We all depend on open source. We will defend it together
akrites.org405 points by dhruv3006 13 hours ago
405 points by dhruv3006 13 hours ago
> We are joined by Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler
A lot of open source folks are going to be very skeptical, rightly so, of this group of players.
> ... to find, fix, and responsibly disclose vulnerabilities in critical open source software ...
How this is implemented is going to be key. Are they going to contribute through (a) existing channels, pull requests etc. or (b) are they going to fork the projects under the guise of 'security' or (c) offer bug bounties or (d) contribute financially?
Approach (a) brings the community along. (b) alienates the community, splits resources, and in the long term will likely cause many open-source projects to die. (c) has potential but timing and speed can be unfavorable for critical bugs, and doesn't mesh with 'responsible disclosure'. (d) can be ineffective for critical bugs unless paired with support for maintainers, which can be incredibly helpful for the opensource ecosystem.
Keep in mind that while I am employed by the Linux Foundation, I know nothing of the internals of this project; I will speak, instead, of what the projects I support do.
I have found (c) to be high noise, low signal. We're winding down our HackerOne program.
D: we do this in a couple ways. For PQCA, for instance, we use credits from AWS to get access to hardware to run proofs and CI on. PQCA also has a paid mentorship program.
For OWF, we do the same with AWS credits, as well as provide hosting for projects to run services on for testing.
For LFDT, we offer paid mentorships, have paid for Trail of Bits to do reviews, and run events. We had a maintainer summit in New York in January so our maintainers could meet for two days face-to-face. We fund large GitHub CI runners for projects as well.
I know it doesn't answer everything, but our team is only a few people and we really do work hard to help developers. What I'll call the devrel team for OWF/PQCA/LFDT is three FTE, one contractor, and our manager.
LFDT: https://www.lfdecentralizedtrust.org/
OWF: https://openwallet.foundation/
PQCA: https://pqca.org/
PQCA benchmarks, for instance: https://pq-code-package.github.io/mldsa-native/dev/bench/
It doesn't help that "Akrides" sound like a Bond villain EvilCorp run by Dr Ambergris whose face is horribly disfigured from a series botched face lifts that's plotting to populate Mars with big boobed clones running around dressed only in brassieres, just like his lead concubine, Dorothy "Dirty" Sanchez (Don't blame me for Kam Fleming's knack for double entendres...) who leads his team of equally big boobed secret helicopter pilotresses.
This is, of course, ridiculous, and Dr. Ambergris is just an amalagam of Muammar al-Gaddafi and some 2nd rate wannabe strongmen not worth mentioning that I made up for fun.
> A lot of open source folks are going to be very skeptical, rightly so, of this group of players.
You say this as if these players aren't members of "the open source folks". It's not an exclusive club.
I don't see how that was implied? Just because someone is part of the "club" doesn't mean many other "members" can't be skeptical of their role.
In fact, it doesn't even seem difficult to simultaneously acknowledge and commend the valuable role they play, while also expressing concern over the influence they wield and how it might contrast with desires and goals of the wider community.
They are the wider community. Programmers working on behalf of corporate actors write open source code in the commons because their organizations have discovered competing on some parts of the stack isn't as viable as collaborating on parts of the stack.
I won't pretend to speak to specific numbers, but a huge amount of work and maintenance is from these programmers, or funded via the corporate actors which employ these programmers. Those actors are either on this list, or don't have a problem with this list.
What remains are the handful of truly independent contributors, which are a minority in terms of LoC (though they often have an outsized impact), and the peanut gallery.
Open source wasn't always this way, it would be a different discussion 30 years ago when independents were the only guys in town, but it is now.
My best understanding from reading this is a) where possible and b) where necessary. This is the Linux Foundation, so it must put OSS and community first, surely.
People talk about contributing financially, but how and to what end? Most projects aren't set up to accept or utilise donations. That said, I would say we should be providing all OSS projects with significant access to AI in order to review their codebases and PRs and hopefully relieve some of the maintenance burden. I know there are some initiatives in this area already.
> This is the Linux Foundation, so it must put OSS and community first, surely.
Linux Foundation is run by the said called corporates from the list. So is Rust Foundation. Linux in itself is safe cos Linus controls it. Not the rest of the projects LF controls.
So far, the Linux Foundation, from what I have seen, has pretty darn good track record of keeping the projects under its umbrella open source, even going against corporate sponsors to do so. For a recent example, see the recent NATS tuffle. (And I should.recognize that Synadia, finally, did the right thing and backed down).
To add to this, I've experienced all sides of the LF and they are the only organization I trust at this point. Donating a project to them is A Good Thing.
There's bureaucracy of course but the mission is clear. Highly recommend working with them in any capacity.
Remember when google set up a whole project to find vulnerabilities but never sent any fix and unpaid developers were basically having to fix things that an entire team of people was hired to find… yeah maybe they could have just made an offer to some maintainers instead of burning them out?
Is this an oblique reference to OSS Fuzz, or something else?
It seems weird to blame Google here, given that they didn’t manufacture the bugs: the bugs were already there, and they just found them. This is arguably the best thing for all parties: open source maintainers are still under no obligation to fix things, but downstreams can properly inform themselves about the risks they inherit by using any given project.
The alternative is a “don’t ask, don’t tell” system, which people generally agree doesn’t work well in other aspects of life.
They are contributing back, which is a good thing. Other companies just fork, fix, and forbid to contribute back.
Burning out maintainers isn't "contributing back".
Do you have any examples of Google submitting vulnerabilities and refusing to assist maintainers create a patch when asked to do so?
Wasn’t that a story with ffmpeg a few months ago? And people were getting roasted for even the suggestion that google should contribute patches?
People were getting rightly roasted for calling google a leech when A) google does donate money to ffmpeg and B) that bug was in a weird format google almost certainly has disabled so they're not reporting it to get free labor.
Um, the Linux Foundation is an industry body, not a user or community group. You seem confused?
No, not really, and I don't think you need to be snarky.
It may be an industry body, but it runs multiple community conferences and projects which support Open Source. A notable example in this case being the OpenSSF https://openssf.org/
The LF is not perfect, but I would expect them to come from an OSS and community angle on this.
I am pretty sure that these industries use the open source projects the Linux Foundation maintains. So it is pretty clear the Linux Foundation is indeed a user community group, too.
> one confidential, trusted place to coordinate discovery, remediation, and disclosure
I read this they would build the patches privately (or with maintainers if confidential) and then share amongst their supporters before public release.
