📰 NewsMonitor

Reading List 03/07/2026

Data centers disconnecting from the grid, solar PV efficiency records, repairs for the Strategic Petroleum Reserve, Ford’s EV missteps, former OpenAI CTO’s new startup.

Announcing New Working Groups

FOR IMMEDIATE RELEASE
Contact: working-groups@osfc.org
Subject: Open Source Foundations Consortium Announces Seven New Working Groups
Embargo: None

The Open Source Foundations Consortium (OSFC) has formed seven new working groups for open source ecosystem governance. The working groups were approved by the OSFC Steering Committee following a six-month consultation period during which fourteen comments were received, twelve of which were from bots. Each working group operates under the OSFC Charter and reports to the Technical Advisory Board, which reports to the Governing Board, which reports to the Executive Director, who reports to the Steering Committee, which chartered the working groups.

Supply Chain Health Assessment and Monitoring Entity
SHAME is chartered to develop a standardized scoring methodology for open source project health, producing a single numeric score between 0 and 850 that reflects a project’s maintenance status, security posture, community governance, and bus factor. Each project’s SHAME score will be published to the registry alongside package metadata. Projects scoring below 300 will receive a yellow banner in package manager search results. Projects below 150 will receive a red banner and a recommendation to “consider alternatives.” SHAME scores are updated weekly and there is no appeals process, though an appeals process working group has been proposed and referred to YAGNI. Early drafts of the rubric weight “time since last commit” heavily enough that finished software may be penalized, a concern that has been noted for a future meeting.

Package Availability Notification and Incident Coordination
PANIC coordinates the ecosystem response when a package maintainer goes silent, mass-transfers ownership, or mass-deletes packages. PANIC maintains a 24/7 hotline staffed by volunteers in compatible time zones, though the hotline number is not yet public because the voicemail system requires a procurement decision that has been deferred to the next Governing Board meeting. In the interim, incidents can be reported by opening a GitHub issue on the PANIC repository, which is monitored during business hours, Pacific time. The working group is developing a taxonomy of maintainer disappearance events, ranging from Level 1 (“maintainer is on vacation and will return”) through Level 5 (“maintainer has mass-transferred all packages to an unrecognized account”). Most incidents are Level 1, but the ecosystem’s response to all levels is currently identical.

Barely Resourced Open-source Kind Enthusiasts
BROKE represents the interests of unfunded open source maintainers within the OSFC governance structure and has no budget, which is consistent with standard OSFC working group policy. Members serve on a voluntary basis. The working group is producing a report on open source sustainability titled “The State of Open Source Funding,” which is also the title of four previous reports by other organizations that reached similar conclusions. The report was not commissioned and has no designated audience. BROKE meetings conflict with SHAME meetings on the calendar, and a scheduling request has been filed.

Cross-Upstream Registry Security Evaluation
CURSE conducts security evaluations across package registries. Unlike existing advisory databases, which are voluntary, CURSE findings are binding and can result in package removal, credential revocation, or formal censure. Once a CURSE evaluation is opened, it cannot be closed without a finding, as there is no “no issue found” outcome in the current process. Evaluations are conducted by a rotating panel of three auditors who are required to have published at least one CVE or to have been the subject of at least one CVE, as both qualifications are accepted. Evaluations take between three weeks and fourteen months, during which the package is listed as “under CURSE review” in registry metadata. Packages under review have seen a measurable decline in downloads, which the working group considers outside its scope. CURSE has completed nine evaluations and issued findings against all nine. An early draft advisory recommending the removal of all packages matching the regex is-[a-z]+-[a-z]+ from npm was tabled after it was determined this would affect 14,000 packages.

Best-practice Initiative for Kubernetes, Engineering Standards, Habitual Endless Discussion
BIKESHED is the OSFC standards body, responsible for defining best practices across the open source ecosystem, and has been in formation since 2023 while its charter remains under review by BIKESHED. The format for BIKESHED standards documents was drafted in Markdown, but a motion was raised to use AsciiDoc, which led to a six-month evaluation period that concluded both formats were acceptable, after which a motion was raised to define “acceptable” more precisely. BIKESHED currently has 340 open issues, 12 approved standards, and one published standard, which is the standard for how to propose a standard. That standard is under revision because it references itself and the self-reference creates an ambiguity in section 4.2 that three members have filed competing amendments to resolve.

