@larsmb crazy, it has been a long time! And thanks for the kind remarks, from you and everyone else!
As it came up in a few conversations during "FOSDEM week", here's a link to the OpenSSF blog post about why the idea of "attestation for open source projects" is, in my opinion and that of others, a bad idea:

https://openssf.org/blog/2026/01/21/preserving-open-source-sustainability-while-advancing-cybersecurity-compliance/

Yes, FOSS foundations and projects need ways of getting funding, that is very important, but thinking that "attestation is how we will get that money!" might not be such a good idea given the risks involved, and the past experience for those that have attempted it.

bert hubert 🇺🇦🇪🇺🇺🇦

So I like to make plaintext outlines of presentations I do. Today is a banger.

I may regret this at some point, but I felt the need to put down in writing how I feel about this moment in the tech industry.

It is not kind. You may well be insulted by it. If you are... then you really should question yourself.

https://www.garfieldtech.com/blog/selfish-ai

There is no Claude, just other people's code

Michiel Leenaars for @nlnet at @fosdem

Everything you’re hearing about AI is completely true and not at all made up by sycophants

The only thing that is real is your FOMO

Also ducks. Ducks are real

@kirschner We were lucky to do so, as you well know :)
Traditional #FOSDEM lunch break, club-mate and kernel CVE assignments.

Another day, another stage. Same duo.

Prediction for the potential future:

When the AI coding agent companies are just about to run out of money, down to their last few % raised as none of their customers are actually paying the real cost required to run these services, they pivot and take all of the uploaded code that was willingly sent to them, turn it into thousands of products / services to sell / rent, disconnect the public API endpoints leaving their old customers helpless as they no longer remember how to program "in the raw" and cannot understand their own codebases, and compete directly against them, putting their own customers all out of business, which finally results in a positive income stream and "validation" of the coding agent companies' previously over-hyped business valuations.

"But copyright law will prevent this!" you say...
@bagder It was an amazing honor to receive this, thank you all so much, and for your great speech at the event.

RE: https://mastodon.social/@bagder/115980733920028429

The @europeanOSacademy’s Excellence in Open Source Award 2026 goes to @gregkh, presented by @bagder.

"We will ban you and ridicule you in public if you waste our time on crap reports."

https://curl.se/.well-known/security.txt

Thorsten Leemhuis (acct. 1/4)

These two @lwn articles are prime examples of why good journalism matters and why you should pay money to make sure it thrives:

They both look beyond the shiny statements from the different parties involved and outside commentators such as @torvalds in this case and explain just how it is from a mostly neutral[1] point of view so that you can make your own judgments.

* GPLv2 and installation requirements – https://lwn.net/Articles/1052842/

* SFC v. VIZIO: who can enforce the GPL? – https://lwn.net/Articles/1052734/

[1] We are humans, and even if we try, we are never completely neutral – and a publication like that, which targets the FLOSS community, will obviously look at things somewhat from the view of its target audience.

@g0hl1n @monsieuricon which protocol are you using, git or http?

We've seen git do this in the past, I think there are many discussions about this on the git list in the archives.

This post by Bruce Schneier contains so many thoughtful soundbites:

> The question is not simply whether copyright law applies to AI. It is why the law appears to operate so differently depending on who is doing the extracting and for what purpose.

> Like the early internet, AI is often described as a democratizing force. But also like the internet, AI’s current trajectory suggests something closer to consolidation.

https://www.schneier.com/blog/archives/2026/01/ai-and-the-corporate-capture-of-knowledge.html

I talked for more than two hours (135 mins to be precise) about upstream Linux kernel hardening at Okayama University this afternoon. 🐧👨🏽‍💻🎙

I just uploaded my slides here: https://embeddedor.com/blog/presentations/#Enhancing_spatial_safety_Better_array-bounds_checking_in_C_and_Linux_Okayama_University_%E2%80%93Guest_talk

I really enjoyed the session. The students were amazing. They were well prepared and asked a lot of questions. 👏🏼👏🏼

A thought that popped into my head when I woke up at 4 am and couldn’t get back to sleep…

Imagine that AI/LLM tools were being marketed to workers as a way to do the same work more quickly and work fewer hours without telling their employers.

“Use ChatGPT to write your TPS reports, go home at lunchtime. Spend more time with your kids!” “Use Claude to write your code, turn 60-hour weeks into four-day weekends!” “Collect two paychecks by using AI! You can hold two jobs without the boss knowing the difference!”

Imagine if AI/LLM tools were not shareholder catnip, but a grassroots movement of tooling that workers were sharing with each other to work less. Same quality of output, but instead of being pushed top-down, being adopted to empower people to work less and “cheat” employers.

Imagine if unions were arguing for the right of workers to use LLMs as labor saving devices, instead of trying to protect members from their damage.

CEOs would be screaming bloody murder. There’d be an overnight industry in AI-detection tools and immediate bans on AI in the workplace. Instead of Microsoft CoPilot 365, Satya would be out promoting Microsoft SlopGuard - add-ons that detect LLM tools running on Windows and prevent AI scrapers from harvesting your company’s valuable content for training.

The media would be running horror stories about the terrible trend of workers getting the same pay for working less, and the awful quality of LLM output. Maybe they’d still call them “hallucinations,” but it’d be in the terrified tone of 80s anti-drug PSAs.

What I’m trying to say in my sleep-deprived state is that you shouldn’t ignore the intent and ill effects of these tools. If they were good for you, shareholders would hate them.

You should understand that they’re anti-worker and anti-human. TPTB would be fighting them tooth and nail if their benefits were reversed. It doesn’t matter how good they get, or how interesting they are: the ultimate purpose of the industry behind them is to create less demand for labor and aggregate more wealth in fewer hands.

Unless you happen to be in a very very small club of ultra-wealthy tech bros, they’re not for you, they’re against you.

@manx @bagder @defnull @pierstoval Your proposal seems to match what is currently available to you by asking for a CVE ID from the existing CNAs that offer them (Red Hat and GitHub). You always need a person involved in the process, and those two CNAs are giving you their time and resources to do this for you, for free. If you don't want the delay involved in using that resource, then again, you can spend a bit of your own resources (i.e. time, one time) to become a CNA so that you don't have to rely on others in the future.

Any system of "global identifiers" is going to do the same exact thing, this isn't unique to cve.org at all. It's just that cve.org actually allows you to take ownership of your own destiny, instead of being forced to rely on others, if you so desire.
@manx @defnull @bagder @pierstoval If there are steps involved that you feel are unneeded or "too much effort", let them know, they are responsive to making this process easy to work with.

Personally, I didn't find it took that long at all.