> alienates the community
That's a feature to them, not a bug. They want the software and don't want the community.
Option (c) is now thoroughly outdated in the age of AI. Offering a bug bounty attracts the kind of people who think they can make a quick buck using AI and then flood you with bogus bugs found by non-SOTA models. See curl.
What worked is to remove the bounty and simply allow people to report bugs responsibly. This attracts the kind of altruistic volunteers who want more secure software for ideological rather than financial reasons. They still use AI but you won’t see slop.
Note that the LF of today is basically just like any other global corporation with its own political agenda. You can just follow the money, and see that it is controlled by corporations. They neutered Torvalds, are very woke, and generally a nightmare to work with.
I always advice aspiring open source enthusiasts to stay far, far away from the Linux Foundation. It has become a barrier to software freedom these days, rather than an enabler.
You realize that the companies listed employ many of the core open source maintainers for large projects? It is project-specific, but 80% of Linux kernel development is from paid corporate employees. Similar for kubernetes. All the load bearing infrastructure is already handled by these companies... literally no one else is going to have the resources or experience to redirect large efforts on securing F/OSS.
What would you propose otherwise?
Nonsensical corporate posturing.
"Microsoft will contribute expertise, resources, and AI technologies to help responsibly identify and fix vulnerabilities"
As a reminder, Microsoft runs NPM and GitHub. Microsoft has access to the best AI models and massive data centers. Despite that, their own products are rapidly getting worse at security and their services are central hubs through which various exploits are propagated. They are not making things better, they are actively and rapidly making things worse.
--
For a great example of how Microsoft deals with security issues within their own Open-Source projects, I recommend reading this GitHub thread:
https://github.com/dotnet/efcore/issues/38257
EF core currently distributes a version of SQLite that has a severe vulnerability. The issue was discovered over a year ago. It was fixed by SQLite within one week. EF core didn't mark their driver as vulnerable until a user recently reported it, got bounced around and argued with developers. The current stable version of .NET core will only get a fix in roughly two months.
Before Microsoft, GitHub invented all of Electron just so they could create an IDE in JavaScript (lol)
But it was fun - and Electron became something totally different and useful. This is what tech innovation is all about.
Microsoft after acquiring them, instead of continuing these great projects with VSCode, instead paid for influencers to trash Electron (which worked for the most part, in 2026 most people think Electron sucks and can't say why - when WKWebView is way worse! Nobody cares).
So, MS builds VSCode - doesn't even fork Atom to do so. Looks identical to it. They built it from scratch. Bigger. Slower. Now with Copilot! I just went back to Atom (rather Pulsar, the last good fork).
I share this because it's exactly what Microsoft always does. They acquire based on opportunity and competitive space then rarely even use what they paid for. They get rid of all the good employees and the good code. They put a bunch of Indians in there who just hire other Indians and totally ruin the product.
But what gets me is EVERYONE uses their stuff still hahahah Guys. STOP USING MICROSOFT STUFF. Get off LinkedIn. Let's all go in on another VCS. Until open source developers put their money with their mouth is, Microsoft will continue to suck in more ways than one.
> So, MS builds VSCode - doesn't even fork Atom to do so. Looks identical to it. They built it from scratch. Bigger. Slower.
Someone needs to fix a memory leak here.
Atom was famously slow. Even among people using it and championing it.
VSCode totally wowed people not just because it was faster, but because it was essentially the first «real» Electron-app which proved Electron-apps could have near native performance.
You got this part 100% backwards.
> proved Electron-apps could have near native performance
I don't think that's true at all. Try running Zed or Sublime.
> Atom was famously slow
It's your linter
And Electron apps do not have near native performance lmao Not even close. And neither does VS Code haha. Definitely slow just like Atom.
You missed the point
No we won’t. We’ll make grand statements about it, leave it for commercial entities to corrupt it, then complain loudly about the state of it when we really did nothing about it.
I expect we’ve got a future of “undo forks” as I’ve called them which is rolling back to pre-insanity times and rethinking again. That’s only something people unencumbered by commercial requirements can do.
In a certain way, moving from "Free Software" to "Open Source" started this transition and it's not slowing down.
Imagine if the AGPL had become the default license for open source projects, as it was intended to when the service provider loophole in the GPL became apparent. The software industry would be unrecognizable.
Instead, millions of developers now gift corporations their work by releasing everything under MIT or Apache, and those corporations take from that treasure trove what they want and give back what they want, which is very often nothing.
Some projects , like Godot are MIT so contributors can use it for their own commercial projects.
Occasionally, EA for example, a big corp will donate some money to. Apple has created PRS to add support for Vision Pro.
If Godot was GPL it would be useless for most commercial game devs.
You are absolutely allowed to use GPL software in commercial products, why are you deliberately lying or misleading?
GitHub could only exist because it was built on top of git, which is also GPL licensed. This is not the only example but should be the immediate one since nearly a vast majority of devs touch git on a daily basis.
Maybe stop listening to your legal team and actually think for a moment. GPL doesn't prevent commercialization, what it does is make sure everyone contributes to the same project equally. Shocker, corporations do not want to contribute to the common good they want to rat fuck it into submission for profit.
You have to then contribute all your changes back.
The Godot foundation picked MIT for a good reason. If your legal team says no GPL then no GPL. This has been standard practice for decades.
Just because you have to follow the legal team doesn't mean they're making good decisions for the business.
The changes you make to a game engine are almost never the important part of your game's IP.
Depending on who you ask an GPL game engine can only produce GPL games.
I guess you could sell the game ready to play, and then upload its source code without needed assets somewhere else.
Most companies aren’t going to be ok with this.
I know when I write a project, I just MIT license it. If some of the code I wrote helps you get your job done, go for it.
I believe Open Source software sold developers the dream of "to be hired for what they have developed" and cash-in the effort they have spent as a future, stable employment.
Many die on the hill of "developing something required for free with permissive licenses for recognition which will help with their future endeavors", which is the same with other creative lines of work. As a result they are milked of their knowledge and forced to bear the burden of leading the project and handling the community while companies just use what's developed while quietly but strongly nudging the project's direction for their benefit.
If the developer gets rogue, the thing is forked and sometimes closed down with no downside to the company, but the community and the developer(s) are hung to dry, conveniently signaling other developers about what they might face if they disobey their overlords with iron fists in velvet gloves as a secondary effect.
I think you can get recognition just as well with share-alike licenses. Plus you leave the opportunity open to ask for money for a different license grant.
