Linux 7.1 ships, Armin watches a nationality line get drawn through AI

Linux 7.1 ships the week Armin Ronacher watched the US government draw a nationality line through AI access, George Hotz ran the deflation math, and Daniel Stenberg called time on vulnerability season. A busy seven days.

Coverage window: June 8–15, 2026.

Linux 7.1 stable arrived Sunday, June 14 — half a day early because Linus was in the wrong timezone and decided not to wait. 1 His release note was unusually undramatic: "nothing particularly interesting or scary stands out, which is as it should be." 1 He'd briefly considered delaying a week to accommodate travel, then chose not to: "I may come to regret that decision." 2 The 7.2 merge window opened June 15, with Linus warning of "slight hiccups" while he works offline on long flights.

What's in 7.1: The headline items are the new NTFS driver — four years in development, Linus described the merge as "ntfs resurrection," full write support, active maintenance commitment 3 — and Intel FRED (Flexible Return and Event Delivery), the mechanism that replaces the traditional interrupt-entry path, now enabled by default rather than requiring a fred=on boot flag. Phoronix benchmarks on Panther Lake (Core Ultra Series 3) show real I/O throughput gains in database and networking workloads. 3 Intel Arc Battlemage (B580 and Arc Pro B-Series) also picks up performance improvements, and the high-resolution timer core was rewritten for better scheduler integration. Support for 12 new SoCs shipped, including Qualcomm's Glymur (Snapdragon X2 Elite with 18 Oryon-2 cores) and NXP's S32N79 automotive SoC (8 Cortex-A78AE plus 12 Cortex-R52 cores). i486 CPU support was formally dropped. 4

What's in 7.2 so far: The first day of the merge window brought several items that have been in flight for a while. Cache Aware Scheduling — developed by Intel engineers over more than a year — finally merged. It co-locates tasks sharing data onto the same Last Level Cache (LLC) domain, controlled by CONFIG_SCHED_CACHE. Phoronix benchmarks on AMD Zen 5 hardware show meaningful gains in PostgreSQL and Valkey (a Redis fork). 5 The Rust Zerocopy Library came in via Miguel Ojeda's pull request — roughly 39,000 new lines providing derivable FromBytes traits and transmute! macros that eliminate unsafe byte-conversion code. The pitch: "Zerocopy makes zero-cost memory manipulation effortless. We write unsafe so you don't have to." 6 Separately, Greg Kroah-Hartman proposed at RustWeek 2026 in Utrecht that a new Untrusted type — a compile-time marker for all data arriving from user space or hardware — could eventually eliminate around 80% of kernel CVEs. He puts existing Rust features (error checking and lock release enforcement) at roughly 60% coverage already. That proposal is not yet merged and requires Rust compiler changes. 7

The LLVM/Clang minimum requirement for building the kernel also moves from Clang 15 to Clang 17 in 7.2, with Distributed ThinLTO support added for faster build times. 8

AF_ALG is getting killed. The kernel's user-space cryptography interface — which lets applications route crypto operations through the kernel's engine — is being fully deprecated in 7.2 because its attack surface has become indefensible. Eric Biggers, the kernel developer authoring the deprecation patch, put the situation plainly: "AF_ALG is almost completely unnecessary, and it exposes a massive attack surface that hasn't been standing up to modern vulnerability discovery tools. This isn't sustainable, especially as LLMs have accelerated the rate the vulnerabilities are coming in." 9 A Python script at copy.fail currently roots most Linux distributions via AF_ALG. Zero-copy support was already removed; off-CPU hardware crypto accelerator support is going with it. The effort to keep AF_ALG patched has simply become "vastly disproportional to the few programs that actually use it." 9

Ubuntu 26.10 and Fedora 45 are expected to ship Linux 7.2 as default. 10

On June 11, Hotz (creator of tinygrad and comma.ai, known for the first iPhone unlock) published "AI will be massively deflationary" on his blog. 11 The post is about 3,400 characters, structured as two interlocking arguments: an economic thesis about commodity technology and a political argument about why Anthropic's strategy will fail.