Yet Another Governance & Naming Initiative
YAGNI is the meta-governance working group, overseeing the creation, naming, and dissolution of all other OSFC working groups. YAGNI voted to establish itself in a unanimous vote from which several members abstained. YAGNI also approves working group names, evaluating proposed names for “clarity, professionalism, and alignment with OSFC values.” All seven names announced today passed the naming review, though YAGNI does not evaluate acronyms.

Label Governance and Trust Marks
LGTM administers a trust mark programme for open source packages. Packages that complete the LGTM review process receive a trust mark displayed in registry search results and CI output, confirming that the package has been reviewed per the criteria in LGTM Standard 001. To date, all packages that have applied for a trust mark have received one, which the working group attributes to the quality of applicants. Three PRs have been accidentally merged as a result of discussions about LGTM governance in code review threads, and a proposal to rename the working group was submitted to YAGNI and rejected.

Getting Involved
Working group meetings are open to OSFC members at the Contributor tier and above. Meeting times are listed on the OSFC community calendar, which is hosted on a shared Google Calendar. Non-members may observe working group meetings but may not speak, vote, or appear on camera. Written comments may be submitted to the working group mailing list, which is moderated. Moderation turnaround is approximately three weeks.

The OSFC is a 501(c)(6) trade association incorporated in Delaware. The consortium’s mission is to promote the sustainability, security, and governance of open source software through multi-stakeholder collaboration, working group formation, and the publication of standards, reports, and other deliverables that the ecosystem may find useful.

Daring Fireball Weekly Sponsorship Openings

Weekly sponsorships have been the top source of revenue for Daring Fireball ever since I started selling them back in 2007. They’ve succeeded, I think, because they make everyone happy. They generate good money. There’s only one sponsor per week and the sponsors are always relevant to at least some sizable portion of the DF audience, so you, the reader, are never annoyed and hopefully often intrigued by them. And, from the sponsors’ perspective, they work. My favorite thing about them is how many sponsors return for subsequent weeks after seeing the results.

Sponsorships have been selling briskly, of late. There are only three weeks open between now and the end of June. But one of those open weeks is next week, starting this coming Monday:

March 9–15 (next week)
April 20–26
May 25–31

I’m also booking sponsorships for Q3 2026, and roughly half of those weeks are already sold. If you’ve got a product or service you think would be of interest to DF’s audience of people obsessed with high quality and good design, get in touch — especially if you can act quick for next week’s opening.

Google’s Threat Intelligence Group on Coruna a Powerful iOS Exploit Kit of Mysterious Origin

Google Threat Intelligence Group, earlier this week:

Google Threat Intelligence Group (GTIG) has identified a new and powerful exploit kit targeting Apple iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023). The exploit kit, named “Coruna” by its developers, contained five full iOS exploit chains and a total of 23 exploits. The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses.

The Coruna exploit kit provides another example of how sophisticated capabilities proliferate. Over the course of 2025, GTIG tracked its use in highly targeted operations initially conducted by a customer of a surveillance vendor, then observed its deployment in watering hole attacks targeting Ukrainian users by UNC6353, a suspected Russian espionage group. We then retrieved the complete exploit kit when it was later used in broad-scale campaigns by UNC6691, a financially motivated threat actor operating from China. How this proliferation occurred is unclear, but suggests an active market for “second hand” zero-day exploits. Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be re-used and modified with newly identified vulnerabilities.

‘The Window Chrome of Our Discontent’

Nick Heer, writing at Pixel Envy, uses Pages (from 2009 through today) to illustrate Apple’s march toward putting “greater focus on your content” by making window chrome, and toolbar icons, more and more invisible:

Perhaps Apple has some user studies that suggest otherwise, but I cannot see how dialling back the lines between interface and document is supposed to be beneficial for the user. It does not, in my use, result in less distraction while I am working in these apps. In fact, it often does the opposite. I do not think the prescription is rolling back to a decade-old design language. However, I think Apple should consider exploring the wealth of variables it can change to differentiate tools within toolbars, and to more clearly delineate window chrome from document.

This entire idea that application window chrome should disappear is madness. Some people — at Apple, quite obviously — think it looks better, in the abstract, but I can’t see how it actually makes actually using these apps more productive. Artists don’t want to use invisible tools. Clean lines between content and application chrome are clarifying, not distracting.

