This week Google's Open Source Security Team announced "a new project to strengthen trust in open source package ecosystems" — by reproducing upstream artifacts.

It includes automation to derive declarative build definitions, new "build observability and verification tools" for security teams, and even "infrastructure definitions" to help organizations rebuild, sign, and distribute provenance by running their own OSS Rebuild instances. (And as part of the initiative, the team also published SLSA Provenance attestations "for thousands of packages across our supported ecosystems.") Our aim with OSS Rebuild is to empower the security community to deeply understand and control their supply chains by making package consumption as transparent as using a source repository. Our rebuild platform unlocks this transparency by utilizing a declarative build process, build instrumentation, and network monitoring capabilities which, within the SLSA Build framework, produces fine-grained, durable, trustworthy security metadata. Building on the hosted infrastructure model that we pioneered with OSS Fuzz for memory issue detection, OSS Rebuild similarly seeks to use hosted resources to address security challenges in open source, this time aimed at securing the software supply chain... We are committed to bringing supply chain transparency and security to all open source software development. Our initial support for the PyPI (Python), npm (JS/TS), and Crates.io (Rust) package registries — providing rebuild provenance for many of their most popular packages — is just the beginning of our journey...

OSS Rebuild helps detect several classes of supply chain compromise:

- Unsubmitted Source Code: When published packages contain code not present in the public source repository, OSS Rebuild will not attest to the artifact.

- Build Environment Compromise: By creating standardized, minimal build environments with comprehensive monitoring, OSS Rebuild can detect suspicious build activity or avoid exposure to compromised components altogether.

- Stealthy Backdoors: Even sophisticated backdoors like xz often exhibit anomalous behavioral patterns during builds. OSS Rebuild's dynamic analysis capabilities can detect unusual execution paths or suspicious operations that are otherwise impractical to identify through manual review.


For enterprises and security professionals, OSS Rebuild can...

— Enhance metadata without changing registries by enriching data for upstream packages. No need to maintain custom registries or migrate to a new package ecosystem.

— Augment SBOMs by adding detailed build observability information to existing Software Bills of Materials, creating a more complete security picture...

- Accelerate vulnerability response by providing a path to vendor, patch, and re-host upstream packages using our verifiable build definitions...


The easiest (but not only!) way to access OSS Rebuild attestations is to use the provided Go-based command-line interface.
"With OSS Rebuild's existing automation for PyPI, npm, and Crates.io, most packages obtain protection effortlessly without user or maintainer intervention."

An anonymous reader quotes a report from Tom's Hardware: At the 2025 RISC-V Summit in China, Nvidia announced that its CUDA software platform will be made compatible with the RISC-V instruction set architecture (ISA) on the CPU side of things. The news was confirmed during a presentation during a RISC-V event. This is a major step in enabling the RISC-V ISA-based CPUs in performance demanding applications. The announcement makes it clear that RISC-V can now serve as the main processor for CUDA-based systems, a role traditionally filled by x86 or Arm cores. While nobody even barely expects RISC-V in hyperscale datacenters any time soon, RISC-V can be used on CUDA-enabled edge devices, such as Nvidia's Jetson modules. However, it looks like Nvidia does indeed expect RISC-V to be in the datacenter.

Nvidia's profile on RISC-V seems to be quite high as the keynote at the RISC-V Summit China was delivered by Frans Sijsterman, who appears to be Vice President of Hardware Engineering at Nvidia. The presentation outlined how CUDA components will now run on RISC-V. A diagram shown at the session illustrated a typical configuration: the GPU handles parallel workloads, while a RISC-V CPU executes CUDA system drivers, application logic, and the operating system. This setup enables the CPU to orchestrate GPU computations fully within the CUDA environment. Given Nvidia's current focus, the workloads must be AI-related, yet the company did not confirm this. However, there is more.

Also featured in the diagram was a DPU handling networking tasks, rounding out a system consisting of GPU compute, CPU orchestration, and data movement. This configuration clearly suggests Nvidia's vision to build heterogeneous compute platforms where RISC-V CPU can be central to managing workloads while Nvidia's GPUs, DPUs, and networking chips handle the rest. Yet again, there is more. Even with this low-profile announcement, Nvidia essentially bridges proprietary CUDA stack to an open architecture, one that seems to develop fast in China. Yet, being unable to ship flagship GB200 and GB300 offerings to China, the company has to find ways to keep its CUDA thriving.

