cyber Resilience Act that contains a 66 page FAQ about lots of things in "plain english": https://digital-strategy.ec.europa.eu/en/factpages/cyber-resilience-act-implementation