When AI first happened, I was afraid I was going to eventually lose my job. And while I've been lucky since, many did, and that hurt a lot. When people are losing something to automation, regardless of the economics of the situation, you cheer for the humans, or at least hope that society keeps being fair to those who are most affected.
Now I see communities being affected. When you kill PRs, you not only kill the code contributions, but also massively impact the other, non-tangible contributions like ideas, eyes on code, etc. That feels way worse.
I'm conflicted, confused and afraid, HN. Look at what I just wrote, yet I use claude and deepseek and all the skills and complex harnesses and MCPs and whatnot... But all now seems like a transition phase. Transition to f-ing what though?
A lot of questions cannot be answered unless we dedicate a meaning to our lives. Human touch? Too late? Also: I liked a song and it was sonos. I unliked it after discovering. I feel so stupid, so often.
Sorry for the unhinged digression.
I love Ladybird (have a sticker on my laptop to prove!), I hope they thrive.
embedding-shape 10 minutes ago [-]
First off, to have conflicting feelings about something is really normal and doesn't immediately point to a problem, it's extremely human, and I feel similar to you to. I'm a creative + programmer, I hate to see what's happening in some communities yet I too use agents for development, it'd be like avoiding Google + SO when they first appeared, feels like there is a clear "before/after" moments with those, and with LLMs as well.
I don't really have anything useful to add here, I think, just that you aren't alone in feeling conflicting feelings here. New things usually are like that, comes with incredible benefits in some areas yet seem to strip humanity away from others, some people use it to produce fluff and crap, others essentially gain new abilities and use those to build even better stuff. I don't think there is any universal truths here, sadly.
sdevonoes 6 minutes ago [-]
It doesn’t help to know that using and supporting private LLMs is only making openai/anthropic/google/etc even richer. I myself cannot justify its usage.
Fraterkes 1 hours ago [-]
I've been looking a lot at Godot (another big open source project) PRs lately, and there's been kind of a surge of wholy ai-generated PRs (both code and description).
This is agains project-policy, so people creating these PRs usually get mildly told off. What's surprising is that while many submitters take that fairly well, some people get really indignant, essentially calling the maintainers ungrateful.
It's kinda surprising to me that even the people who are all in on ai haven't internalized that there's no inherent value in producing a big lump of code. They've massively decreased the work they put in but still expect the same pre-ai reaction/gratitude when submitting a big PR.
lucideer 52 minutes ago [-]
The pre-ai reaction was also unwarranted: committing a massive amount of potentially unmaintainable handwritten code isn't a necessarily positive contribution and any decent engineer (or person tbh) would understand that & not expect gratitude, no matter how concerted their effort.
In that context, I wouldn't expect an idiot (of which there has always been far too many in this industry) to change their behaviour in a post-ai world. They were always out of line & continue to be.
Fwiw, a non-technical employee in my workplace has begun submitting ai-generated prs to internal repos I maintain & they're of excellent quality, with review feedback graciously received & expediently addressed, so this isn't a matter of the idiots not being technical, it's an attitude problem.
Fraterkes 2 minutes ago [-]
Gratitude was maybe the wrong word. As the article mentions, before ai I think larger PRs, while sometimes inconsiderate, at least implied some amount of care / effort / good faith. In my experience, that was often rewarded with the maintainers at least taking a look at the code. I meant it's odd to have the same expectation when you dump 3000 lines in a pr that you won't even personally write a description for.
DrewADesign 33 minutes ago [-]
Sure, but I think we should judiciously avoid the false equivalence yielded by only looking at this on a developer-by-developer basis, rather than systemically. The truth is that in practice, AI is not a neutral force. Obviously AI can enhance the output of smart, experienced developers and improve the efficiency of code reviews, mitigating the effects of garbage PRs. However, it increases the percentage of PRs contributed by entirely inexperienced and/or not-smart devs from zero to, potentially, the majority. It entirely removes the barriers inherent to coding that kept Dunning-Krueger cases from submitting ill-conceived or poorly constructed changes— actually getting them to run in some way, even poorly. That makes them much more difficult to distinguish from well-constructed PRs than those from, say, someone cargo-culting code from tutorials.