I believe strongly so, however companies doesn't like this, hence the current state we're in. Also it's part of the "advertising" done by the companies.
Last but not the least, many people are very ill-informed about GPL and how it works. I experience this when we discuss this with peers.
This is why I only use copyleft (or non-commercial/share-alike) licenses on what I build/produce/put out.
If you share your code with me under a copy left license, I will share my contributions under the same copy left license... you will not then be free to ask for money for things built on top of or with my contributions. You may be okay with that, but it is a decision you have to make.
A common misunderstanding with the GPL and other copy left licences is that they care about money and monetary transactions.
They mostly do not.
They only demand that you offer the source code to anyone that asks for it if you also distribute any kind of executable (you may even charge to cover the costs of the distribution).
The AGPL expands this to SaaS's too to close that loophole.
lying about the license to linus probably wasn't a smart move for AGPLv3 adoption. In my experience the virality clause is the main reason those projects don't get used therefor sponsored.
Its worse. Open source will be hijacked by hype warfare companies to extract free labour and build the things they want instead of the things we want.
Oh that ship sailed over a decade ago. Industry appeasement is a big part of what killed Drupal.
What killed Drupal, and what replaced it? WordPress?
The Drupal Association and its mismanagement of the community? I don't know how dead Drupal is, but I used to actively use and promote it and I have long since moved on, due in part to the Drupal Associations shenanigans.
I glanced at D.O the other day and was depressed to find they're reporting 400k active installs. I remember when that was 16M and growing. We're talking a loss of 97.5% of active sites. I'm betting the few that remain are mostly small government and nonprofit websites that haven't managed to put together the budget for a migration away from the platform. So yeah pretty dead. And yeah I blame the Drupal Association by way of Aquia and Microsoft. I left the project with a clear conscience after explaining in detail to an entire roomful of core developers that objectifying the codebase a la Laravel would kill the project stone dead within 5 years. Predictably they offered the typical "community developers are bad and don't want to learn" sneer as their primary defense of the decision. RIP.
But surely the death of any large chunk of PHP leaving the stage is cause for applause and boisterous shouts of joy?
Having coded back end projects in PHP, Perl, Python, and Node idk wtf folks who make comments like this are on about. Node took all of the worst aspects of JavaScript and spread them to back end development. Someone should have ended up on trial in the Hague for that particular crime against humanity and PHP is what you're grumbling about? Seriously?
Idk I swapped to a Linux-only PC last April and have been steadily shifting over to open source software for basically everything in my life. I haven’t done everything, I doubt I ever will hit 100%, but well over half the stuff I use on a daily basis I have real control over now and can audit.
Keep in mind I am not a coder/engineer, I’m just kind of a tourist in that world, so if I can do it it’s clearly very achievable for many people.
No reason to throw up your hands in defeat. We don’t need everyone to shift over everything. We just need to make sure there’s always space and demand for open source software to keep it alive.
One of the reasons why a source-based system like Gentoo is particularly nice is that you can compile your binaries with debug flags, so if you hit bad behavior you can inspect, write a patch, compile into your running system, and then push the same patch upstream.
I barely have to do it, but imho, this is how software should work and what running a computer should feel like.
It's worth noting that even more staid distributions like Debian provide you with the means to do this. It's arguably bit more complicated, but saves you a lot of time and hassle on the happy path.
I use OpenBSD and it’s actually the same thing with the additional niceties of binary packages. A bug or an issue with any program (including the kernel and drivers)? Patch and rebuild.
I'm doing exactly the same but you really don't have as much control as you may wish. I mean look at Freedesktop which is basically Redhat staff. The biggest Kernel contributor in SLOC a while back was MSFT.
Gnome and Systemd is a fine example of how fucked up this can get.
I’m on bazzite which isn’t perfect but it’s lightyears ahead of windows.
You can always find bad examples. The good news is there’s still lots of good ones out there right now. No point in being defeatist about it, just do what you can
> I have real control over now and can audit.
> Keep in mind I am not a coder/engineer
How do you control and audit something you don’t understand? What specific steps are you taking?
I depend on the community tbh. Poor phrasing, it implies I personally audit it. But ultimately if I want to I can and I know plenty of folks scour repos/compile code themselves, so if something is wrong it’ll likely come out. It’s open source, they can’t hide it from people who are looking. Also I’m not entirely ignorant - I can sometimes see when something is up, I am comfortable using a CLI, I know my way around a computer better than most.
Wouldn’t you say that’s way better than the status quo with windows/macOS?
Commercial entities are 95% of useful open-source (Linux, Postgres and similar — excluding leftstr-type of utilities).
Commercial entities latch onto useful open-source because it is a successful product they simply cannot compete with.
why would they compete with it when its open?
To secure network effects for themselves. This is one of the reasons the ASF was founded.
https://httpd.apache.org/ABOUT_APACHE.html
> We realize that it is often seen as an economic advantage for one company to "own" a market - in the software industry, that means to control tightly a particular conduit such that all others must pay for its use. This is typically done by "owning" the protocols through which companies conduct business, at the expense of all those other companies. To the extent that the protocols of the World Wide Web remain "unowned" by a single company, the Web will remain a level playing field for companies large and small. Thus, "ownership" of the protocols must be prevented.
They wouldn't. But the GPP seemed to be implying that we should be grateful to commercial entities for the existence of those useful open projects, when in fact if the commercial entities had their preferred way the projects would not be (as) open.
Note that the LF of today is basically just like any other global corporation with its own political agenda. You can just follow the money, and see that it is controlled by corporations. They neutered Torvalds, are very woke, and generally a nightmare to work with.
I always advice aspiring open source enthusiasts to stay far, far away from the Linux Foundation. It has become a barrier to software freedom these days, rather than an enabler.
Defeatism is easy
Which is a large part of why what cryo32 said will come to pass.
Acknowledging the result of defeatism should push us toward a different mindset, not more defeatism. Over the long run, humanity has a pretty good record, carried by the people who refuse to give up.
Only if people succumb to defeatism. There have been documented instances of that not happening.
> Defeatism is easy
I prefer easy.
If you prefer difficult, more power to you.
It's the same easy as falling out of a plane without a parachute. Gravity will do all the work but you'll not like what happens at the bottom.
Isn't it easier just not to board the plane, who really enjoys being at an airport?
You were never at an airport. You fell asleep in your bed and woke up on the plane. Fighting the people taking you somewhere you don't want to go is definitely more work than falling out of the plane. It just has a specific advantage.
