FRESH

Hacker News

Home

We all depend on open source. We will defend it together

462 points by dhruv3006

by ninjagoo

11 subcomments

> We are joined by Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler
A lot of open source folks are going to be very skeptical, rightly so, of this group of players.
> ... to find, fix, and responsibly disclose vulnerabilities in critical open source software ...
How this is implemented is going to be key. Are they going to contribute through (a) existing channels, pull requests etc. or (b) are they going to fork the projects under the guise of 'security' or (c) offer bug bounties or (d) contribute financially?
Approach (a) brings the community along. (b) alienates the community, splits resources, and in the long term will likely cause many open-source projects to die. (c) has potential but timing and speed can be unfavorable for critical bugs, and doesn't mesh with 'responsible disclosure'. (d) can be ineffective for critical bugs unless paired with support for maintainers, which can be incredibly helpful for the opensource ecosystem.

by romaniv

2 subcomments

Nonsensical corporate posturing.
"Microsoft will contribute expertise, resources, and AI technologies to help responsibly identify and fix vulnerabilities"
As a reminder, Microsoft runs NPM and GitHub. Microsoft has access to the best AI models and massive data centers. Despite that, their own products are rapidly getting worse at security and their services are central hubs through which various exploits are propagated. They are not making things better, they are actively and rapidly making things worse.
--
For a great example of how Microsoft deals with security issues within their own Open-Source projects, I recommend reading this GitHub thread:
https://github.com/dotnet/efcore/issues/38257
EF core currently distributes a version of SQLite that has a severe vulnerability. The issue was discovered over a year ago. It was fixed by SQLite within one week. EF core didn't mark their driver as vulnerable until a user recently reported it, got bounced around and argued with developers. The current stable version of .NET core will only get a fix in roughly two months.

by cryo32

7 subcomments

No we won’t. We’ll make grand statements about it, leave it for commercial entities to corrupt it, then complain loudly about the state of it when we really did nothing about it.
I expect we’ve got a future of “undo forks” as I’ve called them which is rolling back to pre-insanity times and rethinking again. That’s only something people unencumbered by commercial requirements can do.

by brynet

2 subcomments

Defending open source should begin with real, tangible support for both the projects and its developers. Not just words.
With my OpenBSD developer hat on, getting new hardware in the hands of developers is really important, many of us are hacking on 5-10 year old thinkpads that need replacing.
https://www.openbsd.org/want.html
The OpenBSD foundation is ~50% away from its fundraising goal for 2026!
https://www.openbsdfoundation.org/campaign2026.html

by zx8080

1 subcomments

This reads as centralization and control effort. It will only provide the power to control opensource to whoever Akrites is (with the major bigtech including Google).
Thank you very much, but I remember what Google is doing with Android this September (closing third party installs using .apk).

by bingemaker

1 subcomments

> We are joined by Amazon Web Services ...
There goes all the credibility of this post

by Fizz43

3 subcomments

It seems to me as someone who wasn't paying attention to open source 10 or 20 years ago that its no longer a real community effort. Projects are maintained by their maintainers and get very little from the community. Commercial open source gets even less from the community. The only real value generated is corporate supported projects sharing with corporate supported projects. The average person is happy because they can also use these projects but ultimately they do nothing with it. The only people benefiting is the corporations that use this to build their products.
I dont know if this is a good thing or not. On paper it seems fine but there is something that feels wrong about it and I dont know exactly what.

by smartmic

2 subcomments

The most important information is this:
> participants will contribute engineering resources
If it works out as planned, we will see. Apart from this, I am not overwhelmed by the claim of this project. It favors centralization and corporate circles, exactly the opposite of what the hacker ethics promotes for good reasons.

by seanclayton

2 subcomments

I yearn for the day I see a headline like "We All Depend on Open Source. We Will Fund It Together"

by tpoacher

3 subcomments

Nice name, "Akrites".
Probably not as impressive to a non-Greek, but to a Greek person it creates very strong imagery.

by witx

2 subcomments

Unforteuately I think it's moot to post this on hacker news. The majority of people here drink deep from the AI pool and just don't care.
Besides many of the companies on the list are suspext numero uno for the state of open source

by tsoukase

1 subcomments

Akrites were the Byzantine border defenders. If they defend the OSS community against AI then they have to try hard, because Ottomans won at last.
https://en.wikipedia.org/wiki/Akritai

by luipugs

1 subcomments

Interestingly no Apple. *edit: Or any non-American companies for that matter .

