Version 1.96.0 of the Rust programming language has been released. Changes include a new set of Copy-implementing Range types, assertions with pattern matching, a number of stabilized APIs, and two Cargo vulnerability fixes.

Gentoo developer Michał Górny has written a lengthy article explaining the philosophy and purpose of the Gentoo Linux distribution, in response to a thread on Mastodon:

Gentoo is a source-first distribution, which means the primary method of installing software is to build it from source. Of course, that doesn't mean manually building stuff, following some kind of how-to: finding all the dependencies, installing them manually, going through a series of magical incantations, and eventually ending up no better than if we were installing a binary package. The package manager takes care of all the necessary steps and more, making package installs easy; well, at least unless something fails. But I'm digressing...

[...] We try to build a friendly and welcoming community around Gentoo, and we truly want using Gentoo be an enjoyable experience. We want it to be a system that doesn't betray you.

In a filesystem-track session at the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit, Amir Goldstein wanted to discuss his proposed documentation on adding new filesystems to the kernel. There are a number of unmaintained and untestable filesystems already in the kernel, which are a burden to VFS-layer developers who are trying to make sweeping changes, such as switching to folios and the "new" mount API. Goldstein's document is an attempt to head off the addition of filesystems that may increase that burden down the road.

IBM has sent out a press release touting a claimed $5 billion investment into an operation called Project Lightwell:

Project Lightwell will establish a trusted enterprise clearinghouse combined with a global force of engineers to identify and fix vulnerabilities at scale. The clearinghouse will serve as a security coordination layer, using advanced AI capabilities to validate and test fixes across an unprecedented volume of open source code. These capabilities will be offered through commercial subscriptions, allowing enterprises to integrate secure patches directly into their existing software supply chains with enterprise-grade validation and lifecycle management.

Toward the bottom, it does also mention sharing vulnerability information with upstream projects.

The kernel's memory-management subsystem is currently partway through a multi-year project to replace the page structure (which represents a page of physical memory) with memory descriptors. At the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit, Vishal Moola ran a fast-paced session in the memory-management track to describe the current state of that work and what is likely to happen next.

Security updates have been issued by AlmaLinux (firefox, gdk-pixbuf2, glibc, gnutls, kernel, libexif, mysql8.4, postgresql16, postgresql18, python3.14, ruby:3.3, and ruby:4.0), Debian (krb5, roundcube, starlette, unbound, and varnish), Fedora (kernel, nginx, nginx-mod-brotli, nginx-mod-fancyindex, nginx-mod-headers-more, nginx-mod-js-challenge, nginx-mod-modsecurity, nginx-mod-naxsi, nginx-mod-vts, perl-Imager, poppler, python-uv-build, rrdtool, rust-astral-tokio-tar, rust-astral_async_http_range_reader, rust-astral_async_zip, uv, and xen), Oracle (.NET 10.0, .NET 9.0, glibc, ruby:3.3, and thunderbird), Red Hat (.NET 10.0, .NET 8.0, .NET 9.0, containernetworking-plugins, gvisor-tap-vsock, podman, runc, and skopeo), SUSE (agama, alloy, bubblewrap, cockpit, cups, dnsmasq, emacs, glibc, gnutls, go1.25, go1.25-openssl, go1.26, go1.26-openssl, google-guest-agent, hplip, ibus-rime, librime, kernel, libarchive, libzypp, nginx, openexr, openssh, php7, postgresql14, postgresql15, postgresql16, python311-pytest-html, redis, redis7, rsync, tree-sitter, valkey, xen, and yq), and Ubuntu (cableswig, commons-beanutils, dnsmasq, ffmpeg, foomuuri, gst-plugins-good1.0, libcaca, libgcrypt20, mediawiki, memcached, papers, postorius, tgt, and tika).

Inside this week's LWN.net Weekly Edition:

• Front: Dirk and Linus talk; BPF and GCC; private memory modes; BPF page-cache policies; major page faults; LLM kernel review; tiered-memory support; transparent huge pages; page mappings; Model Openness Tool.
• Briefs: Stenberg security stress; GTK PDF problems; Morton 2004 keynote; OpenBSD 7.9; Bambu's AGPLv3 violations; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

The Linux Foundation will be hosting a live interview with LWN co-founder Jonathan Corbet. The event will take place on Tuesday, June 2 at 8:00AM Pacific daylight time (UTC-7). Registration is open for those who would like to attend.

Many large language models (LLMs) are described as open source, but if one looks a bit deeper it turns out that is not actually so; the model may be free to download, it may be "open weight", but it does not fit the Open Source Initiative (OSI) Open Source Definition (OSD). Assessing the actual openness of models is not easy, as Arnaud Le Hors explained in his talk about the Model Openness Tool (MOT) at Open Source Summit North America 2026. The tool is designed to help users of LLMs understand to what degree a model is (or is not) open, and to combat the openwashing that is prevalent with LLMs.

