The open-source world is currently awash in reports of LLM-discovered bugs and vulnerabilities, which makes for a lot more work for maintainers, but many of the current crop are being reported responsibly with an eye toward minimizing that impact. A recent report on an effort to systematically find bugs in Python extensions written in C has followed that approach. Hobbyist Daniel Diniz used Claude Code to find more than 500 bugs of various sorts across nearly a million lines of code in 44 extensions; he has been working with maintainers to get fixes upstream and his methodology serves as a great example of how to keep the human in the loop—and the maintainers out of burnout—when employing LLMs.

The OpenWrt One is a router powered by the open-source firmware from the OpenWrt project; it was also the subject of a keynote at SCALE in 2025 given by Denver Gingerich of the Software Freedom Conservancy (SFC), which played a big role in developing the router. Gingerich returned to the conference in 2026 to talk about the build system used by the OpenWrt One, which is focused on creating the needed binaries, naturally, but doing so in a way that makes it easy to comply with the licenses of the underlying code. That makes good sense for a project of this sort—and for a talk given by the director of compliance at SFC.

The Trusted Platform Module (TPM) is a widely misunderstood piece of hardware (or firmware) that lives in most x86-based computers. At SCALE 23x in Pasadena, California, James Bottomley gave a presentation on the TPM and the work that he and others have done to enable the Linux kernel to work with it. In particular, he described the problems with interposer attacks, which target the communication between the TPM and the kernel, and what has been added to the kernel to thwart them.

Pandoc is a document-conversion program that can translate among a myriad of formats, including LaTeX, HTML, Office Open XML (docx), plain text, and Markdown. It is also extensible by writing Lua filters that can manipulate the document structure and perform arbitrary computations. Pandoc has appeared in various LWN articles over the years, such as my look at Typst and at the importance of free software to science in 2025, but we have missed providing an overview of the tool. The February release of Pandoc 3.9, which comes with the ability to compile the program to WebAssembly (Wasm), allowing Pandoc to run in web browsers, will likely also be of interest.

The keynote for Sun Security Con 2026 (SunSecCon) was given by Farzan Karimi on how incident handling can go awry because of a lack of collaboration between the "good guys"—which stands in contrast to how attackers collaboratively operate. He provided some "war stories" where security incident handling had benefited from collaboration and others where it was hampered by its lack. SunSecCon was held in conjunction with SCALE 23x in Pasadena in early March.

Cindy Cohn is the executive director of the Electronic Frontier Foundation (EFF) and she gave the Saturday morning keynote at SCALE 23x in Pasadena about some of the work she and others have done to help protect online rights, especially digital privacy. The talk recounted some of the history of the court cases that the organization has brought over the years to try to dial back privacy invasions. One underlying theme was the role that attendees can play in protecting our rights, hearkening back to earlier efforts by the technical community.

After a year's worth of development since GIMP 3.0 was released, the team behind the open-source image editor has released GIMP 3.2. It comes as part of the plan to release GIMP more frequently, rather than wait six or seven years between releases. The release comes with lots of new features (as can be seen in more detail in the release notes), including 20 new brushes for the MyPaint Brush tool, an "overwrite" paint mode, new and upgraded file formats, UI improvements in a variety of places, such as the on-canvas text editor, and new non-destructive layers:

• You can now use Link Layers to incorporate external image as part of your compositions, easily scaling, rotating, and transforming them without losing quality or sharpness. The link layer's content is updated when the source file is modified
• The Path tool can now create Vector Layers, which lets you draw shapes with adjustable fill and stroke settings.

The advent of lazy imports in the Python language is upon us, now that PEP 810 ("Explicit lazy imports") was accepted by the steering council and the feature will appear in the upcoming Python 3.15 release in October. There are a number of good reasons, performance foremost, for wanting to defer spending—perhaps wasting—the time to do an import before a needed symbol is used. However, there are also good reasons not to want that behavior, at least in some cases. The tension between those two positions is what led to an earlier PEP rejection, but it is also playing into a recent discussion of the API used to control lazy imports.

The Python bitwise-inversion (or complement) operator, "~", behaves pretty much as expected when it is applied to integers—it toggles every bit, from one to zero and vice versa. It might be expected that applying the operator to a non-integer, a bool for example, would raise a TypeError, but, because the bool type is really an int in disguise, the complement operator is allowed, at least for now. For nearly 15 years (and perhaps longer), there have been discussions about the oddity of that behavior and whether it should be changed. Eventually, that resulted in the "feature" being deprecated, producing a warning, with removal slated for Python 3.16 (due October 2027). That has led to some reconsideration and the deprecation may itself be deprecated.

Over on the Collabora blog, Marius Vlad has an overview of Weston 15.0, which was released on February 19. Weston is the reference an implementation of a Wayland compositor. The new release comes with a new shell that can be programmed using the Lua language, a new, experimental Vulkan renderer, smoother media playback, color-management additions, and more.

One of Weston's fundamental pillars has always been making the most efficient use of display hardware. Over time, all the work we did to track and offload as much work as possible to this efficient fixed-function hardware has come at the cost of eating CPU time. In the last couple of release cycles, we've focused really hard on improving performance on even the most low-end of devices, so not only do we make the most efficient use of the GPU and display hardware, but we're also really kind on your CPU now. As part of that and to improve our tooling, Weston 15 now comes with support for the Perfetto profiler.

Security updates have been issued by AlmaLinux (kernel-rt and openssl), Debian (ca-certificates, chromium, gegl, glib2.0, libvpx, modsecurity-crs, nova, and pillow), Fedora (chromium, mingw-libpng, mupdf, python-pyasn1, python-PyMuPDF, python-uv-build, python3.13, qpdfview, rust-ambient-id, uv, and zathura-pdf-mupdf), Mageia (freerdp, gnutls, and libvpx), Red Hat (butane and grafana-pcp), SUSE (chromedriver, chromium, cockpit-repos, firefox, kernel, libpng16, postgresql16, postgresql17, postgresql18, python, python311-nltk, snpguest, ucode-intel-20260210, vexctl, and xen), and Ubuntu (djvulibre, evolution-data-server, linux-lowlatency, linux-xilinx, and u-boot).