Moreover, as these tools become more expensive, people with money to blow on tokens will be able to drown maintainers that don’t have enough token-cash to help them deal with it. People see this as mostly a matter of time and energy, but I reckon it will soon be a financial issue.
abirch 19 minutes ago [-]
I see AI as a barrier remover. Unfortunately barriers are good or minimally necessary.
I think we'll need to revert to artificial barriers such as bonds, e.g., if you want to do a PR to my repository you need to pay a 10 dollar bond. If the PR is good and I want future PRs, you keep your bond. If it's slop and spam, I get 10 dollars for my time.
DrewADesign 17 minutes ago [-]
I agree with the bond in theory, but that would entirely stop contributions from people in economies where a shady maintainer could keep their code, and their weekly food budget.
torben-friis 25 minutes ago [-]
There is certainly a certain... entitlement? (It's not the perfect word, but I fail to find a proper term) from some of the vibe crowd. Like an attachment to the output and refusal to accept that most of the work was not theirs.
It is seen in the way they approach contributions but also in regular language. I created X, insistence that their 'curation' was very influencial to the output, difficulty to mention LLM contribution, attitude of 'I care about building while others lose time in details', refusal to engage with potential flaws, and so on.
It is surprisingly different to what I'm used to from senior devs, which behave like they always suspect their own work is flawed and half assed. Like impostor syndrome was reversed.
progbits 7 minutes ago [-]
I've experienced the following sequence more than once at work, and I remain baffled by it each time:
- Receive a huge vibecoded PR for complicated new feature.
- Complain that this needs some design doc to figure out the right approach first.
- Author says no need for design doc, easier to have vibed implementation and discuss the concrete code instead of abstract document.
- I disagree (obviously), but review the PR with feedback along the lines: this entire approach is flawed, throw this out and start over.
- Author gets defensive, says "but this is already working and ready, let's just merge".
- I tell them there is no chance in hell this is getting merged. They go sulk to their manager that I'm not interested in helping them launch.
artyom 19 minutes ago [-]
I agree it's not "entitlement" specifically but there's something there. I guess by now everyone has experienced that type of person that "tries to help" by copy/pasting a bunch of AI slop and expecting you to work through the cognitive load of validating it.
The original post sums it pretty well, such big output inherently meant big effort, which was a proxy for good faith. Now that's gone.
cpcallen 1 hours ago [-]
On the one hand, if you grew up in the baazzar, moving to the cathedral might feel like the "death of open source" even if it is really just a return to an earlier way of working.
On the other hand, while not accepting external code contributions will certainly improve their security posture it will also make it more difficult to identify who to invite to join the priesthood.
javawizard 42 minutes ago [-]
> it will also make it more difficult to identify who to invite to join the priesthood
The point that this announcement is trying to make is, of course, that AI has already made that particular signal approximately worthless for that purpose.
anilakar 1 hours ago [-]
If you grew up in a junkyard, getting adjusted to the social norms of a bazaar might feel like your way of life is being threatened.
cassianoleal 53 minutes ago [-]
In your analogy, is the junkyard the development model of vibe coding?
I look forward to the book: The Cathedral, The Bazaar and The Junkyard.
pelagicAustral 40 minutes ago [-]
fwiw I asked Claude to look at GP's post and write me a story titled "The Cathedral, the bazaar and the junkyard" and I have a pretty good time reading his riff.
multjoy 9 minutes ago [-]
“Its riff”
koteelok 2 hours ago [-]
Stuff like this makes me wish AI had never happened.
An open-source projects losing the ability to find and mentor new maintainers is so disappointing.
postepowanieadm 42 minutes ago [-]
They have rewritten a huge change of their project using llms.
gregoriol 1 hours ago [-]
How is it really related to AI? there have been issues with open-source and maintainers for a long long time
ufo 59 minutes ago [-]
In the post, the ladybird maintainers say that they trust pull requests less than they used to, because many pull requests are authored by AI now. A big pull request no longer signals that the submitter put in a lot of work into it and it's committed to developing and maintaining quality code.
jaapz 58 minutes ago [-]
Not sure if this happened to ladybird, but the amount of junk vibecoded AI-slop pull requests has been putting an immense amount of strain on many open-source maintainers. Reviewing stuff like that is intensely energy draining an most of the time your comments will just be copy-pasted into claude code and the "contributor" will put in 0 effort themselves to try to make the code readable or maintainable.
