Longtime Slashdot reader internet-redstar writes: Nearly a trillion dollars has been wiped from software stocks in 2026, with hedge funds making billions shorting Salesforce, HubSpot, and Atlassian. At FOSDEM 2026, cURL maintainer Daniel Stenberg shut down his bug bounty program after AI-generated slop overwhelmed his team. A new article on HackerNoon argues that most commercial SaaS could inevitably become OpenSource, not out of ideology but economics. The author points to Proxmox replacing VMware at enterprise scale and startups like Holosign replicating DocuSign at $19/month flat as evidence. The catch, the article claims, is that maintainers who refuse to embrace AI tools risk being forked, or simply replicated from scratch, by those who do.

Private equity firm EQT AB is reportedly exploring a sale of SUSE that could value the open-source Linux pioneer at up to $6 billion, roughly doubling the valuation since EQT took the company private in 2023. Reuters reports: EQT "has hired investment bank Arma Partners to sound out a group of private equity investors for a possible sale of the company, said the sources, who requested anonymity to discuss confidential matters. The deliberations are at "an early stage and there is no certainty that EQT will proceed with "a transaction, the sources said. [...] The potential deal comes amid a broader selloff in software stocks, which has disrupted mergers and acquisitions activity. Investors are "concerned that new artificial intelligence tools could displace many existing software products, weighing on technology "valuations and making deals harder to price.

Some investors, however, see Luxembourg-headquartered SUSE as a potential beneficiary of AI adoption, arguing that demand for enterprise-grade infrastructure software is likely to grow as companies build and deploy more AI applications. The company generates about $800 million in revenue and more than $250 million in earnings before interest, taxes, depreciation, and amortization (EBITDA) and could fetch between $4 billion and $6 billion in a sale, the sources said.

An anonymous reader quotes a report from Heise: Pay securely with an Android smartphone, completely without Google services: This is the plan being developed by the newly founded industry consortium led by the German Volla Systeme GmbH. It is an open-source alternative to Google Play Integrity. This proprietary interface decides on Android smartphones with Google Play services whether banking, government, or wallet apps are allowed to run on a smartphone.

Obstacles and tips for paying with an Android smartphone without official Google services have been highlighted by c't in a comprehensive article. The European industry consortium now wants to address some problems mentioned. To this end, the group, which includes Murena, which develops the hardened custom ROM /e/OS, Iode from France, and Apostrophy (Dot) from Switzerland, in addition to Volla, is developing a so-called "UnifiedAttestation" for Google-free mobile operating systems, primarily based on the Android Open-Source Project (AOSP).

According to Volla, a European manufacturer and a leading manufacturer from Asia, as well as European foundations such as the German UBports Foundation, have also expressed interest in supporting it. Furthermore, developers and publishers of government apps from Scandinavia are examining the use of the new procedure as "first movers." In its announcement, Volla explains that Google provides app developers with an interface called Play Integrity, which checks whether an app is running on a device with specific security requirements. This primarily affects applications from "sensitive areas such as identity verification, banking, or digital wallets -- including apps from governments and public administrations".

The company criticizes that the certification is exclusively offered for Google's own proprietary "Stock Android" but not for Android versions without Google services, such as /e/OS or similar custom ROMs. "Since this is closely intertwined with Google services and Google data centers, a structural dependency arises -- and for alternative operating systems, a de facto exclusion criterion," the company states. From the consortium's perspective, this also leads to a "security paradox," because "the check of trustworthiness is carried out by precisely that entity whose ecosystem is to be avoided at the same time". The UnifiedAttestation system is built around three main components: an "operating system service" that apps can call to check whether the device's OS meets required security standards, a decentralized validation service that verifies the OS certificate on a device without relying on a single central authority, and an open test suite used to evaluate and certify that a particular operating system works securely on a specific device model.

"We don't want to centralize trust, but organize it transparently and publicly verifiable. When companies check competitors' products, we can strengthen that trust," says Dr. Jorg Wurzer, CEO of Volla Systeme GmbH and initiator of the consortium. The goal is to increase digital sovereignty and break free from the control of any one, single U.S. company, he says.