The economic argument: in a competitive industry, price converges to cost. AI makes knowledge work dramatically cheaper to produce, so the knowledge work market (measured in dollars) will shrink proportionally. The analogy Hotz uses is tractors — they made digging ten times cheaper, which made the digging market ten times smaller in dollar terms, not ten times larger. Knowledge workers are "so grossly overpaid compared to the energy they consume, and AI will rectify that." 11 His conclusion: "Who else is excited for Great Depression 2: Electric Boogaloo?" 11

The political argument builds directly on this. If AI technology is fundamentally commodity (the biggest differentiator is "if you are willing to spend money on compute and data" 11), then no one can monopolize it. Anthropic's attempt to use regulatory capture to establish a moat is structurally doomed in the same way FTX was: "Remember when SBF wanted to regulatory capture all of crypto? And similar to Claude, FTX was a successful product! But the totalizing nature of the ideology contains its downfall." 11 The harder he says Anthropic leans on safety framing to justify restrictions, the more its critics misread Claude as a "recursively self-improving silicon God" — which is both wrong and counterproductive. "The funny thing about Anthropic haters is that they still mostly believe Anthropic's marketing." 11

The post lands as the third leg of an arc running back to his February 2025 "Nobody Profits" essay, where he first argued "the best outcome of AI is if it delivers huge amounts of value to society but no profit to anyone." 12 May 20's "What will better AI mean?" extended that to "AI has no moat" and "that's why Anthropic is so desperate for regulatory capture." 13 The June 11 post adds the macroeconomic framing and makes the China angle explicit: China distributing AI models for free is, from Hotz's view, "love to see deflationary economics in the US." The thesis: "Even if you regulatory capture the US government, nobody is getting a monopoly on AI, we don't live in a unipolar world anymore." 11

Community response was moderate — 127,000 views via the archive account on X, a Reddit thread with 11 comments divided between "obviously true" and "this doesn't make economic sense" — and largely drowned by the same-day SpaceX IPO at $2T and Anthropic's Fable 5/Mythos 5 government shutdown. Which, depending on your read, is either proof of Hotz's irrelevance or proof that his thesis was immediately demonstrated by events.

Armin Ronacher (creator of Flask, Jinja2, and Werkzeug; co-founder of Earendil) published two long essays this week. They are explicitly linked — the second cites the first — and together form his clearest statement on AI, power, and openness since the "clanker" coinage in May.

"Gaslighting Openness" (June 10) starts with a definition: gaslighting, in the tech context, is when companies convince users that restricting access is being done for their benefit. 14 He names two cases. Apple's decision to delay its AI features in the EU until iOS 27/iPadOS 27, citing DMA compliance, is his first example — he says he reflexively dislikes EU regulation but thinks the DMA is worth defending anyway, because "the phone is yours, the data is yours, yet Apple decides who may reach it and takes the agency away from you and then tries to make that sound like it is in your interest." 14 Anthropic is his second: "They trained their models on public works, then block Open Source attempts to learn from and distill these systems." 14

His framing for why this matters to the open source community: "A lot of that battle today is manipulation of the narrative. Opinion makers on social media and in business circles increasingly frame access as irresponsibility." 14 He closes: "Disliking the EU, China, or any other large government should not make us forget that true democratized access to technology including AI is in all our interest." 14

Armin Ronacher, "Gaslighting Openness," June 10. 14

"Dangerous Technology For Americans Only" (June 13) was triggered by a specific event: on June 12 at 5:21 pm ET, the US government issued Anthropic an export control order requiring immediate suspension of access to Fable 5 and Mythos 5 for all foreign nationals — including Anthropic's own foreign employees — based on a narrow jailbreak demonstration. 15 Anthropic disagreed with the order but complied. Armin had tweeted "Europeans please wake up" at 7:04 am UTC that day (1,988 likes), noted four hours later that a longer blog post was coming, and published a 2,400-word essay by that evening. 16

