curl bans “AI” security reports as Zuckerberg claims we’ll all have more “AI” friends than real ones

Daniel Stenberg, creator and maintainer of curl, has had enough of the neverending torrent of “AI”-generated security reports the curl project has to deal with.

That’s it. I’ve had it. I’m putting my foot down on this craziness.

1. Every reporter submitting security reports on Hackerone for curl now needs to answer this question: “Did you use an AI to find the problem or generate this submission?” (and if they do select it, they can expect a stream of proof of actual intelligence follow-up questions)

2. We now ban every reporter INSTANTLY who submits reports we deem AI slop. A threshold has been reached. We are effectively being DDoSed. If we could, we would charge them for this waste of our time.

We still have not seen a single valid security report done with AI help.

↫ Daniel Stenberg

This is the real impact of “AI”: streams of digital trash real humans have to clean up. While proponents of “AI” keep claiming it will increase productivity, actual studies show this not to be the case. Instead, what “AI” is really doing is creating more work for others to deal with by barfing useless garbage into other people’s backyards. It’s like the digital version of the western world sending its trash to third-world countries to deal with.

The best possible sign that “AI” is a toxic trash heap you wouldn’t want to have anything to do with are the people fighting for team “AI”.

In Zuckerberg’s vision for a new digital future, artificial-intelligence friends outnumber human companions and chatbot experiences supplant therapists, ad agencies and coders. AI will play a central role in the human experience, the Facebook co-founder and CEO of Meta Platforms has said in a series of recent podcasts, interviews and public appearances.

↫ Meghan Bobrowsky at the WSJ

Mark Zuckerberg, who built his empire by using people’s photos without permission so he could rank who was hotter, who used Facebook logins to break into journalists’ email accounts because they were about to publish a negative story about him, who called Facebook users “dumb fucks” for entrusting their personal information to him, is on the forefront fighting for “AI”. If that isn’t the ultimate proof there’s something deeply wrong and ethically unsound about “AI”, I don’t know what is.

TDE’s Qt 3 fork drops the 3

The Trinity Desktop Environment, the continuation of the final KDE 3.x release updated and maintained for modern times, consists of more than just the KDE bits you may think of. The project also maintains a fork of Qt 3 called TQt3, which it obviously needs to be able to work on and improve TDE itself, which is based on it. In the beginning, this fork consisted mainly of renaming things, but in recent years, more substantial changes meant that the code diverged considerably from the original Qt 3. As such, a small name change is in order.

TQt3 was born as a fork of Qt3 and for many years it was little more than a mere renaming effort. Over the past few years, many changes were made and the code has significantly diverged from the original Qt3, although still sharing the same roots. With more changes planned ahead and with the intention of better highlighting such difference, the TDE team has decided to drop the ‘3’ from the repository name, which is now simply called ‘TQt’.

↫ TDE on Mastodon

The effect this has on users is rather minimal – users of the current 14.1.x release branch will still see 3s around in file paths and package names, but in future 14.2.x releases, all of these will have been removed, completing the transition.

This seems like a small change, and that’s because it is, but it’s interesting simply because it highlights that a project that seems relatively straightforward on the outside – maintain and carefully modernise the final KDE 3.x release – encompasses a lot more than that. Maintaining an entire Qt 3 fork certainly isn’t a small feat, but it’s kind of required to keep a project like TDE going.

VectorVFS: your filesystem as a vector database

VectorVFS is a lightweight Python package that transforms your Linux filesystem into a vector database by leveraging the native VFS (Virtual File System) extended attributes. Rather than maintaining a separate index or external database, VectorVFS stores vector embeddings directly alongside each file—turning your existing directory structure into an efficient and semantically searchable embedding store.

VectorVFS supports Meta’s Perception Encoders (PE) [arxiv] which includes image/video encoders for vision language understanding, it outperforms InternVL3, Qwen2.5VL and SigLIP2 for zero-shot image tasks. We support both CPU and GPU but if you have a large collection of images it might take a while in the first time to embed all items if you are not using a GPU.

↫ Christian S. Perone

It won’t surprise many of you that this goes a bit above my paygrade, but according to my limited understanding, VectorVFS stores information about files inside the xattr part of inodes. The information being stored is converted into vectors first, and this is the part that breaks my brain a bit, because vectors in this context are far too complex for me to understand.