NVIDIA has released additional open-source header files for its Blackwell and Hopper GPU architectures, continuing its effort to support open-source drivers like Nouveau/NVK and the NOVA Rust driver. Phoronix reports: Last week NVIDIA open-sourced 12k lines of C header files for Blackwell GPUs to help in the open-source driver efforts, namely for Nouveau / NVK and the in-development NOVA Rust driver. On Friday they made public some additional header files for helping in the Blackwell and Hopper open-source driver enablement.

Following the previously-covered open-source header activity, on Friday this commit was pushed to their open-source documentation repository that provides Hopper and Blackwell DMA-copy class header files. [...] In turn the code has already been imported into Mesa Git.

Twitter co-founder/Block CEO Jack Dorsey isn't just vibe coding new apps like Bitchat and Sun Day. He's also "invested $10 million in an effort to fund experimental open source projects and other tools that could ultimately transform the social media landscape," reports TechCrunch," funding the projects through an online collective formed in May called "andOtherStuff: [T]he team at "andOtherStuff" is determined not to build a company but is instead operating like a "community of hackers," explains Evan Henshaw-Plath [who handles UX/onboarding and was also Twitter's first employee]. Together, they're working to create technologies that could include new consumer social apps as well as various experiments, like developer tools or libraries, that would allow others to build apps for themselves.

For instance, the team is behind an app called Shakespeare, which is like the app-building platform Lovable, but specifically for building Nostr-based social apps with AI assistance. The group is also behind heynow, a voice note app built on Nostr; Cashu wallet; private messenger White Noise; and the Nostr-based social community +chorus, in addition to the apps Dorsey has already released. Developments in AI-based coding have made this type of experimentation possible, Henshaw-Plath points out, in the same way that technologies like Ruby on Rails, Django, and JSON helped to fuel an earlier version of the web, dubbed Web 2.0.

Related to these efforts, Henshaw-Plath sat down with Dorsey for the debut episode of his new podcast, revolution.social with @rabble... Dorsey believes Bluesky faces the same challenges as traditional social media because of its structure — it's funded by VCs, like other startups. Already, it has had to bow to government requests and faced moderation challenges, he points out. "I think [Bluesky CEO] Jay [Graber] is great. I think the team is great," Dorsey told Henshaw-Plath, "but the structure is what I disagree with ... I want to push the energy in a different direction, which is more like Bitcoin, which is completely open and not owned by anyone from a protocol layer...."

Dorsey's initial investment has gotten the new nonprofit up and running, and he worked on some of its initial iOS apps. Meanwhile, others are contributing their time to build Android versions, developer tools, and different social media experiments. More is still in the works, says Henshaw-Plath.

"There are things that we're not ready to talk about yet that'll be very exciting," he teases.

BrianFagioli shares a report from NERDS.xyz: Intel has quietly pulled the plug on Clear Linux OS, officially ending support for the once-promising Linux distribution that it had backed for nearly a decade. Effective immediately, the company says it will no longer provide any updates, security patches, or maintenance for the operating system. In a final blow, the Clear Linux OS GitHub repository is now archived in read-only mode.

The move was announced with little fanfare, and for users still relying on Clear Linux OS, there's no sugarcoating it... you need to move on. Intel is urging everyone to migrate to an actively maintained Linux distribution as soon as possible to avoid running unpatched software. "Rest assured that Intel remains deeply invested in the Linux ecosystem, actively supporting and contributing to various open-source projects and Linux distributions to enable and optimize for Intel hardware," the company said in a statement. "A heartfelt thank you to every developer, user, and contributor who helped shape Clear Linux OS over the last 10 years. Your feedback and contributions have been invaluable."

Longtime Slashdot reader bobdevine shares a report from OSTechNix: For the first time, Linux has officially broken the 5% desktop market share barrier in the United States of America! It's a huge milestone for open-source and our fantastic Linux community. While many might think of Linux as a niche choice, this new data shows a significant shift is happening.

According to the latest StatCounter Global Stats for June 2025, Linux now holds 5.03% of the desktop operating system market share in the United United States of America. This is fantastic news! [...] One truly satisfying detail for me? Linux has finally surpassed the "Unknown" category in the USA! It shows that our growth is clear and recognized. "It took eight years to go from 1% to 2% (by April 2021), then just 2.2 years to reach 3% (June 2023), and a mere 0.7 years to hit 4% (February 2024)," notes the report. "Now, here we are, at over 5% in the USA! This exponential growth suggests that we're on a promising upward trend."

