Received today — 13 December 2025

Rust in Linux's Kernel 'is No Longer Experimental'

13 December 2025 at 10:34
Steven J. Vaughan-Nichols files this report from Tokyo: At the invitation-only Linux Kernel Maintainers Summit here, the top Linux maintainers decided, as Jonathan Corbet, Linux kernel developer, put it, "The consensus among the assembled developers is that Rust in the kernel is no longer experimental — it is now a core part of the kernel and is here to stay. So the 'experimental' tag will be coming off." As Linux kernel maintainer Steven Rostedt told me, "There was zero pushback." This has been a long time coming. This shift caps five years of sometimes-fierce debate over whether the memory-safe language belonged alongside C at the heart of the world's most widely deployed open source operating system... It all began when Alex Gaynor and Geoffrey Thomas at the 2019 Linux Security Summit said that about two-thirds of Linux kernel vulnerabilities come from memory safety issues. Rust, in theory, could avoid these by using Rust's inherently safer application programming interfaces (API)... In those early days, the plan was not to rewrite Linux in Rust; it still isn't, but to adopt it selectively where it can provide the most security benefit without destabilizing mature C code. In short, new drivers, subsystems, and helper libraries would be the first targets... Despite the fuss, more and more programs were ported to Rust. By April 2025, the Linux kernel contained about 34 million lines of C code, with only 25 thousand lines written in Rust. At the same time, more and more drivers and higher-level utilities were being written in Rust. For instance, the Debian Linux distro developers announced that going forward, Rust would be a required dependency in its foundational Advanced Package Tool (APT). This change doesn't mean everyone will need to use Rust. C is not going anywhere. Still, as several maintainers told me, they expect to see many more drivers being written in Rust.
In particular, Rust looks especially attractive for "leaf" drivers (network, storage, NVMe, etc.), where the Rust-for-Linux bindings expose safe wrappers over kernel C APIs. Nevertheless, for would-be kernel and systems programmers, Rust's new status in Linux hints at a career path that blends deep understanding of C with fluency in Rust's safety guarantees. This combination may define the next generation of low-level development work.

Read more of this story at Slashdot.

Received yesterday — 12 December 2025

OpenAI built an AI coding agent and uses it to improve the agent itself

12 December 2025 at 17:16

With the popularity of AI coding tools rising among some software developers, their adoption has begun to touch every aspect of the process, including the improvement of AI coding tools themselves.

In interviews with Ars Technica this week, OpenAI employees revealed the extent to which the company now relies on its own AI coding agent, Codex, to build and improve the development tool. “I think the vast majority of Codex is built by Codex, so it’s almost entirely just being used to improve itself,” said Alexander Embiricos, product lead for Codex at OpenAI, in a conversation on Tuesday.

Codex, which OpenAI launched in its modern incarnation as a research preview in May 2025, operates as a cloud-based software engineering agent that can handle tasks like writing features, fixing bugs, and proposing pull requests. The tool runs in sandboxed environments linked to a user’s code repository and can execute multiple tasks in parallel. OpenAI offers Codex through ChatGPT’s web interface, a command-line interface (CLI), and IDE extensions for VS Code, Cursor, and Windsurf.

Received before yesterday

A new open-weights AI coding model is closing in on proprietary options

10 December 2025 at 15:38

On Tuesday, French AI startup Mistral AI released Devstral 2, a 123 billion parameter open-weights coding model designed to work as part of an autonomous software engineering agent. The model achieves a 72.2 percent score on SWE-bench Verified, a benchmark that attempts to test whether AI systems can solve real GitHub issues, putting it among the top-performing open-weights models.

Perhaps more notably, Mistral didn’t just release an AI model, it released a new development app called Mistral Vibe. It’s a command line interface (CLI) similar to Claude Code, OpenAI Codex, and Gemini CLI that lets developers interact with the Devstral models directly in their terminal. The tool can scan file structures and Git status to maintain context across an entire project, make changes across multiple files, and execute shell commands autonomously. Mistral released the CLI under the Apache 2.0 license.