I vaguely understand the end result here – making files searchable using vector magic without using a dedicated database or separate files by using extended attributes in inodes – but the process is far more complicated to understand. It still seems like a very interesting approach, though, and I’d love for people smarter than me to take VectorVFS apart and explain it in easier terms for those of us who don’t fully grasp it.

Redox gets services management, completes userspace process manager

Can someone please stop these months from coming and going, because I’m getting dizzy with yet another monthly report of all the progress made by Redox. Aside from the usual swath of improvements to the kernel, relibc, drivers, and so on, this month saw the completion of the userspace process manager.

In monolithic kernels this management is done in the kernel, resulting in necessary ambient authority, and possibly constrained interfaces if a stable ABI is to be guaranteed. With this userspace implementation, it will be easier to manage access rights using capabilities, reduce kernel bugs by keeping it simpler, and make changes where both sides of the interface can be updated simultaneously.

↫ Ribbon and Ron Williams

Students at Georgia Tech have been hard at work this winter on Redox as well, building a system health monitoring and recovery daemon and user interface. The Redox team has also done a lot of work to improve the build infrastructure, fixing a number of related issues along the way. The sudo daemon has now replaced the setuid bit for improved user authentication security, and a ton of existing ports have been fixed and updated where needed.

Redox’ monthly progress is kind of stunning, and it’s clear there’s a lot of interest in the Rust-based operating system from outside the project itself as well. I wonder at what point Redox becomes usable for at least some daily, end-user tasks. I think it’s not quite there yet, especially when it comes to hardware support, but I feel like it’s getting there faster than anyone anticipated.

Google accidentally reveals Android’s Material 3 Expressive interface ahead of I/O

Google’s accelerated Android release cycle will soon deliver a new version of the software, and it might look quite different from what you’d expect. Amid rumors of a major UI overhaul, Google seems to have accidentally published a blog post detailing “Material 3 Expressive,” which we expect to see revealed at I/O later this month. Google quickly removed the post from its design site, but not before the Internet Archive saved it.

↫ Ryan Whitwam at Ars Technica

Google seems to be very keen on letting us know this new redesign is based on a lot of user research and metrics, which always sets off alarm bells in my mind when it comes to user interfaces. Every single person uses their smartphone and its applications a little differently, and using tons of metrics and data to average all of this out can make it so that anyone who strays too far from that average is going to have a bad time. This is compounded by the fact that each and every one of us is going to stray from the average in at least a few places.

Google also seems to be throwing consistency entirely out of the window with this redesign, which chills me to the bone. One of the reasons I like the current iteration of Material Design so much is that it does a great job of visually (and to a lesser extent, behaviourally) unifying the operating system and the applications you use, which I personally find incredibly valuable. I very much prefer consistency over disparate branding, and the screenshots and wording I’m seeing here seem to indicate Google considers that a problem that needs fixing.

As with everything UI, screenshots don’t tell the whole story, so maybe it won’t be so bad. I mean, it’s not like I’ve got anywhere else to go in case Google messes this up. Monopolies (or duopolies) are fun.

IBM unveils the LinuxONE Emperor 5

Following the recent release of the IBM z17 mainframe, IBM today unveiled the LinuxONE Emperor 5, which packs much of the same hardware as the z17, but focused on Linux use.

Today we’re announcing IBM LinuxONE 5, performant Linux computing platform for data, applications and your trusted AI, powered by the IBM Telum II processor with built-in AI acceleration. This launch comes at a pivotal time, as technology leaders focus on three critical imperatives: enabling security, improving cost-efficiency, and integrating AI into enterprise systems.

↫ Marcel Mitran and Tina Tarquinio

Yes, much like the z17, the LinuxONE 5 is a huge “AI” buzzword bonanza, but that’s to be expected in this day and age. The LinuxONE 5, which, again, few of us will ever get to work with, officially supports Red Hat, OpenSUSE, and Ubuntu, but a variety of other Linux distributions offers support for IBM’s Z hardware, as well.

Building your own Atomic (bootc) Desktop

Bootc and associated tools provide the basis for building a personalised desktop. This article will describe the process to build your own custom installation.

