
"By Wednesday morning, Anthropic representatives had used a copyright takedown request to force the removal of more than 8,000 copies and adaptations of the raw Claude Code instructions—known as source code—that developers had shared on programming platform GitHub."

Because if there’s one thing GenAI companies absolutely don’t take lightly, it’s copyright.

https://www.wsj.com/tech/ai/anthropic-races-to-contain-leak-of-code-behind-claude-ai-agent-4bc5acc7

Unboxing videos with Linus:

"Let's see what we have here.... Yep, looks like a pile of hot garbage."
Posting this link here, as I always have to dig every few years when I need it: https://cdecl.org/ a C -> English translator for those "fun" const pointer to const array issues that you have to work out every so often...
Ok, it's now 6, something odd is happening...
@ffmancera I've responded now for them to cut that out. If you see other instances of this, please let me know.

Claude Code's source code has been leaked via a map file in their NPM registry https://xcancel.com/Fried_rice/status/2038894956459290963 😂

Guess what? Most of the code is either slop or even good old regex, like for detecting negative sentiment in the user's prompt, which is then logged

https://github.com/chatgptprojects/claude-code/blob/642c7f944bbe5f7e57c05d756ab7fa7c9c5035cc/src/utils/userPromptKeywords.ts#L8

These tools are going to replace 80% of all dev jobs and their plugin is gonna maintain all security and banking code? 🤡

In a few minutes I get interviewed by Shuah Khan and might answer questions from the audience if we have time: https://www.linuxfoundation.org/webinars/lf-live-maintainer-series-my-life-as-a-linux-kernel-developer-and-maintainer-with-greg-kh-and-shuah-khan

It will be recorded for playback later as well. It's part of the great Mentorship video series that Shuah has been putting on for years, the back catalog is deep: https://events.linuxfoundation.org/lf-live-mentorship-series/

Welcome Greg Kroah-Hartman @gregkh as commit author 1459: https://github.com/curl/curl/pull/21159

@m_berberich Adding a backdoor by reporting a bug without a patch? That seems like a very tough injection method :)
@aho maybe, but at least one reporter insisted it wasn't LLM generated, which of course does not actually make it true, and pointed instead at a 10 year old presentation that they "happened" to find.
We've gotten five different "security reports" about the decades old USBIP protocol https://docs.kernel.org/usb/usbip_protocol.html and how it is "insecure" in the past few days.

Yes, it's only to be run between "trusted" devices, and we will gladly take patches, so see the ones recently posted to the linux-usb mailing list to mitigate these issues, but it is very strange that all of a sudden this is being reported at the same time by random different semi-anonymous accounts.

Is there some big usb-over-ip installation somewhere that people suddenly started caring about out there, or did some internal hacking tool that uses usbip just get leaked?

No one who we asked "why?" when they were submitting these issues would give a very clear answer to that simple question, so something is going on...

@bagder @gregkh @hanno

Probably add @sjvn to this

Finding vulnerabilities in code is something humans are bad at. There are a few that are good (like Hanno), but I would say in general it's not a common skill

So the bar for LLMs to find vulnerabilities is very very low

@richlv @hanno Given that they have not been "found" yet by other tools that we know of, I would guess no. It's just "fuzzy pattern matching" which to be fair, is what LLMs are actually good at doing.
@hanno It is real, see my interview in the Register today about this very problem: https://www.theregister.com/2026/03/26/greg_kroahhartman_ai_kernel/

This week the European Commission published the draft for a guidance document for the Cyber Resilience Act (CRA). It is 70 pages, but contains some helpful examples and flowcharts, like this one, making it accessible even to Open Source folks with limited time.

Here: Quick guidance for the question of whether your FOSS component is in scope for the CRA, and if so, whether you're deemed a steward or manufacturer with regard to the component.

@musicmatze Yes, I use b4 a lot, it's very helpful. And one of these days I'll document my patch workflow again, it is behind many other things I "should" be writing about :)
@wagi https://git.sr.ht/~gregkh/presentation-cra/tree is a link to my CRA presentations, but I don't know about any "tool to check CRA compliance" that is out there.

For a steward, you only have to do 2 things, so should I just make a checklist with those 2 things on it for people to use? :)