An anonymous reader quotes a report from Phoronix: Merged yesterday to the latest development code for the LibreOffice open-source office suite is now recognizing Bitcoin "BTC" as a supported currency for use within the Calc spreadsheet program and elsewhere within this cross-platform free software office suite. Stemming from a recent bug report requesting Bitcoin as an official currency option within LibreOffice Calc, the necessary additions are now in place so it's a built-in preset like USD and EUR. Thus easier managing of Bitcoin transactions and the like from within LibreOffice Calc.

BrianFagioli shares a report from NERDS.xyz: Blender 4.5 has arrived and it's a long-term support release. That means users get two full years of updates and bug fixes, making it a smart choice for anyone looking for stability in serious projects. Whether you're a solo artist or part of a studio pipeline, this version is built to last. Here's a list of key features and changes in this release:

- Vulkan backend replaces OpenGL (faster, smoother UI)
- Adaptive subdivision up to 14x faster with multithreading
- New Geometry Nodes: Camera Info, Instance Bounds
- GPU-accelerated compositor nodes with standardized inputs
- New Boolean solver: Manifold (cleaner, faster mesh operations)
- UV maps visible in Object Mode + improved selection behavior
- Grease Pencil render pass and Geometry Nodes integration
- Improved file import support: PLY, OBJ, STL, CSV, VDB
- Deprecations: Collada, Big Endian, legacy .blend, Intel Mac support
- Cycles OptiX now requires NVIDIA driver v535+
- New shader variants for add-on developers (POLYLINES_*, POINT_*)
~500 bug fixes across all major systems

"Steam quietly welcomed another indie game this week, but this one is distinctly different for a lot of reasons," writes Notebookcheck: Dogwalk, which debuted on July 11, is the kind of short, gentle experience that almost forces you to smile. Developed by Blender Studio, the game introduces players to a gorgeous winter landscape. You play as a cute, fluffy dog, with a small child in tow...

What's particularly interesting here is that Dogwalk is more than just another charming indie project. It's Blender Studio's showcase for what's possible using fully open-source tools. The entire project — assets, animations, and code — is made with Blender and the popular Godot Game Engine. Unlike industry giants such as Unity or Unreal, Godot is completely open source, meaning it doesn't require developers to pay royalties or follow strict licensing agreements. This should make it great for small studios and independent creators, as it lowers the entry barrier to game creation.

Dogwalk is 100% free, which fits neatly into its open-source philosophy

An anonymous reader quotes a report from ZDNet: The Linux Foundation announced at the Open Source Summit in Denver that it will now host the Agent2Agent (A2A) protocol. Initially developed by Google and now supported by more than 100 leading technology companies, A2A is a crucial new open standard for secure and interoperable communication between AI agents. In his keynote presentation, Mike Smith, a Google staff software engineer, told the conference that the A2A protocol has evolved to make it easier to add custom extensions to the core specification. Additionally, the A2A community is working on making it easier to assign unique identities to AI agents, thereby improving governance and security.

The A2A protocol is designed to solve one of AI's most pressing challenges: enabling autonomous agents -- software entities capable of independent action and decision-making -- to discover each other, securely exchange information, and collaborate across disparate platforms, vendors, and frameworks. Under the hood, A2A does this work by creating an AgentCard. An AgentCard is a JavaScript Object Notation (JSON) metadata document that describes its purpose and provides instructions on how to access it via a web URL. A2A also leverages widely adopted web standards, such as HTTP, JSON-RPC, and Server-Sent Events (SSE), to ensure broad compatibility and ease of integration. By providing a standardized, vendor-neutral communication layer, A2A breaks down the silos that have historically limited the potential of multi-agent systems.

For security, A2A comes with enterprise-grade authentication and authorization built in, including support for JSON Web Tokens (JWTs), OpenID Connect (OIDC), and Transport Layer Security (TLS). This approach ensures that only authorized agents can participate in workflows, protecting sensitive data and agent identities. While the security foundations are in place, developers at the conference acknowledged that integrating them, particularly authenticating agents, will be a hard slog. Antje Barth, an Amazon Web Services (AWS) principal developer advocate for generative AI, explained what the adoption of A2A will mean for IT professionals: "Say you want to book a train ride to Copenhagen, then a hotel there, and look maybe for a fancy restaurant, right? You have inputs and individual tasks, and A2A adds more agents to this conversation, with one agent specializing in hotel bookings, another in restaurants, and so on. A2A enables agents to communicate with each other, hand off tasks, and finally brings the feedback to the end user."