Even after its acquisition by Qualcomm, the EFF believes Arduino "isn't imposing any new bans on tinkering with or reverse engineering Arduino boards," (according to Mitch Stoltz, EFF director for competition and IP litigation). While Adafruit's managing editor Phillip Torrone had claimed to 36,000+ followers on LinkedIn that Arduino users were now "explicitly forbidden from reverse engineering," Arduino corrected him in a blog post, noting that clause in their Terms & Conditions was only for Arduino's Software-as-a-Service cloud applications. "Anything that was open, stays open."

And this week EE Times spoke to Guneet Bedi, SVP of Arduino, "who was unequivocal in saying that Arduino's governance structure had remained intact even after the acquisition." "As a business unit within Qualcomm, Arduino continues to make independent decisions on its product portfolio, with no direction imposed on where it should or should not go," Bedi said. "Everything that Arduino builds will remain open and openly available to developers, with design engineers, students and makers continuing to be the primary focus.... Developers who had mastered basic embedded workflows were now asking how to run large language models at the edge and work with artificial intelligence for vision and voice, with an open source mindset," he said. According to Bedi, this was where Qualcomm's technology became relevant. "Qualcomm's chipsets are high performance while also being very low power, which comes from their mobile and Android phone heritage. Despite being great technology, it is not easily accessible to design engineers because of cost and complexity. That made this a strong fit," he said.

The most visible outcome of this acquisition is Uno Q, which Bedi described as being comparable to a mid-tier Android phone in capability, starting at a price of $44. For Arduino, this marked a shift beyond microcontrollers without abandoning them. "At the end of the day, we have not gone away from our legacy," Bedi said. "You still have a real-time microcontroller, and you still write code the way Arduino developers are used to. What we added is compute, without forcing people to change how they work." Uno Q combines a Linux-based compute system with a real-time microcontroller from the STM32 family. "You do not need two different development environments or two different hardware platforms," Bedi added... Rather than introducing a customized operating system, Arduino chose standard Debian upstream. "We are not locking developers into anything," Bedi said. "It is standard Debian, completely open...." Pre-built models covering tasks like object detection and voice recognition run locally on the board....

While the first reference design uses Qualcomm silicon, Bedi was careful to stress that this does not define the roadmap. "There is zero dependency on Qualcomm silicon," he said. "The architecture is portable. Tomorrow, we can run this on something else." That distinction matters, particularly for developers wary of vendor lock-in following the acquisition. Uno Q does compete directly with platforms like Raspberry Pi and Nvidia Jetson, but Bedi framed the difference less in terms of raw performance and more in flexibility. "When you build on those platforms, you are locked to the board," he said. "Here, you can build a prototype, and if you like it, you can also get access to the chip and design your own hardware." With built-in storage removing the need for external components, Uno Q positions itself less as a faster board and more as a way to simplify what had become an increasingly messy development stack...

Looking a year ahead, Bedi believes developers should experience continuity rather than disruption. The familiar Arduino approach to embedded and real-time systems remains unchanged, while extending naturally into more compute-intensive applications... Taken together, Bedi's comments suggest that Arduino's post-acquisition direction is less about changing what Arduino is, and more about expanding what it can realistically be used for, without abandoning the simplicity that made it relevant in the first place.
"We want to redefine prototyping in the age of physical artificial intelligence," Bedi said...

The nonprofit Open Source Initiative offers "enriched" license pages with "relevant metadata to provide deeper insights and better support".

So which pages got the most pageviews in 2025? The MIT license, Apache 2.0 license, BSD licenses (3-clause and 2-clause), and GNU General Public license:

mit	(1.5M)
apache-2-0	(344k)
bsd-3-clause	(214k)
bsd-2-clause	(128k)
gpl-2-0	(76k)
gpl-3-0	(55k)
isc-license-txt	(35k)
lgpl-3-0	(34k)
OFL-1.1	(31k)
lgpl-2-1	(24k)
.	.