> who really enjoys being at an airport?
Not every airport is a huge commercial building with hundreds of people (also, you wouldn’t visit one of those to parachute jump). Some are akin to cozy shacks without a lot of traffic where you’re in and out in no time.
> I prefer easy.
Clearly you don’t feel that strongly about it. You know what would’ve been easier than making an account just to post that comment? Not doing that.
Have you also stopped working, paying your bills, showering, eating, interacting with other people? Not doing any of that is easier than doing it.
Do you have any concrete plan to make things better that doesn’t involve magical thinking or pseudo-appeals like “everyone just needs to…”?
Defending open source should begin with real, tangible support for both the projects and its developers. Not just words.
With my OpenBSD developer hat on, getting new hardware in the hands of developers is really important, many of us are hacking on 5-10 year old thinkpads that need replacing.
https://www.openbsd.org/want.html
The OpenBSD foundation is ~50% away from its fundraising goal for 2026!
Also in addition to funding the open source projects you use, if you can, please consider directly supporting individual contributors/developers personally who work on those projects, many are volunteers and even a small monthly contribution could mean the difference.
> We are joined by Amazon Web Services ...
There goes all the credibility of this post
This reads as centralization and control effort. It will only provide the power to control opensource to whoever Akrites is (with the major bigtech including Google).
Thank you very much, but I remember what Google is doing with Android this September (closing third party installs using .apk).
This is my concern as well. If critical open source packages become dependent on these corporations for "secure" releases, does that enable them to force ID verification into packages, for example? Related, but most of the smart folk I know think Open Source AI means Anthropic and OpenAI are financially impossible. A lot of the companies signed onto this are heavily, heavily leveraged by those two, and have significant incentive to disrupt Open Source AI before all their customers get sticker shock. I've been waiting to see what their move would be, and this might be part of it.
Akrites were the Byzantine border defenders. If they defend the OSS community against AI then they have to try hard, because Ottomans won at last.
I yearn for the day I see a headline like "We All Depend on Open Source. We Will Fund It Together"
Many of these bigger companies are "funding open source" by paying their employees to participate. Look at all of the corporate email addresses on the LKML for instance...
How about they actually fund open source in the sense of letting the public dictate the direction of software for the country, not a cabal of unelected people that only care for pushing changes that benefit corporations.
Open source would look drastically different, for the better I might add, if devs had a real choice in what to invest in.
Corporate control of open sources has not benefited devs or society as it stands. Continuing to let corporations control should not continue to stand. There is no reason why big tech can have taxes imposed on them where the public can decide what is best for them and not the devs at Meta that are fine with profiting from a genocide or mass misery.
You are absolutely welcome to start a project and exclude anyone who you think is unworthy of contributing. Software is not and never was a public good.
The most important information is this:
> participants will contribute engineering resources
If it works out as planned, we will see. Apart from this, I am not overwhelmed by the claim of this project. It favors centralization and corporate circles, exactly the opposite of what the hacker ethics promotes for good reasons.
Doesn't seem very inclusive. Seems to be another layer to centralize the inbound vulns, gather intelligence and handle them in secret.
It may also turn into another source of pressure. Maybe they manage to sort out the real vulns, but then they come in as high priority to the maintainers.
Many maintainers are already exhausted from their normal work, sans AI noise. Even if they supply fixes, it still requires review.
In best case they could reduce noise but the work is still there. The industry needs to generally fund OS projects to give them the agency to handle it on their own. That's is likely best for quality. If there is still need to filter AI noise then they can add that, but not as a secret opaque thing that controls it all.
You can even shorten that. This is some corporate hollo-bollers takes-your-time-and-gives-nothing-in-return fakery-roo.
> exactly the opposite of what the hacker ethics promotes for good reasons.
Yup. Seems kind of like those zombie plants in the movie "Invasion of the Body Snatchers" (the first remake; though the original is also great, but it was more about communism as threat, whereas the first remake added a bit of alien horror motifes).
Silicon Valley is not as large as it might seem, and knowledge sharing and consortiums and working groups happen a lot.
You can complain about supply chain problems, or you can actually try to work on it. They're trying to work on it.
Nice name, "Akrites".
Probably not as impressive to a non-Greek, but to a Greek person it creates very strong imagery.
To save others a search:
> The akritai (singular akrites) is a term used in the Byzantine Empire in the 9th–11th centuries to denote the frontier soldiers guarding the Empire's eastern border, facing the Muslim states of the Middle East. (Wikipedia)
Akron means edge or border, so "frontiersman" or "those of the border".
EDIT: Commenters seem upset about the Muslim part, I didn’t mean to imply anything, you cannot just copy-paste contemporary disputes and prejudices a thousand years ago. In the historical context it’s just like most borders between different civilizations. The point is that they were a collective organization getting together to defend their land.
Then it's perhaps not the best name, given what happened in the end to the empire's eastern border.
This is a very simplified and uninformed view of what the Akritai were. The name choice is so wrong, it cannot even be called out as cultural appropriation, because it is far worse than that. LF just stick with languages you understand.
I would be glad to learn if you are willing to explain, this what I found from trusted sources, but it would be great to know if there’s additional nuance.
Akritai were locals who were to be used as the defenders of the borders instead of deploying regular Army or mercenaries. For this reason they were given land (so as to have skin in the game) and tax breaks. When the tax breaks stopped the Akritai rapidly vanished. These are also mentioned in Wikipedia pages.
So, in terms of a security project an Akritas would be you running an EDR agent on a machine that you own, not some of the signatory companies who basically do not own anything on the edge (end user equipment).
Com'on, it's not that bad. The idea of these organizations is that, since they're using and testing this software, "we'll see any issues first, we'll let you know, and we'll deal with it." The quoted part bears some resemblance to the tasks of Akrites.
Remains to be seen whether history will repeat itself: when the tax breaks/ free AI use stops, will anyone keep doing this?
Disclaimer: I have had nothing to do with this initiative, and was not consulted on the name.
> facing the Muslim states of the Middle East.
if true, then choosing this name was a very bad decision.
Imagine how Muslims would feel, demonizing them even more, before they were terrorists, now they are attacking open source and hence some organizations need akrites to defend from them.