I recently presented a brief tribute to Andrew Morton at the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit; it included a suggestion that reading (or re-reading) his 2004 Ottawa Linux Symposium keynote would be instructive. This talk, given immediately after the Kernel Summit session that decided to fundamentally change the kernel's development model, tells a lot about how the kernel project got to where it is today. The text of that speech was hosted on Groklaw, and has since been replaced by crypto spam, which is rather less useful. In the hopes of preserving this seminal moment, the transcript has been rescued thanks to the Wayback Machine and is presented here.

The mapcount field was created to track the number of mappings (page-table entries) that refer to the given page. Among other things, a mapcount of zero means that the page has no references and can be reclaimed. Maintaining mapcount has become increasingly challenging and expensive as the memory-management system has grown in complexity, so Hildenbrand has been looking for ways to get rid of it. This session was, he said, maybe one of the last times he will have to bring up this topic.

Security updates have been issued by AlmaLinux (bind, buildah, compat-libtiff3, compat-openssl11, containernetworking-plugins, crun, delve, dnsmasq, dovecot, edk2, firefox, freeipmi, gdk-pixbuf2, giflib, git-lfs, glib2, go-fdo-client, go-fdo-server, golang, grafana, grafana-pcp, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-ugly-free, iputils, jq, kernel, krb5, libcap, LibRaw, libsndfile, libsoup, libsoup3, libssh, libtiff, libvirt, linux-sgx, luksmeta, mingw-glib2, NetworkManager, nginx, nginx:1.24, nginx:1.26, openexr, openssh, openssl, opentelemetry-collector, p11-kit, PackageKit, podman, python-jwcrypto, python-markdown, python-tornado, python3.11, python3.12, python3.14, python3.9, qemu-kvm, rsync, skopeo, sudo, systemd, thunderbird, tomcat, unbound, vim, xorg-x11-server, xorg-x11-server-Xwayland, yggdrasil, and yggdrasil-worker-package-manager), Debian (imagemagick, kdenlive, memcached, node-shell-quote, and samba), Fedora (chromium, curl, editorconfig, haproxy, perl-Crypt-DSA, perl-HTTP-Tiny, poppler, rust-afterburn, rust-coreos-installer, rust-eif_build, rust-rpm-sequoia, rust-sequoia-chameleon-gnupg, rust-sequoia-git, rust-sequoia-keystore-server, rust-sequoia-octopus-librnp, rust-sequoia-openpgp, rust-sequoia-sop, rust-sequoia-sq, rust-sequoia-sqv, and uriparser), Oracle (compat-libtiff3, dnsmasq, firefox, freeipmi, kernel, and uek-kernel), Slackware (mozilla), SUSE (assimp, firefox, glibc, gnutls, go1.25-openssl, go1.26-openssl, kernel, kubevirt, leancrypto, libarchive, libsndfile, mcphost, nginx, openssh, podman, python-GitPython, rsync, and samba), and Ubuntu (ayttm, dnsmasq, libssh2, linux-azure, linux-azure, linux-azure-6.17, linux-iot, linux-lowlatency-hwe-5.15, ngtcp2, onnx, opencc, protobuf, python-git, samba, xdg-dbus-proxy, and xmlrpc-c).

Rodrigo Arias Mallo, maintainer of the Dillo web browser, has written a blog post with a proposal on one way to ensure that a contribution is written by a human and not AI; he suggests asking new contributors to record their programming session using asciinema.

In the same way that LLMs generate patches, they can also generate the asciinema recordings themselves. Then, the contributors can lie to the reviewers pretending to have made the edits. Perhaps surprisingly, this is not a easy task for LLMs, at least from my observations. The corpus of recordings of developers making mistakes and thinking the whole process of editing a file is not as large as the corpus of FOSS programs and patches in which to train an LLM. During my very simple tests I haven't been able to generate an asciinema session that remotely resembles what I would expect from a human, and even less so from a human with a nice editor theme and editing an existing Dillo source file.

The Dillo project is not yet requiring asciinema recordings, but he said that he would like to test the theory further. LWN covered asciinema in January 2026.

Curl maintainer Daniel Stenberg writes about the stress of keeping up with the current flood of security reports.

This is a never-before seen or experienced pressure on the curl project and its security team members. An avalanche of high priority work that trumps all other things in the project that is primarily mental because we certainly could ignore them all if we wanted, but we feel a responsibility, we have a conscience and we are proud about our work. We feel obliged to fix security problems in the software we have helped shipped to every device on the globe. This is personal to us.

