The video highlights the inherent paradox of Linux, where superior performance and hardware modularity are currently overshadowed by critical kernel-level vulnerabilities. It serves as a pragmatic reminder that technical freedom requires constant vigilance against systemic security flaws.
Deep Dive
Ubuntu under attack, Big flaw affects all Linux distros, Linux beats Windows - Linux Weekly News
Hey everyone, and we have a big one this week because first, Ubuntu's entire infrastructure is or was under attack from a, let's call it, activist group. We also have Linux beating Windows in two key areas, performance, but also sales for Framework. And we also have Ubuntu saying that they're going to add AI to the desktop distro and to their development process. We have some more news on age verification and a bunch of other interesting stuff, including this message from our sponsor.
This video is sponsored by Squarespace. And if you need a website these days, you probably have heard about them. They are your all-in-one platform to build, to customize, to run, and to maintain your own online presence and of course your website. Squarespace has super easy tools to make sure that anyone that doesn't know how to code or knows how to code can make a very fast, very nice-looking, and very well optimized website. They have what they call their blueprint system. It lets you pick from a variety of templates that are pre-built. They let you build anything from a blog, a video platform, a personal page, a portfolio, an online store, whatever. Those templates are, of course, optimized to give you solid SEO.
They also have the SEO tools that you need to make sure that your website stays relevant in search results. And on top of that, they have their own design engine that lets you tweak all those templates with a simple drag and drop system, letting you change the colors, the fonts, the placement of elements on the page. Or you can just answer a few questions and have Squarespace just build the entire website for you. And of course, once you're satisfied with that design, you can add some extra features on top. You can set up a donations page, a membership page. You can have an online store complete with multiple payment methods supported. You also have tools to design your own logo, to book your own domain name, to have your own business email on that same domain name.
It's your real complete solution to handle all your website needs. So check out squarespace.com/thelininuxperiment.
You can start a 14-day trial and you can also get a 10% discount off of your first purchase or domain name.
So it looks like Ubuntu's infrastructure was targeted this week. It was a deliberate attack from what it looks like, resulting in 503 errors for users trying to access ubuntu.com, the main repos, and a bunch of other websites that Ubuntu runs or Canonical runs, including the main Canonical website. The country mirrors for packages are still up, but the main official Ubuntu repos aren't.
The documentation is also still up.
Apparently, this comes from a cyber group from Iraq who claimed this attack.
They sent a direct message to Canonical asking them to open a negotiation unless they want the attack to continue. Now, this is probably an attempt at extorting them out of some money. At the time I'm recording this, we don't know if Ubuntu has negotiated or will ever do that. But the main issue is that this puts a bunch of servers at risk. Potential vulnerabilities that could have been patched might not be for servers that depend on the main Ubuntu repos. So the longer this attack continues, the longer servers become vulnerable and other attacking groups could take advantage of the situation or the same attacking group could also take advantage of this.
And we'll see in this episode that we have something called copy fail, which is a big flaw that needs to be patched on all Linux distros, including Ubuntu.
So the timing is pretty bad or pretty intentional. Saturday morning, Nick here. This story has evolved since I recorded this yesterday. It looks like most of Ubuntu's infrastructure is now up and running. At least their website is. Their package archive seems to be, which will mitigate most of the impact.
They still have the announcement saying that they are under attack up on their Discourse. So, it looks like things might not be fully settled yet, but at least everything seems accessible. And they also seem to have a patch available for the copy fail vulnerability, which we'll talk about now.
And speaking of exploits, there's a nasty new one for all Linux systems that lets an attacker grab root access. It is called copy fail, and it is a kernel bug that is apparently very easy to exploit. A tiny script is apparently all you need to move up from a regular process running in user space as an unprivileged user all the way up to root. And it affects every single Linux distro out there, unless maybe you have a very very old Linux kernel that doesn't have the vulnerability. The way it works is that it corrupts the kernel page cache and it doesn't affect any specific file on your system, meaning it is basically impossible to detect, at least by conventional tools, and nothing looks like it's been corrupted and changed.
The change happens in memory, which is where the kernel gets its info anyway.