It’s always wise to take AI benchmarks with a large grain of salt, but we’ve heard from employees of the big AI companies that they pay very close attention to how well models do on SWE-bench Verified, which presents AI models with 500 real software engineering problems pulled from GitHub issues in popular Python repositories. The AI must read the issue description, navigate the codebase, and generate a working patch that passes unit tests. While some AI researchers have noted that around 90 percent of the tasks in the benchmark test relatively simple bug fixes that experienced engineers could complete in under an hour, it’s one of the few standardized ways to compare coding models.

‘Alan’s Universe’ Shows What It Might Look Like to Win at YouTube

As Gen Alpha’s attention drifts from TV and movies, video creators like Alan Chikin Chow are eager to fill the void.

In 1995, a Netscape employee wrote a hack in 10 days that now runs the Internet

4 December 2025 at 12:59

Thirty years ago today, Netscape Communications and Sun Microsystems issued a joint press release announcing JavaScript, an object scripting language designed for creating interactive web applications. The language emerged from a frantic 10-day sprint at pioneering browser company Netscape, where engineer Brendan Eich hacked together a working internal prototype during May 1995.

While the JavaScript language didn’t ship publicly until that September and didn’t reach a 1.0 release until March 1996, the descendants of Eich’s initial 10-day hack now run on approximately 98.9 percent of all websites with client-side code, making JavaScript the dominant programming language of the web. It’s wildly popular; beyond the browser, JavaScript powers server backends, mobile apps, desktop software, and even some embedded systems. According to several surveys, JavaScript consistently ranks among the most widely used programming languages in the world.

In crafting JavaScript, Netscape wanted a scripting language that could make webpages interactive, something lightweight that would appeal to web designers and non-professional programmers. Eich drew from several influences: The syntax looked like a trendy new programming language called Java to satisfy Netscape management, but its guts borrowed concepts from Scheme, a language Eich admired, and Self, which contributed JavaScript’s prototype-based object model.

Microsoft and GitHub Preview New Tool That Identifies, Prioritizes, and Fixes Vulnerabilities With AI

23 November 2025 at 11:34
"Security, development, and AI now move as one," says Microsoft's director of cloud/AI security product marketing. Microsoft and GitHub "have launched a native integration between Microsoft Defender for Cloud and GitHub Advanced Security that aims to address what one executive calls decades of accumulated security debt in enterprise codebases..." according to The New Stack: The integration, announced this week in San Francisco at the Microsoft Ignite 2025 conference and now available in public preview, connects runtime intelligence from production environments directly into developer workflows. The goal is to help organizations prioritize which vulnerabilities actually matter and use AI to fix them faster. "Throughout my career, I've seen vulnerability trends going up into the right. It didn't matter how good of a detection engine and how accurate our detection engine was, people just couldn't fix things fast enough," said Marcelo Oliveira, VP of product management at GitHub, who has spent nearly a decade in application security. "That basically resulted in decades of accumulation of security debt into enterprise code bases." According to industry data, critical and high-severity vulnerabilities constitute 17.4% of security backlogs, with a mean time to remediation of 116 days, said Andrew Flick, senior director of developer services, languages and tools at Microsoft, in a blog post. Meanwhile, applications face attacks as frequently as once every three minutes, Oliveira said. The integration represents the first native link between runtime intelligence and developer workflows, said Elif Algedik, director of product marketing for cloud and AI security at Microsoft, in a blog post... 
The problem, according to Flick, comes down to three challenges: security teams drowning in alert fatigue while AI rapidly introduces new threat vectors that they have little time to understand; developers lacking clear prioritization while remediation takes too long; and both teams relying on separate, nonintegrated tools that make collaboration slow and frustrating... The new integration works bidirectionally. When Defender for Cloud detects a vulnerability in a running workload, that runtime context flows into GitHub, showing developers whether the vulnerability is internet-facing, handling sensitive data or actually exposed in production. This is powered by what GitHub calls the Virtual Registry, which creates code-to-runtime mapping, Flick said... In the past, this alert would age in a dashboard while developers worked on unrelated fixes because they didn't know this was the critical one, he said. Now, a security campaign can be created in GitHub, filtering for runtime risk like internet exposure or sensitive data, notifying the developer to prioritize this issue. GitHub Copilot "now automatically checks dependencies, scans for first-party code vulnerabilities and catches hardcoded secrets before code reaches developers," the article points out — but GitHub's VP of product management says this takes things even further. "We're not only helping you fix existing vulnerabilities, we're also reducing the number of vulnerabilities that come into the system when the level of throughput of new code being created is increasing dramatically with all these agentic coding agent platforms."