Before AI, being open source and having to manage issues and PR's was already a huge task, burning out maintainers left and right. Now with AI, anyone with a terminal and a claude code subscription can open PR's...
ares623 59 minutes ago [-]
My friend, the very article we are talking about this mentions this directly
risyachka 58 minutes ago [-]
This is direct result of AI as you can see in many other public repos.
before AI like 1 in 1000 would spend their time fixing something they had no idea about and even then considering how much time you spent and how few of those happened it made sense to review/talk about it.
now every "dev" with claude submits prs having absolutely no idea what they are even doing.
most of them would not even be able to create PR without AI in the first place.
and on top of that add slop bots that "fix" issues in the loop and create hundreds of PRs daily
ath3nd 54 minutes ago [-]
[dead]
domenicd 57 minutes ago [-]
Fascinating to see that Chromium/Gecko/WebKit are now more "open" browser engines than Ladybird, at least in one important respect.
(Servo is arguably in the middle, accepting outside contributions as long as you don't use AI.)
It's understandable that a team without much funding would have to close off contributions to spare on labor costs. But, it makes me feel that people don't give Google/Mozilla/Apple enough credit for the economic resources they put into enabling openness.
(Personal bias/experience alert: I'm currently retired, but formerly worked at Google on Chrome. I saw many of my coworkers nurture outside contributors, and did some of that myself, both informally and through programs like internships.)
Hendrikto 36 minutes ago [-]
Those corporations are not doing that out of the good of their hearts. They are doing so to assert control, in order to protect their business value. If it stopped being economical for them, they would stop tomorrow.
I do not think we should be eternally grateful for monopoly building.
tgv 55 minutes ago [-]
Chrome is Google's loss leader.
TeriyakiBomb 12 minutes ago [-]
It's inevitable that more projects follow this path.
The elephant in the room is so many projects already operate like this without formally announcing it.
If you look at Blender, one of the biggest and most successful OSS projects out there, it's effectively run as source available. Some PRs make it through, but for the most part there have been heavy barriers to entry to get your work into the product. In this example, it's been key to such a large and complex project with millions of users staying afloat. It's an inconvenient truth.
It's one of those unspoken things in open source - the bigger the project the less you can accept or vet contributions. The less able you are to respond to users because there are too many. The amount of code you need to own balloons. The signal to noise to too much. LLMs have massively exacerbated this issue.
mabedan 2 hours ago [-]
I can understand where they come from. If most of the pull-requests were AI-coded, well, the maintainers are equally capable of prompting Claude Code themselves.
I think the whole game of software engineering, open source or not, has completely changed. A lump of code doesn't mean or imply the same thing as it did 2 years ago.
dm_ 49 minutes ago [-]
I think this is the key point.
A few years ago, if I send a complex PR that compiles and passes tests, that implies a certain amount of time and cognitive investment on my part. It seems likely that I wouldn't invest that if I didn't also understand the codebase, the feature or bug I'm working on, etc.
Now, that understanding is roughly as expensive as before, but AI has vastly reduced the cost of generating the code that compiles and passes tests.
Probably-well-intentioned community members are happy to contribute the cheap thing( Claude Code tokens) but, because it's so cheap, it's not a good indicator they've contributed the expensive thing (human understanding).
"Writing Code vs. Shipping Code: Productivity Effects Across Generations of AI Coding Tools"
As the FT summarizes,
> They found an explosive impact at the top of this funnel — coders created or edited almost 300 per cent more files — but that boost was halved to 150 per cent by the time they got to the number of discrete pieces of work submitted for review, and that in turn shrunk fivefold to a roughly 30 per cent uplift in the number of full software releases.
So as I wrote, AI vastly improves labor productivity on _coding_, but not nearly as much on code _review_ or other parts of the release pipeline.
