Full Episode Script
INTRO (Jure — 20 seconds)
“Welcome back to Source by Source. It’s Thursday, June 11th, 2026. This week we’ve got a serious Linux kernel zero-day with a nine-year shelf life, open source’s fork wars reaching a boiling point, and Bitcoin still stuck in a brutal drawdown. Let’s jump in.”
SEGMENT 1 — Story of the Week: Linux Kernel Root Privilege Escalation (CVE-2026-46333)
Voice: en_paul_confident | Target: ~4 minutes
“Nine years. That’s how long a local privilege escalation vulnerability sat in the Linux kernel before anyone noticed. It’s tracked as CVE-2026-46333, and it lives in the ptrace path — specifically the __ptrace_may_access function. Here’s what makes it dangerous: any unprivileged local user on a vulnerable system can gain root access, or steal credentials from set-UID processes. That means SSH host keys. That means /etc/shadow. That means full account takeover on any multi-user host.
The bug was introduced in Linux mainline v4.10-rc1 in November 2016, meaning nine years of enterprise kernels, cloud images, and container hosts have carried the bug. Qualys’ Threat Research Unit found it and built four working exploits against real targets: chage, ssh-keysign, pkexec, and accounts-daemon. Each one demonstrates a different attack path, and all of them work on unpatched systems.
The recommended interim mitigation is setting kernel.yama.ptrace_scope = 2. At that level the Yama LSM only lets a process use ptrace, whether by PTRACE_ATTACH or by a child calling PTRACE_TRACEME, if it holds CAP_SYS_PTRACE. An unprivileged user can no longer attach to anything at all, which takes away the primitive these exploits need against set-UID targets. Two caveats. First, it only works where Yama is actually active, so check that /proc/sys/kernel/yama/ptrace_scope exists before you assume you are covered. Second, unprivileged debugging goes with it: gdb and strace can no longer attach to a running process without root, so try it on one CI runner before you push it fleet-wide. And it is a workaround, not a fix. Patches are already available from Debian, Fedora, Red Hat, SUSE, and AlmaLinux, so the real fix is updating your kernel and rebooting into it.
This one is worth prioritizing. Local access doesn’t mean low impact. Any shell on a vulnerable host is enough to read /etc/shadow, exfiltrate SSH host private keys, or execute arbitrary commands as root. If you run multi-user Linux systems, especially exposed servers or shared CI runners, patch this week. And for the homelab crowd: if you run Proxmox, or a VPS with multiple users, or any container host, this is a must-patch. Containers share the host kernel, so a shell inside one is local access to that kernel. The attack surface is broader than the ‘local’ label suggests.”
SEGMENT 2 — June Patch Tuesday: More Linux Kernel CVEs
Voice: en_paul_neutral | Target: ~3 minutes
“While CVE-2026-46333 is getting the headlines, it’s not the only kernel vulnerability in the news this month. Canada’s Cyber Centre issued AL26-011 for two additional flaws: CVE-2026-43284 and CVE-2026-43500. The latter is a local privilege escalation in the RxRPC subsystem. A quick note on what RxRPC actually is, because it decides who is exposed: it isn’t a filesystem, and it has nothing to do with NFS, which runs over SunRPC. RxRPC is the remote-procedure-call transport used by AFS, exposed in the kernel as the AF_RXRPC socket family since 2007 and used by the in-kernel AFS client. Hardly anyone runs AFS, but that is not the same as hardly anyone being exposed. Distributions commonly ship af_rxrpc as a loadable module, and the kernel autoloads a socket-family module the first time any process, privileged or not, creates a socket in that family. So ‘lsmod says it isn’t loaded’ is not a defence. If you don’t use AFS, blacklist the module with an install line in modprobe.d. If you do run AFS on multi-user systems, this one matters well beyond the typical desktop or container use case.
The Automox June Patch Tuesday roundup also flags HTTP.sys kernel RCE alongside Secure Boot and BitLocker-related flaws in the same monthly cycle. These aren’t exotic researcher bugs; they are exploitable code paths that enterprises, homelab hosts, and container fleets hit daily. The BitLocker bypass in particular is worth noting because it affects full-disk encryption — the very thing admins rely on when a laptop or server is physically compromised.
For listeners who run multi-user Linux: now is a good week to review your patch status, audit local user accounts, and tighten the knobs that local exploits lean on: ptrace_scope, unprivileged user namespaces, and autoloadable socket-family modules you don’t use. Kernel updates are available across all major distributions, and remember that a new kernel package does nothing until you reboot into it. This is not theoretical: working exploits exist. If you run a VPS, a Proxmox node, a NAS with multi-user access, or even a shared development server, schedule your patch window this week.”
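Show notes for segments 1 and 2 (an added example written for this script, not code from Qualys, the Cyber Centre, or any distribution): a small POSIX sh audit that checks the two host settings discussed above. The ptrace_scope meanings are the ones documented in the kernel’s Documentation/admin-guide/LSM/Yama.rst; the af_rxrpc check treats a module that is merely unloaded as still reachable, because socket(AF_RXRPC, ...) from any user triggers autoload. The file paths are parameters so the checks can be run against captured copies; the sysctl.d file name and the PASS/FAIL wording are this example’s own choices.

```sh
#!/bin/sh
# Added example: audit a multi-user Linux host for the interim mitigations
# discussed in the episode. Not taken from any advisory or distribution.

# Returns 0 when the Yama scope blocks ptrace for unprivileged users (2 or 3).
# A missing file means the Yama LSM is not active, so the sysctl is meaningless.
ptrace_scope_ok() {            # $1: path to the ptrace_scope file
  if [ ! -r "$1" ]; then
    echo "FAIL: $1 missing: Yama is not active, ptrace_scope has no effect"
    return 1
  fi
  scope=$(tr -d '[:space:]' < "$1")
  case "$scope" in
    2|3) echo "PASS: ptrace_scope=$scope (ptrace needs CAP_SYS_PTRACE)"; return 0 ;;
    1)   echo "FAIL: ptrace_scope=1 (a process's ancestors may still attach)"; return 1 ;;
    0)   echo "FAIL: ptrace_scope=0 (any same-uid process may attach)"; return 1 ;;
    *)   echo "FAIL: unexpected ptrace_scope value '$scope'"; return 1 ;;
  esac
}

# Returns 0 only when af_rxrpc is not loaded AND cannot be autoloaded.
# Autoload is defeated by an "install af_rxrpc /bin/false" (or /bin/true)
# line in a modprobe.d conf file. Only the directory given is scanned; real
# systems also read /lib/modprobe.d and /run/modprobe.d.
rxrpc_ok() {                   # $1: /proc/modules file, $2: modprobe.d directory
  if [ -r "$1" ] && grep -q '^af_rxrpc ' "$1"; then
    echo "FAIL: af_rxrpc is loaded"
    return 1
  fi
  if cat "$2"/*.conf 2>/dev/null |
     grep -Eq '^[[:space:]]*install[[:space:]]+af_rxrpc[[:space:]]+(/bin/false|/bin/true)'; then
    echo "PASS: af_rxrpc is blacklisted in $2"
    return 0
  fi
  echo "FAIL: af_rxrpc is not loaded but socket(AF_RXRPC) will autoload it"
  return 1
}

# Run both checks against the live host (or the paths given); the return
# value is the number of failed checks.
audit_host() {
  failures=0
  ptrace_scope_ok "${1:-/proc/sys/kernel/yama/ptrace_scope}" || failures=$((failures + 1))
  rxrpc_ok "${2:-/proc/modules}" "${3:-/etc/modprobe.d}" || failures=$((failures + 1))
  return "$failures"
}

# Apply the interim ptrace mitigation now and persistently (requires root).
# File name under /etc/sysctl.d is this example's choice.
harden_ptrace() {
  printf 'kernel.yama.ptrace_scope = 2\n' > /etc/sysctl.d/99-ptrace-scope.conf
  sysctl -w kernel.yama.ptrace_scope=2
}

case "${1:-}" in
  --audit)  audit_host ;;     # sh audit.sh --audit
  --harden) harden_ptrace ;;  # sudo sh audit.sh --harden
esac
```

Run it as `sh audit.sh --audit` on each host; a non-zero exit status is the number of findings, which makes it easy to wire into a fleet check. Treat a PASS on ptrace_scope as a stopgap only: the exploits described above are blocked at the attach step, but the kernel code is still vulnerable until it is patched and the host rebooted.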
SEGMENT 3 — Open Source Drama: The Fork Wars Escalate
Voice: gb_jane_sarcasm | Target: ~3 minutes
“Open source governance had a rough week. Four separate legal and governance fights are playing out simultaneously, and the common thread is that social contracts are breaking faster than licenses can keep up.
The Document Foundation purged over 30 Collabora developers from LibreOffice governance, ending a 16-year partnership. That’s not a typical contributor dispute. It involves paid engineering resources, sponsor relationships, and years of technical trust. Collabora has been the primary engineering backbone behind LibreOffice for more than a decade. Losing that capacity is a governance crisis, not a PR hiccup.
OnlyOffice and Nextcloud, together with IONOS, are fighting over whether Euro-Office’s AGPL fork violates licensing terms. Euro-Office is explicitly aimed at EU public agencies that need to avoid US and Chinese cloud dependencies while still meeting open-source requirements. If the AGPL argument succeeds, it will redefine how sovereign forks are expected to behave in Europe — and it could chill the creation of similar EU-focused projects.
IBM is pressing OpenTofu with proprietary code claims in the wake of HashiCorp’s Terraform-to-BSL move. OpenTofu started as a community fork in response to the license change. If IBM can establish that the fork contains uncleaned proprietary contributions, it threatens the legal standing of many such transitions and could invite more aggressive litigation against open source projects perceived as competitive.
And Redis versus Valkey continues its long-running saga around license changes, governance moves, and community trust. The Redis license shift to a source-available model pushed Amazon, Google, and others to back Valkey under the Linux Foundation.
What’s interesting here isn’t any single fight — it’s that all four are happening at once. The governance layer of open source is being stress-tested by corporate realpolitik and regulatory strategy. Expect more of this, not less.”
SEGMENT 4 — Community / Systemic: AI Code in rsync
Voice: en_paul_frustrated | Target: ~3 minutes
“rsync shipped version 3.4.3, triggered regressions, and revealed that recent commits had AI-assisted origins. Maintainer Andrew Tridgell published a Medium post defending the work, but the outcome is already visible: users reporting backup failures, a fast follow-up 3.4.4 fix, and a Reddit surge framing the incident as AI poisoning.
For the homelab audience, rsync is one of those utilities that’s too important to fail. It bootstraps servers, it handles offsite backups, it’s embedded in scripts everywhere. The pattern here is becoming familiar: AI patches arrive faster than reviewers can trace whether the change is correct. Tridgell’s full response is on the record for context, but the bottom line for users is clear. If you’re running 3.4.3, move to 3.4.4.
The broader concern is not rsync itself — it’s the precedent. When core tooling can be modified by unverified machine-generated commits and merged into stable, the trust model of open source maintenance needs to evolve. The rsync incident is a canary. We’re going to see more of this, not less, as assistant tooling becomes embedded in developer workflows. Review pipelines need to adapt, and maintainers need to be transparent about AI-assisted contributions from the start.”
SEGMENT 5 — Self-Hosted Roundup: Strava API Paywall, Euro-Office, AV2
Voice: en_paul_cheerful | Target: ~3 minutes
“Strava announced a paid developer program and closed API access. For self-hosted fitness stacks, the replacement list is short but improving. ActivityPub-based FitPub is building federated activity sharing, which means you can follow friends across instances without a central authority. Endurain continues to mature as a self-hosted Strava competitor with route planning and training load metrics. And direct local export workflows from watches and apps remain viable if you’re willing to maintain the import pipeline yourself. The point is: closed APIs are forcing the self-hosted community to build alternatives, and that investment is paying off.
Euro-Office launched a sovereign office stack built on the OnlyOffice fork. It’s aimed at EU public agencies that need to avoid US and Chinese cloud dependencies while still meeting open-source requirements. This is meaningful because government procurement in the EU increasingly requires data sovereignty. Euro-Office isn’t trying to beat Microsoft 365 on features — it’s trying to beat it on jurisdiction.
And video fans get a generational upgrade: AV2 v1.0.0 is final. AOMedia’s Royalty-Free successor to AV1 promises roughly 30% better compression and adds 256x256 superblocks, neural-network loop filtering, and improved film-grain synthesis. For homelabs running Plex, Jellyfin, or even DIY encoding rigs, the practical message is the same: 4K streams that once needed 12 megabits per second can move at 8 once encoders and hardware catch up. That hardware catch-up is measured in years, not months, so expect the first wins to be on CPU decode in servers, not in living-room TVs.”
SEGMENT 6 — Bitcoin / Crypto
Voice: en_paul_confident | Target: ~3 minutes
“Bitcoin is trading in a beaten-down range. As of June 9, price hovered around 62,600 dollars, down more than 21 percent from a month earlier and down 43 percent from the prior-year level. The broader crypto market is showing mild stabilization after what press coverage calls a brutal selloff, with Bitcoin climbing back above 61,000 toward the end of the week. That is not a recovery — it is a bounce within a downtrend.
Ethereum is near 1,646, Solana near 66, and XRP near 1.11. Worldcoin posted an 8.6 percent daily gain, while the so-called Official Trump token rose almost 3 percent. The narrative this week is indecision: macro conditions, ETF flows, and regulatory headlines are all acting as dampers rather than catalysts. No major ETF or corporate adoption story broke over the past several days, so this is a market waiting for a reason to move.
From a technical standpoint, Bitcoin is defending the 61 to 62 thousand dollar support zone. A break below 60 thousand opens the door to a retest of the 58 to 59 thousand area, which would be the lowest level since early 2024. Until something breaks the range, the safest read is range-bound chop with elevated volatility on any surprise macro print. Keep dry powder. The market will tell you when it is ready to move.”
SEGMENT 7 — Maintainer Crisis / Open Source Sustainability
Voice: en_paul_neutral | Target: ~3 minutes
“The 2026 State of Open Source report from the Open Source Initiative frames open source as a strategic IT concern shaped by geopolitics and security risk. The 2026 OSSRA report from Black Duck, the former Synopsys Software Integrity Group, found that open source vulnerabilities have doubled to 581 per codebase, with 87 percent of codebases carrying at least one known flaw.
The OpenSSF published a v1.0 Python secure-coding guide and added five new members. But the underlying pressure remains: corporate sponsors expect open source to be free maintenance labor, and contributor burnout is structural. Christopher Robinson, CTO of the OpenSSF, is on the record saying a major AI-driven cyberattack on open source infrastructure is coming in 2026. He is not alone — CISA has been warning about this for two years.
The tension between those two facts — the sustainability gap and the incoming attack surface — is the week’s most underdiscussed story. Open source isn’t dying, but the volunteer model that built it is running against both geopolitical demand and security threat timelines that don’t care about maintainer capacity. Governance moves matter. The Document Foundation purge, IBM versus OpenTofu, Redis versus Valkey — these are not isolated. They are symptoms of the same sustainability problem playing out in legal and governance forms.”
SEGMENT 8 — Plex Social Features / Self-Hosted Privacy
Voice: gb_jane_sarcasm | Target: ~2.5 minutes
“Plex announced new social discovery and recommendation features, and the self-hosted community is not happy. The pitch is familiar: better recommendations, shared watchlists, community ratings. The implementation is a step toward telemetry and centralized engagement metrics that many self-hosters explicitly left behind.
Plex has 42 million monthly active users. Most of them do not run a self-hosted media server. Most of them do not care about the same privacy priors that drive this community. That distinction matters because Plex’s commercial incentives are aligned with the mass market, not with homelab users who treat media management as infrastructure they control.
The practical takeaway is this: if you run Plex and you value local control, review your privacy settings, disable any new social features you do not need, and consider whether Jellyfin or alternatives better match your threat model. The self-hosted feedback loop sometimes treats mainstream adoption as a sign of failure, but mainstream users are mainstream for a reason. The goal is not purity — it is informed choice.”
SEGMENT 9 — Roundup: Nostr / Freedom Tech + Self-Hosted Misc
Voice: en_paul_cheerful | Target: ~3 minutes
“A short pile of items that don’t each deserve a segment alone but together make a strong tail.
Microsoft Build 2026 brought native Linux utility support to Windows, continuing the slow mainstreaming of Linux-first developer habits. NetBSD 10 launched with a fresh TCP stack and WireGuard integration. WordPress security researchers disclosed a critical unauthenticated privilege escalation, so if you run self-hosted WordPress, patch now.
Roku released its Roku LT operating system as open source. The Vatican has a novelty TLD in rotation this week, which in the dotfurry era is somehow still the least weird fact. And if you want the most efficient possible package in the self-hosted world, PikaPods is advertising one dollar twenty per month hosting of open source apps.
And on the Nostr front — Vega development is continuing, and relay infrastructure is stabilizing. More on that in future episodes.”
OUTRO (Jure — 25 seconds + music)
“That’s it for this week’s Source by Source. Follow the show, share it with someone who cares about Linux, crypto, or self-hosted tech, and I’ll see you next week.”