Amazon's AI-Powered IDE Kiro Helps Vibe Coders with 'Spec Mode'

23 November 2025 at 00:34
A promotional video for Amazon's Kiro software development system took a unique approach, writes GeekWire. "Instead of product diagrams or keynote slides, a crew from Seattle's Packrat creative studio used action figures on a miniature set to create a stop-motion sequence..." "Can the software development hero conquer the 'AI Slop Monster' to uncover the gleaming, fully functional robot buried beneath the coding chaos?" Kiro (pronounced KEE-ro) is Amazon's effort to rethink how developers use AI. It's an integrated development environment that attempts to tame the wild world of vibe coding... But rather than simply generating code from prompts [in "vibe mode"], Kiro breaks down requests into formal specifications, design documents, and task lists [in "spec mode"]. This spec-driven development approach aims to solve a fundamental problem with vibe coding: AI can quickly generate prototypes, but without structure or documentation, that code becomes unmaintainable... The market for AI-powered development tools is booming. Gartner expects AI code assistants to become ubiquitous, forecasting that 90% of enterprise software engineers will use them by 2028, up from less than 14% in early 2024... Amazon launched Kiro in preview in July, to a strong response. Positive early reviews were tempered by frustration from users unable to gain access. Capacity constraints have since been resolved, and Amazon says more than 250,000 developers used Kiro in the first three months... Now, the company is taking Kiro out of preview into general availability, rolling out new features and opening the tool more broadly to development teams and companies... During the preview period, Kiro handled more than 300 million requests and processed trillions of tokens as developers explored its capabilities, according to stats provided by the company. Rackspace used Kiro to complete what they estimated as 52 weeks of software modernization in three weeks, according to Amazon executives. 
SmugMug and Flickr are among other companies espousing the virtues of Kiro's spec-driven development approach. Early users are posting in glowing terms about the efficiencies they're seeing from adopting the tool... startups in most countries can apply for up to 100 free Pro+ seats for a year's worth of Kiro credits. Kiro offers property-based testing "to verify that generated code actually does what developers specified," according to the article — plus a checkpointing system that "lets developers roll back changes or retrace an agent's steps when an idea goes sideways..." "And yes, they've been using Kiro to build Kiro, which has allowed them to move much faster."

Linus Torvalds Says Vibe Coding is Fine For Getting Started, 'Horrible Idea' For Maintenance

19 November 2025 at 13:40
Linus Torvalds is "fairly positive" about vibe coding as a way for people to get computers to do things they otherwise could not. The Linux kernel maintainer made the comments during an interview at the Linux Foundation Open Source Summit in Seoul earlier this month. But he cautioned that vibe coding would be a "horrible, horrible idea from a maintenance standpoint" for production code. Torvalds told Dirk Hohndel, head of open source at Verizon, that computers have become more complicated than when he learned to code by typing in programs from computer magazines. He said vibe coding offers a path into computing for newcomers. The kernel maintainer is not using AI-assisted coding himself. He said his role has shifted from rejecting new ideas to sometimes pushing for them against opposition from longstanding maintainers who "kind of get stuck in a rut." Rust is "actually becoming a real part of the kernel instead of being this experimental thing," he said. Torvalds said AI crawlers have been "very disruptive to a lot of our infrastructure" because they gather data from kernel.org source code. Kernel maintainers receive bugs and security notices that are "made up by people who misuse AI," though the problem is smaller than for other projects such as curl.

