
Comments (122)

  • ninjagoo
    > We are joined by Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler

    A lot of open source folks are going to be very skeptical, rightly so, of this group of players.

    > ... to find, fix, and responsibly disclose vulnerabilities in critical open source software ...

    How this is implemented is going to be key. Are they going to contribute through (a) existing channels, pull requests etc., or (b) are they going to fork the projects under the guise of 'security', or (c) offer bug bounties, or (d) contribute financially?

    Approach (a) brings the community along. (b) alienates the community, splits resources, and in the long term will likely cause many open-source projects to die. (c) has potential, but timing and speed can be unfavorable for critical bugs, and it doesn't mesh with 'responsible disclosure'. (d) can be ineffective for critical bugs unless paired with support for maintainers, which can be incredibly helpful for the open source ecosystem.
  • cryo32
    No we won't. We'll make grand statements about it, leave it for commercial entities to corrupt it, then complain loudly about the state of it when we really did nothing about it.

    I expect we've got a future of "undo forks", as I've called them, which is rolling back to pre-insanity times and rethinking again. That's only something people unencumbered by commercial requirements can do.
  • brynet
    Defending open source should begin with real, tangible support for both the projects and their developers. Not just words.

    With my OpenBSD developer hat on, getting new hardware in the hands of developers is really important; many of us are hacking on 5-10 year old ThinkPads that need replacing.

    https://www.openbsd.org/want.html

    The OpenBSD Foundation is ~50% away from its fundraising goal for 2026!

    https://www.openbsdfoundation.org/campaign2026.html
  • bingemaker
    > We are joined by Amazon Web Services ...

    There goes all the credibility of this post.
  • seanclayton
    I yearn for the day I see a headline like "We All Depend on Open Source. We Will Fund It Together"
  • zx8080
    This reads as a centralization and control effort. It will only provide the power to control open source to whoever Akrites is (with the major big tech, including Google).

    Thank you very much, but I remember what Google is doing with Android this September (closing third party installs using .apk).
  • smartmic
    The most important information is this:

    > participants will contribute engineering resources

    If it works out as planned, we will see. Apart from this, I am not overwhelmed by the claim of this project. It favors centralization and corporate circles, exactly the opposite of what the hacker ethic promotes, for good reasons.
  • madprops
    Concerning globo-list. Centralization/takeover, aka an eventual "we will manage you"; which might be the true colors of the Linux Foundation. Forks would just get absorbed and used internally instead of depending on the performance of random informal earth citizens. The site is not even pleasant to read with that font. Villainy is parodied in this world heavily, names like Discord, Palantir, AI Companies talking about doom scenarios and enjoying it: so it's cool and expected to be a villain, to wrestle with the other kinds of power. I just want some fresh choices to polish the kind of company I want to get around me, which would likely be the opposite of who signed that letter.
  • tpoacher
    Nice name, "Akrites". Probably not as impressive to a non-Greek, but to a Greek person it creates very strong imagery.
  • Ekaros
    Seems like an obvious solution for the issues that the CRA and RED cause. They have to fix those vulnerabilities one way or another. Having a team, or making teams using those, to fix them when absolutely necessary is something they need. And at that point they have to have a way to push that stuff upstream so it can be marked resolved in tools...

    So things do get fixed, but it is not due to their graciousness.
  • witx
    Unfortunately I think it's moot to post this on Hacker News. The majority of people here drink deep from the AI pool and just don't care.

    Besides, many of the companies on the list are suspect numero uno for the state of open source.
  • bitlad
    You can start by paying maintainers really really well.
  • highway900
    This is fear that humans will stop software development. Think about it, the backbone of modern enterprise is open source. What if maintainers just stopped, the free ride big tech has had would be left with the slop the maintainers have to deal with now. Which without checks and balances would introduce vulnerabilities.
  • luipugs
    Interestingly no Apple. *edit: Or any non-American companies, for that matter.
  • jdw64
    After reading this, I realize how different Asian and Western consciousness really are.

    My entire technology stack was built on Microsoft's ecosystem, not on open source. This was Microsoft's attempt to expand their base for the corporate hiring market and OS market share.

