"We will ban you and ridicule you in public if you waste our time on crap reports."

https://curl.se/.well-known/security.txt

#curl

These two @lwn articles are prime examples of why good journalism matters and why you should pay money to make sure it thrives:

They both look beyond the shiny statements from the different parties involved and outside commentators such as @torvalds in this case and explain just how it is from a mostly neutral[1] point of view so that you can make your own judgments.

* GPLv2 and installation requirements – https://lwn.net/Articles/1052842/

* SFC v. VIZIO: who can enforce the GPL? – https://lwn.net/Articles/1052734/

[1] We are humans, and even if we try, we are never completely neutral – and a publication like #LWN that targets the FLOSS community obviously will somewhat look at things from the view of its target audience.

#gpl #Linux #kernel #VIZIO #sfc

@g0hl1n @monsieuricon which protocol are you using, git or http?

We've seen git do this in the past, I think there are many discussions about this on the git list in the archives.

This post by Bruce Schneier contains so many thoughtful soundbites:

> The question is not simply whether copyright law applies to AI. It is why the law appears to operate so differently depending on who is doing the extracting and for what purpose.

> Like the early internet, AI is often described as a democratizing force. But also like the internet, AI’s current trajectory suggests something closer to consolidation.

https://www.schneier.com/blog/archives/2026/01/ai-and-the-corporate-capture-of-knowledge.html

I talked for more than two hours (135 mins to be precise) about upstream Linux kernel hardening at Okayama University this afternoon. 🐧👨🏽‍💻🎙

I just uploaded my slides here: https://embeddedor.com/blog/presentations/#Enhancing_spatial_safety_Better_array-bounds_checking_in_C_and_Linux_Okayama_University_%E2%80%93Guest_talk

I really enjoyed the session. The students were amazing. They were well prepared and asked a lot of questions. 👏🏼👏🏼

#Linux #OpenSource #Education #Mentoring #Okayama #OkayamaUniversity

A thought that popped into my head when I woke up at 4 am and couldn’t get back to sleep…

Imagine that AI/LLM tools were being marketed to workers as a way to do the same work more quickly and work fewer hours without telling their employers.

“Use ChatGPT to write your TPS reports, go home at lunchtime. Spend more time with your kids!” “Use Claude to write your code, turn 60-hour weeks into four-day weekends!” “Collect two paychecks by using AI! You can hold two jobs without the boss knowing the difference!”

Imagine if AI/LLM tools were not shareholder catnip, but a grassroots movement of tooling that workers were sharing with each other to work less. Same quality of output, but instead of being pushed top-down, being adopted to empower people to work less and “cheat” employers.

Imagine if unions were arguing for the right of workers to use LLMs as labor saving devices, instead of trying to protect members from their damage.

CEOs would be screaming bloody murder. There’d be an overnight industry in AI-detection tools and immediate bans on AI in the workplace. Instead of Microsoft CoPilot 365, Satya would be out promoting Microsoft SlopGuard - add ons that detect LLM tools running on Windows and prevent AI scrapers from harvesting your company’s valuable content for training.

The media would be running horror stories about the terrible trend of workers getting the same pay for working less, and the awful quality of LLM output. Maybe they’d still call them “hallucinations,” but it’d be in the terrified tone of 80s anti-drug PSAs.

What I’m trying to say in my sleep-deprived state is that you shouldn’t ignore the intent and ill effects of these tools. If they were good for you, shareholders would hate them.

You should understand that they’re anti-worker and anti-human. TPTB would be fighting them tooth and nail if their benefits were reversed. It doesn’t matter how good they get, or how interesting they are: the ultimate purpose of the industry behind them is to create less demand for labor and aggregate more wealth in fewer hands.

Unless you happen to be in a very very small club of ultra-wealthy tech bros, they’re not for you, they’re against you. #AI #LLMs #claude #chatgpt

@manx @bagder @defnull @pierstoval Your proposal seems to match what is currently available to you by asking for a CVE id from the existing CNAs that offer them (red hat and github). You always need a person involved in the process, and those two CNAs are giving you their time and resources to do this for you, for free. If you don't want the delay involved in using that resource, then again, you can spend a bit of your own resources (i.e. time, one time) to become a CNA so that you don't have to rely on others in the future.

Any system of "global identifiers" is going to do the same exact thing, this isn't unique to cve.org at all. It's just that cve.org actually allows you to take ownership of your own destiny, instead of being forced to rely on others, if you so desire.

@manx @defnull @bagder @pierstoval If there are steps involved that you feel are unneeded or "too much effort", let them know, they are responsive to making this process easy to work with.