Jim Zemlin, executive director of the Linux Foundation, said: "By joining the Linux Foundation, A2A is ensuring the long-term neutrality, collaboration, and governance that will unlock the next era of agent-to-agent powered productivity." Zemlin expects A2A to become a cornerstone for building interoperable, multi-agent AI systems.

An anonymous reader quotes a report from 404 Media: For someone who says she is fighting AI bot scrapers just in her free time, Xe Iaso seems to be putting up an impressive fight. Since she launched it in January, Anubis, a "program is designed to help protect the small internet from the endless storm of requests that flood in from AI companies," has been downloaded nearly 200,000 times, and is being used by notable organizations including GNOME, the popular open-source desktop environment for Linux, FFmpeg, the open-source software project for handling video and other media, and UNESCO, the United Nations organization for educations, science, and culture. [...]

"Anubis is an uncaptcha," Iaso explains on her site. "It uses features of your browser to automate a lot of the work that a CAPTCHA would, and right now the main implementation is by having it run a bunch of cryptographic math with JavaScript to prove that you can run JavaScript in a way that can be validated on the server." Essentially, Anubis verifies that any visitor to a site is a human using a browser as opposed to a bot. One of the ways it does this is by making the browser do a type of cryptographic math with JavaScript or other subtle checks that browsers do by default but bots have to be explicitly programmed to do. This check is invisible to the user, and most browsers since 2022 are able to complete this test. In theory, bot scrapers could pretend to be users with browsers as well, but the additional computational cost of doing so on the scale of scraping the entire internet would be huge. This way, Anubis creates a computational cost that is prohibitively expensive for AI scrapers that are hitting millions and millions of sites, but marginal for an individual user who is just using the internet like a human.

Anubis is free, open source, lightweight, can be self-hosted, and can be implemented almost anywhere. It also appears to be a pretty good solution for what we've repeatedly reported is a widespread problem across the internet, which helps explain its popularity. But Iaso is still putting a lot of work into improving it and adding features. She told me she's working on a non cryptographic challenge so it taxes users' CPUs less, and also thinking about a version that doesn't require JavaScript, which some privacy-minded disable in their browsers. The biggest challenge in developing Anubis, Iaso said, is finding the balance. "The balance between figuring out how to block things without people being blocked, without affecting too many people with false positives," she said. "And also making sure that the people running the bots can't figure out what pattern they're hitting, while also letting people that are caught in the web be able to figure out what pattern they're hitting, so that they can contact the organization and get help. So that's like, you know, the standard, impossible scenario."

"Microsoft has released the source code for the GitHub Copilot Chat extension for VS Code under the MIT license," reports BleepingComputer. This provides the community access to the full implementation of the chat-based coding assistant, including the implementation of "agent mode," what contextual data is sent to large language models (LLMs), and the design of system prompts. The GitHub repository hosting the code also details telemetry collection mechanisms, addressing long-standing questions about data transparency in AI-assisted coding tools...

As the VS Code team explained previously, shifts in AI tooling landscape like the rapid growth of the open-source AI ecosystem and a more level playing field for all have reduced the need for secrecy around prompt engineering and UI design. At the same time, increased targeting of development tools by malicious actors has increased the need for crowdsourcing contributions to rapidly pinpoint problems and develop effective fixes. Essentially, openness is now considered superior from a security perspective.
"If you've been hesitant to adopt AI tools because you don't trust the black box behind them, this move opensources-github-copilot-chat-vscode/offers something rare these days: transparency," writes Slashdot reader BrianFagioli" Now that the extension is open source, developers can audit how agent mode actually works. You can also dig into how it manages your data, customize its behavior, or build entirely new tools on top of it. This could be especially useful in enterprise environments where compliance and control are non negotiable.

It is worth pointing out that the backend models powering Copilot remain closed source. So no, you won't be able to self host the whole experience or train your own Copilot. But everything running locally in VS Code is now fair game. Microsoft says it is planning to eventually merge inline code completions into the same open source package too, which would make Copilot Chat the new hub for both chat and suggestions.

An anonymous reader shared this report from WebProNews: The Linux world is abuzz with news of XLibre, a fork of the venerable X11 window display system, which aims to be an alternative to X11's successor, Wayland.

Much of the Linux world is working to adopt Wayland, the successor to X11. Wayland has been touted as being a superior option, providing better security and performance. Despite Fedora and Ubuntu both going Wayland-only, the newer display protocol still lags behind X11, in terms of functionality, especially in the realm of accessibility, screen recording, session restore, and more. In addition, despite the promise of improved performance, many users report performance regressions compared to X11.