From the Open Source Initiative's announcement: Please note that these are aggregated pageviews from actual humans along the year of 2025... Actual humans (presumably) because the number of requests by bots or crawlers is several orders of magnitude higher (e.g. requests just for the MIT license are on the range of 10M per month).

We do provide an API service that gives access to the canonical list of OSI Approved Licenses — this is a very new service, which hopefully will be adopted by automated requests from CI/CD pipelines. One final observation is that the number of human pageviews is likely higher because we are using Plausible as our data source and a high percentage of our target audience uses Ad blockers, which by design are not accounted by Plausible. Users from China are also likely undercounted by Plausible for the same reason.

A California judge signaled support for forcing Vizio to provide the full source code for its SmartCast TV software after finding a contractual obligation under the GPL. If upheld, the case could strengthen users' rights to modify GPL-licensed software embedded in consumer electronics. The Register reports: The legal complaint from the Software Freedom Conservancy (SFC) seeks access to the SmartCast source code so that Vizio customers can make changes and improvements to the platform, something that ought to be possible for code distributed under the GPL. On Thursday, California Superior Court Judge Sandy Leal issued a tentative ruling in advance of a hearing, indicating support for part of SFC's legal challenge. The tentative ruling is not a final decision, but it signals the judge's inclination to grant the SFC's motion for summary adjudication, at least in part.

"The tentative ruling [PDF] grants SFC's motion on the issue that a direct contract was made between SFC and Vizio when SFC's systems administrator, Paul Visscher, requested the source code to a TV that SFC has purchased," the SFC said in a blog post. "This contract obligated Vizio to provide SFC the complete and corresponding source code." [...]

Karen Sandler, executive director of the SFC, told The Register in an email that the hearing went well, though Vizio's legal counsel "stridently disagreed" with the legal analysis in the tentative ruling. "Judge Leal said she would take the matter 'under submission' which means she will think about it further," Sandler said. "After the Court went off the record, Leal's clerk specifically verified the Court reporter could provide an expedited transcript, so Leal will likely review the hearing transcript soon." Sandler expects Leal will examine the filings again before issuing her opinion, which is likely to be issued in the next few weeks.

Intel has quietly stopped maintaining its open-source user-space driver stack for Gaudi accelerators. Phoronix reports: It turns out earlier this year Intel archived the SynapseAI Core open-source code and is no longer maintained by Intel. The open-source Synapse AI Core GitHub repository was archived in February and README updated with: "This project will no longer be maintained by Intel. Intel has ceased development and contributions including, but not limited to, maintenance, bug fixes, new releases, or updates, to this project. Intel no longer accepts patches to this project. If you have an ongoing need to use this project, are interested in independently developing it, or would like to maintain patches for the open source software community, please create your own fork of this project."

This week System76 launched the first stable release of its Rust-based COSMIC desktop environment. Announced in 2021, it's designed for all GNU/Linux distributions — and it shipping with Pop!_OS 24.04 LTS (based on Ubuntu 24.04 LTS).

An anonymous reader shared this report from 9to5Linux: Previous Pop!_OS releases used a version of the COSMIC desktop that was based on the GNOME desktop environment. However, System76 wanted to create a new desktop environment from scratch while keeping the same familiar interface and user experience built for efficiency and fun. This means that some GNOME apps have been replaced by COSMIC apps, including COSMIC Files instead of Nautilus (Files), COSMIC Terminal instead of GNOME Terminal, COSMIC Text Editor instead of GNOME Text Editor, and COSMIC Media Player instead of Totem (Video Player).