↫ Daniel Mendizabal at Fedora Magazine

The fact that atomic distributions make it relatively easy to create custom “distributions” is a really interesting bonus quality of these types of Linux distributions. The developers behind Blue95, which we talked about a few weeks ago, based their entire distribution on this bootc personalised desktop approach using Fedora, and they argue that the term “distribution” probably isn’t the correct term here:

Blue95 is a collection of scripts and YAML files cobbled together to produce a Containerfile, which is built via GitHub Actions and published to the GitHub Container Registry. Which part of this process elevates the project to the status of a Linux distribution? What set of RUN commands in the Containerfile take the project from being merely a Fedora-based OCI image to a full-blown Linux distribution?

↫ Adam Fidel

While this discussion is mostly academic, I still find it interesting how with the march of technology, and with the aid of new ideas, it’s becoming easier and easier to spin up a customised version of your favourite Linux distribution, making it incredibly easy to have your own personal ISO, with all your settings, themes, and customisations applied. This has always been possible, but it seems to be getting easier.

Atomic, immutable distributions are not for me, personally, but I firmly believe most distributions focusing on average, normal users – Ubuntu, Fedora, SUSE – will eventually move their immutable variants to the prime spot on their web sites. This will make a whole lot of people big mad, but I think it’s inevitable. Of course, traditional Linux distributions won’t be going away, but much like how people keep complaining about systemd despite the tons of alternatives, I’m guessing the same will happen with immutable distributions.

GTK markup language Blueprint becomes part of GNOME

This week’s This Week in GNOME mentions that Blueprint will become part of GNOME.

Blueprint is now part of the GNOME Nightly SDK and is expected to be part of the GNOME 49 SDK. This means, apps relying on Blueprint won’t have to install it manually anymore.

Blueprint is an alternative to defining GTK/Libadwaita user interface via .ui XML-files (GTK Builder files). The goal of blueprint is to provide UI definitions that require less boilerplate than XML and are easier to learn. Blueprint also provides a language server for IDE integration.

↫ Sophie Herold

Quite a few applications already make use of Blueprint, and even some Core GNOME applications use it, so it seems logical to make it part of the default GNOME installation.

EU fines TikTok token amount of €530 million for gross privacy violations

A European Union privacy watchdog fined TikTok 530 million euros ($600 million) on Friday after a four-year investigation found that the video sharing app’s data transfers to China put users at risk of spying, in breach of strict EU data privacy rules.

Ireland’s Data Protection Commission also sanctioned TikTok for not being transparent with users about where their personal data was being sent and ordered the company to comply with the rules within six months.

↫ Kelvin Chan for AP News

In case you’re wondering what Ireland’s specific role in this case is, TikTok’s European headquarters are located in Ireland, which means that any EU-wide privacy violations by TikTok are handled by Ireland’s privacy watchdog.

Anyway, sounds like a big fine, right? Let’s do some math.

TikTok’s global revenue last year is estimated at €20 billion. This means that a €530 million fine is 2.65% of TikTok’s global yearly revenue. Now let’s make this more relatable for us normal people. The yearly median income in Sweden is €34365 (pre-taxes), which means that if the median income Swede had to pay a fine with the same impact as the TikTok fine, they’d have to pay €910.

That’s how utterly bullshit this fine is. €910 isn’t nothing if you make €34000 per year, but would you call this a true punishment for TikTok? Any time you read about any of these corporate fines, you should do math like this to get an idea of what the true impact of the fine really amounts to. You’ll be surprised to learn just how utterly toothless they are.

Microsoft brings back Office application preloading from the ’90s

Back in the late ’90s and early 2000s, if you installed a comprehensive office suite on Windows, such as Microsoft’s own Office or something like WordPerfect Office or IBM Lotus SmartSuite, it would often come with a little icon in the system tray or a floating toolbar to ensure the applications were preloaded upon logging into Windows. The idea was that this preloading would ensure that the applications would start faster.

It’s 2025, and Microsoft is bringing it back. In a message in the Microsoft 365 Message Center Archive, which is a real thing I didn’t make up, the company announced a new Startup Boost task that will preload Office applications on Windows to reduce loading times for the individual Office applications.