Personally, I didn't find it took that long at all.

@manx @defnull @bagder @pierstoval There will always be something that has to be a "gatekeeper" to get access so that you can assign identifiers, otherwise the system is useless and will be flooded with junk.

There are other alternatives to CVE, if you don't want to go through the "hoops" that cve.org puts up, but all of those alternatives also require a basic "here's how you work with our system and let's verify you are a real person/group to be using it", which all amount to pretty much the identical effort involved.

So it's fun to wish for free ponies, but someone has to be responsible for taking care of it :)

8 minutes video of commuting in the snow by bike here in the Netherlands earlier this week:
https://www.youtube.com/watch?v=SmMRVeRs3vU
(note, not my video, but I was out in that mess, taking a tram and walking to where I needed to go that day.)

@pierstoval @defnull @manx @bagder Again, we have that today, there is a "one click submission to assign a CVE web form" that a CNA can use (and many do.)

So I really don't understand what you are wanting to see created that isn't already here for you to use today.

@pierstoval @defnull @manx @bagder Um, we have that today, with the CVE infrastructure. Any open source project can become a CNA now, and once that is done, they have access to do everything you are asking for.

There is always going to be a "hurdle" of signing up to get that token/oath/whatever, which is what the process is for in becoming a CNA (proof you know how to issue a cve properly, using the tools). So no matter who "hosts" this thing, it's going to be the same.

Try it yourself and see!

@manx @bagder There is no work involved in "maintaining" a CNA, other than actually doing the normal work of being a CNA by assigning CVEs to your project when needed.
Yes, it takes a small bit of time to become a CNA, but it's really painless and it involves a small amount of homework to show that you know how the process works, which is a good thing for everyone involved. Once completed, being a CNA is trivial.

But if you don't want to be one, fine, just hit up a CNA that can give you a CVE id if needed for your project (Red Hat and Github do this for open source projects), but then you are at the mercy of their workloads, not yours. It all depends on who you wish to depend on, someone else, or yourself :)

@manx @bagder It does not take longer than that, it's a "simple" api call (i.e. a scripted curl command) that any CNA can do to get a CVE number, and you can allocate any amount at once (within reason, CNAs have a max they are allowed to request and "hold" without assigning at any point in time, usually around 500 or so.)

Another post in my Linux kernel CVE process series, "How the Linux kernel security process works": http://www.kroah.com/log/blog/2026/01/02/linux-kernel-security-work/

I've been trying to quit Google for years, and I finally did it: https://jimmunroe.net/writing/divestment-december.html
Anger at the techno-fascists wasn't enough on its own:
I got a big boost of inspiration and mutual aid from the brilliant community at @yunohost who provide ways to install and maintain -- with very little technical knowledge --
digital services like forums, cloud services and media streaming apps. Check them out at https://YunoHost.org !

All 5960 GSD kernel security reports are now finally processed and CVE ids have been assigned for those that meet the cve.org criteria. Only took me almost 2 years of manual review, ugh, that was a grind:

https://lore.kernel.org/r/2025123055-directory-hemlock-a282@gregkh

The kernel CNA assigned their 10000th CVE last week, CVE-2025-68750

So far the “stats” look like:

 Year	Reserved	Assigned	Rejected	 A+R		Returned	Total
  2019:	   0		   2		   1		   3		  47		  50
  2020:	   0		  17		   0		  17		  33		  50
  2021:	   0		 732		  24		 756		  16		 772
  2022:	   3		2041		  47		2088		   0		2091
  2023:	   1		1464		  47		1511		   0		1512
  2024:	   6		3069		  96		3165		   0		3171
  2025:	  73		2421		  39		2460		   0		2533
 Total:	  83		9746		 254		10000		  96		10179

Note, the “year” is the year the bug was fixed in the kernel tree, NOT the year the CVE was applied for/assigned.

@trashheap The “argument” by the SFC is complete garbage, and always has been. There has been no question about the license, and I have made it very clear over the years. And the SFC knows that.

So when they argue their incorrect reading of the GPLv2 in court, they are absolutely not doing GPLv2 enforcement. They are trying to further an agenda that is invalid, and always has been, and is explicitly against the wishes of the actual copyright holders.

So the SFC is just pure trash.

If they want to “protect” some project, let them protect a project that asks for it - not one that is known to not want their kind of protection.

Because what they are doing is a racket, plain and simple.

Rare footage of @gregkh signing an autograph with the phrase "do not use old kernels!" at Open Source Summit Korea 2025, after one of his sessions.

#Linux #OpenSource #OpenSourceSummit