An attacker could also jump from a container to the host system using this or from a container to another one. So any small process running without privileges could turn into a nightmare for the entire server and all the containers in it. This is all based on a bug in the kernel that was undetected for years. Fortunately, a fix has already been published and is already committed to the kernel since early April to remove the performance optimization that allows for this to happen. Now, just because the fix has been committed to the mainline kernel does not mean that your system has been updated. So, double or triple check if your distro, your servers, if your desktop, if your laptop has received said update.
Your distro probably has a page listing all vulnerabilities and fixes that they apply. Go check that to see if your system is up to date.
Now, let's talk about Linux winning against Windows in two areas. The first one is on the sales of the new Framework Laptop Pro because it seems to sell better with Linux pre-installed than the Windows model does. Framework said that the Ubuntu configurations are outselling the Windows ones, which in itself is not surprising. The Linux mentality meshes very well with hardware that is repairable, upgradable, and gives control back to the user. We tend to value things and software that lets us tweak, customize, and generally just control how things work. And there aren't many laptops out there that give you as much control over the hardware as what Frameworks do. Even if you don't take advantage of that, in the end, the modularity of the device is pretty much unmatched. It's also not that surprising that we're beating Windows because Linux is growing quite fast these days.
Windows has a really bad image problem.
So, you might also draw in people who want to try something different. And it's really good to see Linux doing that. Well, it is from a manufacturer where you would expect Linux to do better than Windows because those match pretty well. It's not like it's Acer or Asus outselling with their Linux laptops, their Windows laptops, but it's still a pretty big win here. And Linux keeps winning as well in terms of performance. Phoronix did their usual Ubuntu LTS versus Windows 11 benchmark.
And as usual, Linux seems to soundly beat Windows in most performance metrics that were tested for. They conducted their tests on a big workstation using a Threadripper Pro CPU, an Nvidia RTX 6000 Max-Q card with 32 gigs of RAM, and they compare 26.04 LTS to Windows 11 Pro, both on clean installs with their default configuration. The average gives Ubuntu a 9% performance advantage, but they also tested native Linux installed on bare metal versus WSL, so the Windows Subsystem for Linux. And here again, native Linux takes the cake, beating WSL in compilation tests, in database related tests, and in HTTPS performance for servers. The only places where Windows outperformed Ubuntu was in graphics benchmarks like GravityMark or 3DMark, probably due to better Nvidia drivers on Windows than on Linux, I would say. And even there, Ubuntu beat Windows or matched it in most other graphics tests, especially when using Vulkan or OpenGL. Now, this is the usual result for these benchmarks. Linux is just a better optimized system than Windows. We have fewer services running in the background, fewer ads, a less demanding operating system in general in terms of resources. And imagine if Ubuntu LTS beats Windows 11 Pro. Imagine what stuff like CachyOS or more specialized and optimized distros could do. So, yeah, another win for Linux.
Now, let's go back to Ubuntu because they are apparently going all in on AI in the distro. They said that first Canonical as a company will be adopting AI where it makes sense. They're going to let teams pick what they would like to use and they'll give them time to try and integrate this into their workflows.
They're giving themselves six months to look at the potential use cases. They say that they will not use any measurement on how much teams use AI more on how well these tools help the teams deliver what is expected of them.
They also said that AI will not replace engineering jobs at Canonical. They said that they want to be considered to avoid the slop contributions and the slop pull requests and also that they will look at the various models' licenses. They're saying that models with open weights aren't really open source. They're not as open as what we would want to use in the open source community. So they will focus on models where the licensing terms are the most compatible with what they call Canonical's values and also they have a preference for things that will run locally. Now on top of their development process they're also looking at integrating AI features inside of the distro itself, specifically talking about text-to-speech and speech-to-text, saying that these aren't really AI features, but more accessibility features and that those can be done locally and accurately. But they also said that they're looking at agentic workflows to create new documents, new apps, automatic troubleshooting or automating personal tasks and daily recaps. This will be handled through snaps, what they call inference snaps, which already exist. Uh, these are local AI models installed as snaps and presumably optimized for your hardware. These would use snaps' strict confinement so things are relatively secure. And they're also saying that they could use this for server management for fleet management.
And finally they say that of course since you're going to be running things locally it means that capable hardware will be needed. So they will look at efficiency as well as actual features.