We are introducing a new Startup Boost task from the Microsoft Office installer to optimize performance and load-time of experiences within Office applications. After the system performs the task, the app remains in a paused state until the app launches and the sequence resumes, or the system removes the app from memory to reclaim resources. The system can perform this task for an app after a device reboot and periodically as system conditions allow.

↫ MC1041470 – New Startup Boost task from Microsoft Office installer for Office applications

This new task will automatically be added to the Task Scheduler, but only on PCs with 8GB of RAM or more and at least 5GB of available disk space. The task will run 10 minutes after logging into Windows, will be disabled if the Energy Saver feature is enabled, and will be removed if you haven’t used Office in a while. The initial rollout of this task will take place in May, and will cover Word only for now. The task can be disabled manually through Task Scheduler or in Word’s settings.

Since this is Microsoft, every time Office is updated, the task will be re-enabled, which means that users who disable the feature will have to disable it again after each update. This particular behaviour can be disabled using Group Policy. Yes, the sound you’re hearing are all the “AI” text generators whirring into motion as they barf SEO spam onto the web about how to disable this feature to speed up your computer.

I’m honestly rather curious who this is for. I have never found the current crop of Office applications to start up particularly slowly, but perhaps corporate PCs are so full of corpo-junkware they become slow again?

DragonFlyBSD 6.4.1 released

It has been well over two years since the last release of DragonFlyBSD, version 6.4.0, and today the project pushed out a small update, DragonFlyBSD 6.4.1. It fixes a few small, longstanding issues, but as the version number suggests, don’t expect any groundbreaking changes here. The legacy IDE/NATA driver had a memory leak fixed, the ca_root_nss package has been updated to support newer Let’s Encrypt certificates, the package update command will no longer delete an important configuration file that rendered the command unusable, and more small fixes like that.

Existing users can update the usual way.

Zhaoxin’s KX-7000 x86-64 processor

Chips and Cheese takes a very detailed look at the latest processor design from Zhaoxin, the Chinese company that inherited VIA’s x86 license and has been making new x86 chips ever since. Their latest design, 世纪大道 (Century Avenue), tries to take yet another step closer to current chip designs from Intel and AMD, and while falling way short, that’s not really the point here.

Ultimately performance is what matters to an end-user. In that respect, the KX-7000 sometimes falls behind Bulldozer in multithreaded workloads. It’s disappointing from the perspective that Bulldozer is a 2011-era design, with pairs of hardware threads sharing a frontend and floating point unit. Single-threaded performance is similarly unimpressive. It roughly matches Bulldozer there, but the FX-8150’s single-threaded performance was one of its greatest weaknesses even back in 2011. But of course, the KX-7000 isn’t trying to impress western consumers. It’s trying to provide a usable experience without relying on foreign companies. In that respect, Bulldozer-level single-threaded performance is plenty. And while Century Avenue lacks the balance and sophistication that a modern AMD, Arm, or Intel core is likely to display, it’s a good step in Zhaoxin’s effort to break into higher performance targets.

↫ Chester Lam at Chips and Cheese

I find Chinese processors, like the x86-based ones from Zhaoxin or the recent LoongArch processors (which you can buy on AliExpress), incredibly fascinating, and would absolutely love to get my hands on one. A board with two of the most recent LoongArch processors – the 3c6000 – goes for about €4000 at the moment, and I’m keeping my eye on that price to see if there’s ever going to be a sharp drop. This is prime OSNews material, after all.

No, they’re not competitive with the latest offerings from Intel, AMD, or ARM, but I don’t really care – they interest me as a computer enthusiast, and since it’s highly unlikely we’re going to see anyone seriously threaten Intel, AMD, and ARM here in the west, you’re going to have to look at China if you’re interested in weird architectures and unique processors.

Run x86-64 games on RISC-V with felix86

If RISC-V ever manages to take off, this is going to be an important tool in RISC-V users’ toolbox: felix86 is an x86-64 userspace emulator for RISC-V.

felix86 emulates an x86-64 CPU running in userspace, which is to say it is not a virtual machine like VMware, rather it directly translates the instructions of an application and mostly uses the host Linux kernel to handle syscalls.

Currently, translation happens during execution time, also known as just-in-time (JIT) recompilation. The JIT recompiler in felix86 is focused on fast compilation speed and performs minimal optimizations. It utilizes extensions found on the host system such as the vector extension for SIMD operations, or the B extension for emulating bit manipulation extensions like BMI. The only mandatory extensions for felix86 are G, which every RISC-V general purpose computer should already have, and v1.0 of the standard vector extension.