Also, the Pop!_Shop graphical package manager used in previous Pop!_OS releases has now been replaced by a new app called COSMIC Store.
"If you're ambitious enough, or maybe just crazy enough, there eventually comes a time when you realize you've reached the limits of current potential, and must create something completely new if you're to go further..." explains System76 founder/CEO Carl Richell: For twenty years we have shipped Linux computers. For seven years we've built the Pop!_OS Linux distribution. Three years ago it became clear we had reached the limit of our current potential and had to create something new. Today, we break through that limit with the release of Pop!_OS 24.04 LTS with the COSMIC Desktop Environment. Today is special not only in that it's the culmination of over three years of work, but even more so in that System76 has built a complete desktop environment for the open source community... I hope you love what we've built for you. Now go out there and create. Push the limits, make incredible things, and have fun doing it!

This week the Free Software Foundation honored Andy Wingo, Alx Sa, and Govdirectory with this year's annual Free Software Awards (given to community members and groups making "significant" contributions to software freedom): Andy Wingo is one of the co-maintainers of GNU Guile, the official extension language of the GNU operating system and the Scheme "backbone" of GNU Guix. Upon receiving the award, he stated: "Since I learned about free software, the vision of a world in which hackers freely share and build on each others' work has been a profound inspiration to me, and I am humbled by this recognition of my small efforts in the context of the Guile Scheme implementation. I thank my co-maintainer, Ludovic Courtès, for his comradery over the years: we are just building on the work of the past maintainers of Guile, and I hope that we live long enough to congratulate its many future maintainers."

The 2024 Award for Outstanding New Free Software Contributor went to Alx Sa for work on the GNU Image Manipulation Program (GIMP). When asked to comment, Alx responded: "I am honored to receive this recognition! I started contributing to the GNU Image Manipulation Program as a way to return the favor because of all the cool things it's allowed me to do. Thanks to the help and mentorship of amazing people like Jehan Pagès, Jacob Boerema, Liam Quin, and so many others, I hope I've been able to help other people do some cool new things, too."

Govdirectory was presented with this year's Award for Projects of Social Benefit, given to a project or team responsible for applying free software, or the ideas of the free software movement, to intentionally and significantly benefit society. Govdirectory provides a collaborative and fact-checked listing of government addresses, phone numbers, websites, and social media accounts, all of which can be viewed with free software and under a free license, allowing people to always reach their representatives in freedom...

The FSF plans to further highlight the Free Software Award winners in a series of events scheduled for the new year to celebrate their contributions to free software.

Qualcomm has acquired RISC-V startup Ventana to strengthen its CPU ambitions beyond mobile, "reinforcing its commitment and leadership in the development of the RISC-V standard and ecosystem," the company said in a press release. CRN Magazine reports: The San Diego-based company said Ventana's expertise in RISC-V, a free and open alternative to the Arm and x86 instruction set architectures, will enhance its CPU engineering capabilities and complement "existing efforts to develop custom Oryon CPU technology." Financial terms of the deal were not disclosed.

Qualcomm, which has already been using RISC-V for some products outside the PC and server markets, said Ventana's contributions will boost its "technology leadership in the AI era across all businesses," indicating the broad impact expected by this acquisition. "We believe the RISC-V instruction set architecture has the potential to advance the frontier on CPU technology, enabling innovation across products," Durga Malladi, executive vice president and general manager of technology planning, edge solutions and data center for Qualcomm, said in a statement. "The acquisition of Ventana Micro Systems marks a pivotal step in our journey to deliver industry-leading RISC-V-based CPU technology across products."

Further reading: Qualcomm Is Buying Arduino, Releases New Raspberry Pi-Esque Arduino Board

OpenAI, alongside Anthropic and Block, have launched the Agentic AI Foundation under the Linux Foundation, describing it as a neutral home for standards as agentic systems move into real production. It may sound well-meaning, but Slashdot reader and NERDS.xyz founder BrianFagioli isn't buying the narrative. In a report for NERDS.xyz, Fagioli writes: Instead of opening models, training data, or anything that would meaningfully shift power toward the community, the companies involved are donating lightweight artifacts like AGENTS.md, MCP, and goose. They're useful, but they're also the safest, least threatening pieces of their ecosystem to "open." From where I sit, it looks like a strategic attempt to lock in influence over emerging standards before truly open projects get a chance to define the space. I see the entire move as smoke and mirrors.