I really wish such organizations which try to demonize anyone, to fail miserably
To be fair, the Akritai was the Byzantine Empire's effort to use the local population to defend the land, instead of having to deploy regular Army or mercenaries. It happened to be Muslim states that was the border. It bears no anti-muslim connotations as a word in Greek. In fact the epic of Digenes Akritas, speaks of Basil, an Akritas of a Greek mother and an Arab father (hence the name Digenes, of two descents).
But still, the name is a bad, uninformed choice.
Α better translation is "defender of the borders" or "Knights of the borders". Form "Akri" = edge, border.
It's not Muslim related even at the time they exists.
That's who they had the border with, dude.
I wish malicious interpretations like yours would fail miserably. The word for the soldiers is about them, not who they fought.
Apache is doing pretty well despite them being deathly foes to the Comanche and Texans but I doubt either Texans or Comanches object to the name because of something that happened hundreds of years ago.
I mean I guess we have stop calling things the Great Wall because it repelled incursions from the Manchurians and maybe those people who live in their ancestral lands who were defeated and incorporated into modern Chinese society might feel a tinge of anger…
A more recent example would be Mark Carney's Davos speech [1], specifically "middle powers must act together because if we're not at the table, we're on the menu."
[1] https://en.wikipedia.org/wiki/Mark_Carney%27s_Davos_speech
To UK oldies it probably reminds them of the sitcom Open All Hours with Ronnie Barker.
Unforteuately I think it's moot to post this on hacker news. The majority of people here drink deep from the AI pool and just don't care.
Besides many of the companies on the list are suspext numero uno for the state of open source
I don't drink the AI slop and I also don't see where you derive to this conclusion. Most of the comments are very much against the AI slop.
> Besides many of the companies on the list are suspext numero uno for the state of open source
On this I agree. This seems indeed just promo advertising to white-wash these companies. They don't really care about ethics in open source.
All voices have a place.
Ok, and? Where did I say otherwise?
Do you pay for the opensource projects which the "AI" companies used to train your LLMs?
Used them first to train LLMs to earn money, then exploit them again?
It seems to me as someone who wasn't paying attention to open source 10 or 20 years ago that its no longer a real community effort. Projects are maintained by their maintainers and get very little from the community. Commercial open source gets even less from the community. The only real value generated is corporate supported projects sharing with corporate supported projects. The average person is happy because they can also use these projects but ultimately they do nothing with it. The only people benefiting is the corporations that use this to build their products.
I dont know if this is a good thing or not. On paper it seems fine but there is something that feels wrong about it and I dont know exactly what.
> It seems to me as someone who wasn't paying attention to open source 10 or 20 years ago that its no longer a real community effort.
I would disagree with this, it's the same amount of community effort as it's always been. Big projects have big governance, and receive lots of patches. Smaller projects receive fewer patches. The community generally happens in Discord or IRC or on mailing lists, but it definitely exists.
The real threat to "community effort" are drive-by low-effort LLM-generated Pull requests that decrease the signal-to-noise ratio by a lot and make managing open source projects such a slog
I fully understand that I may be completely wrong but I just dont see that a lot of effort comes from outside a projects core maintainers. Its always a core maintainer group usually paid by some company doing 95% of the work and the patches contributed are localizations, small bug fixes and weird edge cases.
I'm not an open source maintainer so I could be completely off base here.
This perception comes from a high amount of trust required to take big submissions; If I know and trust the submitter, I'm more willing to accept a bigger patch. If you really want to contribute big changes to a project, it usually involves communicating with the core maintainers a lot, and essentially becoming one of them. Pion/webrtc is my favorite example of a project with a maintainer group who are employed by many different companies. Sean Dubois is the primary maintainer of that project, and does a good job of welcoming people into the fold.
Thanks Woodrow :)
Accepting 'Big Changes' from people is VERY frustrating. These thoughts run through my head.
* Idea is usually good! Even if I don't understand it could help lots of others users.
* The contributor is very focused on just getting their feature in. The impact on the larger project isn't as much a concern.
* New contributors often don't have the grit to see it out. They will disappear before things are done. So I am left picking up the pieces (which is harder then doing it all myself)
----
What I try and remember is that their happiness/experience matters more then any code. I try to help the contributor learn/grow as much as possible and even see some career benefits out of it. Pion will cease to matter eventually, so I hope to help as many programmers with it as possible.
There never was "a community". The vast majority of all open source software is written by people paid by some corporation to do so.
Just because people are paid to participate doesn't mean there's not a community; those paid contributors still generally have to build trust and maintain etiquette among people outside of their organizational structure.
Currently the worst assault on open source is PR spam and the collapse of trust and culture that comes with it. Focus on that if you really want to defend open source.
What a list! Maybe they meant "defund".
Everyone who took part in the layoff spree to boost valuation should be shut down like Enron.
Concerning globo-list. Centralization/takeover, aka an eventual "we will manage you"; which might be the true colors of the Linux Foundation. Forks would just get absorbed and used internally instead of depending on the performance of random informal earth citizens. The site is not even pleasant to read with that font. Villainy is parodied in this world heavily, names like Discord, Palantir, AI Companies talking about doom scenarios and enjoying it: so it's cool and expected to be a villain, to wrestle with the other kinds of power. I just want some fresh choices to polish the kind of company I want to get around me, which would likely be the opposite of who signed that letter.
Interestingly no Apple. *edit: Or any non-American companies for that matter .
You can start by paying maintainers really really well.
> We are joined by Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler
Many of the names on the list makes the initiative rather suspect. Companies who do a lot to undermine free and open-source software, who hide critical software behind their walls, preventing both its scrutiny and its adaptation and improvement, and two of the LLM giants - they'll "defend open source"? I don't know about that.
> Akrites gives critical infrastructure stakeholders a confidential, structured place to coordinate vulnerability discovery, remediation, and disclosure across the open source projects they depend on
So, a bunch of large corporations - some of who are known to be in bed with the US government - will share vulnerabilities among themselves, out of the public eye? Fishy.
Yeah, a bunch of the worst free riders and malicious consumers all in one place.
All they're really missing is Oracle and Bambu Lab.
> All members must be current Linux Foundation members and sign the participation agreement and NDA.
Just another opaque and exclusive subproject of the Linux Foundation.
That's just your typical list that makes up the Linux foundation.
It might not be the idealistic flavour of open source you prefer, but it's the flavour of open source that's actively in use in most tech companies, and that also forms the makeup of most corporate open source participation (e.g. also the top corporate Linux contributors).
It won't be out of the public eye if it is part of Linux Foundation, it will be open.
Not...really? It's pretty normal. Tech companies share intelligence and knowledge all the time -- there are a lot of birds of a feather and consortium groups out there.