by einpoklum

7 subcomments

> We are joined by Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler
Many of the names on the list makes the initiative rather suspect. Companies who do a lot to undermine free and open-source software, who hide critical software behind their walls, preventing both its scrutiny and its adaptation and improvement, and two of the LLM giants - they'll "defend open source"? I don't know about that.
> Akrites gives critical infrastructure stakeholders a confidential, structured place to coordinate vulnerability discovery, remediation, and disclosure across the open source projects they depend on
So, a bunch of large corporations - some of who are known to be in bed with the US government - will share vulnerabilities among themselves, out of the public eye? Fishy.

by playorizaya

0 subcomment

What a list! Maybe they meant "defund".
Everyone who took part in the layoff spree to boost valuation should be shut down like Enron.

by rjzzleep

0 subcomment

I'm extremely concerned about the state of Open Source. The gamification of the whole thing & devstats means that people that are good at gaming metrics are rising up the ranks and people that are genuine high quality contributors and pushed to the sidelines unless they have a very popular profile. Mass generated AI slop and AI content gives people massive devstats boosts.

by madprops

0 subcomment

Concerning globo-list. Centralization/takeover, aka an eventual "we will manage you"; which might be the true colors of the Linux Foundation. Forks would just get absorbed and used internally instead of depending on the performance of random informal earth citizens. The site is not even pleasant to read with that font. Villainy is parodied in this world heavily, names like Discord, Palantir, AI Companies talking about doom scenarios and enjoying it: so it's cool and expected to be a villain, to wrestle with the other kinds of power. I just want some fresh choices to polish the kind of company I want to get around me, which would likely be the opposite of who signed that letter.

by bitlad

0 subcomment

You can start by paying maintainers really really well.

by jdw64

6 subcomments

After reading this. I realize how different Asian and Western consciousness really are.
My entire technology stack was built on Microsoft's ecosystem, not on open source. This was Microsoft's attempt to expand their base for the corporate hiring market and OS market share.
Conversely, open source was a huge barrier for me. When I have a product I've built, I have to get past open source, but accessing open source comes with the barrier of English. And once you get past the English barrier, you hit the cultural barrier.
My hobby projects do integrate with open source, but all the technology that actually makes me money depends entirely on the Microsoft ecosystem. Most of the Asian developers around me are also tied to specific vendors. On the other hand, the Korean companies that do have a culture of contributing to open source are large corporations, and entry is determined by academic pedigree.
Because the entire context of open source is in English, and learning English reliably is expensive in itself. So to properly work as a developer in Korea, you actually need to be vendor dependent. The corporate ecosystem is not oppression; it is the only viable path to education and survival. If you want to grasp the latest trends, you ultimately need curation from a specific company. Some people say Hangul is a great writing system, but to me, this is where it becomes a curse and a shackle.
So when I read Hacker News, I feel just how large the gap in thinking is between the West and the East. The Japanese developers I have talked to mostly talk about coding within corporate environments rather than open source, and Chinese developers are also shaped by their corporate environments. But the posts on HN talk about their 'gardens' being ruined and absorbed by corporations, and they resist that. But since I was raised in a corporate environment from the start, I cannot imagine a different one, so this resistance tends to feel like an aristocratic hobby to me.
On the flip side, HN might see corporations as predators. Technology should be a commons, and developers should be free, not tenant farmers of a platform.
But the irony I personally feel is that to protect this 'garden commons,' they end up creating centralized, non-public coordination mechanisms with the very corporations that plunder the commons. That feels contradictory to me.
For security vulnerability response, non-public coordination may be necessary. If a vulnerability is disclosed before a patch is ready, attackers can create exploits. But the principle of open source is transparency and open discussion, while the Akrites-style security principle is non-public coordination and a single point of contact.
On top of that, corporations used open source as free infrastructure, and now that the risk has grown, they are building corporate-led governance systems based on that risk. That feels ambiguous to me. Of course, open source sponsorship has always had some tension, but if that was buying a craftsman's work, this looks more like buying the craftsman's workshop.
I wonder how Westerners would read this. I am curious. To me, this looks like a political struggle to take control of governance over the commons. Do Westerners see it as the Avengers? The difference in mindset is sometimes painful.

by remywang

0 subcomment

Currently the worst assault on open source is PR spam and the collapse of trust and culture that comes with it. Focus on that if you really want to defend open source.

by ykonstant

0 subcomment

Unacceptable! If Oracle doesn't enter the consort, there is no way I am trusting it to be a legitimate defender of open source!