With regulators paying closer attention and developer trust slipping, creating a Linux Foundation directed fund gives these companies convenient cover to say they're being transparent and collaborative. But nothing about this structure forces them to share anything substantial, and nothing about it changes the closed nature of their core technology. To me, it looks like Big Tech trying to set the rules of the game early, using the language of openness without actually embracing it. Slashdot readers have seen this pattern before, and this one feels no different.

It runs locally, a free/open source home automation platform connecting all your devices together, regardless of brand. And GitHub's senior developer calls it "one of the most active, culturally important, and technically demanding open source ecosystems on the planet," with tens of thousands of contributors and millions of installations.

That's confirmed by this year's "Octoverse" developer survey... Home Assistant was one of the fastest-growing open source projects by contributors, ranking alongside AI infrastructure giants like vLLM, Ollama, and Transformers. It also appeared in the top projects attracting first-time contributors, sitting beside massive developer platforms such as VS Code... Home Assistant is now running in more than 2 million households, orchestrating everything from thermostats and door locks to motion sensors and lighting. All on users' own hardware, not the cloud. The contributor base behind that growth is just as remarkable: 21,000 contributors in a single year...

At its core, Home Assistant's problem is combinatorial explosion. The platform supports "hundreds, thousands of devices... over 3,000 brands," as [maintainer Franck Nijhof] notes. Each one behaves differently, and the only way to normalize them is to build a general-purpose abstraction layer that can survive vendor churn, bad APIs, and inconsistent firmware. Instead of treating devices as isolated objects behind cloud accounts, everything is represented locally as entities with states and events. A garage door is not just a vendor-specific API; it's a structured device that exposes capabilities to the automation engine. A thermostat is not a cloud endpoint; it's a sensor/actuator pair with metadata that can be reasoned about.

That consistency is why people can build wildly advanced automations. Frenck describes one particularly inventive example: "Some people install weight sensors into their couches so they actually know if you're sitting down or standing up again. You're watching a movie, you stand up, and it will pause and then turn on the lights a bit brighter so you can actually see when you get your drink. You get back, sit down, the lights dim, and the movie continues." A system that can orchestrate these interactions is fundamentally a distributed event-driven runtime for physical spaces. Home Assistant may look like a dashboard, but under the hood it behaves more like a real-time OS for the home...

The local-first architecture means Home Assistant can run on hardware as small as a Raspberry Pi but must handle workloads that commercial systems offload to the cloud: device discovery, event dispatch, state persistence, automation scheduling, voice pipeline inference (if local), real-time sensor reading, integration updates, and security constraints. This architecture forces optimizations few consumer systems attempt.
"If any of this were offloaded to a vendor cloud, the system would be easier to build," the article points out. "But Home Assistant's philosophy reverses the paradigm: the home is the data center..."

As Nijhof says of other vendor solutions, "It's crazy that we need the internet nowadays to change your thermostat."

"Homebrew, the package manager for macOS and Linux, just got a handy new feature in the latest v5.0.4 update," reports How-To Geek.

Brewfile install scripts "are now more like a one-stop shop for installing software, as Flatpaks are now supported alongside Brew packages, Mac App Store Apps, and other packages." For those times when you need to install many software packages at once, like when setting up a new PC or virtual machine, you can create a Brewfile with a list of packages and run it with the 'brew bundle' command. However, the Brewfile isn't limited to just Homebrew packages. You can also use it to install Mac App Store apps, graphical apps through Casks, Visual Studio Code extensions, and Go language packages. Starting with this week's Homebrew v5.0.4 release, Flatpaks are now supported in Brewfiles as well...

This turns Homebrew into a fantastic setup tool for macOS, Linux, and Windows Subsystem for Linux (WSL) environments. You can have one script with all your preferred software, and use 'if' statements with platform variables and existing file checks for added portability.