↫ felix86 website

The project is still in early development, but a number of popular games already work, which is quite impressive. The code’s on GitHub under the MIT license.

US court eviscerates Apple’s malicious compliance, claims company lied under oath several times

Way back in 2021, in the Epic v. Apple court case, US District Judge Yvonne Gonzalez Rogers ordered Apple to allow third-party developers to tell users how to make payments inside iOS applications without going through Apple’s App Store. As we have come to expect from Apple, the company maliciously complied, lowering the commission on purchases outside of its ecosystem from 30% to 27%, while also adding a whole bunch of hoops and hurdles, like scare screens with doom-and-gloom language to, well, scare consumers into staying within Apple’s ecosystem for in-app payments.

Well, it turns out Judge Yvonne Gonzalez Rogers is furious, giving Apple, Tim Cook, and its other executives what can only be described as a beatdown – even highlighting how one of Apple’s executives, under orders from Tim Cook, lied under oath several times. Gonzalez is referring this to the District Attorney for Northern California “to investigate whether criminal contempt proceedings are appropriate.”

In stark contrast to Apple’s initial in-court testimony, contemporaneous business documents reveal that Apple knew exactly what it was doing and at every turn chose the most anticompetitive option. To hide the truth, Vice-President of Finance, Alex Roman, outright lied under oath. Internally, Phillip Schiller had advocated that Apple comply with the Injunction, but Tim Cook ignored Schiller and instead allowed Chief Financial Officer Luca Maestri and his finance team to convince him otherwise. Cook chose poorly. The real evidence, detailed herein, more than meets the clear and convincing standard to find a violation. The Court refers the matter to the United States Attorney for the Northern District of California to investigate whether criminal contempt proceedings are appropriate.

↫ US District Judge Yvonne Gonzalez Rogers

Gonzalez’ entire ruling is scathing, seething with rage, and will probably do more reputational damage to Apple, Tim Cook, and his executive team than any bendgate or antennagate could ever do. Judge Gonzalez:

This is an injunction, not a negotiation. There are no do-overs once a party willfully disregards a court order. Time is of the essence. The Court will not tolerate further delays. As previously ordered, Apple will not impede competition. The Court enjoins Apple from implementing its new anticompetitive acts to avoid compliance with the Injunction. Effective immediately Apple will no longer impede developers’ ability to communicate with users nor will they levy or impose a new commission on off-app purchases.

[…]

Apple willfully chose not to comply with this Court’s Injunction. It did so with the express intent to create new anticompetitive barriers which would, by design and in effect, maintain a valued revenue stream; a revenue stream previously found to be anticompetitive. That it thought this Court would tolerate such insubordination was a gross miscalculation. As always, the cover-up made it worse. For this Court, there is no second bite at the apple.

↫ US District Judge Yvonne Gonzalez Rogers

Gonzalez effectively destroyed any ability for Apple to charge commissions on purchases made inside iOS applications but outside Apple’s App Store, and this order will definitely find its way to the European Union as well, where it will serve as further evidence of Tim Cook’s and Apple’s continuous, never-ending contempt for the law and courts that uphold it. For its part, Apple has stated they’re going to appeal.

Good luck with that.

Sculpt OS 25.04 released

Sculpt OS 25.04 has been released, and with it come a number of very welcome and important improvements. What most users will care about the most is the updated version of the Falkon web browser, built atop Qt 6.2.2 and its accompanying qtwebengine release, which in turn is using version 112 of the Chromium engine. Aside from this major improvement, there’s two other things that stand out:

Usability-wise, the new version comes with two highly anticipated features. First, building upon the multi-monitor support added with the previous release, the new version takes multi-monitor awareness to the window management level, allowing for the flexible assignment of virtual desktops to physical displays, adding new window-manipulation conveniences, and supporting rotated displays. Second, a new directory browser allows the user to interactively assign arbitrary directories as file systems to components, vastly easing the fine-grained sandboxing of subsystems.

