TechPulseTechPulse
Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

75% Positive

Analyzed from 1080 words in the discussion.

Trending Topics

#source#software#open#code#closed#maintainers#don#project#last#companies

Discussion (21 Comments)Read Original on HackerNews

cryo32•about 1 hour ago
No we won’t. We’ll make grand statements about it, leave it for commercial entities to corrupt it, then complain loudly about the state of it when we really did nothing about it.

I expect we’ve got a future of “undo forks” as I’ve called them which is rolling back to pre-insanity times and rethinking again. That’s only something people unencumbered by commercial requirements can do.

rjzzleep•about 3 hours ago
I'm extremely concerned about the state of Open Source. The gamification of the whole thing & devstats means that people that are good at gaming metrics are rising up the ranks and people that are genuine high quality contributors and pushed to the sidelines unless they have a very popular profile. Mass generated AI slop and AI content gives people massive devstats boosts.
throw_a_grenade•about 1 hour ago
Will they hire the actual maintainers of the software in question, to have time dedicated to the project, or will they as usual, dump AI-generated patches unto maintainers, but this time with even more time pressure to merge, lest them consider projects “unmaintained” if they don't push a fix in 3 femtoseconds, and use it as a rationale to take over the project?
LaSombra•40 minutes ago
I'm pretty sure it'll be an AI dump fest with barely any humans except the long term maintainers having to cope with it all.
throw_a_grenade•24 minutes ago
I mean, it won't be neither the first nor the last slopdump, but it's the first that's backed by a threat of project takeover.

“Maintainers of last resort”, my [back].

witx•about 2 hours ago
Unforteuately I think it's moot to post this on hacker news. The majority of people here drink deep from the AI pool and just don't care.

Besides many of the companies on the list are suspext numero uno for the state of open source

fithisux•21 minutes ago
All voices have a place.
cryo32•15 minutes ago
Some should be at the bottom of a well.
witx•5 minutes ago
Ok, and? Where did I say otherwise?
fithisux•3 minutes ago
I just asserted you statement. I did not attack you.
shevy-java•3 minutes ago
I don't drink the AI slop and I also don't see where you derive to this conclusion. Most of the comments are very much against the AI slop.

> Besides many of the companies on the list are suspext numero uno for the state of open source

On this I agree. This seems indeed just promo advertising to white-wash these companies. They don't really care about ethics in open source.

einpoklum•about 3 hours ago
> We are joined by Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler

Many of the names on the list makes the initiative rather suspect. Companies who do a lot to undermine free and open-source software, who hide critical software behind their walls, preventing both its scrutiny and its adaptation and improvement, and two of the LLM giants - they'll "defend open source"? I don't know about that.

> Akrites gives critical infrastructure stakeholders a confidential, structured place to coordinate vulnerability discovery, remediation, and disclosure across the open source projects they depend on

So, a bunch of large corporations - some of who are known to be in bed with the US government - will share vulnerabilities among themselves, out of the public eye? Fishy.

Fordec•about 3 hours ago
Yeah, a bunch of the worst free riders and malicious consumers all in one place.

All they're really missing is Oracle and Bambu Lab.

Brian_K_White•about 3 hours ago
Anything they "maintainer of last resort" would actually be forks, or collectively a distribution. We already have hundreds of distributions acting as maintainer of last resort many times over, only with actual developers and not presuming to make themselves the new upstream for anyone else.
sakjur•about 2 hours ago
Microsoft controls NPM and GitHub. I would not put it past them to truly take over a project if they gauged it in their best interest (though it would be a massive violation of trust, so I'd imagine they'd tread carefully before going there).

If it's sent to Akrites, they can even pretend it's done responsibly – even though only megacorps get a seat around that table.

trashb•about 1 hour ago
Well, they did invent EEE after all. Why would they thread carefully? They own the product/service they can shut it down, no need for explanations.

https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguis...

charcircuit•about 3 hours ago
Why only a focus on Open Source? I feel like vulnerabilities in closed source products like Microsoft Office, Microsoft Windows, and Google Chrome to name a few can be just as essentially and foundational as other open source software for many businesses.
dofm•about 3 hours ago
I think the idea is that automated source code processing is making it possible to find vulnerabilities at great speed and in an overwhelming way in software that does not have paid maintainers, whereas closed source software in active use has both less accessible code and paid maintainers.

A charitable foundation might be plausible to help companies secure their closed for-profit software but it doesn’t really have the same urgency for the fabric of the internet (or the same moral clarity)

graemep•about 1 hour ago
Its a worry, but its too early to be sure what the long term effects will be. We will have many eyes on a lot more code. There might be a rush of reports that slows as all the old vulnerabilities are found.

Closed software still has many people with access to the code. Governments or researchers have been given access to lots of critical source code. It can also be leaked. I wonder whether attackers are going to be more willing to bribe people with access to source now they have better odds of finding vulnerabilities with limited effort.

dofm•about 1 hour ago
> Closed software still has many people with access to the code.

But in the examples cited (and really any other large closed piece of code of any significance in this era) it also has owners with money, and they should be compelled to fix their own stuff.

Or open the source code to be fixed, I guess ;-)

charcircuit•about 2 hours ago
>both less accessible code

Yet still important to be secured due to the impact vulnerabilities can have. And LLMs can work without source code access via utilizing things like debug symbols, disassembly, reverse engineering, etc.

>paid maintainers

Just like open source maintainers their time is already being spent on other things which they see as more important over making the project 100% security bug free. Just because they are being paid, that doesn't make security their number 1 priority.

dofm•about 1 hour ago
> that doesn't make security their number 1 priority.

Well perhaps the companies who employ them to make that software they sell for profit should let them do that first rather than tokenmaxxing, and the great big non-profit effort can get round to them to help a little bit later after it has helped secure all the open-source stuff the internet actually runs on.

behindsight•about 1 hour ago
Project Glasswing is already a thing, and the other labs have started their own initiatives too if they want to collaborate and work on securing closed-source software.

Still not addressed the moral clarity point being brought up, nor the ramifications of the Linux Foundation choosing which closed source projects to focus on and alienating their mission statement.

Again, your idea is noble but why should the Linux Foundation be saddled with it when those other options exist? OSS needs their focus as their mission outlines.

dmitrygr•about 3 hours ago
> Additionally, when a critical package has no one maintaining it, Akrites will stand as the maintainer of last resort so a fix can still reach everyone in a timely fashion.

Ambitious and interesting. I wonder how long this will last and on whose dime and time? Akrites employs no engineers, so who will make the fixes and who'll pay them?

wwind123•about 1 hour ago
Yeah, very commendable. Now I just wish the closed-source software that have lost support could similarly be supported this way, with the help from AI, so we don't have to throw away that many hardwares when their software can no longer be updated.
npodbielski•about 3 hours ago
Who they employ then? AI?
NSUserDefaults•about 2 hours ago
> Today, the undersigned commit real resources — engineering talent, security expertise, and funding — to harden the software we share
fmbb•41 minutes ago
Human talent or LLM talent?