Since a lot of places are close in proximity, companies sometimes run private fiber lines and such to let peers download updates without competing with the entire world lol.
Everyone's fighting the same fight. Sharing and collaborating are normal things.
Good stuff.
> We are joined by Amazon Web Services…
Does that include anything more than soundbites? This effort is likely to require organizational support, and funding.
It’s not clear to me, that the organizations supplying the quotes, are “undersigned.” Not all of the quotes make it clear that the organization is doing anything more than asking an LLM to generate some text.
I'm extremely concerned about the state of Open Source. The gamification of the whole thing & devstats means that people that are good at gaming metrics are rising up the ranks and people that are genuine high quality contributors and pushed to the sidelines unless they have a very popular profile. Mass generated AI slop and AI content gives people massive devstats boosts.
After reading this. I realize how different Asian and Western consciousness really are.
My entire technology stack was built on Microsoft's ecosystem, not on open source. This was Microsoft's attempt to expand their base for the corporate hiring market and OS market share.
Conversely, open source was a huge barrier for me. When I have a product I've built, I have to get past open source, but accessing open source comes with the barrier of English. And once you get past the English barrier, you hit the cultural barrier.
My hobby projects do integrate with open source, but all the technology that actually makes me money depends entirely on the Microsoft ecosystem. Most of the Asian developers around me are also tied to specific vendors. On the other hand, the Korean companies that do have a culture of contributing to open source are large corporations, and entry is determined by academic pedigree.
Because the entire context of open source is in English, and learning English reliably is expensive in itself. So to properly work as a developer in Korea, you actually need to be vendor dependent. The corporate ecosystem is not oppression; it is the only viable path to education and survival. If you want to grasp the latest trends, you ultimately need curation from a specific company. Some people say Hangul is a great writing system, but to me, this is where it becomes a curse and a shackle.
So when I read Hacker News, I feel just how large the gap in thinking is between the West and the East. The Japanese developers I have talked to mostly talk about coding within corporate environments rather than open source, and Chinese developers are also shaped by their corporate environments. But the posts on HN talk about their 'gardens' being ruined and absorbed by corporations, and they resist that. But since I was raised in a corporate environment from the start, I cannot imagine a different one, so this resistance tends to feel like an aristocratic hobby to me.
On the flip side, HN might see corporations as predators. Technology should be a commons, and developers should be free, not tenant farmers of a platform.
But the irony I personally feel is that to protect this 'garden commons,' they end up creating centralized, non-public coordination mechanisms with the very corporations that plunder the commons. That feels contradictory to me.
For security vulnerability response, non-public coordination may be necessary. If a vulnerability is disclosed before a patch is ready, attackers can create exploits. But the principle of open source is transparency and open discussion, while the Akrites-style security principle is non-public coordination and a single point of contact.
On top of that, corporations used open source as free infrastructure, and now that the risk has grown, they are building corporate-led governance systems based on that risk. That feels ambiguous to me. Of course, open source sponsorship has always had some tension, but if that was buying a craftsman's work, this looks more like buying the craftsman's workshop.
I wonder how Westerners would read this. I am curious. To me, this looks like a political struggle to take control of governance over the commons. Do Westerners see it as the Avengers? The difference in mindset is sometimes painful.
The corporate environments were here too, most companies used to run on Windows server. 20 years ago companies used to pretend they didnt use Linux, but they were, it was just introduced to places they didnt know about, as it was free so it didnt have to go through purchasing. The rise of the early web in the post dotcom years was the catalyst, Perl, PHP, Linux servers etc. Before mobile, that did bring back proprietary development to some extent, for clientside. That was the era when Microsoft said "Linux was a cancer". Many companies still have large Windows (dot Net pre dotnet core) codebases, but Java mostly runs in Linux now.
The language barrier is interesting, there is more Chinese open source now too, but yes so much is English. I remember using google translate for Nginx from Russian back in the day, and openresty from Chinese, but yes we are lucky,
Gitee in China is certainly robust, but when you think about the sponsorship system, it's closer to an incubation environment for corporate ecosystems. There are a lot of public codes intended for national projects or large enterprise collaborations, so it's actually good for grasping Chinese tech trends. I sometimes find it fascinating how free the Western GitHub system can be.
It really makes me realize just how different cultures and values can be.
Sometimes I feel like I want to be as free as you all are, but I also recognize that my own biases are deeply ingrained. There's a line in Demian that goes, 'The bird fights its way out of the egg.' It makes me strongly feel just how narrow my world really is
I think this is conflating opensource-corporate and english-non-english.
If you ask american/european/english-speaking developers about coding, it will mostly be about/in the context of corporate environments rather than open source too! The majority do not actively or primarily contribute to open source projects, but instead corporate environments as well.
In an alternative timeline where the lingua franca isn't english, I can still see open source culture exist; I don't think the desire to publish and cooperate in public is an inherently "western" culture. It will also run into the same conflict of interest between Open-Source and Corporate: one prefers transparency and full-disclosure, the other prefers control in the interest of minimizing risk.
You're right. Ultimately, the absolute number of developers matters a lot. But when it comes to coding style and paradigms, it's overwhelmingly dominated by the English-speaking world.
For example, object-oriented programming or conditional statements generally follow a What -> Action -> Target order. But my native grammar follows a What -> Target -> Action order. So I have to translate SOV logic into SVO code syntax.
The reality is that English speakers are numerous, Japanese and Korean speakers are relatively few, and while Chinese speakers are quite numerous, there's still some cognitive load due to differences in thought patterns. It's almost like a difference in the sheer volume of accessible knowledge.
Due to the cumulative cost of translation, this feels like a bigger hurdle than people realize.
So sometimes language gives a sense of identity tied to 'ethnicity' and 'nation,' but when it comes to the competition for knowledge, I feel that the number of native speakers matters more. There are points where I agree with you, and points where I don't. It's complicated
It is a distortion to frame the problem as corporate vs. open source. These corporations compete with open source but they are often sustained by it, and in any case they operate within a space that is impacted by it. A healthy open source community is generally to their benefit. The inverse is also true, to the extent that corporations support and integrate with open source, it benefits from a healthy commercial market. All too often, they take and do not give back, so many people in these comments here are pointing out the same contradiction that you have highlighted. But it is not so much a matter of predators and prey, we all share the same ecosystem.