by Ekaros

0 subcomment

Seems like obvious solution for issues that CRA and RED causes. Have to fix those vulnerabilities one way or an other. Having a team or making teams using those to fix them when absolutely necessary is something they need. And that that point have to have way to push that stuff upstream so stuff can be marked resolved in tools...
So things do get fixed, but it is not due to their graciousness.

by highway900

1 subcomments

This is fear that humans will stop software development. Think about it, the backbone of modern enterprise is open source. What if maintainers just stopped, the free ride big tech has had would be left with the slop the maintainers have to deal with now. Which without checks and balances would introduce vulnerabilities.

by ChrisMarshallNY

0 subcomment

Good stuff.
> We are joined by Amazon Web Services…
Does that include anything more than soundbites? This effort is likely to require organizational support, and funding.
It’s not clear to me, that the organizations supplying the quotes, are “undersigned.” Not all of the quotes make it clear that the organization is doing anything more than asking an LLM to generate some text.

by lilerjee

0 subcomment

Do you pay for the opensource projects which the "AI" companies used to train your LLMs?
Used them first to train LLMs to earn money, then exploit them again?

by dmitrygr

3 subcomments

> Additionally, when a critical package has no one maintaining it, Akrites will stand as the maintainer of last resort so a fix can still reach everyone in a timely fashion.
Ambitious and interesting. I wonder how long this will last and on whose dime and time? Akrites employs no engineers, so who will make the fixes and who'll pay them?

by Brian_K_White

1 subcomments

Anything they "maintainer of last resort" would actually be forks, or collectively a distribution. We already have hundreds of distributions acting as maintainer of last resort many times over, only with actual developers and not presuming to make themselves the new upstream for anyone else.

by fhub

0 subcomment

If members of Google Project Zero team are involved then I have hope. If they are not then I have many doubts.

by bmitch3020

0 subcomment

There's a massive difference between "big open source" and "small open source". LF has been doing a great job at representing their member companies, each of which has a significant investment in big open source projects, most of which are well funded and staffed. Presumably there's some transitive support given to their dependencies too.
But then there is the very long tail of small open source projects, maintained by a single developer in their spare time, which collectively support the entire software ecosystem. And in every one of these announcements, there's rarely anything being done for this group.
Changing this wouldn't be difficult. AI based vulnerability scanning of projects could be opt-in, where reports are only sent to the security contact listed in the project. This would avoid the risk of malicious actors scanning open source projects with the tool, and avoid sending reports to those projects that don't want them, while supporting the OSS software that doesn't make the "critical" threshold in LFs current criteria.
Unfortunately that would also mean spending LF member funds on projects that may not directly benefit those LF members, so I'm not holding my breath.

by rurban

0 subcomment

So they spend tokens to fix their backbones. Only fair. even required for GPL.

by javascripthater

0 subcomment

yeah open source is cool and all but can we talk about how literally everything is written in javascript now. even your toaster probably runs on node. its an infection.

by xpct

0 subcomment

Frankly, this year has shown that what's remaining of Open Source will be used for license laundering, and at a great scale. If you don't have a community backing you, there's almost no incentive remaining to start new OSS projects.

by hatefulheart

0 subcomment

This is clearly a ploy to normalise slop PRs, slop in the FOSS world more generally and the timing is telling. We are in the midst of large open source projects rejecting LLM contributions, this is a response.

by antran22

0 subcomment

Unrelated: the frontpage says: > the root of the name [Akritai] is the same word that gives us critical — which is exactly the software this effort exists to defend.
This is pure corporate slop feels good bullshit generated by an LLM. “critical” comes from “kritikós” which means “related to judgement”. “Akritai” comes from “akron/ἄκρον” which means border.
To be fair the article doesn’t sit well with me on its own, but making crappy, etymologically-untrue claim? Not on my watch.

by dbvn

0 subcomment

sponsored by: all the bad guys

by benj111

0 subcomment

I'm not really a Stallman fanboy but I do find the Free software / Open source distinction really stick out in situations like this.
There isn't a call out for contributors. This is all done behind closed doors. It's the antithesis of free/open source software, presented as defending it.
I don't particularly have any better ideas. And I'm not particularly criticising. It's just a lot of the time the terms are synonymous, but here they starkly different.

by charcircuit

2 subcomments

Why only a focus on Open Source? I feel like vulnerabilities in closed source products like Microsoft Office, Microsoft Windows, and Google Chrome to name a few can be just as essentially and foundational as other open source software for many businesses.

