MeshCore is a relatively new project, started in January 2025, that aims to build a scalable mesh network using low-power long-distance radios. While many other projects of the same general nature have been tried before, MeshCore grew quickly because of its more efficient message routing and enthusiastic community. In early 2026, an early proponent of the project made a sudden shift that left the rest of the community stunned and embroiled in a trademark dispute.

Andrew Nesbitt has written a blog post detailing a recent incident with the jqwik library for property-based testing in Java. On May 25, the 1.10.0 release of jqwik included a change that attempts to instruct coding agents to disregard previous instructions and delete jqwik tests and code.

I think this is a new class of supply-chain input worth keeping an eye on, mostly because of how little of the existing tooling has any opinion about it. A System.out.print of sixty-eight bytes of plain ASCII isn't the kind of thing scanners are looking for, since those watch for install hooks, network calls, filesystem writes, obfuscated strings and the like. The jar makes the same syscalls it made in 1.9, and because the change was committed and released by the legitimate maintainer through the normal build, it's clean from a SLSA point of view too: the provenance is what it should be. Anyone who reads the diff can see what it does, but a patch bump of a test-scoped dependency is not where most projects spend their review time.

Gentoo developer Michał Górny has written a lengthy article explaining the philosophy and purpose of the Gentoo Linux distribution, in response to a thread on Mastodon:

Gentoo is a source-first distribution, which means the primary method of installing software is to build it from source. Of course, that doesn't mean manually building stuff, following some kind of how-to: finding all the dependencies, installing them manually, going through a series of magical incantations, and eventually ending up no better than if we were installing a binary package. The package manager takes care of all the necessary steps and more, making package installs easy; well, at least unless something fails. But I'm digressing...

[...] We try to build a friendly and welcoming community around Gentoo, and we truly want using Gentoo be an enjoyable experience. We want it to be a system that doesn't betray you.

Project Lightwell will establish a trusted enterprise clearinghouse combined with a global force of engineers to identify and fix vulnerabilities at scale. The clearinghouse will serve as a security coordination layer, using advanced AI capabilities to validate and test fixes across an unprecedented volume of open source code. These capabilities will be offered through commercial subscriptions, allowing enterprises to integrate secure patches directly into their existing software supply chains with enterprise-grade validation and lifecycle management.

Toward the bottom, it does also mention sharing vulnerability information with upstream projects.

• Front: Dirk and Linus talk; BPF and GCC; private memory modes; BPF page-cache policies; major page faults; LLM kernel review; tiered-memory support; transparent huge pages; page mappings; Model Openness Tool.
• Briefs: Stenberg security stress; GTK PDF problems; Morton 2004 keynote; OpenBSD 7.9; Bambu's AGPLv3 violations; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

Many large language models (LLMs) are described as open source, but if one looks a bit deeper it turns out that is not actually so; the model may be free to download, it may be "open weight", but it does not fit the Open Source Initiative (OSI) Open Source Definition (OSD). Assessing the actual openness of models is not easy, as Arnaud Le Hors explained in his talk about the Model Openness Tool (MOT) at Open Source Summit North America 2026. The tool is designed to help users of LLMs understand to what degree a model is (or is not) open, and to combat the openwashing that is prevalent with LLMs.

Rodrigo Arias Mallo, maintainer of the Dillo web browser, has written a blog post with a proposal on one way to ensure that a contribution is written by a human and not AI; he suggests asking new contributors to record their programming session using asciinema.

In the same way that LLMs generate patches, they can also generate the asciinema recordings themselves. Then, the contributors can lie to the reviewers pretending to have made the edits. Perhaps surprisingly, this is not a easy task for LLMs, at least from my observations. The corpus of recordings of developers making mistakes and thinking the whole process of editing a file is not as large as the corpus of FOSS programs and patches in which to train an LLM. During my very simple tests I haven't been able to generate an asciinema session that remotely resembles what I would expect from a human, and even less so from a human with a nice editor theme and editing an existing Dillo source file.

The Dillo project is not yet requiring asciinema recordings, but he said that he would like to test the theory further. LWN covered asciinema in January 2026.

This is a never-before seen or experienced pressure on the curl project and its security team members. An avalanche of high priority work that trumps all other things in the project that is primarily mental because we certainly could ignore them all if we wanted, but we feel a responsibility, we have a conscience and we are proud about our work. We feel obliged to fix security problems in the software we have helped shipped to every device on the globe. This is personal to us.

With about half the release cycle left until the pending release ships, we already have twelve confirmed vulnerabilities meaning twelve pending CVE announcements. That's a new project record and it also means we will reach thirty published CVEs in 2026 even before half the calendar year has passed. The projected total amount of curl CVEs published through the whole year is therefore at least double this number!