And, unfortunately, for many open source projects, it's easy for volunteers to send code for review, but hard for them to volunteer reviewing PRs, managing releases, etc.
hombre_fatal 1 hours ago [-]
The code just isn’t the main effort of work anymore. Anyone can generate the implementation, so it makes more sense than ever to instead hammer out the what, why, and how that underlies any code change.
I see all projects moving this direction. Makes more sense to hash out a plan together.
satvikpendem 29 minutes ago [-]
As they say, just send me the prompt instead, at least that's more useful.
rjh29 16 minutes ago [-]
For anything but the most trivial change, a prompt is not enough though. There's a long iterative process of generating the right code, reviewing it, testing it, experimenting with UX or design for maintainability, fixing bugs... even a predominantly AI-generated PR can capture a lot of value. But apparently trying to distinguish those from the 'one-shot' vibe coded PRs is too much work for the Ladybird team.
asdaqopqkq 1 hours ago [-]
yeah but they could get free token usage from the community
tmountain 28 minutes ago [-]
Yeah, but then it’s either an arduous manual review or incurring a bunch of token usage to review something that may be slop.
nh2 1 hours ago [-]
> There will not be a [..] process for submitting patches by [any] means
> Outside involvement still matters: clear bug reports
So I can find a bug, I can fix it, but I am not allowed to tell them how exactly I did it.
Instead they have to re-figure it out. The team must be thrilled to re-do work they know was already put in by others, repeatedly.
As a user-and-eveloper, why would I sink time into a project with such rules that put a barrier to improving my life with the software? It seems much easier to use Firefox or Chromium, where my fixes actually meet open ears.
It was very useful for me in the past when a new Chromium version crashed on my product, that I could go and suggest a fix to V8, and it was rolled out in the next Chromium release so my product worked again (https://github.com/v8/v8/commit/4f8a70adca01c). Without this, maybe Chromium developers would have never bothered to fix it because of lack of time to figure it out.
> a pull request no longer tells us as much as it used to about the person submitting it
Nobody should need to know anything about any person submitting a pull request.
Hopefully whether code that makes it into Firefox or Chromium was never based on the "effort" or "faith" of the submitter, but based on the correctness of the code in review.
Reviewing code fixes is strictly easier than coming up with them yourself.
This holds true automatically: In any situation where it isn't, you can just write the code yourself and done.
As a project you can always ignore or close a PR you want to write yourself instead.
But it seems unwise to bar yourself from the _option_ of reviewing an outside contribution, or using it as input for your own re-write.
tuyiown 60 minutes ago [-]
> So I can find a bug, I can fix it, but I am not allowed to tell them how exactly I did it.
Pin pointing the issue is way more than valuable than code. If you wrote a fix, you have analyzed the bug. The value is there, not in the fix. Sharing your fine analysis is the maximized contribution. Code is an optional bonus at most.
haspok 24 minutes ago [-]
Reviewing code in PRs is not a no-effort action. If there are 3 people working in the project, and thousands of people submitting bugfixes, then no matter how useful those bugfixes might be, the 3 people will be totally overwhelmed by the sheer number of PRs.
There might be value in your bugfix, but maybe that value is not greater than the cost of reviewing and accepting it.
> Reviewing code fixes is strictly easier than coming up with them yourself.
This is completely false, for any sufficiently complex project. The fix might be a single line change, but the consequences might be far reaching.
> As a user-and-eveloper, why would I sink time into a project with such rules that put a barrier to improving my life with the software?
Please don't! You don't owe the project anything. The other side of that equation is that the project also doesn't owe you anything. As simple as.
Firefox and Chromium are running much larger teams, let alone the Linux kernel, that other people suggested as a model. Maybe they can afford accepting your contributions.
layer8 1 hours ago [-]
You can still tell them how you did it, just not in the form of code/patches. You should be able to describe it in prose so that the maintainer understands your solution approach.
LeFantome 5 minutes ago [-]
Not necessarily. I just fixed the Ladybird build process so it will successfully build on a system that uses musl instead of glibc. By far the most compact way of explaining what needed to be changed is to share the changes themselves. It is a set of very small changes to a number of individual files.
q3k 1 hours ago [-]
> So I can find a bug, I can fix it, but I am not allowed to tell them how exactly I did it.
