alephnerd 6 hours ago
I've been chatting with CISOs, CTOs, maintainers, and other peers for the past few weeks (some of whom are F50s) about this, and their default gameplan now is to pause OSS contribution and usage until AppSec teams reach a point where they can easily validate and fix issues within a day. Traditionally, end-to-end response times were in the 8-10 day range, which clearly cannot hold today.

I don't think it's the death of open source, but it shows how the economics of open source turned into a tragedy of the commons, with maintainers not being provided the resources needed to sustainably operate projects. It also is an admission of how organizations never prioritized security for decades, both within engineering and organizationally, but that's a separate conversation that HNers are not equipped to discuss, looking at the lacking calibre of conversations on here.

If OSS lovers actually care, then they need to put their money where their mouth is, stop being idealistic, and think about either going open core or getting formalized funding and sponsorship. Adopting much more restrictive licenses that also allow commercialization by project owners is also critical. The majority of GNU-style projects that exist on the goodwill of a couple of ideologically aligned individuals will not survive, because contributors also need to be paid.

Edit: can't reply

> What do you mean by that? They can't possibly stop using Linux/Kubernetes/Chrome (including Edge)/almost all programming languages/nginx/...

Meaning they will freeze all dependencies and libraries being used going forward, and will not release source code until end-to-end vuln remediation can be done within 24 hours. Teams are also seriously considering forking core projects and dependencies to use in-house and not contribute upstream, out of fear that upstream contributions could be tainted or introduce additional vulnerabilities.
MattSayar 5 hours ago | parent | next
I like simonw's take that open source should be more valuable [0]:

> An interesting result of this is that open source libraries become more valuable, since the tokens spent securing them can be shared across all of their users. This directly counters the idea that the low cost of vibe-coding up a replacement for an open source library makes those open source projects less attractive.

I can understand why the reflexive move is to fork the code and move it in-house, but how sustainable will that be when eng teams have MORE code to manage and mitigate vulnerabilities for?

[0] https://simonwillison.net/2026/Apr/14/cybersecurity-proof-of...
progval 5 hours ago | parent | prev
> pause OSS contribution and usage

What do you mean by that? They can't possibly stop using Linux/Kubernetes/Chrome (including Edge)/almost all programming languages/nginx/...