    Conversely, open source was a huge barrier for me. When I have a product I've built, I have to get past open source, but accessing open source comes with the barrier of English. And once you get past the English barrier, you hit the cultural barrier.

    My hobby projects do integrate with open source, but all the technology that actually makes me money depends entirely on the Microsoft ecosystem. Most of the Asian developers around me are also tied to specific vendors. On the other hand, the Korean companies that do have a culture of contributing to open source are large corporations, and entry is determined by academic pedigree.

    Because the entire context of open source is in English, and learning English reliably is expensive in itself, to properly work as a developer in Korea you actually need to be vendor dependent. The corporate ecosystem is not oppression; it is the only viable path to education and survival. If you want to grasp the latest trends, you ultimately need curation from a specific company. Some people say Hangul is a great writing system, but to me, this is where it becomes a curse and a shackle.

    So when I read Hacker News, I feel just how large the gap in thinking is between the West and the East. The Japanese developers I have talked to mostly talk about coding within corporate environments rather than open source, and Chinese developers are also shaped by their corporate environments. But the posts on HN talk about their 'gardens' being ruined and absorbed by corporations, and they resist that.

    But since I was raised in a corporate environment from the start, I cannot imagine a different one, so this resistance tends to feel like an aristocratic hobby to me.

    On the flip side, HN might see corporations as predators. Technology should be a commons, and developers should be free, not tenant farmers of a platform.

    But the irony I personally feel is that to protect this 'garden commons,' they end up creating centralized, non-public coordination mechanisms with the very corporations that plunder the commons. That feels contradictory to me.

    For security vulnerability response, non-public coordination may be necessary. If a vulnerability is disclosed before a patch is ready, attackers can create exploits. But the principle of open source is transparency and open discussion, while the Akrites-style security principle is non-public coordination and a single point of contact.

    On top of that, corporations used open source as free infrastructure, and now that the risk has grown, they are building corporate-led governance systems based on that risk. That feels ambiguous to me. Of course, open source sponsorship has always had some tension, but if that was buying a craftsman's work, this looks more like buying the craftsman's workshop.

    I wonder how Westerners would read this. I am curious. To me, this looks like a political struggle to take control of governance over the commons. Do Westerners see it as the Avengers? The difference in mindset is sometimes painful.
  • einpoklum
    > We are joined by Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler

    Many of the names on the list make the initiative rather suspect. Companies who do a lot to undermine free and open-source software, who hide critical software behind their walls, preventing both its scrutiny and its adaptation and improvement, and two of the LLM giants - they'll "defend open source"? I don't know about that.

    > Akrites gives critical infrastructure stakeholders a confidential, structured place to coordinate vulnerability discovery, remediation, and disclosure across the open source projects they depend on

    So, a bunch of large corporations - some of whom are known to be in bed with the US government - will share vulnerabilities among themselves, out of the public eye? Fishy.
  • rjzzleep
    I'm extremely concerned about the state of Open Source. The gamification of the whole thing & devstats means that people who are good at gaming metrics are rising up the ranks and people who are genuine high quality contributors are pushed to the sidelines unless they have a very popular profile. Mass generated AI slop and AI content gives people massive devstats boosts.
  • hatefulheart
    This is clearly a ploy to normalise slop PRs, and slop in the FOSS world more generally, and the timing is telling. We are in the midst of large open source projects rejecting LLM contributions; this is a response.
  • fhub
    If members of Google Project Zero team are involved then I have hope. If they are not then I have many doubts.
  • javascripthater
    yeah open source is cool and all but can we talk about how literally everything is written in javascript now. even your toaster probably runs on node. its an infection.
  • rurban
    So they spend tokens to fix their backbones. Only fair, even required for GPL.
  • Brian_K_White
    Anything they "maintainer of last resort" would actually be forks, or collectively a distribution. We already have hundreds of distributions acting as maintainer of last resort many times over, only with actual developers and not presuming to make themselves the new upstream for anyone else.
  • dmitrygr
    > Additionally, when a critical package has no one maintaining it, Akrites will stand as the maintainer of last resort so a fix can still reach everyone in a timely fashion.