Of course, a lot of the Linux and open source community did not take this news well and started speculating on whether Ubuntu would force feed AI down our throats and so they clarified. So first they said that there will not be a global kill switch for AI features in Ubuntu like what Firefox offers. Instead the kill switch is to not enable them cuz at first at least they will be opt-in, or if you opted in you can just uninstall, uh, the inference snaps. And so if you don't have any models, you also cannot really use the AI features using these models. So they said this will be opt-in as preview in 26.10 for initial testing. And as things mature, they will add a step in the initial setup tour. So users can decide to enable those things or not. Those snaps will not be part of the default install probably because they would be way too big. So users will have to voluntarily request them to install them on the system. They also clarified that their plan doesn't include sending any logs to the cloud.
All will be local by default. They also said that you will need to explicitly configure stuff yourself to use a cloud-based solution because you would have to enter your API token or your own credentials. Finally, they said that they do not want to force AI on all desktops. They just want to add features where it makes sense in a way that the user can trust and that is well integrated with the system. Again they talked about text to speech, speech to text, uh managing the camera focus and the like. Still they said that they will ship code that is written or assisted by AI since most other projects including the Linux kernel are doing it anyway.
That is the direction everyone is going towards these days adding AI features.
It's just unavoidable. It's really annoying to me because this doesn't solve the main ethical problem with all large language models. They are not open. Their data sets are not open and they're not sourced with consent from the actual authors of everything that has been used. For accessibility features, it's good I guess at least because it means that we can replace the awful robotic voices on Linux with actual working ones which will be pretty useful. Doesn't solve the ethical problem though. And I guess at least as long as it stays opt-in and nothing comes pre-installed on your system that you can't really remove. And if everything is local, that at least solves the privacy nightmare of most AI agents.
Now, the EU app that was developed to handle age verification had already some flaws discovered in 2 minutes after the source code was made public. The security researcher who found this specific flaw managed to just find that the application saves the user's PIN which is used to unlock access to that digital wallet. Uh, well, that PIN is stored unencrypted in a specific configuration file. Meaning anyone with access to the device's file system, which is not that hard to do, can delete the original PIN values, restart the application and set up a brand new PIN and then impersonate anyone they want.
This was of course fixed right afterwards, uh, after it was disclosed.
But there are still problems. For example, the application is badly protected against brute-force PIN guessing, meaning it fails to really lock out users that try to type multiple PINs until stuff works. And the configuration file, which is unencrypted, also lets attackers switch a single word from true to false to remove the entire biometric authentication, which is absolutely terrible. Now, this has been fixed quickly, but the security researcher who found the flaw said that the fix can be bypassed easily, and he said that the EU tries to fix a problem that they just don't understand. The European Commission said that they are ready to improve what can be improved. But here, we're not talking about improvement.
We're talking about crucial security. In short, the application could become the prime target for hackers because it is where all EU citizens could potentially store their IDs or biometric data. So, it needs to be hackerproof and that's basically impossible. The researcher says that the very concept of the app is flawed by storing these credentials on device by not deleting them afterwards and that even if the implementation was perfect, storing the credentials just defeats the entire purpose. And the very idea of this app existing and maybe being mandatory in some places might push malicious actors to try and build fake applications that steal users' IDs or that it will push people to less regulated and less secure platforms altogether to bypass the entire age verification process. There are also other concerns like for example excluding from the digital world people without official documentation like refugees. It could also lead to identity verification instead of just age verification. Basically, the reaction seems to be you're placing the burden of age verification and of security on actual citizens, not on the companies that need to check the age, which is not the right response.
Of course, this week Valve announced the Steam Controller's price and pre-order date. It will cost $99, which is not cheap for a controller, and it will be available on May the 4th. We don't know about the Steam Frame and Steam Machine yet, but the controller at least looks very interesting with magnetic sticks with the two touch pads similar to what the Deck has, four haptic motors, about 35 hours of gameplay on a single charge, and a magnetic charger that lets you play at the same time as you're charging. There's also gyro support, grip buttons like on the Deck, and the same button layout and additional buttons like quick access and Steam button. It will support Steam Input so you can customize your layouts.