It’s also useful to be able to tell, at a glance, which application is which. I look at Heer’s screenshot of the new version of Pages running on MacOS 26 Tahoe and not only can I not tell at a glance that it’s Pages, I can’t even tell at a glance that it’s a document word processor, especially with the formatting sidebar hidden. One of the worst aspects of Liquid Glass, across all platforms, but exemplified by MacOS 26, is that all apps look exactly the same. Not just different apps that are in the same category, but different apps from entirely different categories. Safari looks like Mail looks like Pages looks like the Finder — even though web browsers, email clients, word processors, and file browsers aren’t anything alike.

The Verge Interviews Tim Sweeney After Victory in ‘Epic v. Google’

The Verge:

Sean Hollister: What would you say the differences are between the Apple and Google cases?

Tim Sweeney: I would say Apple was ice and Google was fire. The thing with Apple is all of their antitrust trickery is internal to the company. They use their store, their payments, they force developers to all have the same terms, they force OEMs and carriers to all have the same terms. Whereas Google, to achieve things with Android, they were going around and paying off game developers, dozens of game developers, to not compete. And they’re paying off dozens of carriers and OEMs to not compete — and when all of these different companies do deals together, lots of people put things in writing, and it’s right there for everybody to read and to see plainly. I think the Apple case would be no less interesting if we could see all of their internal thoughts and deliberations, but Apple was not putting it in writing, whereas Google was. You know, I think Apple is... it’s a little bit unfortunate that in a lot of ways Apple’s restrictions on competition are absolute. Thou shalt not have a competing store on iOS and thou shalt not use a competing payment method. And I think Apple should be receiving at least as harsh antitrust scrutiny as Google.

Interesting interview, for sure. But I don’t see Epic’s victory in the lawsuit as a win for Android users, and I don’t think it’s much of a win for Android developers either. These new terms from Google just seem confusing and complicated, with varying rates for “existing installs” vs. “new installs”.

Tim Sweeney Signed Away His Right to Criticize Google’s Play Store Until 2032

Sean Hollister, writing for The Verge:

But Google has finally muzzled Tim Sweeney. It’s right there in a binding term sheet for his settlement with Google. On March 3rd, he not only signed away Epic’s rights to sue and disparage the company over anything covered in the term sheet — Google’s app distribution practices, its fees, how it treats games and apps — he signed away his right to advocate for any further changes to Google’s app store policies, too. He can’t criticize Google’s app store practices. In fact, he has to praise them. The contract states that “Epic believes that the Google and Android platform, with the changes in this term sheet, are procompetitive and a model for app store / platform operations, and will make good faith efforts to advocate for the same.” [...] And while Epic can still be part of the “Coalition for App Fairness,” the organization that Epic quietly and solely funded to be its attack dog against Google and Apple, he can only point that organization at Apple now.

Sounds like a highly credible coalition that truly stands for fairness to me.

How cosplaying Ancient Rome led to the scientific revolution

Ambassador visiting Renaissance Florence: “Where am I? None of this has existed for a thousand years.”

The MacBook Neo’s Price, Looking to the Past and Future

Ethan W. Anderson, on Twitter/X:

I’ve plotted the most expensive McDonald’s burger and the least expensive MacBook over time. This analysis projects that the most expensive burger will be more expensive than the cheapest laptop as soon as 2081.

Looking to the past, if you plug $599 in today’s money into an inflation calculator, that’s just ~$190 in 1984, the year the original Macintosh launched with a price of $2,495 (which works out to ~$7,800 today).

‘Never the Same Game Twice’

John McCoy:

From around 1970 to 1980, the Salem, Massachusetts-based Parker Brothers (now a brand of Hasbro) published games whose innovative and fanciful designs drew inspiration from Pop Art, Op Art, and Madison Avenue advertising. They had boxes, boards, and components that reflected the most current techniques of printing and plastics molding. They were witty, silly, and weird. The other main players in American games at the time were Milton-Bradley, whose art tended towards cartoony, corny, and flat designs, and Ideal, whose games (like Mousetrap) were mostly showcases for their novel plastic components. Parker Brothers design stood out for its style and sophistication, and even as a young nerd I could see that it was special. In fact, I believe they were my introduction, at the age of seven, to the whole concept of graphic design. This isn’t to say that the games were good in the sense of being fun or engaging to play; a lot of them were re-skinned versions of the basic race-around-the-board type that had been popular since the Uncle Wiggly Game. But they looked amazing and they were different.

These games mostly sucked but they looked cool as shit. Lot of memories for me in this post.