    Ambitious and interesting. I wonder how long this will last, and on whose dime and time? Akrites employs no engineers, so who will make the fixes and who'll pay them?
  • fithisux
    Corporates terrorized people with the financial crisis they created and the unemployment weapon.

    They terrorized them to abandon their free time. They terrorized them to find easy solutions in the workplace instead of coming up with solutions that require technical expertise and deep thinking. They terrorized people to not conform to standards, or create standards, but instead patch around lack of standardization. They terrorized people to not question, but accept. To become slaves. They did not help them get wide knowledge but be specific on the work, like mass produced meat. They swept all problems under the carpet and said "This time it will be different". No victories, just silence on the defeats.

    It has been happening in the past, and has accelerated and been made worse as they seized more power.

    The leap to the AI era is the latest and most violent step of this attack on fundamental human rights.

    The problem is political in my opinion. People ought to demand a better life and more free time to work on open source or do their hobbies. They ought to demand human centric laws that stop the greed, and enforcement of the laws at last.

    Free time is not for consumption, but for production of higher intellectual artefacts.
  • henry2266
    Can someone explain to me what this page is about?
  • benj111
    I'm not really a Stallman fanboy, but I do find the Free software / Open source distinction really sticks out in situations like this.

    There isn't a call out for contributors. This is all done behind closed doors. It's the antithesis of free/open source software, presented as defending it.

    I don't particularly have any better ideas. And I'm not particularly criticising. It's just that a lot of the time the terms are synonymous, but here they are starkly different.
  • charcircuit
    Why only a focus on Open Source? I feel like vulnerabilities in closed source products like Microsoft Office, Microsoft Windows, and Google Chrome, to name a few, can be just as essential and foundational as open source software for many businesses.
  • throw_a_grenade
    Will they hire the actual maintainers of the software in question, to have time dedicated to the project, or will they, as usual, dump AI-generated patches onto maintainers, but this time with even more time pressure to merge, lest they consider projects "unmaintained" if they don't push a fix in 3 femtoseconds, and use it as a rationale to take over the project?
  • blueTiger33
    Yeeeeeeeeeeeaaaaaaaaaaaaaahhhhhhhhhhhhhhhhh
  • shevy-java
    So this corporate project wants to spam down more repositories via AI slop. No, I don't like it. And no, I am not feeling encouraged to "defend it together" in the slightest, even more so as many of these companies don't really contribute anything at all back.
  • doublerabbit
    All those open statements are just business wank.

    > Amazon Web Services

    We really don't give a shit. We will continue to not give a shit. We might give you a credit if threatened by the EU, but really? We don't give a shit. Keep sending us that sweet dosh for AWS.

    > Anthropic

    We underpin the front page of the internet with AI, and in so doing we allow it to train upon the collective with no recognition. It's great to take and not give back. By the way, your vibe coded app is looking ownage.

    > Cisco

    We are Cisco and we'll license you if we could. We invented the subscription model to charge you per Ethernet port on your router. Open source is great; we don't even have to contribute upstream. We did once upon a time, isn't that enough?

    > Citi

    In partnership with the Linux Foundation, we will do nothing and keep doing nothing. Linus enjoys his dosh and a handjob now and then.

    > CNCF

    Working on the right fixes before the window closes: we prefer that to be left to the developers, and we are very proud to support that effort. Unfortunately, no treats for the developers is written into our company policy. How does pizza sound?

    > RedHat

    Open source is the foundation of modern software innovation, so we hide answers behind a paywall. We sold ourselves to IBM so we could keep lubing that stripper pole to fill our filthy pockets. Larry Ellison will be here soon for his next lap-dance.

    > Microsoft & GitHub

    We decided to throw legal action at a security analyst for finding exploits in our OS for laughs. Open source all the way; we don't even allow you to search on GitHub without a rate limit. It's healthy to laugh. How's your mother doing? She seems a keen user of Windows 11, and as she is very important to us, we've removed that feature she uses most.
  • epicsagas
    [flagged]
  • pedromlsreis
    [flagged]
  • pedromlsreis
    [dead]
  • opentestudox
    [dead]