While progress is being made, it has been slow going, especially for a project that is more than 17 years old. To make matters worse, Wayland is largely being improved by committee, with the various desktop environment teams trying to work together to further the protocol. Progress is further hampered by the fact that the GNOME developers often object to the implementation of some functionality that doesn't fit with their vision of what a desktop should be — despite those features being present and needed in every other environment.

In response, developer Enrico Weigelt has forked Xll into the XLibre project. Weigelt was already one of the most prolific X11 contributors at a time when little to no improvements or new features are being added to the aging window system... Weigelt has wasted no time releasing the inaugural version of XLibre, XLibre 25.0. The release includes a slew of improvements.
MrBrklyn (Slashdot reader #4,775) adds that Artix Linux, a rolling-release distro based on Arch Linux which does not use systemd, now offers XLibre ISO images and packages for testing and use. They're all non-systemd based, and "Its a decent undertaking by the Artix development team. The iso is considered to be testing but it is quickly moving to the regular repos for broad public use."

Steven J. Vaughan-Nichols writes in an opinion piece for The Register: Microsoft, tactically admitting it has failed at talking all the Windows 10 PC users into moving to Windows 11 after all, is -- sort of, kind of -- extending Windows 10 support for another year. For most users, that means they'll need to subscribe to Microsoft 365. This, in turn, means their data and meta-information will be kept in a US-based datacenter. That isn't sitting so well with many European Union (EU) organizations and companies. It doesn't sit that well with me or a lot of other people either.

A few years back, I wrote in these very pages that Microsoft didn't want you so much to buy Windows as subscribe to its cloud services and keep your data on its servers. If you wanted a real desktop operating system, Linux would be almost your only choice. Nothing has changed since then, except that folks are getting a wee bit more concerned about their privacy now that President Donald Trump is in charge of the US. You may have noticed that he and his regime love getting their hands on other people's data.

Privacy isn't the only issue. Can you trust Microsoft to deliver on its service promises under American political pressure? Ask the EU-based International Criminal Court (ICC) which after it issued arrest warrants for Israeli Prime Minister Benjamin Netanyahu for war crimes, Trump imposed sanctions on the ICC. Soon afterward, ICC's chief prosecutor, Karim Khan, was reportedly locked out of his Microsoft email accounts. Coincidence? Some think not. Microsoft denies they had anything to do with this.

Peter Ganten, chairman of the German-based Open-Source Business Alliance (OSBA), opined that these sanctions ordered by the US which he alleged had been implemented by Microsoft "must be a wake-up call for all those responsible for the secure availability of state and private IT and communication infrastructures." Microsoft chairman and general counsel, Brad Smith, had promised that it would stand behind its EU customers against political pressure. In the aftermath of the ICC reports, Smith declared Microsoft had not been "in any way [involved in] the cessation of services to the ICC." In the meantime, if you want to reach Khan, you'll find him on the privacy-first Swiss email provider, ProtonMail.

In short, besides all the other good reasons for people switching to the Linux desktop - security, Linux is now easy to use, and, thanks to Steam, you can do serious gaming on Linux - privacy has become much more critical. That's why several EU governments have decided that moving to the Linux desktop makes a lot of sense... Besides, all these governments know that switching from Windows 10 to 11 isn't cheap. While finances also play a role, and I always believe in "following the money" when it comes to such software decisions, there's no question that Europe is worried about just how trustworthy America and its companies are these days. Do you blame them? I don't. The shift to the Linux desktop is "nothing new," as Vaughan-Nichols notes. Munich launched its LiMux project back in 2004 and, despite ending it in 2017, reignited its open-source commitment by establishing a dedicated program office in 2024. In France, the gendarmerie now operates over 100,000 computers on a custom Ubuntu-based OS (GendBuntu), while the city of Lyon is transitioning to Linux and PostgreSQL.

More recently, Denmark announced it is dropping Windows and Office in favor of Linux and LibreOffice, citing digital sovereignty. The German state of Schleswig-Holstein is following suit, also moving away from Microsoft software. Meanwhile, a pan-European Linux OS (EU OS) based on Fedora Kinoite is being explored, with Linux Mint and openSUSE among the alternatives under consideration.