The corporations themselves are not a monolith. Their leadership and engineering teams are made up of diverse perspectives on open source, and those perspectives can shift. These same questions are debated within the company and the balance is always shifting in a way that can either benefit or undermine open source. I'm personally skeptical for some of the reasons you described, but I wouldn't rule out the possibility of a better relationship to open source.
That's a Rihgt However, what I'm curious about is that this project governance feels more closed than open source, rather than truly being open source. Your point is valid too. I admit my thinking might be a bit too binary.
The Personal Computer culture in the SV developed from the counterculture in the valley: https://kbsm.org/technology/california-tech-culture-that-sha... It then hopped on the Free Software movement with redefining it as "open source" while the Internet was booming. And all of that is now being reaped by the corporations the "tech-hippies" themselves helped to create.
If anyone's interested in this: "From Counterculture to Cyberculture" by Fred Turner and "What the Dormouse Said" by John Markoff.
Putting my nostalgia-tinted glasses on, it's sad how far we've strayed from that.
Great comment. Really interesting to see "scratch your own itch" described as an "aristocratic hobby".
If the language barrier disappeared overnight, would the situation still be the same, do you think? What would an Eastern open source movement look like, and why hasn't one developed?
hmmm I'm not sure about Japan on this point, since I haven't communicated with Japanese developers very frequently.
But regarding Korea and China: in China, there's Gitee, which has a very robust open source environment, but it's not really 'Western style open source' it's more like corporate projects being made publicly available for free. In other words, companies release assignments and people gather to work on them. That's the dominant model. (And that becomes part of their employment portfolio. So it feels very much like an incubation system for corporate projects.)
For Korea, I think it's largely because the absolute number of Korean speakers is smaller than English speakers. As a result, Korea's tech infrastructure generally lags behind the English speaking world. It feels like: English trends emerge -> a few years later, once they stabilize, Korea starts adopting them!
The usual pattern here is that the people curating these English trends for Korea are Koreans who have worked at FAANG-like companies and come back, so they have a strong influence. But I don't necessarily agree with their perspectives, which is why I came here to see what the raw data from the West actually looks like.
On top of that, Korea's IT projects are mostly government-led (because the domestic market isn't that large), so the government essentially acts as a VC. And within this government-led incubation system, only the final winner takes everything. Given that kind of environment, I wonder if that's why open source doesn't really take off.
Seems like obvious solution for issues that CRA and RED causes. Have to fix those vulnerabilities one way or an other. Having a team or making teams using those to fix them when absolutely necessary is something they need. And that that point have to have way to push that stuff upstream so stuff can be marked resolved in tools...
So things do get fixed, but it is not due to their graciousness.
This is fear that humans will stop software development. Think about it, the backbone of modern enterprise is open source. What if maintainers just stopped, the free ride big tech has had would be left with the slop the maintainers have to deal with now. Which without checks and balances would introduce vulnerabilities.
I was going to comment exactly this.
I think they are predicting that free-software projects are in freefall and no longer attract good people.
I recall reading a Linus Torvalds interview in which he said that Git's killer feature was its current maintainer.
It sounds like a realization that you can only leech off the host so much, and once your host is dead, there is nobody else to leech from.
As of now the site looks like a waitlist generation mechanism. Which itself is not a secure thing to do any more. Why would thousands of people give their email addresses to a website which doesn't even describe what they are going to do
Unrelated: the frontpage says: > the root of the name [Akritai] is the same word that gives us critical — which is exactly the software this effort exists to defend.
This is pure corporate slop feels good bullshit generated by an LLM. “critical” comes from “kritikós” which means “related to judgement”. “Akritai” comes from “akron/ἄκρον” which means border.
To be fair the article doesn’t sit well with me on its own, but making crappy, etymologically-untrue claim? Not on my watch.
If members of Google Project Zero team are involved then I have hope. If they are not then I have many doubts.
> Additionally, when a critical package has no one maintaining it, Akrites will stand as the maintainer of last resort so a fix can still reach everyone in a timely fashion.
Ambitious and interesting. I wonder how long this will last and on whose dime and time? Akrites employs no engineers, so who will make the fixes and who'll pay them?
I'd be interested in 1) what makes a package "critical" 2) how do you take ownership if the original author is unreachable or not cooperating? Are you going to fork it and somehow make everyone switch to your fork, even on older LTS systems?
Yeah, very commendable. Now I just wish the closed-source software that have lost support could similarly be supported this way, with the help from AI, so we don't have to throw away that many hardwares when their software can no longer be updated.
Who they employ then? AI?
> Today, the undersigned commit real resources — engineering talent, security expertise, and funding — to harden the software we share
A bunch of corporations that don't want their taxes to go up (which a sliver of which could be used to fund public software), along with their acolytes that will never mention worker solidarity or improving the material outcomes of developers. I'll hold my breath.
Open source movement has been a massive success in devaluing skilled workers to except peanuts while American corporations suck up as much value as possible while giving less than half a percent in return.
There needs to be a backlash against this corporate white washing.
Anything they "maintainer of last resort" would actually be forks, or collectively a distribution. We already have hundreds of distributions acting as maintainer of last resort many times over, only with actual developers and not presuming to make themselves the new upstream for anyone else.
Microsoft controls NPM and GitHub. I would not put it past them to truly take over a project if they gauged it in their best interest (though it would be a massive violation of trust, so I'd imagine they'd tread carefully before going there).
If it's sent to Akrites, they can even pretend it's done responsibly – even though only megacorps get a seat around that table.
Well, they did invent EEE after all. Why would they thread carefully? They own the product/service they can shut it down, no need for explanations.
https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguis...
We already saw Automattic (the owners of wordpress) do exactly that in their plugin repository for purely commercial reasons.
So they spend tokens to fix their backbones. Only fair. even required for GPL.
yeah open source is cool and all but can we talk about how literally everything is written in javascript now. even your toaster probably runs on node. its an infection.
Frankly, this year has shown that what's remaining of Open Source will be used for license laundering, and at a great scale. If you don't have a community backing you, there's almost no incentive remaining to start new OSS projects.
"Confidentiality"
Yeah, nah, I'm good. That's not "open-source."
Or maybe it is, but it's not "Free Software," the better thing.
sponsored by: all the bad guys
This is clearly a ploy to normalise slop PRs, slop in the FOSS world more generally and the timing is telling. We are in the midst of large open source projects rejecting LLM contributions, this is a response.
I'm not really a Stallman fanboy but I do find the Free software / Open source distinction really stick out in situations like this.
