Communications

Amazon Renames 'Project Kuiper' Satellite Internet Venture To 'Leo' (geekwire.com)

Amazon announced that its satellite broadband project called Project Kuiper will now be known as Amazon Leo. GeekWire reports: Leo is a nod to "low Earth orbit," where Amazon has so far launched more than 150 satellites as part of a constellation that will eventually include more than 3,200. In a blog post, Amazon said the 7-year-old Project Kuiper began "with a handful of engineers and a few designs on paper" and like most early Amazon projects "the program needed a code name." The team was inspired by the Kuiper Belt, a ring of asteroids in the outer solar system.

A new website for Amazon Leo proclaims "a new era of internet is coming," as Amazon says its satellites can help serve "billions of people on the planet who lack high-speed internet access, and millions of businesses, governments, and other organizations operating in places without reliable connectivity." Amazon said it will begin rolling out service once it's added more coverage and capacity to the network. Details about pricing and availability haven't been announced.

Chromium

Unpatched Bug Can Crash Chromium-Based Browsers in Seconds (theregister.com)

A critical security flaw in Chromium's Blink rendering engine can crash billions of browsers within seconds. Security researcher Jose Pino discovered the vulnerability and created a proof-of-concept exploit called Brash to demonstrate the bug affecting Chrome, Edge, OpenAI's ChatGPT Atlas, Brave, Vivaldi, Arc, Dia, Opera and Perplexity Comet.

The flaw, reports The Register, exploits the absence of rate limiting on document.title API updates in Chromium versions 143.0.7483.0 and later. The attack injects millions of DOM mutations per second and saturates the main thread. When The Register tested the code on Edge, the browser crashed and the Windows machine locked up after about 30 seconds while consuming 18GB of RAM in one tab. Pino disclosed the bug to the Chromium security team on August 28 and followed up on August 30 but received no response. Google said it is looking into the issue.

First Person Shooters (Games)

Programmer Gets Doom Running On a Space Satellite (zdnet.com)

An Icelandic programmer successfully ran Doom on the European Space Agency's OPS-SAT satellite, proving that the iconic 1993 shooter can now run not just everywhere on Earth -- but in orbit. ZDNet reports: Olafur Waage, a senior software developer from Iceland who now works in Norway, explained at Ubuntu Summit 25.10 how he, a self-described "professional keyboard typist" and maker of funny videos, ended up making what is perhaps the game's most outlandish port yet: Doom running on a real satellite in orbit, the European Space Agency (ESA) OPS-SAT satellite. OPS-SAT, a "flying laboratory" for testing novel onboard computing techniques, was equipped with an experimental computer approximately 10 times more powerful than the norm for spacecraft. Waage explained, "OPS-SAT was the first of its kind, devoted to demonstrating drastically improved mission control capabilities when satellites can fly more powerful onboard computers. The point was to break the curse of being too risk-averse with multi-million-dollar spacecraft." (The satellite was decommissioned in 2024.) [...]

Running Doom in orbit was partly a challenge of portability and partly a challenge of the limitations of space hardware and mission control. The on-board ARM dual-core Cortex-A9 processor, while hot stuff for space computing hardware (which tends to be low-powered and radiation-hardened), was slow even by Earth-bound standards. Waage chose Chocolate Doom 2.3, a popular open-source version of Doom, for its compatibility with the Ubuntu 18.04 Long Term Support (LTS) distro, which was already running on OPS-SAT. Besides, Waage noted, "We picked Chocolate Doom 2.3 because of the libraries available for 18.04 -- that was the last one that would actually build."

Updating software in orbit is extremely difficult, so relatively little code would have to be uploaded. As Waage said, "Doom is relatively straightforward C with a few external dependencies." In other words, it's easy to port. [...] The only sign that Doom was running in space at first was a lone log entry. So, the team used the satellite's camera to snap real-time images of the Earth, then swapped Doom's Mars skybox for actual satellite photos. "The idea was to take a screenshot from the satellite and use that as the sky, all rendered in software using the game's restricted 256-color palette," explained Waage. Even this posed unexpected difficulties: "Trying to draw all of these beautiful colors with those colors," said Waage, "it's probably not going to work right off. But we tried gradient tests, NASA demo photos. It took quite a bit of tweaking." Eventually, instead of a fantasy Mars as the sky background, they got a good-looking, real Earth in the game's sky. The game itself ran flawlessly. After all, Waage said, "It ran beautifully. It's on Ubuntu."

Ubuntu

Flatpak Doesn't Work in Ubuntu 25.10, But a Fix is Coming (phoronix.com)

"It's not just you: Flatpak flat-out doesn't work in the new Ubuntu 25.10 release," writes the blog OMG Ubuntu: While Flatpak itself can be installed using apt, trying to install Flatpaks with Flatpak from the command-line throws a "could not unmount revokefs-fuse filesystem" error, followed by "Child process exited with code 1". For those who've installed the Ubuntu 'Questing Quokka' and wanted to kit it out with their favourite software from Flathub, it's a frustrating road bump.

AppArmor, the tool that enforces Ubuntu's security policies for apps, is causing the issue. According to the bug report on Launchpad, the AppArmor profile for fusermount3 lacks the privileges it needs to work properly in Ubuntu 25.10. Fusermount3 is a tool Flatpak relies on to mount and unmount filesystems... This is a bug and it is being worked on. Although there's no timeframe for a fix, it is marked as critical, so will be prioritised.

The bug was reported in early September, but not fixed in time for this week's Ubuntu 25.10 release, reports Phoronix: Only [Friday] an updated AppArmor was pushed to the "questing-proposed" archive for testing. Since then... a number of users have reported that the updated AppArmor from the proposed archive will fix the Flatpak issues being observed. From all the reports so far it looks like that proposed update is in good shape for restoring Flatpak support on Ubuntu 25.10. The Ubuntu team is considering pushing out this update sooner than the typical seven day testing period given the severity of the issue.

More details from WebProNews: Industry insiders point out that AppArmor, Ubuntu's mandatory access control system, was tightened in this release to enhance security... This isn't the first time AppArmor has caused friction; similar issues plagued Telegram Flatpak apps in Ubuntu 24.04 LTS earlier this year, as noted in coverage from OMG Ubuntu.

Security

Redis Warns of Critical Flaw Impacting Thousands of Instances (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: The Redis security team has released patches for a maximum severity vulnerability that could allow attackers to gain remote code execution on thousands of vulnerable instances. Redis (short for Remote Dictionary Server) is an open-source data structure store used in approximately 75% of cloud environments, functioning like a database, cache, and message broker, and storing data in RAM for ultra-fast access. The security flaw (tracked as CVE-2025-49844) is caused by a 13-year-old use-after-free weakness found in the Redis source code and can be exploited by authenticated threat actors using a specially crafted Lua script (a feature enabled by default). Successful exploitation enables them to escape the Lua sandbox, trigger a use-after-free, establish a reverse shell for persistent access, and achieve remote code execution on the targeted Redis hosts.

After compromising a Redis host, attackers can steal credentials, deploy malware or cryptocurrency mining tools, extract sensitive data from Redis, move laterally to other systems within the victim's network, or use stolen information to gain access to other cloud services. "This grants an attacker full access to the host system, enabling them to exfiltrate, wipe, or encrypt sensitive data, hijack resources, and facilitate lateral movement within cloud environments," said Wiz researchers, who reported the security issue at Pwn2Own Berlin in May 2025 and dubbed it RediShell.

While successful exploitation requires attackers first to gain authenticated access to a Redis instance, Wiz found around 330,000 Redis instances exposed online, with at least 60,000 of them not requiring authentication. Redis and Wiz urged admins to patch their instances immediately by applying security updates released on Friday, "prioritizing those that are exposed to the internet." To further secure their Redis instances against remote attacks, admins can also enable authentication, disable Lua scripting and other unnecessary commands, launch Redis using a non-root user account, enable Redis logging and monitoring, limit access to authorized networks only, and implement network-level access controls using firewalls and Virtual Private Clouds (VPCs).
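
To make the hardening advice above concrete, here is an added example (not code from Redis, Wiz or BleepingComputer) in Python that audits a redis.conf for the settings the report names: authentication, interface binding, protected mode and disabled scripting commands. The sample configurations inside it are constructed; `requirepass`, `bind`, `protected-mode` and `rename-command` are real Redis directives, while the ACL, service-account and network controls the report also recommends are not visible in a conf file and are deliberately out of scope.

```python
"""Audit a redis.conf text for the hardening settings the report lists.

Added example, not code from Redis, Wiz or BleepingComputer. It checks
only configuration-file directives (requirepass, bind, protected-mode and
rename-command); ACL rules, the account Redis runs as, and firewall/VPC
controls are not visible in a conf file. The sample configurations at the
bottom are constructed for this demonstration.
"""
from __future__ import annotations

import shlex

# Commands that reach the Lua/function scripting engine. Switching them off
# with `rename-command <CMD> ""` removes the entry point a crafted script needs.
SCRIPTING_COMMANDS = ("EVAL", "EVALSHA", "SCRIPT", "FUNCTION", "FCALL")
WILDCARD_BINDS = ("0.0.0.0", "::", "*")


def parse_conf(text: str) -> list[tuple[str, list[str]]]:
    """Return (directive, args) pairs, skipping blank lines and comments."""
    directives: list[tuple[str, list[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # shlex keeps `rename-command EVAL ""` as three tokens
        directives.append((parts[0].lower(), parts[1:]))
    return directives


def audit(text: str) -> list[str]:
    """Return one human-readable finding per weak or missing setting."""
    findings: list[str] = []
    settings: dict[str, list[str]] = {}
    disabled: set[str] = set()

    for name, args in parse_conf(text):
        if name == "rename-command" and len(args) == 2 and args[1] == "":
            disabled.add(args[0].upper())
        else:
            settings[name] = args  # last occurrence wins, as Redis itself does

    password = settings.get("requirepass", [])
    if not password or password[0] == "":
        findings.append("requirepass unset: any client that reaches the port can run commands")

    bind = settings.get("bind", [])
    if not bind or any(a in WILDCARD_BINDS or a.startswith("*") or a.endswith("*") for a in bind):
        findings.append("bind missing or wildcard: Redis listens on every interface")

    protected = settings.get("protected-mode") or ["yes"]
    if protected[0].lower() == "no":
        findings.append("protected-mode no: the guard against unauthenticated exposure is off")

    still_enabled = [c for c in SCRIPTING_COMMANDS if c not in disabled]
    if still_enabled:
        findings.append("Lua scripting reachable via " + ", ".join(still_enabled)
                        + ' (disable with rename-command <CMD> "")')
    return findings


# Constructed sample: the kind of configuration that ends up exposed online.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample applying the report's mitigations. The password value
# is a placeholder, not a suggested secret.
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command EVAL ""
rename-command EVALSHA ""
rename-command SCRIPT ""
rename-command FUNCTION ""
rename-command FCALL ""
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

Running it on the weak sample reports four findings; the hardened sample reports none. Disabling commands via `rename-command` is the conf-file route; an ACL rule such as `-@scripting` on the user reaches the same end and would need a separate check.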

Science

Scientists Make Embryos From Human Skin DNA For First Time (bbc.com)

An anonymous reader quotes a report from the BBC: US scientists have, for the first time, made early-stage human embryos by manipulating DNA taken from people's skin cells and then fertilizing it with sperm. The technique could overcome infertility due to old age or disease, by using almost any cell in the body as the starting point for life. It could even allow same-sex couples to have a genetically related child. [...]

The Oregon Health and Science University research team's technique takes the nucleus -- which houses a copy of the entire genetic code needed to build the body -- out of a skin cell. This is then placed inside a donor egg that has been stripped of its genetic instructions. So far, the technique is like the one used to create Dolly the Sheep -- the world's first cloned mammal -- born back in 1996. However, this egg is not ready to be fertilized by sperm as it already contains a full suite of chromosomes.

You inherit 23 of these bundles of DNA from each of your parents for a total of 46, which the egg already has. So the next stage is to persuade the egg to discard half of its chromosomes in a process the researchers have termed "mitomeiosis" (the word is a fusion of mitosis and meiosis, the two ways cells divide). The study, published in the journal Nature Communications, showed 82 functional eggs were made. These were fertilized with sperm and some progressed to the early stages of embryo development. None developed beyond the six-day stage.

The technique is far from polished as the egg randomly chooses which chromosomes to discard. It needs to end up with one of each of the 23 types to prevent disease, but ends up with two of some and none of others. There is also a poor success rate (around 9%) and the chromosomes miss an important process where they rearrange their DNA, called crossing over. Prof Mitalipov, a world-renowned pioneer in the field, told me: "We have to perfect it. Eventually, I think that's where the future will go because there are more and more patients that cannot have children."

Programming

Bundler's Lead Maintainer Asserts Trademark in Ongoing Struggle with Ruby Central (arko.net)

After the nonprofit Ruby Central removed all RubyGems' maintainers from its GitHub repository, André Arko — who helped build Bundler — wrote a new blog post on Thursday "detailing Bundler's relationship with Ruby Central," according to this update from The New Stack. "In the last few weeks, Ruby Central has suddenly asserted that they alone own Bundler," he wrote. "That simply isn't true. In order to defend the reputation of the team of maintainers who have given so much time and energy to the project, I have registered my existing trademark on the Bundler project."

He adds that trademarks do not affect copyright, which stays with the original contributors unchanged. "Trademarks only impact one thing: Who is allowed say that what they make is named 'Bundler,'" he wrote. "Ruby Central is welcome to the code, just like everyone else. They are not welcome to the project name that the Bundler maintainers have painstakingly created over the last 15 years."

He is, however, not seeking the trademark for himself, noting that the "idea of Bundler belongs to the Ruby community." "Once there is a Ruby organization that is accountable to the maintainers, and accountable to the community, with openly and democratically elected board members, I commit to transfer my trademark to that organization," he said. "I will not license the trademark, and will instead transfer ownership entirely. Bundler should belong to the community, and I want to make sure that is true for as long as Bundler exists."

The blog It's FOSS also has an update on Spinel, the new worker-owned collective founded by Arko, Samuel Giddins [who led RubyGems security efforts], and Kasper Timm Hansen (who served on the Rails core team from 2016 to 2022 and was one of its top contributors): These guys aren't newcomers but some of the architects behind Ruby's foundational infrastructure. Their flagship offering is rv ["the Ruby swiss army knife"], a tool that aims to replace the fragmented Ruby tooling ecosystem. It promises to [in the future] handle everything from rvm, rbenv, chruby, bundler, rubygems, and others — all at once while redefining how Ruby development tools should work... Spinel operates on retainer agreements with companies needing Ruby expertise instead of depending on sponsors who can withdraw support or demand control. This model maintains independence while ensuring sustainability for the maintainers.

The Register had reported Thursday: Spinel's 'rv' project aims to supplant elements of RubyGems and Bundler with a more modular, version-aware manager. Some in the Ruby community have already accused core Rails figures of positioning Spinel as a threat. For example, Rafael França of Shopify commented that admins of the new project should not be trusted to avoid "sabotaging rubygems or bundler."

Security

Self-Replicating Worm Affected Several Hundred NPM Packages, Including CrowdStrike's (www.koi.security)

The Shai-Hulud malware campaign impacted hundreds of npm packages across multiple maintainers, reports Koi Security, including popular libraries like @ctrl/tinycolor and some packages maintained by CrowdStrike. Malicious versions embed a trojanized script (bundle.js) designed to steal developer credentials, exfiltrate secrets, and persist in repositories and endpoints through automated workflows.

Koi Security created a table of packages identified as compromised, promising it's "continuously updated" (and showing the last compromise detected Tuesday). Nearly all of the compromised packages have a status of "removed from NPM". Attackers published malicious versions of @ctrl/tinycolor and other npm packages, injecting a large obfuscated script (bundle.js) that executes automatically during installation. This payload repackages and republishes maintainer projects, enabling the malware to spread laterally across related packages without direct developer involvement. As a result, the compromise quickly scaled beyond its initial entry point, impacting not only widely used open-source libraries but also CrowdStrike's npm packages.

The injected script performs credential harvesting and persistence operations. It runs TruffleHog to scan local filesystems and repositories for secrets, including npm tokens, GitHub credentials, and cloud access keys for AWS, GCP, and Azure. It also writes a hidden GitHub Actions workflow file (.github/workflows/shai-hulud-workflow.yml) that exfiltrates secrets during CI/CD runs, ensuring long-term access even after the initial infection. This dual focus on endpoint secret theft and CI/CD backdoors makes Shai-Hulud one of the most dangerous campaigns yet seen, compared with previous npm compromises.
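
As an added example (not Koi Security's or Sysdig's tooling), the following Python script hunts a repository checkout or node_modules tree for the indicators the report names: the planted `.github/workflows/shai-hulud-workflow.yml`, a `bundle.js` payload wired into an npm install hook, and the `@ctrl/tinycolor` package name. The demo tree it builds, including the version string in it, is constructed; the watch list holds only the package name given on this page and in practice would be loaded from Koi's table.

```python
"""Hunt a checkout or node_modules tree for the Shai-Hulud indicators named
in the report: the planted workflow file, bundle.js in an npm install hook,
and package names on a watch list.

Added example, not Koi Security's or Sysdig's code. WATCHLIST holds only
the one package name the report gives; a real run would load Koi's full
table. The tree built by build_demo_tree() is constructed for this demo.
"""
from __future__ import annotations

import json
import tempfile
from pathlib import Path

WORKFLOW_NAME = "shai-hulud-workflow.yml"  # workflow file named in the report
PAYLOAD_NAME = "bundle.js"                 # payload script named in the report
WATCHLIST = {"@ctrl/tinycolor"}            # only name on the page; extend from Koi's table
INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # npm lifecycle hooks run at install


def check_package_json(path: Path) -> list[str]:
    """Return finding kinds for one package.json (empty list if nothing matches)."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return []
    if not isinstance(data, dict):
        return []
    kinds: list[str] = []
    if data.get("name") in WATCHLIST:
        kinds.append("watchlist")
    scripts = data.get("scripts")
    if isinstance(scripts, dict):
        for hook in INSTALL_HOOKS:
            cmd = scripts.get(hook)
            if isinstance(cmd, str) and PAYLOAD_NAME in cmd:
                kinds.append(f"{hook}:{PAYLOAD_NAME}")
    return kinds


def scan_tree(root: str | Path) -> list[tuple[str, str]]:
    """Walk root and return sorted (kind, relative_path) findings."""
    root = Path(root)
    findings: list[tuple[str, str]] = []
    for path in root.rglob("*"):  # pathlib globbing also descends into dot-directories
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        parent_names = {p.name for p in path.parents}
        if path.name == WORKFLOW_NAME and ".github" in parent_names:
            findings.append(("workflow", rel))
        elif path.name == "package.json":
            findings.extend((kind, rel) for kind in check_package_json(path))
    return sorted(findings)


def build_demo_tree() -> Path:
    """Constructed sample tree: one clean package, one matching the indicators."""
    root = Path(tempfile.mkdtemp(prefix="shai-hulud-demo-"))
    workflows = root / ".github" / "workflows"
    workflows.mkdir(parents=True)
    (workflows / WORKFLOW_NAME).write_text("# constructed stand-in for the planted workflow\n")
    flagged = root / "node_modules" / "@ctrl" / "tinycolor"
    flagged.mkdir(parents=True)
    (flagged / "package.json").write_text(json.dumps({
        "name": "@ctrl/tinycolor",
        "version": "0.0.0-constructed",  # constructed; not a real compromised version
        "scripts": {"postinstall": "node bundle.js"},
    }))
    clean = root / "node_modules" / "example-clean"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps({"name": "example-clean", "version": "1.0.0"}))
    return root


if __name__ == "__main__":
    for kind, rel in scan_tree(build_demo_tree()):
        print(f"{kind:24} {rel}")
```

A name match alone only says the package is on the watch list; the version still has to be compared against the compromised versions in Koi's table before treating the host as affected, whereas the workflow file or a `bundle.js` install hook is a direct indicator.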

"The malicious code also attempts to leak data on GitHub by making private repositories public," according to a Tuesday blog post from security systems provider Sysdig: The Sysdig Threat Research Team (TRT) has been monitoring this worm's progress since its discovery. Due to quick response times, the number of new packages being compromised has slowed considerably. No new packages have been seen in several hours at the time...

Their blog post concludes "Supply chain attacks are increasing in frequency. It is more important than ever to monitor third-party packages for malicious activity."

Some context from Tom's Hardware: To be clear: This campaign is distinct from the incident that we covered on Sept. 9, which saw multiple npm packages with billions of weekly downloads compromised in a bid to steal cryptocurrency. The ecosystem is the same — attackers have clearly realized the GitHub-owned npm package registry for the Node.js ecosystem is a valuable target — but whoever's behind the Shai-Hulud campaign is after more than just some Bitcoin.

Earth

Warming Seas Threaten Key Phytoplankton Species That Fuels the Food Web (apnews.com)

An anonymous reader quotes a report from the Associated Press: For decades, scientists believed Prochlorococcus, the smallest and most abundant phytoplankton on Earth, would thrive in a warmer world. But new research suggests the microscopic bacterium, which forms the foundation of the marine food web and helps regulate the planet's climate, will decline sharply as seas heat up. A study published Monday in the journal Nature Microbiology found Prochlorococcus populations could shrink by as much as half in tropical oceans over the next 75 years if surface waters exceed about 82 degrees Fahrenheit (27.8 Celsius). Many tropical and subtropical sea surface temperatures are already trending above average and are projected to regularly surpass 86 degrees Fahrenheit (30 Celsius) over that same period.

"These are keystone species -- very important ones," said Francois Ribalet, a research associate professor at the University of Washington's School of Oceanography and the study's lead author. "And when a keystone species decreases in abundance, it always has consequences on ecology and biodiversity. The food web is going to change." Prochlorococcus inhabit up to 75% of Earth's sunlit surface waters and produce about one-fifth of the planet's oxygen through photosynthesis. More crucially, Ribalet said, they convert sunlight and carbon dioxide into food at the base of the marine ecosystem. "In the tropical ocean, nearly half of the food is produced by Prochlorococcus," he said. "Hundreds of species rely on these guys."

Though other forms of phytoplankton may move in and help compensate for the loss of oxygen and food, Ribalet cautioned they are not perfect substitutes. "Evolution has made this very specific interaction," he said. "Obviously, this is going to have an impact on this very unique system that has been established." The findings challenge decades of assumptions that Prochlorococcus would thrive as waters warmed. Those predictions, however, were based on limited data from lab cultures. For this study, Ribalet and his team tested water samples while traversing the Pacific over the course of a decade.

Security

First AI-Powered 'Self-Composing' Ransomware Was Actually Just a University Research Project (tomshardware.com)

Cybersecurity company ESET thought they'd discovered the first AI-powered ransomware in the wild, which they'd dubbed "PromptLock". But it turned out to be the work of university security researchers...

"Unlike conventional malware, the prototype only requires natural language prompts embedded in the binary," the researchers write in a research paper, calling it "Ransomware 3.0: Self-Composing and LLM-Orchestrated." Their prototype "uses the gpt-oss:20b model from OpenAI locally" (using the Ollama API) to "generate malicious Lua scripts on the fly." Tom's Hardware said that would help PromptLock evade detection: If they had to call an API on [OpenAI's] servers every time they generate one of these scripts, the jig would be up. The pitfalls of vibe coding don't really apply, either, since the scripts are running on someone else's system.

The whole thing was actually an experiment by researchers at NYU's Tandon School of Engineering. So "While it is the first to be AI-powered," the school said in an announcement, "the ransomware prototype is a proof-of-concept that is non-functional outside of the contained lab environment."

An NYU spokesperson told Tom's Hardware a Ransomware 3.0 sample was uploaded to the malware-analysis platform VirusTotal, and then picked up by the ESET researchers by mistake: But the malware does work: NYU said "a simulated malicious AI system developed by the Tandon team carried out all four phases of ransomware attacks — mapping systems, identifying valuable files, stealing or encrypting data, and generating ransom notes — across personal computers, enterprise servers, and industrial control systems." Is that worrisome? Absolutely. But there's a significant difference between academic researchers demonstrating a proof-of-concept and legitimate hackers using that same technique in real-world attacks. Now the study will likely inspire the ne'er-do-wells to adopt similar approaches, especially since it seems to be remarkably affordable.

"The economic implications reveal how AI could reshape ransomware operations," the NYU researchers said. "Traditional campaigns require skilled development teams, custom malware creation, and substantial infrastructure investments. The prototype consumed approximately 23,000 AI tokens per complete attack execution, equivalent to roughly $0.70 using commercial API services running flagship models."

As if that weren't enough, the researchers said that "open-source AI models eliminate these costs entirely," so ransomware operators won't even have to shell out the 70 cents needed to work with commercial LLM service providers...

"The study serves as an early warning to help defenders prepare countermeasures," NYU said in an announcement, "before bad actors adopt these AI-powered techniques."

ESET posted on Mastodon that "Nonetheless, our findings remain valid — the discovered samples represent the first known case of AI-powered ransomware."

And the ESET researcher who'd mistakenly thought the ransomware was "in the wild" had warned that looking ahead, ransomware "will likely become more sophisticated, faster spreading, and harder to detect.... This makes cybersecurity awareness, regular backups, and stronger digital hygiene more important than ever."

AI

FreeBSD Project Isn't Ready To Let AI Commit Code Just Yet (theregister.com)

The latest status report from the FreeBSD Project says no thanks to code generated by LLM-based assistants. From a report: The FreeBSD Project's Status Report for the second quarter of 2025 contains updates from various sub-teams that are working on improving the FreeBSD OS, including separate sub-projects such as enabling FreeBSD apps to run on Linux, Chinese translation efforts, support for Solaris-style Extended Attributes, and for Apple's legacy HFS+ file system.

The thing that stood out to us, though, was that the core team is working on what it terms a "Policy on generative AI created code and documentation." The relevant paragraph says: "Core is investigating setting up a policy for LLM/AI usage (including but not limited to generating code). The result will be added to the Contributors Guide in the doc repository. AI can be useful for translations (which seems faster than doing the work manually), explaining long/obscure documents, tracking down bugs, or helping to understand large code bases. We currently tend to not use it to generate code because of license concerns. The discussion continues at the core session at BSDCan 2025 developer summit, and core is still collecting feedback and working on the policy."

Python

New Python Documentary Released On YouTube (youtube.com)

"From a side project in Amsterdam to powering AI at the world's biggest companies — this is the story of Python," says the description of a new 84-minute documentary.

Long-time Slashdot reader destinyland writes: It traces Python all the way back to its origins in Amsterdam back in 1991. (Although the first time Guido van Rossum showed his new language to a co-worker, they'd typed one line of code just to prove they could crash Python's first interpreter.) The language slowly spread after van Rossum released it on Usenet — split across 21 separate posts — and Robin Friedrich, a NASA aerospace engineer, remembers using Python to build flight simulations for the Space Shuttle. (Friedrich says in the documentary he also attended Guido's first in-person U.S. workshop in 1994, and "I still have the t-shirt...")

Dropbox's CEO/founder Drew Houston describes what it was like being one of the first companies to use Python to build a company reaching millions of users. (Another success story was YouTube, which was built by a small team using Python before being acquired by Google). Anaconda co-founder Travis Oliphant remembers Python's popularity increasing even more thanks to the data science/machine learning community. But the documentary also includes the controversial move to Python 3 (which broke compatibility with earlier versions). Though ironically, one of the people slogging through a massive code migration ended up being van Rossum himself at his new job at Dropbox. The documentary also includes van Rossum's resignation as "Benevolent Dictator for Life" after approving the walrus operator. (In van Rossum's words, he essentially "rage-quit over this issue.")

But the focus is on Python's community. At one point, various interviewees even take turns reciting passages from the "Zen of Python" — which to this day is still hidden in Python as an import-able library as a kind of Easter Egg.

"It was a massive undertaking", the documentary's director explains in a new interview, describing a full year of interviews. (The article features screenshots from the documentary — including a young Guido van Rossum and the original 1991 email that announced Python to the world.) [Director Bechtle] is part of a group that's filmed documentaries on everything from Kubernetes and Prometheus to Angular, Node.js, and Ruby on Rails... Originally part of the job platform Honeypot, the documentary-makers relaunched in April as Cult.Repo, promising they were "100% independent and more committed than ever to telling the human stories behind technology."

Honeypot's founder Emma Tracey bought back its 272,000-subscriber YouTube channel from Honeypot's new owners, New Work SE, and Cult.Repo now bills itself as "The home of Open Source documentaries."

Over in a thread at Python.org, language creator Guido van Rossum has identified the Python community members in the film's Monty Python-esque poster art. And core developer Hugo van Kemenade notes there's also a video from EuroPython with a 55-minute Q&A about the documentary.

Science

'Rosetta Stone' of Code Shrinks Quantum Computer Hardware Needs (phys.org)

alternative_right shares a report from Phys.org: Now, for the first time, quantum scientists at the Quantum Control Laboratory at the University of Sydney Nano Institute have demonstrated a type of quantum logic gate that drastically reduces the number of physical qubits needed for its operation. To do this, they built an entangling logic gate on a single atom using an error-correcting code nicknamed the "Rosetta stone" of quantum computing. It earns that name because it translates smooth, continuous quantum oscillations into clean, digital-like discrete states, making errors easier to spot and fix, and importantly, allowing a highly compact way to encode logical qubits.

The curiously named Gottesman-Kitaev-Preskill (GKP) code has for many years offered a theoretical possibility for significantly reducing the physical number of qubits needed to produce a functioning "logical qubit." Albeit by trading efficiency for complexity, making the codes very difficult to control. Research published in Nature Physics demonstrates this as a physical reality, tapping into the natural oscillations of a trapped ion (a charged atom of ytterbium) to store GKP codes and, for the first time, realizing quantum entangling gates between them.

Led by Sydney Horizon Fellow Dr. Tingrei Tan at the University of Sydney Nano Institute, scientists have used their exquisite control over the harmonic motion of a trapped ion to bridge the coding complexity of GKP qubits, allowing a demonstration of their entanglement. "Our experiments have shown the first realization of a universal logical gate set for GKP qubits," Dr. Tan said. "We did this by precisely controlling the natural vibrations, or harmonic oscillations, of a trapped ion in such a way that we can manipulate individual GKP qubits or entangle them as a pair." [...] Across three experiments described in the paper, Dr. Tan's team used a single ytterbium ion contained in what is known as a Paul trap. This uses a complex array of lasers at room temperature to hold the single atom in the trap, allowing its natural vibrations to be controlled and utilized to produce the complex GKP codes. This research represents an important demonstration that quantum logic gates can be developed with a reduced physical number of qubits, increasing their efficiency.

Microsoft

More Game Workers at Microsoft's 'Blizzard' Join a Union (aftermath.site)

This week workers on Blizzard's "Story and Franchise Development" team "strongly voted" to join America's largest communications and media labor union, the Communications Workers of America.

From the union's announcement: The Story and Franchise Development team is Blizzard's in-house cinematics, animation, and narrative team, producing the trailers, promotional videos, in-game cutscenes, and other narrative content for Blizzard franchises — as well as franchise archival workers and historians. These workers will be the first in-house cinematic, animation, and narrative studio to form a union in the North American game industry, joining nearly 3,000 workers at Microsoft-owned studios who have organized with CWA to build better standards across the video game industry after Microsoft acquired Activision Blizzard in 2023...

The announcement is the latest update in organizing the tech and video game industry, as over 6,000 workers in the United States and Canada have organized with the Campaign to Organize Digital Employees (CODE-CWA) since launching over five years ago. Last week, workers at Raven Software secured a historic contract with Microsoft, joining ZeniMax QA developers at CWA, who also secured a contract with the company in June.

"CWA says that Blizzard owner Microsoft has recognized the union," reports the gaming news site Aftermath, in accordance with the labor neutrality policy Microsoft agreed to in 2022, leading to several other union game studios at Microsoft: In July 2024, 500 workers on Blizzard-owned World of Warcraft formed a union that they called "the largest wall-to-wall union at a Microsoft-owned studio," alongside Blizzard QA workers in Austin. Other studios across Microsoft have also unionized in recent years, including at Bethesda, ZeniMax Online Studios, and ZeniMax QA, the latter of which finally reached a contract in May after nearly two years of bargaining. Unionized workers at Raven Studios reached a contract with Microsoft earlier this month.

The CWA's announcement this week included this quote from one organizing committee member (and a cinematic producer). "I'm excited that we have joined together in forming a union to protect my colleagues from things like misguided policies and instability as a result of layoffs."

Open Source

Remember the Companies Making Vital Open Source Contributions (infoworld.com) 22

Matt Asay answered questions from Slashdot readers in 2010 as the then-COO of Canonical. Today he runs developer marketing at Oracle (after holding similar positions at AWS, Adobe, and MongoDB).

And this week Asay contributed an opinion piece to InfoWorld reminding us of open source contributions from companies where "enlightened self-interest underwrites the boring but vital work — CI hardware, security audits, long-term maintenance — that grassroots volunteers struggle to fund." [I]f you look at the Linux 6.15 kernel contributor list (as just one example), the top contributor, as measured by change sets, is Intel... Another example: Take the last year of contributions to Kubernetes. Google (of course), Red Hat, Microsoft, VMware, and AWS all headline the list. Not because it's sexy, but because they make billions of dollars selling Kubernetes services... Some companies (including mine) sell proprietary software, and so it's easy to mentally bucket these vendors with license fees or closed cloud services. That bias makes it easy to ignore empirical contribution data, which indicates open source contributions on a grand scale.
Asay notes Oracle's many contributions to Linux: In the [Linux kernel] 6.1 release cycle, Oracle emerged as the top contributor by lines of code changed across the entire kernel... [I]t's Oracle that patches memory-management structures and shepherds block-device drivers for the Linux we all use. Oracle's kernel work isn't a one-off either. A few releases earlier, the company topped the "core of the kernel" leaderboard in 5.18, and it hasn't slowed down since, helping land the Maple Tree data structure and other performance boosters. Those patches power Oracle Cloud Infrastructure (OCI), of course, but they also speed up Ubuntu on your old ThinkPad. Self-interested contributions? Absolutely. Public benefit? Equally absolute.

This isn't just an Oracle thing. When we widen the lens beyond Oracle, the pattern holds. In 2023, I wrote about Amazon's "quiet open source revolution," showing how AWS was suddenly everywhere in GitHub commit logs despite the company's earlier reticence. (Disclosure: I used to run AWS' open source strategy and marketing team.) Back in 2017, I argued that cloud vendors were open sourcing code as on-ramps to proprietary services rather than end-products. Both observations remain true, but they miss a larger point: Motives aside, the code flows and the community benefits.

If you care about outcomes, the motives don't really matter. Or maybe they do: It's far more sustainable to have companies contributing because it helps them deliver revenue than to contribute out of charity. The former is durable; the latter is not.

There's another practical consideration: scale. "Large vendors wield resources that community projects can't match."

Asay closes by urging readers to "Follow the commits" and "embrace mixed motives... the point isn't sainthood; it's sustainable, shared innovation. Every company (and really every developer) contributes out of some form of self-interest. That's the rule, not the exception. Embrace it." Going forward, we should expect to see even more counterintuitive contributor lists. Generative AI is turbocharging code generation, but someone still has to integrate those patches, write tests, and shepherd them upstream. The companies with the most to lose from brittle infrastructure — cloud providers, database vendors, silicon makers — will foot the bill. If history is a guide, they'll do so quietly.
Medicine

New Brain Device Is First To Read Out Inner Speech 30

An anonymous reader quotes a report from ScientificAmerican: After a brain stem stroke left him almost entirely paralyzed in the 1990s, French journalist Jean-Dominique Bauby wrote a book about his experiences -- letter by letter, blinking his left eye in response to a helper who repeatedly recited the alphabet. Today people with similar conditions often have far more communication options. Some devices, for example, track eye movements or other small muscle twitches to let users select words from a screen. And on the cutting edge of this field, neuroscientists have more recently developed brain implants that can turn neural signals directly into whole words. These brain-computer interfaces (BCIs) largely require users to physically attempt to speak, however -- and that can be a slow and tiring process. But now a new development in neural prosthetics changes that, allowing users to communicate by simply thinking what they want to say.

The new system relies on much of the same technology as the more common "attempted speech" devices. Both use sensors implanted in a part of the brain called the motor cortex, which sends motion commands to the vocal tract. The brain activation detected by these sensors is then fed into a machine-learning model to interpret which brain signals correspond to which sounds for an individual user. It then uses those data to predict which word the user is attempting to say. But the motor cortex doesn't only light up when we attempt to speak; it's also involved, to a lesser extent, in imagined speech. The researchers took advantage of this to develop their "inner speech" decoding device and published the results on Thursday in Cell. The team studied three people with amyotrophic lateral sclerosis (ALS) and one with a brain stem stroke, all of whom had previously had the sensors implanted. Using this new "inner speech" system, the participants needed only to think a sentence they wanted to say and it would appear on a screen in real time. While previous inner speech decoders were limited to only a handful of words, the new device allowed participants to draw from a dictionary of 125,000 words.
To help keep private thoughts private, the researchers implemented a code phrase "chitty chitty bang bang" that participants could use to prompt the BCI to start or stop transcribing.
Programming

Rust's Annual Tech Report: Trusted Publishing for Packages and a C++/Rust Interop Strategy (rustfoundation.org) 25

Thursday saw the release of Rust 1.89.0. But this week the Rust Foundation also released its second comprehensive annual technology report.

A Rust Foundation announcement shares some highlights:

- Trusted Publishing [GitHub Actions authentication using cryptographically signed tokens] fully launched on crates.io, enhancing supply chain security and streamlining workflows for maintainers.

- Major progress on crate signing infrastructure using The Update Framework (TUF), including three full repository implementations and stakeholder consensus.

- Integration of the Ferrocene Language Specification (FLS) into the Rust Project, marking a critical step toward a formal Rust language specification [and "laying the groundwork for broader safety certification and formal tooling."]

- 75% reduction in CI infrastructure costs while maintaining contributor workflow stability. ["All Rust repositories are now managed through Infrastructure-as-Code, improving maintainability and security."]

- Expansion of the Safety-Critical Rust Consortium, with multiple international meetings and advances on coding guidelines aligned with safety standards like MISRA. ["The consortium is developing practical coding guidelines, aligned tooling, and reference materials to support regulated industries — including automotive, aerospace, and medical devices — adopting Rust."]

- Direct engagement with ISO C++ standards bodies and collaborative Rust-C++ exploration... The Foundation finalized its strategic roadmap, participated in ISO WG21 meetings, and initiated cross-language tooling and documentation planning. These efforts aim to unlock Rust adoption across legacy C++ environments without sacrificing safety.

The Rust Foundation also acknowledges continued funding from OpenSSF's Alpha-Omega Project and "generous infrastructure donations from organizations like AWS, GitHub, and Mullvad VPN" to the Foundation's Security Initiative, which enabled advances ranging from GitHub Secret Scanning and automated incident response to "Trusted Publishing" and the integration of vulnerability-surfacing capabilities into crates.io.
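The "Trusted Publishing" item above is a token exchange: a GitHub Actions job presents a signed OIDC identity token, and the registry decides whether that identity matches the publisher the crate owner registered before it hands out anything that can publish. The Go program below is an added example, not crates.io's code or anything from the Rust Foundation report: it models the registry-side check. The claim names (`iss`, `aud`, `repository`, `job_workflow_ref`, `exp`) are the ones GitHub's OIDC tokens carry; the audience value `crates.io`, the `TrustedPublisher` structure and the repository and workflow names are assumptions for the example, and the signing key is generated locally so the program runs offline instead of fetching GitHub's JWKS.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// TrustedPublisher is what a crate owner registers: the GitHub repository and
// workflow file allowed to publish (field names are this example's, not crates.io's).
type TrustedPublisher struct{ Owner, Repo, Workflow string }

// Claims is the subset of GitHub Actions OIDC token claims the check relies on.
type Claims struct {
	Iss            string `json:"iss"`
	Aud            string `json:"aud"`
	Repository     string `json:"repository"`
	JobWorkflowRef string `json:"job_workflow_ref"`
	Exp            int64  `json:"exp"`
}

const githubIssuer = "https://token.actions.githubusercontent.com"

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mintToken stands in for GitHub's OIDC provider and signs the claims as an RS256 JWT.
func mintToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// verifyPublisher is the registry-side check: signature first, then every claim that
// binds the token to the registered publisher. pub would normally come from the issuer's JWKS.
func verifyPublisher(tok string, pub *rsa.PublicKey, tp TrustedPublisher, now int64) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	dec := base64.RawURLEncoding.DecodeString
	hdr, errH := dec(parts[0])
	payload, errP := dec(parts[1])
	sig, errS := dec(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, fmt.Errorf("malformed base64url segment")
	}
	// Pin the algorithm before anything else: rejects alg=none and HMAC key-confusion downgrades.
	var h struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdr, &h); err != nil || h.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected or missing alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	wantRepo := tp.Owner + "/" + tp.Repo
	switch {
	case c.Iss != githubIssuer:
		return nil, fmt.Errorf("wrong issuer %q", c.Iss)
	case c.Aud != "crates.io": // the audience the registry requested (assumed value)
		return nil, fmt.Errorf("wrong audience %q", c.Aud)
	case c.Exp <= now:
		return nil, fmt.Errorf("token expired")
	case c.Repository != wantRepo: // a fork's token carries the fork's repository claim
		return nil, fmt.Errorf("repository %q is not the trusted publisher", c.Repository)
	case !strings.HasPrefix(c.JobWorkflowRef, wantRepo+"/.github/workflows/"+tp.Workflow+"@"):
		return nil, fmt.Errorf("workflow %q is not the registered workflow", c.JobWorkflowRef)
	}
	return &c, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tp := TrustedPublisher{Owner: "example-org", Repo: "example-crate", Workflow: "release.yml"}
	c := Claims{Iss: githubIssuer, Aud: "crates.io", Repository: "example-org/example-crate",
		JobWorkflowRef: "example-org/example-crate/.github/workflows/release.yml@refs/tags/v1.2.3", Exp: 2_000_000_000}
	tok, _ := mintToken(priv, c)
	_, err := verifyPublisher(tok, &priv.PublicKey, tp, 1_900_000_000)
	fmt.Println("release workflow in the trusted repo:", err)
	c.Repository = "attacker/example-crate" // same workflow file, run from a fork
	tok, _ = mintToken(priv, c)
	_, err = verifyPublisher(tok, &priv.PublicKey, tp, 1_900_000_000)
	fmt.Println("same workflow file run from a fork:", err)
}
```

The order matters: the algorithm is pinned and the signature checked before any claim is read, and the repository and workflow checks are what stop a fork, or an unrelated workflow file in the same repository, from obtaining a publish token. A real registry would also select the verification key by the token's `kid`, keep the publish token it mints in return short-lived, and record the claims so that an unexpected publisher shows up in the incident-response path the report mentions.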

There was another announcement this week. In November AWS and the Rust Foundation crowdsourced "an effort to verify the Rust standard library" — and it's now resulted in a new formal verification tool being added to that effort: the "Efficient SMT-based Context-Bounded Model Checker" (or ESBMC). This winning contribution adds ESBMC — a state-of-the-art bounded model checker — to the suite of tools used to analyze and verify Rust's standard library. By integrating through Goto-Transcoder, they enabled ESBMC to operate seamlessly in the Rust verification workflow, significantly expanding the scope and flexibility of verification efforts...

This achievement builds on years of ongoing collaboration across the Rust and formal verification communities... The collaboration has since expanded. In addition to verifying the Rust standard library, the team is exploring the use of formal methods to validate automated C-to-Rust translations, with support from AWS. This direction, highlighted by AWS Senior Principal Scientist Baris Coskun and celebrated by the ESBMC team in a recent LinkedIn post, represents an exciting new frontier for Rust safety and verification tooling.

Open Source

Google's New Security Project 'OSS Rebuild' Tackles Package Supply Chain Verification (googleblog.com) 13

This week Google's Open Source Security Team announced "a new project to strengthen trust in open source package ecosystems" — by reproducing upstream artifacts.

It includes automation to derive declarative build definitions, new "build observability and verification tools" for security teams, and even "infrastructure definitions" to help organizations rebuild, sign, and distribute provenance by running their own OSS Rebuild instances. (And as part of the initiative, the team also published SLSA Provenance attestations "for thousands of packages across our supported ecosystems.") Our aim with OSS Rebuild is to empower the security community to deeply understand and control their supply chains by making package consumption as transparent as using a source repository. Our rebuild platform unlocks this transparency by utilizing a declarative build process, build instrumentation, and network monitoring capabilities which, within the SLSA Build framework, produces fine-grained, durable, trustworthy security metadata. Building on the hosted infrastructure model that we pioneered with OSS Fuzz for memory issue detection, OSS Rebuild similarly seeks to use hosted resources to address security challenges in open source, this time aimed at securing the software supply chain... We are committed to bringing supply chain transparency and security to all open source software development. Our initial support for the PyPI (Python), npm (JS/TS), and Crates.io (Rust) package registries — providing rebuild provenance for many of their most popular packages — is just the beginning of our journey...

OSS Rebuild helps detect several classes of supply chain compromise:

- Unsubmitted Source Code: When published packages contain code not present in the public source repository, OSS Rebuild will not attest to the artifact.

- Build Environment Compromise: By creating standardized, minimal build environments with comprehensive monitoring, OSS Rebuild can detect suspicious build activity or avoid exposure to compromised components altogether.

- Stealthy Backdoors: Even sophisticated backdoors like xz often exhibit anomalous behavioral patterns during builds. OSS Rebuild's dynamic analysis capabilities can detect unusual execution paths or suspicious operations that are otherwise impractical to identify through manual review.


For enterprises and security professionals, OSS Rebuild can...

- Enhance metadata without changing registries by enriching data for upstream packages. No need to maintain custom registries or migrate to a new package ecosystem.

- Augment SBOMs by adding detailed build observability information to existing Software Bills of Materials, creating a more complete security picture...

- Accelerate vulnerability response by providing a path to vendor, patch, and re-host upstream packages using our verifiable build definitions...

The easiest (but not only!) way to access OSS Rebuild attestations is to use the provided Go-based command-line interface.

"With OSS Rebuild's existing automation for PyPI, npm, and Crates.io, most packages obtain protection effortlessly without user or maintainer intervention."
Google

Google Launches OSS Rebuild (googleblog.com) 7

Google has announced OSS Rebuild, a new project designed to detect supply chain attacks in open source software by independently reproducing and verifying package builds across major repositories. The initiative, unveiled by the company's Open Source Security Team, targets PyPI (Python), npm (JavaScript/TypeScript), and Crates.io (Rust) packages.

The system, the company said, automatically creates standardized build environments to rebuild packages and compare them against published versions. OSS Rebuild generates SLSA Provenance attestations for thousands of packages, meeting SLSA Build Level 3 requirements without requiring publisher intervention. The project can identify three classes of compromise: unsubmitted source code not present in public repositories, build environment tampering, and sophisticated backdoors that exhibit unusual execution patterns during builds.

Google cited recent real-world attacks including solana/webjs (2024), tj-actions/changed-files (2025), and xz-utils (2024) as examples of threats the system addresses. Open source components now account for 77% of modern applications with an estimated value exceeding $12 trillion. The project builds on Google's hosted infrastructure model previously used for OSS Fuzz memory issue detection.
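Both OSS Rebuild summaries above describe the same two-sided check: the rebuilder reproduces a package from its public source and attests only when the result matches what the registry serves, and a consumer then refuses any artifact whose bytes are not named by a provenance statement from a builder it trusts. The Go program below is an added example, not OSS Rebuild's code or its CLI: it builds a minimal in-toto statement carrying a SLSA v1 provenance predicate for a constructed artifact and checks it from the consumer side. The package name, builder identity and `buildType` URL are made up for the example; the DSSE envelope and its signature, which a real consumer must verify before trusting any of these fields, are omitted.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

const (
	statementType  = "https://in-toto.io/Statement/v1"
	slsaProvenance = "https://slsa.dev/provenance/v1"
)

// Statement is the in-toto statement that a SLSA provenance predicate rides in.
// Only the fields this check reads are modelled; the DSSE envelope and its
// signature are omitted.
type Statement struct {
	Type          string    `json:"_type"`
	Subject       []Subject `json:"subject"`
	PredicateType string    `json:"predicateType"`
	Predicate     Predicate `json:"predicate"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

type Predicate struct {
	BuildDefinition struct {
		BuildType string `json:"buildType"`
	} `json:"buildDefinition"`
	RunDetails struct {
		Builder struct {
			ID string `json:"id"`
		} `json:"builder"`
	} `json:"runDetails"`
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// rebuildVerdict is the rebuilder side: the package was rebuilt from its public
// source and is attested only on a byte-for-byte match with the published
// artifact. A mismatch is the "unsubmitted source code" case and yields no statement.
func rebuildVerdict(name, builderID string, published, rebuilt []byte) (*Statement, error) {
	if !bytes.Equal(published, rebuilt) {
		return nil, fmt.Errorf("%s: rebuilt sha256 %s != published %s; refusing to attest",
			name, sha256Hex(rebuilt)[:12], sha256Hex(published)[:12])
	}
	st := &Statement{Type: statementType, PredicateType: slsaProvenance,
		Subject: []Subject{{Name: name, Digest: map[string]string{"sha256": sha256Hex(published)}}}}
	st.Predicate.BuildDefinition.BuildType = "https://example.invalid/rebuild/v1" // hypothetical buildType
	st.Predicate.RunDetails.Builder.ID = builderID
	return st, nil
}

// consumerCheck is the installer side: refuse an artifact unless a provenance
// statement from a trusted builder names exactly the bytes we are holding.
func consumerCheck(artifact, statementJSON []byte, trustedBuilders map[string]bool) error {
	var st Statement
	if err := json.Unmarshal(statementJSON, &st); err != nil {
		return err
	}
	if st.Type != statementType || st.PredicateType != slsaProvenance {
		return fmt.Errorf("not a SLSA v1 provenance statement (%q, %q)", st.Type, st.PredicateType)
	}
	if !trustedBuilders[st.Predicate.RunDetails.Builder.ID] {
		return fmt.Errorf("builder %q is not trusted", st.Predicate.RunDetails.Builder.ID)
	}
	want := sha256Hex(artifact)
	for _, s := range st.Subject {
		if s.Digest["sha256"] == want {
			return nil
		}
	}
	return errors.New("provenance does not cover this artifact: sha256 mismatch")
}

func main() {
	published := []byte("constructed bytes standing in for example-pkg-1.0.0.tgz")
	builder := "https://rebuilder.example.invalid" // hypothetical rebuilder identity
	st, err := rebuildVerdict("pkg:npm/example-pkg@1.0.0", builder, published, published)
	if err != nil {
		fmt.Println("rebuilder:", err)
		return
	}
	raw, _ := json.MarshalIndent(st, "", "  ")
	fmt.Println(string(raw))
	trusted := map[string]bool{builder: true}
	fmt.Println("consumer, bytes match attestation:", consumerCheck(published, raw, trusted))
	tampered := append(append([]byte{}, published...), "\n// bytes not produced by the public source"...)
	fmt.Println("consumer, bytes altered after attestation:", consumerCheck(tampered, raw, trusted))
	_, err = rebuildVerdict("pkg:npm/example-pkg@1.0.0", builder, tampered, published)
	fmt.Println("rebuilder, artifact with unsubmitted code:", err)
}
```

Comparing raw bytes is the strict form of the check; real rebuilds have to account for non-semantic differences such as archive timestamps and file ordering before the comparison, and a mismatch that survives that normalisation is the "unsubmitted source code" signal the first summary describes. The consumer check is what "enhance metadata without changing registries" buys you: the statement is looked up by digest, so neither the registry nor the package has to change for the check to apply.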
The Military

Ukrainian Hackers Claim To Have Destroyed Major Russian Drone Maker's Entire Network (theregister.com) 274

Ukrainian hacker group BO Team, with help from the Ukrainian Cyber Alliance and possibly Ukraine's military, claims to have wiped out one of Russia's largest military drone manufacturers, destroying 47TB of production data and even disabling the doors in the facility. "Or, as described by the hacking collective (per Google translate), they 'deeply penetrated' the drone manufacturer 'to the very tonsils of demilitarization and denazification,'" reports The Register. From the report: BO Team (also known as Black Owl) announced the breach on its Telegram channel, and claimed to have carried out the operation alongside fellow hackers the Ukrainian Cyber Alliance "and one very well-known organization, the mention of which makes Vanya's bottle receivers explode," according to a Google translation of the Russian text. While the "very well-known organization" isn't named, BO Team included a link to Ukraine's Ministry of Defence.

The military intelligence agency, working alongside the attackers, "carried out large-scale work to capture the entire network and server infrastructure of Gaskar Group, collect valuable information about the UAVs being produced and prospective, and then destroy the information and disable this infrastructure," the Telegram post continued. This reportedly included 47TB of technical information about the production of Russian drones, and BO Team claims to have destroyed all of the information on Gaskar's servers, including 10TB of backup files. "By the way, from the information we received, China is providing assistance in the production and training of specialists of Gaskar Group," the hackers added via Telegram. BO Team also posted what they claim to be confidential employee questionnaires [PDF].

On their own Telegram channel, the Ukrainian Cyber Alliance said they also stole "all the source code" before destroying everything. "The network went down so thoroughly that the doors in the building were blocked," the pro-Ukraine crew wrote, per Google translate. "To open them, the administration had to turn on the fire alarm. Most likely, the defense order is on the verge of failure, and thousands of drones will not get to the front in the near future."