Magic Lantern, the popular open-source suite of software enhancements for Canon DSLR cameras, has returned under new leadership. The revived project aims to offer regular updates and support for additional models, including compatibility for Canon's newer mirrorless cameras equipped with DIGIC X processors. PetaPixel reports: The new lead developer, names_are_hard, announced Magic Lantern's return yesterday on Magic Lantern's forums, seen by Reddit r/cinematography users and confirmed on the official Magic Lantern website. "It's been a long journey, but official Magic Lantern builds return, for all cameras," names_are_hard writes. They add that this means that there will be new, regular releases for all supported cameras and new cameras will be supported. As of now, the supported cameras are almost entirely DSLR models, save for tools for the original EOS M mirrorless camera.

However, one of the members of the core Magic Lantern team, which comprises developers g3ggo, kitor, and WalterSchulz, says the team is looking at supporting cameras with DIGIC X processors, which includes mirrorless EOS R models. "It would be awesome if they start supporting new cameras. Imaging unlocking Open Gate on the R5/R6 lines, or RAW on cameras that don't have it (like R6, R7, etc.)," writes Redditor user machado34. "I believe it will be possible. They say they're exploring up to DIGIC X," adds 3dforlife. "In fact we are," developer kitor replies. "Just DIGIC 8 is stubborn and X adds some new (undocumented) hardware on top of that." Kitor is listed as the chief DIGIC 8 and DIGIC X hacker on Magic Lantern's forums, plus kitor is chiefly in charge of the revived website and Magic Lantern's social media presence. If the team can crack mirrorless cameras, it would be a boon. [...]

The new Magic Lantern core team of devs, plus many other key players who are involved to various degrees in bringing Magic Lantern back to life, have built a new repo, formalized the code base, and developed a new, efficient build system. "Around 2020, our old lead dev, a1ex, after years of hard work, left the project. The documentation was fragmentary. Nobody understood the build system. A very small number of volunteers kept things alive, but nothing worked well. Nobody had deep knowledge of Magic Lantern code," names_are_hard writes. "Those that remained had to learn how everything worked, then fix it. Then add support for new cams without breaking the old ones."

"We have an updated website. We have a new repo. We have new supported models. We have a new build system. We have cleaner, faster, smaller code." The team is now using Git, building on modern operating systems with contemporary tools, and compiling clean. "This was a lot of work, and invisible to users, but very useful for devs. It's easier than ever to join as a dev." Alongside the exciting return, Magic Lantern has added support for numerous new Canon DSLR cameras, including the 200D, 6D Mark II, 750D, and 7D Mark II.

The Python Software Foundation ("made up of, governed, and led by the community") does more than just host Python and its documnation, the Python Package Repository, and the development workflows of core CPython developers. This week the PSF released its 28-page Annual Impact Report this week, noting that 2024 was their first year with three CPython developers-in-residence — and "Between Lukasz, Petr, and Serhiy, over 750 pull requests were authored, and another 1,500 pull requests by other authors were reviewed and merged." Lukasz Langa co-implemented the new colorful shell included in Python 3.13, along with Pablo Galindo Salgado, Emily Morehouse-Valcarcel, and Lysandros Nikolaou.... Code-wise, some of the most interesting contributions by Petr Viktorin were around the ctypes module that allows interaction between Python and C.... These are just a few of Serhiy Storchaka's many contributions in 2024: improving error messages for strings, bytes, and bytearrays; reworking support for var-arguments in the C argument handling generator called "Argument Clinic"; fixing memory leaks in regular expressions; raising the limits for Python integers on 64-bit platforms; adding support for arbitrary code page encodings on Windows; improving complex and fraction number support...

Thanks to the investment of [the OpenSSF's security project] Alpha-Omega in 2024, our Security Developer-in-Residence, Seth Larson, continued his work improving the security posture of CPython and the ecosystem of Python packages. Python continues to be an open source security leader, evident by the Linux kernel becoming a CVE Numbering Authority using our guide as well as our publication of a new implementers guide for Trusted Publishers used by Ruby, Crates.io, and Nuget. Python was also recommended as a memory-safe programming language in early 2024 by the White House and CISA following our response to the Office of the National Cyber Directory Request for Information on open source security in 2023... Due to the increasing demand for SBOMs, Seth has taken the initiative to generate SBOM documents for the CPython runtime and all its dependencies, which are now available on python.org/downloads. Seth has also started work on standardizing SBOM documents for Python packages with PEP 770, aiming to solve the "Phantom Dependency" problem and accurately represent non-Python software included in Python packages.