It works on any device, whether it's Windows, Mac, Linux, the Steam Deck, the Frame, the Machine, whatever. Initial reviews seemed pretty good, saying that the design is solid, that the battery life is great. And also pointing out the lack of an audio jack as a negative, because this could be a bummer for people looking for a console-like experience with a set of headphones that you then have to go and plug into your TV maybe or into your computer or use Bluetooth stuff, which tends to have a little bit of latency. Although the Steam Controller is also connected through Bluetooth in most cases, unless you use their special adapter, so the latency might be here as well. As for the price, it is high at $100, but compared to the Pro Controllers that the PS5 or the Xbox Series X has, those other ones that come with the back paddles and all the nice features, then you see that the Steam Controller is actually way cheaper than them.
Interestingly, Valve also confirmed that they're hard at work on a Steam Deck 2, saying that they are not interested in having the same battery life, but with a 20 to 50% better performance gap.
They want something more than that.
Pierre-Loup Griffais at Valve said that they have a good idea of what the new Deck will be, but that there is basically no hardware currently, uh, no APU available that they would like to use to reach what they want to accomplish. I will likely not get a review unit of the Steam Controller. If I had to have one, I would probably already have received it. I still reached out to my contact at Valve for maybe a review unit of the Steam Machine and Steam Frame. We'll see. I'll probably still buy the Steam Controller cuz I play on a PC and that controller has the same layout and options as the Steam Deck, which I'm very used to. So, I think that's going to be good.
Anthropic is now sponsoring Blender. A few AI companies have started doing this kind of stuff, injecting money in free and open source projects, probably in a bid to appear more friendly to the open source community, even though their work is often not open source, and the real reason is to interface with what is generally viewed as a standard of open-source software.
Anthropic joined the Blender Foundation as a corporate patron, which apparently doesn't give them any power to decide where the project goes or what it gets to work on. The Blender Foundation still decides what is getting done and in which order. As they say, these donations do not imply any alignment of Blender with the donor's mission, product, or strategy. So, they're not endorsing Anthropic or Claude by accepting the donation, although they sort of are still cuz you're accepting the money. The donation is apparently €240,000 potentially yearly if it's renewed. And this money will be apparently directed towards developing a better Python API to automate and script Blender use. And by sheer coincidence, Anthropic will use this Python API to make their AI assistant available to interact with Blender scenes. Anthropic announced the development of set connectors for Ableton, for Adobe products, for Affinity, for Autodesk Fusion, for SketchUp, Splice, and of course for Blender. So while the donation doesn't force Blender to do anything with Claude or integrate it or work with them, the money is still headed towards developing something that will absolutely help Anthropic invade Blender. So it kind of seems like there's some form of dependency here, which I'm not a big fan of. But on the other hand, it is still a very sizable donation for Blender. It is a lot of money. Whether the Blender project has a lot more than this usually or not, it's still a quarter million dollars. So, it is still pretty useful to develop some stuff. And Saturday morning, Nick is back at it again because this story also evolved since I recorded it yesterday.
Facing user backlash, Blender decided to amend the deal. They Darth Vader-styled it. And basically, Anthropic will no longer be a full-on sponsor. They're just going to give the money as a donation, meaning they are not sponsored by Anthropic. Anthropic just donated some money. It looks like it's still going to be used for the same kind of purposes, but at least, uh, this doesn't entail any form of collaboration between the two companies, which of course a lot of people don't like. And on top of that, Blender also said that they are going to change their funding policy to amend how they accept money from whom and which rights does it grant to anyone. So, it's way clearer on how the money coming in will affect Blender's decision process. And they specifically targeted or at least talked about AI companies, which means that they are probably going to have to take a stance on generative AI and have a clear policy around this, which I think is for the best. I think every project should position themselves as we accept AI generated stuff. We want to collaborate with GenAI, we don't want GenAI at all because that gives a strong statement.
It is not just a technical issue. It is an entire ethical issue and so every project having a stance on that that users can refer to is I think very helpful.
Now this week Fedora 44 was released after a two-week delay. Of course it runs on Gnome 50 or Plasma 6.6 for the other official edition of Fedora. And of course, the various spins got updates to the same base and to their latest available version of their chosen desktop or window manager. Fedora 44 runs on the kernel 6.19 which is already end of life. So at some point they will probably move to the kernel 7.0. Although it has been pointed out to me that this kernel currently has a problem with certain databases which is probably why they didn't use the kernel 7 and went with the end of life one.
Notable changes in the distro base and spins include the Fedora game spin, moving to KDE instead of using XFCE, the automatic device tree selection for ARM builds of the distro, so installing Fedora on an ARM device should be a bit easier.