There isn't a call out for contributors. This is all done behind closed doors. It's the antithesis of free/open source software, presented as defending it.
I don't particularly have any better ideas. And I'm not particularly criticising. It's just a lot of the time the terms are synonymous, but here they starkly different.
It's time to ban every big player from contributing, it's clearly they're all malicious, this is just a way to force in AI code into open source.
Why only a focus on Open Source? I feel like vulnerabilities in closed source products like Microsoft Office, Microsoft Windows, and Google Chrome to name a few can be just as essentially and foundational as other open source software for many businesses.
I think the idea is that automated source code processing is making it possible to find vulnerabilities at great speed and in an overwhelming way in software that does not have paid maintainers, whereas closed source software in active use has both less accessible code and paid maintainers.
A charitable foundation might be plausible to help companies secure their closed for-profit software but it doesn’t really have the same urgency for the fabric of the internet (or the same moral clarity)
Its a worry, but its too early to be sure what the long term effects will be. We will have many eyes on a lot more code. There might be a rush of reports that slows as all the old vulnerabilities are found.
Closed software still has many people with access to the code. Governments or researchers have been given access to lots of critical source code. It can also be leaked. I wonder whether attackers are going to be more willing to bribe people with access to source now they have better odds of finding vulnerabilities with limited effort.
> Closed software still has many people with access to the code.
But in the examples cited (and really any other large closed piece of code of any significance in this era) it also has owners with money, and they should be compelled to fix their own stuff.
Or open the source code to be fixed, I guess ;-)
>both less accessible code
Yet still important to be secured due to the impact vulnerabilities can have. And LLMs can work without source code access via utilizing things like debug symbols, disassembly, reverse engineering, etc.
>paid maintainers
Just like open source maintainers their time is already being spent on other things which they see as more important over making the project 100% security bug free. Just because they are being paid, that doesn't make security their number 1 priority.
Project Glasswing is already a thing, and the other labs have started their own initiatives too if they want to collaborate and work on securing closed-source software.
Still not addressed the moral clarity point being brought up, nor the ramifications of the Linux Foundation choosing which closed source projects to focus on and alienating their mission statement.
Again, your idea is noble but why should the Linux Foundation be saddled with it when those other options exist? OSS needs their focus as their mission outlines.
> that doesn't make security their number 1 priority.
Well perhaps the companies who employ them to make that software they sell for profit should let them do that first rather than tokenmaxxing, and the great big non-profit effort can get round to them to help a little bit later after it has helped secure all the open-source stuff the internet actually runs on.
Corporates terrorized people with the financial crisis they created and the unemployment weapon.
They terrorized them to abandon their free time. They terrorized them to find easy solutions in the workplace instead of coming up with solutions that require technical expertise and deep thinking. They terrorized people to not conform to standards, or create standards but instead patch around lack of standardization. They terrorized people to not question, but accept. To become slaves. They did not help them get wide knowledge but be specific on the work, like mass produced meat. They swept all problems under the carpet and said "This time it will be different". No victories, just silence on the defeats.
It has been happening in the past, has accelerated and made worse as they seized more power.
The leap to AI era is the latest and more violent step of this attack on fundamental human rights.
The problem is political in my opinion. People ought to demand a better life and more free time to work on open source or do their hobbies. They ought to demand human centric laws that stop the greed and by enforcing the laws at last.
Free time is not for consumption, but for production of higher intellectual artefacts.
The French famously got the Congés Payés (paid holidays) in 1936 after the big strike. You have great pictures of entire trains of Parisians going to the beach in Deauville by droves.
Meanwhile the Germans were working overnight to manufacture bombs. That, alone, is already a sufficient explanation on why we got invaded and lost our country to one of the evilest powers of Earth. France had to be rescued by the Russian, the English and the Americans after losing millions of inhabitants. Because we literally took too much holidays.
The one who works the most reaps the entire benefits. And it’s clearly not good to ask for less work all the time. Today France is peanuts on the international market, we are second at everything. Who heard of DailyMotion, which was once as big as Youtube, or Mistral, which was supposed to be our OpenAI?
can someone explain me what is this page about?
Yeeeeeeeeeeeaaaaaaaaaaaaaahhhhhhhhhhhhhhhhh
Will they hire the actual maintainers of the software in question, to have time dedicated to the project, or will they as usual, dump AI-generated patches unto maintainers, but this time with even more time pressure to merge, lest them consider projects “unmaintained” if they don't push a fix in 3 femtoseconds, and use it as a rationale to take over the project?
I'm pretty sure it'll be an AI dump fest with barely any humans except the long term maintainers having to cope with it all.
I mean, it won't be neither the first nor the last slopdump, but it's the first that's backed by a threat of project takeover.
“Maintainers of last resort”, my [back].
So this corporate project wants to spam down more repositores via AI slop. No, I don't like it. And no, I am not feeling encouraged to "defend it together" at the slightest, even more so as many of these companies don't really contribute anything at all back.
All those open statements are just business wank.
> Amazon Web Services
We really don't give a shit, We will continue to not give a shit. We might give you a credit if threatened by the EU but really? We don't give a shit. Keep sending us that sweet dosh for AWS.
> Anthropic
We underpin the front page of the internet with Ai and in so we allow it to train upon the collective with no recognition. It's great to take and not give back. By the way your vibe coded app is looking ownage.
> Cisco
We are Cisco and we'll license you if we could. We invented the subscription model to charge you per Ethernet port on your router. Opensource is great, we don't even have to contribute upstream. We did once upon a time, isn't that enough?
> Citi
In partnership with Linux Foundation, we will do nothing and keep doing nothing. Linus enjoys his dosh and handjob now and then.
> CNCF
Working on the right fixes before the window closes, we prefer that to be left to the developers and we are very proud to support that effort. Unfortunately, no treats for the developers is written in to our company policy. How does pizza sound?
> RedHat
Open source is the foundation of modern software innovation so we hide answers behind a paywall. We sold ourselves to IBM so we could keep lubing that stripper pole to fill our filthy pockets. Larry Ellison will be here soon for his next lap-dance.
> Microsoft & GitHub
We decided to throw legal action at a security analyst for finding exploits in our OS for laughs. Open source all the way, we don't even allow you to search on GitHub without a rate limit; it's healthy to laugh. How's your mother doing? She seems a keen user of Windows 11 and as she is very important to us, we've removed that feature she uses most.
[flagged]
[flagged]
[dead]
[dead]
[dead]
[dead]