↫ Sculpt OS 25.04 release announcement

Sculpt OS 25.04 also inherits the improvements of recent Genode Framework releases, such as support for Intel’s Meteor-Lake hardware. Sculpt OS is available for PC, the PinePhone, and the MNT Reform laptop.

Why did Windows 7, for a few months, log on slower if you have a solid color background?

Time for another story from Raymond Chen, about why, in Windows 7, logging in took 30 seconds if you had set a solid colour as your background. Windows 7’s logon system needs to wait for a number of tasks to be completed, like creating the taskbar, populating the desktop with icons, and setting the background. If all of those tasks are completed or 30 seconds have passed, the welcome screen goes away.

As you can guess by the initial report mentioning having to wait for 30 seconds, one of the tasks that need to be completed isn’t reporting in, so the welcome screen is displayed for the full 30 seconds. In the case of this bug, that task is obviously setting the background.

The code to report that the wallpaper is ready was inside the wallpaper bitmap code, which means that if you don’t have a wallpaper bitmap, the report is never made, and the logon system waits in vain for a report that will never arrive.

↫ Raymond Chen

It turns out that people who enabled the setting to hide desktop icons were experiencing the same delay, and that, too, was caused by the lack of a report from, in this case, the desktop icons. Interestingly, it seems especially settings changed through group policies can cause issues like this.

Group policies are susceptible to this problem because they tend to be bolted on after the main code is written. When you have to add a group policy, you find the code that does the thing, and you put a giant “if policy allows” around it.

[…]

Oops, the scope of the “if” block extended past the report call, so if the policy is enabled, the icons are never reported as ready, and the logon system stays on the Welcome screen for the full 30 seconds.

↫ Raymond Chen

These issues were fixed very quickly after the release of Windows 7, and they disappeared from the radar within a few months after the release of everyone’s favourite Windows version.

Google is working on a big UI overhaul for Android

When Google released the fourth beta of Android 16 this month, many users were disappointed by the lack of major UI changes. As Beta 4 is the final beta, it’s likely the stable Android 16 release won’t look much different than last year’s release. However, that might not hold true for subsequent updates. Google recently confirmed it will unveil a new version of its Material Design theme at its upcoming developer conference, and we’ve already caught glimpses of these design changes in Android—including a notable increase in background blur effects. Ahead of I/O next month, here’s an early look at Google’s upcoming Android redesign.

↫ Mishaal Rahman at Android Authority

With Android, it’s hard to really care about changes like these because it will take forever and a day for the Android ecosystem to catch up, and in general in mobile computing, most people use applications that have zero respect for platform integration anyway, preferring their own shit branding and UI “design” over that of the platform they’re running on. In other words, most people will never really encounter many of these changes, unless they’re Pixel users.

That being said, these changes seem to basically replace a lot of “window” backgrounds with a blur, which makes everything feel more airy and brighter – so much so that in screenshots purporting to show dark mode, it looks like light mode. This doesn’t really seem like the “big UI overhaul” the linked article claims it to be, but there might be more changes on the way we haven’t seen yet.

Instead of UI changes, I’m much more concerned about how much worse Google will be making Android by shoving Clippy into every corner of the operating system.

PATH isn’t real on Linux

I have no idea how much relevance this short but informative rundown of how PATH works in Linux has in the real world, but I found it incredibly interesting and enlightening.

The basic gist – and I might be wrong, there’s code involved and I’m not very smart – is that Linux itself needs absolute paths to binaries, while shells and programming languages do not. In other words, the Linux kernel does not know about PATH, and any lookup you’re doing comes from either the shell or the programming language you’re using.

In practice this doesn’t matter, but it’s still interesting to know.

“I use zip bombs to protect my server”

The majority of the traffic on the web is from bots. For the most part, these bots are used to discover new content. These are RSS Feed readers, search engines crawling your content, or nowadays AI bots crawling content to power LLMs. But then there are the malicious bots. These are from spammers, content scrapers or hackers. At my old employer, a bot discovered a wordpress vulnerability and inserted a malicious script into our server. It then turned the machine into a botnet used for DDOS. One of my first websites was yanked off of Google search entirely due to bots generating spam. At some point, I had to find a way to protect myself from these bots. That’s when I started using zip bombs.

↫ Ibrahim Diallo

I mean, when malicious bots harm your website, isn’t combating them with something like zip bombs simply just self-defense?