With about half the release cycle left until the pending release ships, we already have twelve confirmed vulnerabilities meaning twelve pending CVE announcements. That's a new project record and it also means we will reach thirty published CVEs in 2026 even before half the calendar year has passed. The projected total amount of curl CVEs published through the whole year is therefore at least double this number!

Huge pages can improve performance by increasing translation lookaside buffer (TLB) utilization and reducing memory-management overhead. Transparent huge pages (THPs) are supposed to make huge-page usage, well, transparent, Nico Pache said at the beginning of his session in the memory-management track of the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit. That transparency has never worked as well as many would like; he has been working on improvements to make it easier for applications to use huge pages on Linux systems. A following session, led by David Hildenbrand, was focused on how THPs could be taken away from processes that are not using them fully.

Security updates have been issued by Debian (postorius and spip), Fedora (bind, bind-dyndb-ldap, linux-firmware, tor, and unbound), Mageia (ffmpeg, nginx, perl-Imager, and tigervnc, x11-server, x11-server-xwayland), Oracle (firefox and kernel), Red Hat (buildah, git-lfs, go-toolset:rhel8, golang, golang-github-openprinting-ipp-usb, grafana, grafana-pcp, gvisor-tap-vsock, java-1.8.0-openjdk, java-17-openjdk, java-21-openjdk, opentelemetry-collector, osbuild-composer, podman, rhc, rhc-worker-playbook, skopeo, and yggdrasil), SUSE (amazon-ecs-init, assimp, azure-storage-azcopy, busybox, firefox, gnutls, graphicsmagick, helm, kernel, leancrypto, libpng16, libppsdocument4_0-6, libsndfile, mcphost, nano, nginx, perl-http-tiny, perl-XML-LibXML, python-urllib3, python-urllib3_1, python311-ocrmypdf, python312, rclone, rsync, xen, and xz), and Ubuntu (dotnet8, dotnet9, dotnet10, linux-intel-iot-realtime, linux-lowlatency, linux-nvidia-6.8, linux-nvidia-tegra, linux-nvidia-tegra-igx, nltk, simpleeval, and vim).

In a plenary session at the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit, the state of patch review using large language models (LLMs) was discussed. It is a topic that has been swirling around in the kernel community for much of the year. The plenary, which was led by Roman Gushchin, Chris Mason, Josef Bacik, and Sasha Levin, resulted in a quite bit of discussion, so much that a second filesystem-track-only (though others surely sat in) slot was used to continue it later in the day.

The Software Freedom Conservancy (SFC) published a news item on May 18 about its response to violations of the AGPLv3 by Bambu Lab in its 3D printers. The company has not provided the source code to its modifications to a 3D "slicer" program that was released under the AGPLv3 and it has also threatened Paweł Jarczak who created a fork of a different slicer (Orca Slicer) released under AGPLv3 in order to interoperate with his Bambu printer. Based on that, the SFC has created the baltobu project aimed at reverse-engineering and reimplementing the Bambu code while also hosting the Orca Slicer fork.

Bambu has behaved badly for years and made multiple, provably false public statements regarding the AGPLv3 and its requirements. The recent aggressive behavior toward Paweł Jarczak was a last straw for us: we have decided to launch a multi-pronged effort that will assist consumers and users in the short-term, and also work toward a long-term strategy to improve the software right to repair for all 3D printer consumers.

Joshua Hahn began his session in the memory-management track of the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit by saying that the memory controller for control groups is intended to provide resource allocation, accounting, and protection from interference by other tasks. But it was not really designed for tiered-memory systems; he is looking for a way to improve that situation.

Security updates have been issued by Debian (atril, evince, gnutls28, haproxy, haveged, jq, kernel, krb5, libgcrypt20, nodejs, and thunderbird), Fedora (aw-server-rust, awatcher, bind, bind-dyndb-ldap, chromium, composer, docker-buildkit, docker-buildx, dotnet10.0, dotnet8.0, dotnet9.0, evince, firefox, httpd, kernel, nodejs-aw-webui, nss, perl-Apache-Session-Browseable, pie, python-pulp-glue, python-requests, and python3.15), Slackware (kernel), SUSE (apptainer, chromium, cockpit, dnsmasq, google-guest-agent, hauler, iproute2, jfrog-cli, kernel, libecpg6, libsolv, libzypp, zypper, mcphost, oci-cli, perl-YAML-Syck, python-lxml, python-urllib3, python311-impacket, rqlite, rsync, util-linux, and xz), and Ubuntu (evince, linux-azure, linux-azure-5.4, linux-azure-fips, linux-azure-4.15, linux-azure-fips, linux-fips, linux-gcp-5.15, linux-lowlatency-hwe-5.15, linux-oracle-6.17, node-path-to-regexp, and rclone).