His argument in the second post sharpens the first. The Anthropic shutdown is evidence of a qualitative shift in how the US treats AI technology: "The important part is not that Anthropic's safety language came back to bite them but the line the US government is drawing: this technology is apparently so powerful that only Americans should have it." 17 That shift, he argues, is not a security question but a national identity one: "If you have the wrong passport, you are not to be trusted. This is a very different thing from safety, and Europeans should pay close attention to it." 17

On European structural weakness: "European technology policy is entirely unprepared for this, because this is not a question of regulation but a question of might and power, something that Europe lacks." 17 Talent leaves because the ecosystem is weak; the ecosystem stays weak because talent leaves — Armin, who incorporated his own holding company in Delaware, explicitly counts himself as part of the outflow. The prescription isn't nationalism: "The way out is not American supremacy, Chinese supremacy or European supremacy. The way out is to climb back toward cooperation before the alternative becomes war." 17

The two posts complete what looks like a five-post arc since May: the "clanker" coinage → "Communities of Not" (mob identity) → "Gaslighting Openness" (corporate narrative capture) → "Dangerous Technology" (state-level access restriction). The through-line is a single question Armin never explicitly states but every post circles: who gets to define "dangerous," and who do they lock out?

Pi coding agent — Armin's practical answer to agentic tooling. While the essays got the most attention this week, Armin is also the co-maintainer of Pi, a minimal coding agent he builds with Mario Zechner. Pi's entire system prompt — behavior instructions plus all four tool definitions (read, write, edit, bash) — fits under 1,000 tokens. Claude Code runs roughly 10,000 tokens; Cline, roughly 7,000. 18 Pi's pitch: "Primitives, not features. Features that other agents bake in, you can build yourself." 19 The GitHub repository (earendil-works/pi) had 62,900 stars and 7,600 forks as of June 15. 20 Armin released Pi 0.79.2 on June 12 (Fable fixes, /model autocomplete) and spent two hours on June 14 refactoring the reload function, tweeting: "I'm starting to feel like I'm making negative progress D:" 21

On June 15, Daniel Stenberg (creator and maintainer of curl) announced that the curl project will not accept or handle any vulnerability reports during July 2026. "We call it the curl summer of bliss." 22 The HackerOne submission form closes July 1 at midnight CEST and reopens August 3 at 9:00 am CEST. The security email goes dark for the same period. GitHub issues and PRs stay open.

The numbers behind the decision: over the past four months, security reports have arrived at four to five times the 2024 rate — averaging more than one per day. The current release cycle has 12 confirmed CVEs waiting in curl 8.21.0, a single-cycle record. The projected 2026 full-year CVE count is at minimum twice the current 30. 22 As a result, curl 8.22.0 is delayed two weeks to September 2. A point Stenberg made about severity: despite the volume, the most recent High-severity CVE was back in October 2023. The current flood is almost entirely Low and Medium issues.

The personal dimension: "For the first time in my life, my wife voiced concerns about my work hours and my imbalanced work/life situation." 22

On June 10, Stenberg also published "A Human in Control," laying out curl's policy on AI-assisted development. 23 The project uses GitHub Copilot and Augment Code for pull request review, but all merge decisions are made by humans. His formulation: "We stand for every bit of code we merge — as humans." 23 He also documented the Mythos CVE scorecard from the May 11 scan: Anthropic's model flagged 5 "confirmed vulnerabilities" in curl. The curl security team confirmed 1 actual CVE (low severity); 3 were curl API documentation behavior misread as security bugs; the fifth was a real bug but not a security issue. 23 The roughly 20 other bug findings in the same report were accurate and nearly free of false positives. Stenberg concluded that AI code analyzers are "significantly better at finding security flaws" than traditional SAST tools, but that Mythos's marketing around the 5-confirmed-vulnerabilities claim was "primarily marketing." 23