Android Reports Major Drop in Memory Bugs as Rust Adoption Accelerates

14 November 2025 at 04:07

Rust in Android

Android has shared new insights into how the platform’s long-term shift toward Rust is reshaping both security and software development. The new data reflects a decisive move toward memory safety, and, unexpectedly, faster engineering cycles across the Android ecosystem.

The Android team reported that memory safety vulnerabilities have dropped below 20% of all Android vulnerabilities for the first time. This data covers code contributions across C, C++, Java, Kotlin, and Rust in both first- and third-party components. Although the report arrives before the end of 2025, the industry-standard 90-day patch window means the numbers are unlikely to shift much before the year’s end.

Rust adoption has been central to this trend. According to the Android team, Rust offers a 1000x reduction in memory safety vulnerability density when compared to C and C++. Yet the most surprising results aren’t limited to security. Rust-based changes now carry a 4x lower rollback rate and spend 25% less time on code review.

Shifting the Balance in Systems Programming 

Android’s historical reliance on systems languages like C and C++ meant that adopting Rust was never meant to replace Java or Kotlin, but to provide a safer alternative where low-level control is required. As Rust usage rises and new C++ additions slowly decline, first-party code trends now show Rust and C++ contributing comparable volumes of new systems-level code.

This parity allows meaningful performance comparisons using the DORA framework, which evaluates engineering teams based on throughput and stability. Android engineers working in both Rust and C++ were measured using similar-sized changes and overlapping developer pools to ensure fairness.

Throughput Improvements: Fewer Revisions, Faster Reviews 

Data stretching back to 2023 has shown consistent patterns: Rust code requires roughly 20% fewer revisions than equivalent C++ code. Rust changes also spend 25% less time in review, a trend the Android team attributes partly to rising Rust expertise between 2023 and 2024.

While these incremental gains help, the largest improvement is visible in stability metrics. Rust’s low rollback rate continues to decline even as its adoption surpasses C++. For medium and large changes, Rust changes are rolled back at about one-quarter the rate of C++. Because rollbacks disrupt multiple teams, initiate postmortems, and trigger rebuilds, this stability substantially increases overall productivity.

A 2022 Google survey found that engineers perceived Rust as easier to review and more likely to be correct. The new data empirically supports those perceptions.

Rust’s Footprint 

Rust’s role in Android is expanding beyond platform code: 
  • Kernel: Android’s 6.12 kernel is the first shipping kernel with Rust support enabled and includes the platform’s first production Rust driver. Android is also collaborating with Arm and Collabora on a Rust-based GPU driver.
  • Firmware: Rust has been deployed in firmware for years. Android and Arm are now collaborating on Rusted Firmware-A to enhance security in high-privilege firmware environments.
  • First-party apps:
      • Nearby Presence uses Rust for secure Bluetooth-based device discovery.
      • MLS, the RCS messaging security protocol, is implemented in Rust and will appear in Google Messages in a future release.
      • Chromium has replaced PNG, JSON, and web-font parsers with Rust-based memory-safe implementations.

The First Almost-Vulnerability in Rust 

Android nearly shipped what would have been its first Rust-based memory safety flaw: a linear buffer overflow in CrabbyAVIF. It never reached public release, but the team assigned it CVE-2025-48530 to track it through internal channels.

The Scudo hardened allocator prevented exploitation. Scudo’s guard pages stopped the overflow and converted what could have been silent corruption into a visible crash, though crash reporting initially lacked clarity. Android has since improved crash reporting for overflows.

To further reduce the risks of unsafe code, Android is adding a new deep-dive module on unsafe Rust to its Comprehensive Rust training program, focusing on sound use of unsafe blocks, undefined behavior, safety comments, and safe abstractions.

Conclusion 

Android’s experience with Rust shows that even with some unsafe code, memory safety improves dramatically: only one potential vulnerability across 5 million lines, compared with around 1,000 per million lines in C/C++. This shift allows development to move faster while staying secure, replacing “move fast and break things” with a model where safety and productivity reinforce each other. 