The repos now include the Nix package manager if you want to install that more easily. The PackageKit backend for installing packages moved to DNF5 for faster installs. The NTSYNC kernel driver is now enabled by default in the distro for potentially faster gaming performance. The Asahi Remix version of Fedora for Apple Silicon Macs defaults to upstream Mesa because it now includes the latest work that the Asahi team contributed. And the KDE edition moved to the Plasma Login Manager and to the Plasma Setup for their first run setup wizard. It is a big update for Fedora users and one that should not technically break things in the background, compared to, for example, Ubuntu 26.04 LTS which has big underlying changes compared to 24.04 or even just the previous version released 6 months ago. Interesting one. I always love Fedora. It's a really good distro.
And to conclude, there's a new campaign to try and warn people about the recent moves Google is making on Android,
specifically the fact that they will put in place that developer portal that requires submitting an ID, identifying with Google, and even potentially paying a fee to be able to submit any application, whether it is on the Google Play Store or not at all, thus granting Google even more control over what runs on Android compared to what happens currently. The campaign is called Keep Android Open with a countdown to the date that this goes into effect, which is in less than 5 months. As they say, your phone is about to stop being yours because Google will have the ability to block any Android app that hasn't registered with them. And while you can bypass that, it is a very convoluted process with a completely unnecessary 24-hour waiting period and it will absolutely not be achieved by most people. Now, as the website says, people buy into Android because it is more open and Google sold Android as being more open. And so this ends up being an issue for a lot of Android users because it is going to be less open than even potentially iOS. On top of that, this hurts independent developers and people who would like to learn how to make apps who might not have the capacity to pay for a registration fee or even to register if they don't have an official ID depending on the country where they live. This could also potentially completely kill alternative app stores like F-Droid because F-Droid cannot register every app they publish under their own name. This would grant them ownership of them. They don't have that.
And they also don't want to force developers to be registered with Google because that would completely defeat the purpose of F-Droid. This will also grant Google the ability to just simply comply with any government demand. If a government doesn't like a specific type of application like a VPN, Google will have the ability to block all VPNs in one go on the platform, including sideloaded apps. The site also debunks the common arguments for more app control like security because this is already handled by Google Play Protect and malware developers could absolutely register on that portal. They can already register on Google Play and publish malware on Google Play. The "you can work around it" argument is also not that great because this is a 9-step process that includes a 24-hour wait period. So yes, you can bypass this, but it is absolutely meant to deter people from ever doing that, and it is meant to be convoluted and difficult to scare people away from sideloading stuff that they would control. They conclude by giving a few ideas to fight back against this, mostly through regulators and signing the change.org petition that they created as well as asking developers to not register with that portal because if developers don't use it then Google can't really enforce it.
Now this feels like a losing battle.
Most Android developers will register on this. Most users will just not care about sideloading anyway. But I'm also pretty sure the EU won't let this fly for too long because this is absolutely malicious compliance. The EU asked Google to open up Android to sideloading and in doing that they instead granted themselves more control over sideloaded applications which of course goes against the spirit of what the EU is trying to accomplish. So I would be very surprised if this was allowed to exist in its current form for longer at least in the EU but that's not sort and that's not the entirety of the world either. So yeah, let's fight against this. That sucks. This is a really bad move from Google.
What would be a good move though is to check out the devices from our sponsor Tuxedo Computers. So, Tuxedo is my hardware manufacturer of choice these days because they bring laptops and desktops that ship with Linux out of the box and the hardware that they sell is highly compatible with Linux. They even contribute directly to the Linux kernel to make sure that all the little features, bits and bobs are well supported. They have a big range of computers. They're based in Germany, but they ship to most countries in the world. And you have a lot of agency on the parts that you want inside, on the keyboard layout you want on your laptop, and on the logo or no logo that you want engraved on the lid of your device as well. They're really cool. I only use their computers to do everything these days. They've been a supporter of the channel for three or four years now. And as usual, the link to their website is down in the description.
Anyway, this will conclude today's episode. Thank you for watching and or listening to it. You have all the usual YouTube buttons down, uh, under the video. You know why you should interact with all of that and the comment section. You also have plenty of links down in the description to support the show if you want to do so.
And of course, uh, you'll see me in the next one next week. Bye.