Open Source Daily Briefing

IBM and Red Hat commit $5 billion to Project Lightwell for open source security, OurSQL Foundation launches to steward the MySQL ecosystem, SFC takes on Bambu Lab's AGPLv3 violations with the baltobu project, and more.

The biggest open source security investment in history just landed, MySQL got an independent foundation, and a 3D printer company found out what happens when you violate the AGPL. Here’s what matters.

IBM and Red Hat commit $5 billion to Project Lightwell — an AI-powered open source security clearinghouse

IBM and Red Hat announced Project Lightwell on May 28, a $5 billion commitment to secure open source software at enterprise scale. The initiative creates a “trusted enterprise clearinghouse” staffed by over 20,000 engineers and backed by AI-driven vulnerability discovery, triage, and patch development. Enterprises subscribe to receive validated security patches — covering both Red Hat’s portfolio and independent community code — with lifecycle management and upstream disclosure baked in. Early adopters include Bank of America, BNY, Citi, Goldman Sachs, JPMorganChase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa, and Wells Fargo. The announcement explicitly cites Anthropic’s Project Glasswing and OpenAI’s Trust Access for Cyber as catalysts: AI-powered vulnerability discovery has massively increased the volume of findings, and Project Lightwell is IBM’s bet that someone needs to sit between that firehose and the enterprises drowning in it. The model is essentially Red Hat’s traditional “curate, validate, and support open source” playbook, scaled up dramatically and extended beyond their own product stack. Whether $5 billion buys meaningful upstream improvement or primarily funds a premium enterprise buffer remains the key question — but the scale of investment alone signals that open source supply chain security is now a first-tier strategic priority for the industry’s biggest players.

OurSQL Foundation launches to give MySQL an independent community home

At Percona Live 2026 (May 27-29 in Mountain View), Percona co-founder Vadim Tkachenko announced the OurSQL Foundation, a new 501(c)(6) nonprofit created to represent the MySQL community independently. The founding board includes leaders from Percona, PlanetScale, and PingCAP alongside independent consultants. The Foundation’s purpose: provide a neutral venue for users, developers, and companies to share knowledge, coordinate feedback on MySQL’s future, and collaborate with all ecosystem players — including Oracle. MySQL has long been an awkward case in open source: a community-born database owned by a corporation that doesn’t always prioritize community interests. MariaDB exists as a fork, but OurSQL takes a different approach — working with Oracle rather than around them, while giving the broader ecosystem a governance structure that doesn’t depend on any single company’s roadmap. The timing coincides with Percona’s 20th anniversary and a broader company rebrand, but the foundation is designed to outlast any one sponsor. For the millions of MySQL deployments in production worldwide, having an independent community voice is overdue.

Software Freedom Conservancy takes on Bambu Lab’s AGPLv3 violations, launches the baltobu project

The Software Freedom Conservancy published a comprehensive response to Bambu Lab’s AGPLv3 violations on May 18, and the situation has escalated throughout late May. Two violations are confirmed: Bambu ships a proprietary networking library (bambu_networking) with its Bambu Studio slicer without releasing the source code as required by AGPLv3, and the company sent legal threats to solo developer Paweł Jarczak for exercising his license rights by maintaining a fork. The SFC’s response is unusually concrete — they’ve launched baltobu, a funded project to clean-room reverse-engineer replacements for Bambu’s proprietary networking components and maintain open forks for Bambu hardware users. The $250,007 fundraising goal has already been met. Bambu Lab has partially backed down under pressure, but the SFC’s compliance investigation continues. This story matters beyond 3D printing because it tests whether copyleft licenses still have teeth in 2026 — and whether a well-funded conservancy can force compliance when a hardware company treats GPL obligations as optional. LWN covered the saga in its May 28 weekly edition, and Josef Prusa has weighed in publicly, calling Bambu’s un-auditable networking code a security risk.

Microsoft previews Azure Linux 4.0 — its first general-purpose server Linux distribution

Announced at Open Source Summit North America (May 18-20), Azure Linux 4.0 is Microsoft’s first Linux distribution designed for general-purpose server workloads, not just containers. Previous Azure Linux versions were container-optimized; 4.0 is Fedora-derived, RPM-based, and built for Azure VMs running AI, cloud-native, and traditional workloads alike. Notable additions include native AI governance tooling that integrates with Azure Policy (pre-configured modules for auditing AI workloads, enforcing RBAC on compute resources, and logging GPU utilization for compliance), Python 3.12 as the system interpreter, and a new sandboxing capability called pylock for isolating Python environments. Azure Container Linux reached GA alongside the preview, with a broader rollout expected at Microsoft Build on June 2. General availability of Azure Linux 4.0 is planned for H2 2026. Microsoft shipping a full commercial Linux distribution — open source, free to use, purpose-built for their cloud — would have been unthinkable a decade ago. Now it’s just good strategy.

Oracle shifts to monthly Critical Security Patch Updates — first CSPU ships May 28

Oracle released its first monthly Critical Security Patch Update (CSPU) on May 28, supplementing the company’s longstanding quarterly release cadence. The May CSPU covers 35 new security patches across Oracle product families, including fixes for widely used open source components bundled in Oracle products: Apache Kafka, ActiveMQ, Tomcat, ZooKeeper, MySQL, PCRE2, libpng, and Apache HTTP Server. Oracle explicitly cited “the increased pace of AI-assisted vulnerability disclosures” as the reason for the shift — a direct acknowledgment that the same AI-driven vulnerability discovery trend driving IBM’s Project Lightwell and Anthropic’s Project Glasswing is forcing vendors to patch faster. Monthly CSPUs are released on the third Tuesday of the “off” months (February, March, May, June, August, September, November, December), while quarterly CPUs continue on their existing schedule and roll up all prior CSPU fixes. For the open source projects embedded in Oracle’s stack, faster Oracle patching means faster disclosure cycles and a tighter feedback loop with upstream maintainers.