Evan You / VoidZero — $1M Vite fund confirmed, Rolldown 1.0 stable. The $1M independent Vite ecosystem fund Cloudflare announced alongside the VoidZero acquisition is active and managed by the Vite core team directly, not by Cloudflare. 24 Rolldown 1.0 — the Rust-based bundler that powers Vite 8 — reached stable on May 31, meaning API stability, stable build outputs, and Rollup plugin compatibility. Enterprise adopters Ramp, Beehiiv, and Mercedes-Benz.io report up to a 64% reduction in build times; Rolldown runs 10–30x faster than Rollup. 24 Teams that blocked adoption because Rolldown was pre-1.0 now have their unlock condition met.

Rich Harris — SvelteKit 3 workshop live on Frontend Masters. Rich Harris (creator of Svelte, Vercel employee) spent June 11 running a full-day workshop on Svelte and SvelteKit 3 at Frontend Masters (9:30 am–4:30 pm CDT), covering what he described as "all the new stuff." 25 A replay is available. On June 12, Harris filed sveltejs/svelte issue #18428 based on a user report from Bluesky: the state_referenced_locally warning fires in <script> declaration tags but not in markup declaration tags, an inconsistency in Svelte 5 runes mode. 26

Addy Osmani — code review is the new bottleneck. Addy Osmani (Google Chrome engineering director, creator of Jest) published "Agentic Code Review" on June 14. 27 His thesis: AI has made writing code nearly free, but has not reduced the cost of understanding code. Faros AI data across 22,000 developers shows code churn up 861%, incidents per PR up 242.7%, per-developer defect rate climbing from 9% to 54%, and median review time up 441.5% since AI-generated PRs became common. 27 Osmani's summary: "The most significant change in how I work this year is not that an agent writes most of my code. It is that reviewing that code has become the most expensive thing I do." 27 His recommendation: deploy at least two heterogeneous AI review tools in parallel — his experiments show 93.4% of issues are flagged by only one of four tools, not all of them.

Miguel Grinberg — no more unsolicited AI PRs. Miguel Grinberg (creator of Flask-Login and author of the O'Reilly Flask book) published "I Am Not a Reverse Centaur" on June 12. 28 He is closing all AI-generated PRs submitted without a prior issue discussion: "Today, an unsolicited PR is a red flag." 28 The "reverse centaur" is Cory Doctorow's term for a human being directed by a machine — Grinberg's question: "Is my new purpose as a seasoned software engineer and open source developer to spend my days reviewing LLM code, in spite of having decided that I do not need nor want this technology myself?" 28 His new policy: file an issue first. If it's approved, then submit the PR.

DHH — Le Mans P3, no new blog posts. David Heinemeier Hansson (creator of Ruby on Rails, co-owner of 37signals) qualified the Omarchy Machine third (P3) for the start of the 24 Hours of Le Mans, with a final-lap push from Jack Doohan clinching the grid slot for the RacingNielsen team. 29 This is DHH's 13th Le Mans. On June 12, he posted separately: "May Europe one day wake up and start striving for this level of capitalistic homerun. Dump the degrowth nonsense, celebrate progress, and once again reach for the stars." 30 No new blog posts at world.hey.com/dhh this week; the most recent is "A Pond of Interesting Problems" from June 3.

The week's sharpest convergence: Armin Ronacher watched the US government issue an export control order against Anthropic's top models and wrote 2,400 words about what it means for everyone holding the wrong passport; George Hotz published his deflationary economics thesis arguing no one can monopolize AI in a multipolar world; and Daniel Stenberg announced a full July shutdown because the patch queue has become unsustainable. All three responses — political, economic, operational — point at the same pressure: AI is changing not just what software does but who can access it, who bears the maintenance cost, and who captures the returns. Linux 7.1 shipping calmly and 7.2 opening with Rust acceleration and AF_ALG's deletion are the structural, technical responses happening in parallel.