by debamitro

0 subcomment

As of now the site looks like a waitlist generation mechanism. Which itself is not a secure thing to do any more. Why would thousands of people give their email addresses to a website which doesn't even describe what they are going to do

by shimman

0 subcomment

A bunch of corporations that don't want their taxes to go up (which a sliver of which could be used to fund public software), along with their acolytes that will never mention worker solidarity or improving the material outcomes of developers. I'll hold my breath.
Open source movement has been a massive success in devaluing skilled workers to except peanuts while American corporations suck up as much value as possible while giving less than half a percent in return.
There needs to be a backlash against this corporate white washing.

by jrm4

0 subcomment

"Confidentiality"
Yeah, nah, I'm good. That's not "open-source."
Or maybe it is, but it's not "Free Software," the better thing.

by dev1ycan

0 subcomment

It's time to ban every big player from contributing, it's clearly they're all malicious, this is just a way to force in AI code into open source.

by fithisux

1 subcomments

Corporates terrorized people with the financial crisis they created and the unemployment weapon.
They terrorized them to abandon their free time. They terrorized them to find easy solutions in the workplace instead of coming up with solutions that require technical expertise and deep thinking. They terrorized people to not conform to standards, or create standards but instead patch around lack of standardization. They terrorized people to not question, but accept. To become slaves. They did not help them get wide knowledge but be specific on the work, like mass produced meat. They swept all problems under the carpet and said "This time it will be different". No victories, just silence on the defeats.
It has been happening in the past, has accelerated and made worse as they seized more power.
The leap to AI era is the latest and more violent step of this attack on fundamental human rights.
The problem is political in my opinion. People ought to demand a better life and more free time to work on open source or do their hobbies. They ought to demand human centric laws that stop the greed and by enforcing the laws at last.
Free time is not for consumption, but for production of higher intellectual artefacts.

0 subcomment

by henry2266

0 subcomment

can someone explain me what is this page about?

by blueTiger33

0 subcomment

Yeeeeeeeeeeeaaaaaaaaaaaaaahhhhhhhhhhhhhhhhh

by throw_a_grenade

1 subcomments

Will they hire the actual maintainers of the software in question, to have time dedicated to the project, or will they as usual, dump AI-generated patches unto maintainers, but this time with even more time pressure to merge, lest them consider projects “unmaintained” if they don't push a fix in 3 femtoseconds, and use it as a rationale to take over the project?

by shevy-java

0 subcomment

So this corporate project wants to spam down more repositores via AI slop. No, I don't like it. And no, I am not feeling encouraged to "defend it together" at the slightest, even more so as many of these companies don't really contribute anything at all back.

by doublerabbit

0 subcomment

All those open statements are just business wank.
> Amazon Web Services
We really don't give a shit, We will continue to not give a shit. We might give you a credit if threatened by the EU but really? We don't give a shit. Keep sending us that sweet dosh for AWS.
> Anthropic
We underpin the front page of the internet with Ai and in so we allow it to train upon the collective with no recognition. It's great to take and not give back. By the way your vibe coded app is looking ownage.
> Cisco
We are Cisco and we'll license you if we could. We invented the subscription model to charge you per Ethernet port on your router. Opensource is great, we don't even have to contribute upstream. We did once upon a time, isn't that enough?
> Citi
In partnership with Linux Foundation, we will do nothing and keep doing nothing. Linus enjoys his dosh and handjob now and then.
> CNCF
Working on the right fixes before the window closes, we prefer that to be left to the developers and we are very proud to support that effort. Unfortunately, no treats for the developers is written in to our company policy. How does pizza sound?
> RedHat
Open source is the foundation of modern software innovation so we hide answers behind a paywall. We sold ourselves to IBM so we could keep lubing that stripper pole to fill our filthy pockets. Larry Ellison will be here soon for his next lap-dance.
> Microsoft & GitHub
We decided to throw legal action at a security analyst for finding exploits in our OS for laughs. Open source all the way, we don't even allow you to search on GitHub without a rate limit; it's healthy to laugh. How's your mother doing? She seems a keen user of Windows 11 and as she is very important to us, we've removed that feature she uses most.

by red1oon

0 subcomment

[flagged]

by ecoglad

0 subcomment

[dead]

by epicsagas

0 subcomment

[flagged]

by pedromlsreis

0 subcomment

[flagged]

by pedromlsreis

0 subcomment

[dead]

by taintlord

0 subcomment

[dead]

by opentestudox

0 subcomment

[dead]

0 subcomment

by taintlord

0 subcomment

[dead]