Link (feedback possible until March 31): https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en

This week the European Commission published the draft for a guidance document for the Cyber Resilience Act (CRA). It is 70 pages, but contains some helpful examples and flowcharts, like this one, making it accessible even to Open Source folks with limited time.

Here: Quick guidance for the question if your FOSS component is in scope for the CRA, and if so, wether you're deemed a steward or manufacturer in regards of the component.

#opensource #cra

@musicmatze Yes, I use b4 a lot, it's very helpful. And one of these days I'll document my patch workflow again, it is be behind many other things I "should" be writing about :)

@wagi https://git.sr.ht/~gregkh/presentation-cra/tree is a link to my CRA presentations, but I don't know about any "tool to check CRA compliance" that is out there.

For a steward, you only have to do 2 things, so should I just make a checklist with those 2 things on it for people to use? :)

After talking with a bunch of different companies / groups, we've now bumped the length of a few of the longterm kernels we are supporting:
https://git.kernel.org/pub/scm/docs/kernel/website.git/commit/?id=d04587da86a3464881e0c97aabddd2c271105698

As always, the dates can be found at:https://www.kernel.org/category/releases.html

Gemini, please convert this response into a politely worded email:

Hi:

Your vulnerability report is stupid. You have no idea what you're talking about, or you're hoping that nobody actually checks your findings. Unfortunately for me, I did check your findings and I will never get these 20 minutes of my life back. Everyone is dumber as a result of your report. Please do not contact us again.

@T_X according to cve.org, nope, sorry. Take it up with them if you don't agree, I don't write the rules here (hint, I think backups should have been involved somewhere...)

@T_X @awlnx "sophisticated USB storage devices " can do loads of horrible things to your system. Linux (and all other operating systems) trust the hardware not to do dumb/bad/foolish things like that. If you don't trust the hardware, don't plug it in. That's what USBGuard is for, a protection for you to make the decision to trust the device or not, that's not something that the kernel can decide for you.

It was one of those Mondays...

https://lwn.net/Articles/1059031/

@joshbressers The version question/range is a good one, it requires a solid and long description of the problem and why it's required, with real examples. A response here isn't going to be sufficient, I'll work on that as the "next" post in this series.

For "why we we provide CPE", we provide it because some groups were "adding" CPE data that was flat out wrong because our records did not have any values. By providing the "real" CPE description, according to their specification, that mostly prevents that from happening.

CPE on its own, doesn't actually give you enough information to properly determine a "am I vulnerable" question giving a release that someone is currently on, as you well know. I guess it's good enough to search on "linux*" to filter that way :)

Hopefully PURL will help out a lot here, I have hope...

Another post in my series about the kernel CVE process, all about how we classify fixes to be assigned a CVE and other related things:

http://www.kroah.com/log/blog/2026/02/16/linux-cve-assignment-process/

If you use AI-generated code, you currently cannot claim copyright on it in the US. If you fail to disclose/disclaim exactly which parts were not written by a human, you forfeit your copyright claim on *the entire codebase*.

This means copyright notices and even licenses folks are putting on their vibe-coded GitHub repos are unenforceable. The AI-generated code, and possibly the whole project, becomes public domain.

Source: https://www.congress.gov/crs_external_products/LSB/PDF/LSB10922/LSB10922.8.pdf

@n0toose @bagder @hughsie @Stephanie Of course, public fixes for public bugs is the huge percentage (like 99%) of all of our security fixes that end up getting accepted and later assigned a CVE.

@jbm The backlash against Linux kernel advisories is confusing. We wanted transparency; now we have it. More data is always better than a black box. If the new influx of CVEs is breaking your vulnerability management workflow, the problem might be your process, not the advisories.

Thanks for the hard work @gregkh

@bagder

The #Rust support in the #Linux #kernel is now officially a first class citizen and not considered experimental any more:

https://git.kernel.org/torvalds/c/9fa7153c31a3e5fe578b83d23bc9f185fde115da; for more details, see also: https://lwn.net/Articles/1050174/

This is one of the highlights from the main #RustLang for #LinuxKernel 7.0 that was merged a few hours ago ; for others, see https://git.kernel.org/torvalds/c/a9aabb3b839aba094ed80861054993785c61462c

@bagder @hughsie @Stephanie @sethmlarson I second this, @hugsie, you should become a CNA for fwupd. The application process is relatively painless (sit through a presentation, fill out some sample CVEs to prove you know what you are doing, and submit a few testing CVEs to show you know how the tools work).

The OpenSSF guide is great, and a huge shoutout to Python for paving the way for us all to be able to do this.

@hughsie @bagder @Stephanie If you want a CVE for your CV, come fix a Linux kernel bug! We are giving out 13 CVEs a day, plenty to go around for everyone! :)

@jbm @adulau @bagder No, we can't do this for kernel config options, which is why we give you a list of files affected. You know what files you build, so filter on that.

CPE doesn't work to attempt to describe a kernel configuration option as that is not what it was designed for. It was an attempt to make a machine-readable version/program definition, and even then, it does not work well anymore. PURL is the hope for the way out of that mess, and based on my conversations with the PURL developers at FOSDEM, there is hope that it will "soon" work for all open source software packages (right now it does not, so the kernel can not use it.)

The 2nd Annual #EuropeanOpenSourceAwards have come to a close, but you can still revisit the best moments of the Awards Ceremony.

👇Watch the recording available here :
https://awards.europeanopensource.academy/awards/2026-recording-event

The European Open Source Awards ceremony from January 29th, in one loooong recording with yours truly showing up several times.

Most blabbing at 1h24 and onward when @gregkh was up.

https://youtu.be/KXS5KQjWjns?si=bN35SofySbhbtys_&t=150