With the continued investment in 2024 by Amazon Web Services Open Source and Georgetown CSET for this critical role, our PyPI Safety & Security Engineer, Mike Fiedler, completed his first full calendar year at the PSF... In March 2024, Mike added a "Report project as malware" button on the website, creating more structure to inbound reports and decreasing remediation time. This new button has been used over 2,000 times! The large spike in June led to prohibiting Outlook email domains, and the spike in November was driven by a persistent attack. Mike developed the ability to place projects in quarantine pending further investigation. Thanks to a grant from Alpha-Omega, Mike will continue his work for a second year. We plan to do more work on minimizing time-on-PyPI for malware in 2025...

In 2024, PyPI saw an 84% growth in download counts and 48% growth in bandwidth, serving 526,072,569,160 downloads for the 610,131 projects hosted there, requiring 1.11 Exabytes of data transfer, or 281.6 Gbps of bandwidth 24x7x365. In 2024, 97k new projects, 1.2 million new releases, and 3.1 million new files were uploaded to the index.

BlueSky has grown from roughly 10 million users in early November to 36.79 million today — and its last 30 days of traffic looks very level.

But instead of calling BlueSky's traffic "level", right-leaning libertarian Megan McArdle argues instead that BlueSky's "decline shows no sign of leveling out" (comparing the stable figures from the last month to a one-time spike seven months ago so they can write "It's now down about 50 percent"). And Wednesday the conservative UK magazine Spectator also ignored the 30-day-leveling to write instead that BlueSky is somehow "sliding down a slope".

But TechCrunch thinks the "up or down" conversation is entirely missing the point of "the wider network of apps built on the open protocol that Bluesky's team spearheaded" — and how BlueSky "is only meant to be one example of what's possible within the wider AT Proto ecosystem." If you don't like the tone of the topics trending on Bluesky, you can switch to other apps, change your default feeds, or even build your own social platform using the technology. Already, people are using the protocol that powers Bluesky to build social experiences for specific groups — like Blacksky is doing for the Black online community or like Gander Social is doing for social media users in Canada. There are also feed builders like Graze and those in Surf that let you create custom feeds where you can focus on specific content you care about — like video games or baseball — and exclude others, like politics. Built into Bluesky (and other third-party clients) are tools that let you pick your default feed and add others that interest you from a range of topics. If you want to follow a feed devoted to your favorite TV show or animal, for instance, you can. In other words, Bluesky is meant to be what you make it, and its content can be consumed in whatever format you prefer best.

In addition to Bluesky itself, the wider network of apps built on the AT Protocol includes photo- and video-sharing apps, livestreaming tools, communication apps, blogging apps, music apps, movie and TV recommendation apps, and more. Other tools also let you combine feeds from Bluesky with other social networks. Openvibe, for instance, can mix together feeds from social networks like Threads, Bluesky, Mastodon, and Nostr. Apps like Surf and Tapestry offer ways to track posts on open social platforms as well as those published with other open protocols like RSS. This lets the apps pull in content from blogs, news sites, YouTube, and podcasts.
Even just considering BlueSky itself, three weeks ago Fast Company pointed out that BlueSky "grew from 11 million users to 25 million between late October and mid-December, but has added only about 10 million more since then." So how is a 10-million user increase "dying"? For a social network, being prematurely written off is a rite of passage. It's even a compliment of sorts — a sign that people are paying attention and care... When I chatted with Bluesky CEO Jay Graber this week, I wasn't surprised that she didn't seem fazed by the debate on her platform and saw the parallels with early-days Twitter. "Reports of our death are greatly exaggerated," she told me. "It's a similar thing, because with social sites, it's not straight up all the time. [Growth] comes in waves, and at each stage, there's a new era of communities being established and formed. We're still seeing a lot of community formation, and one of the most exciting things is how structurally different this is. It's not just another social site that has to be a singular winner-take-all in an ecosystem with existing incumbents...."

One other challenge that Bluesky has not yet fully confronted is monetizing itself. Onstage at Web Summit, Graber emphasized that it's working on subscription services, a healthier revenue source than stuffing feeds with ads, though potentially a tougher one to scale up to sustainability. The company announced a $15 million Series A funding round last October.
But again, the point isn't BlueSky's increasing user count or its stablizing levels of Daily Unique "Likers" — but its underlying open source protocol: [S]he was at her most passionate when discussing the company's aspiration to decentralize social networking via its open AT Protocol. It powers Bluesky — and variants such as the Pinksky photo-sharing app, which she praised onstage — but could also provide the infrastructure for further-flung social experiences. Maybe even ones catering to folks who have zero interest in participating in the Bluesky community. "The goal is to really get through that this is a Choose Your Own Adventure and Bluesky's just the beginning," she says. "The sky's the limit." Whether she'll fulfill her grandest ambitions, I'm not sure. But I already like this era of social networking better than the one when a handful of winners really did take all.