During last month's KubeCon North America in Atlanta, Kubernetes maintainers announced the upcoming retirement of Ingress NGINX. "Best-effort maintenance will continue until March 2026," noted the Kubernetes SIG Network and the Security Response Committee. "Afterward, there will be no further releases, no bugfixes, and no updates to resolve any security vulnerabilities that may be discovered." In a recent op-ed for The Register, Steven J. Vaughan-Nichols reflects on the decision and speculates about what might have prevented this outcome: Ingress NGINX, for those who don't know it, is an ingress controller in Kubernetes clusters that manages and routes external HTTP and HTTPS traffic to the cluster's internal services based on configurable Ingress rules. It acts as a reverse proxy, ensuring that requests from clients outside the cluster are forwarded to the correct backend services within the cluster according to path, domain, and TLS configuration. As such, it's vital for network traffic management and load balancing. You know, the important stuff.

Now this longstanding project, once celebrated for its flexibility and breadth of features, will soon be "abandonware." So what? After all, it won't be the first time a once-popular program shuffled off the stage. Off the top of my head, dBase, Lotus 1-2-3, and VisiCalc spring to my mind. What's different is that there are still thousands of Ingress NGINX controllers in use. Why is it being put down, then, if it's so popular? Well, there is a good reason. As Tabitha Sable, a staff engineer at Datadog who is also co-chair of the Kubernetes special interest group for security, pointed out: "Ingress NGINX has always struggled with insufficient or barely sufficient maintainership. For years, the project has had only one or two people doing development work, on their own time, after work hours, and on weekends. Last year, the Ingress NGINX maintainers announced their plans to wind down Ingress NGINX and develop a replacement controller together with the Gateway API community. Unfortunately, even that announcement failed to generate additional interest in helping maintain Ingress NGINX or develop InGate to replace it." [...]

The final nail in the coffin was when security company Wix found a killer Ingress NGINX security hole. How bad was it? Wix declared: "Exploiting this flaw allows an attacker to execute arbitrary code and access all cluster secrets across namespaces, which could lead to complete cluster takeover." [...] You see, the real problem isn't that Ingress NGINX has a major security problem. Heck, hardly a month goes by without another stop-the-presses Windows bug being uncovered. No, the real issue is that here we have yet another example of a mission-critical open source program no one pays to support...

Core Devices has fully open-sourced the entire Pebble software stack and confirmed the first Pebble Time 2 shipments will start in January. "This is the clearest sign yet that the platform is shifting from a company-led product to a community-backed project that can survive independently," reports Gadgets & Wearables. From the report: The announcement follows weeks of tension between Core Devices and parts of the Pebble community. By moving from 95 to 100 percent open source, the company has essentially removed itself as a bottleneck. Users can now build, run, and maintain every piece of software needed to operate a Pebble watch. That includes firmware for the watch and mobile apps for Android and iOS. This puts the entire software stack into public hands. According to the announcement, Core Devices has released the mobile app source code, enabled decentralized app distribution, and made hardware more repairable with replaceable batteries and published design files.

Thunderbird Pro has moved its Thundermail email service into production testing as the open-source email client's subscription bundle of additional services prepares for an Early Bird beta launch at $9 per month that will include email hosting, encrypted file sharing through Send, and scheduling via Appointment.

Internal team members are now testing Thundermail accounts and the new Thunderbird Pro add-on automatically adds Thundermail accounts for users who sign up through it. The project migrated its data hosting from the Americas to Germany and the EU.

Appointment received a major visual redesign being applied across all three services while Send completed an external security review and moved from its standalone add-on into the unified Thunderbird Pro add-on. The new website at tb.pro is live for signups and account management.

Microsoft has released the source code for Zork I, II, and III under the MIT License through a collaboration with Team Xbox and Activision that involved submitting pull requests to historical source repositories maintained by digital archivist Jason Scott. Each repository now includes the original source code and accompanying documentation.

The games arrived on early home computers in the 1980s as text-based adventures built on the Z-Machine, a virtual machine that allowed the same story files to run across different platforms. Infocom created the Z-Machine after discovering the original mainframe version was too large for home computers. The team split the game into three titles that all ran on the same underlying system.