An anonymous reader shares a report: [...] the rise in China of open technology, which relies on transparency and decentralisation, is awkward for an authoritarian state. If the party's patience with open-source fades, and it decides to exert control, that could hinder both the course of innovation at home, and developers' ability to export their technology abroad.

China's open-source movement first gained traction in the mid-2010s. Richard Lin, co-founder of Kaiyuanshe, a local open-source advocacy group, recalls that most of the early adopters were developers who simply wanted free software. That changed when they realised that contributing to open-source projects could improve their job prospects. Big firms soon followed, with companies like Huawei backing open-source work to attract talent and cut costs by sharing technology.

Momentum gathered in 2019 when Huawei was, in effect, barred by America from using Android. That gave new urgency to efforts to cut reliance on Western technology. Open-source offered a faster way for Chinese tech firms to take existing code and build their own programs with help from the country's vast community of developers. In 2020 Huawei launched OpenHarmony, a family of open-source operating systems for smartphones and other devices. It also joined others, including Alibaba, Baidu and Tencent, to establish the OpenAtom Foundation, a body dedicated to open-source development. China quickly became not just a big contributor to open-source programs, but also an early adopter of software. JD.com, an e-commerce firm, was among the first to deploy Kubernetes.

AI has lately given China's open-source movement a further boost. Chinese companies, and the government, see open models as the quickest way to narrow the gap with America. DeepSeek's models have generated the most interest, but Qwen, developed by Alibaba, is also highly rated, and Baidu has said it will soon open up the model behind its Ernie chatbot.

KDE isn't the only organization reaching out to " as Microsoft prepares to end support for Windows 10.

"Now, The Document Foundation, maker of LibreOffice, has also joined in to support the Endof10 initiative," reports the tech blog Neowin: The foundation writes: "You don't have to follow Microsoft's upgrade path. There is a better option that puts control back in the hands of users, institutions, and public bodies: Linux and LibreOffice. Together, these two programmes offer a powerful, privacy-friendly and future-proof alternative to the Windows + Microsoft 365 ecosystem."

It further adds the "real costs" of upgrading to Windows 11 as it writes:

"The move to Windows 11 isn't just about security updates. It increases dependence on Microsoft through aggressive cloud integration, forcing users to adopt Microsoft accounts and services. It also leads to higher costs due to subscription and licensing models, and reduces control over how your computer works and how your data is managed. Furthermore, new hardware requirements will render millions of perfectly good PCs obsolete.... The end of Windows 10 does not mark the end of choice, but the beginning of a new era. If you are tired of mandatory updates, invasive changes, and being bound by the commercial choices of a single supplier, it is time for a change. Linux and LibreOffice are ready — 2025 is the right year to choose digital freedom!"
The first words on LibreOffice's announcement? "The countdown has begun...."

An anonymous reader quotes a report from ZDNet: Denmark's Minister of Digitalization, Caroline Stage, has announced that the Danish government will start moving away from Microsoft Office to LibreOffice. Why? It's not because open-source is better, although I would argue that it is, but because Denmark wants to claim "digital sovereignty." In the States, you probably haven't heard that phrase, but in the European Union, digital sovereignty is a big deal and getting bigger.

A combination of security, economic, political, and societal imperatives is driving the EU's digital sovereignty moves. EU leaders are seeking to reduce Europe's dependence on foreign technology providers, primarily those from the United States, and to assert greater control over its digital infrastructure, data, and technological future. Why? Because they're concerned about who controls European data, who sets the rules, and who can potentially cut off access to essential services in times of geopolitical tension. "Money issues have also played a decisive role," writes ZDNet's Steven Vaughan-Nichols. "Copenhagen's Microsoft software bill has soared from 313 million kroner in 2018 to 538 million kroner -- about $53 million in 2023, a 72% increase in just five years.

David Heinemeier Hansson (DHH), a Dane, inventor of Ruby on Rails, and co-owner of the software developer company 37Signals, has said: "Denmark is one of the most highly digitalized countries in the world. It's also one of the most Microsoft-dependent. In fact, Microsoft is by far and away the single biggest dependency, so it makes perfect sense to start the quest for digital sovereignty there."