The code release covers only the source files and does not include commercial packaging or trademark rights. The games remain available commercially through The Zork Anthology on Good Old Games and can be compiled locally using ZILF, a modern Z-Machine interpreter.

Blender 5.0 has been released with major upgrades including HDR and wide-gamut color support on Linux via Wayland/Vulkan, significant theme and UI improvements, new color-space tools, revamped curve and geometry features, and expanded hardware requirements. 9to5Linux reports: Blender 5.0 also introduces a working color space for Blend files, a new AgX HDR view, a new Convert to Display compositor node, new Rec.2100-PQ and Rec.2100-HLG displays that can be used for color grading for HDR video export, and new ACES 1.3 and 2.0 views as an alternative to AgX and Filmic.

A new "Jump Time by Delta" operator for jumping forward/backward in time by a user-specified delta has been introduced as well, along with a revamped Curve drawing, which better supports the new Curves object type and all of their features, and a new Geometry Attribute constraint.

Also new is a "Cylinder" option for curve display type that allows rendering thicker curves without the flat ribbon appearance, support for the Zstd (Zstandard) fast lossless compression algorithm for point caches, as well as a new "Curve Data" panel in edit mode that allows tweaking built-in curve attribute values. A full list of changes can be found here. You can download from the official website.

Android's security team published a blog post this week about their experience using Rust. Its title? "Move fast and fix things." Last year, we wrote about why a memory safety strategy that focuses on vulnerability prevention in new code quickly yields durable and compounding gains. This year we look at how this approach isn't just fixing things, but helping us move faster.

The 2025 data continues to validate the approach, with memory safety vulnerabilities falling below 20% of total vulnerabilities for the first time. We adopted Rust for its security and are seeing a 1000x reduction in memory safety vulnerability density compared to Android's C and C++ code. But the biggest surprise was Rust's impact on software delivery. With Rust changes having a 4x lower rollback rate and spending 25% less time in code review, the safer path is now also the faster one... Data shows that Rust code requires fewer revisions. This trend has been consistent since 2023. Rust changes of a similar size need about 20% fewer revisions than their C++ counterparts... In a self-reported survey from 2022, Google software engineers reported that Rust is both easier to review and more likely to be correct. The hard data on rollback rates and review times validates those impressions.

Historically, security improvements often came at a cost. More security meant more process, slower performance, or delayed features, forcing trade-offs between security and other product goals. The shift to Rust is different: we are significantly improving security and key development efficiency and product stability metrics.

With Rust support now mature for building Android system services and libraries, we are focused on bringing its security and productivity advantages elsewhere. Android's 6.12 Linux kernel is our first kernel with Rust support enabled and our first production Rust driver. More exciting projects are underway, such as our ongoing collaboration with Arm and Collabora on a Rust-based kernel-mode GPU driver. [They've also been deploying Rust in firmware for years, and Rust "is ensuring memory safety from the ground up in several security-critical Google applications," including Chromium's parsers for PNG, JSON, and web fonts.]
2025 was the first year more lines of Rust code were added to Android than lines of C++ code...

FFmpeg, the open source multimedia framework that powers video processing in Google Chrome, Firefox, YouTube and other major platforms, has called on Google to either fund the project or stop burdening its volunteer maintainers with security vulnerabilities found by the company's AI tools. The maintainers patched a bug that Google's AI agent discovered in code for decoding a 1995 video game but described the finding as "CVE slop."

The confrontation centered on a Google Project Zero policy announced in July that publicly discloses reported vulnerabilities within a week and starts a ninety-day countdown to full disclosure regardless of patch availability. FFmpeg, written primarily in assembly language, handles format conversion and streaming for VLC, Kodi and Plex but operates without adequate funding from the corporations that depend on it. Nick Wellnhofer resigned as maintainer of libxml2, a library used in all major web browsers, because of the unsustainable workload of addressing security reports without compensation and said he would stop maintaining the project in December.