You're allowed, they'll just ignore it. Same as how sqlite and some other projects operate.
troupo 58 minutes ago [-]
> So I can find a bug, I can fix it, but I am not allowed to tell them how exactly I did it.
You can still submit a bug report and tell them exactly how you did it.
> Reviewing code fixes is strictly easier than coming up with them yourself.
Unless it's hundreds or thousands of AI slop PRs each pretending "here's a bug I fixed it"
nathell 2 hours ago [-]
LLMs might be part of why Ladybird is making this decision, but they aren’t the only possible one: SQLite, for example, has been developed this way pretty much forever. To each their own, I guess.
pansa2 57 minutes ago [-]
Lua is the same IIRC: open source but not open development.
It’s MIT licensed, and the maintainers are always grateful for bug reports, but all the code in the project was written by just 3 people.
VortexLain 27 minutes ago [-]
Ladybird going source-available is quite unfortunate, seems like Gecko is the only production-ready independent browser engine we're left with.
They may, at this point, go ahead and remove "get involved" block from their website https://ladybird.org/, since it's not possible to contribute anymore.
afdbcreid 11 minutes ago [-]
That's not source-available, that's still open-source. Quoting Wikipedia:
> Source-available software is software released through a source code distribution model that includes arrangements where the source can be viewed, and in some cases modified, but without necessarily meeting the criteria to be called open-source.
> Open-source software (OSS) is computer software that is released under a license in which the copyright holder grants users the rights to use, study, change, and distribute the software and its source code to anyone and for any purpose. Open-source software may be developed in a collaborative, public manner.
And as said here, SQLite was operating like this forever.
MarsIronPI 15 minutes ago [-]
It's not source available, source available implies some restrictions on what you can do with the source, or with any resulting binaries. This isn't a rugpull; all they're doing is closing off contributions, which has nothing to do with the license of the code.
andrewchambers 19 minutes ago [-]
This is not the same as source available - you can fork it, the license didn't change.
pulsartwin 2 hours ago [-]
This seems quite misguided and is sad to see. They have every right to do this, but I was looking forward to continuing testing Ladybird as it improves and contributing in the future. I hope servo stays open to contributions, as it seems like it's all we have left.
apimade 2 hours ago [-]
It makes sense when you have a somewhat fixed core team size. Frankly, in some regards, this is the responsible thing to do.
It means they’ll never grow modules or the codebase beyond what the team can reasonably maintain.
However on the other hand.. What does this mean for the existing team, are maintainers now worth considerably more to the project? What does this mean for the codebase, or the momentum of the project?
It’s an approach I would have expected for the likes of curl, or single-purpose libraries. But this is a mammoth decision for a mammoth project.
I guess we’ll just have to see.
noIdeaTheSecond 15 minutes ago [-]
"A substantial patch used to imply substantial effort, and that effort was a reasonable proxy for good faith. That assumption no longer holds."
I believe this is the key point the article makes and it's valid for most projects out there
Deukhoofd 2 hours ago [-]
This rather feels like it's completely stepping away from the thing that made the community around Serenity and Ladybird so good.
rjh29 13 minutes ago [-]
I'd argue that was what made Serenity good - a toy OS that anyone can code anything for. Want to spend ages working on a painting program? Make screensavers? Add drivers for your printer? Port Doom? Improve font support because it sounds fun? etc. It celebrated coding for coding's sake, which is the antithesis of AI. There's no point vibe coding features for Serenity because there is no real product there.
On the other hand, Ladybird is gearing up to become a production-ready browser for real users. Adding fun features for the sake of it, and hand-rolling code to parse PNGs and the like, has become a liability for the project.
conaclos 1 hours ago [-]
I lost all trust in the project since the LLM rewrite. This new step is another red flag to me.
siwatanejo 56 minutes ago [-]
what rewrite? I thought it would switch to Rust but I still see it to be C++
afdbcreid 2 minutes ago [-]
They are adopting Rust (https://ladybird.org/posts/adopting-rust/) and use LLMs to help with the rewrite, but not all code was migrated yet. Also it's definitely not a big-bang-rewrite-the-world-with-Claude like Bun.
Linux has WAY more maintainers, and many of them just reviewed other people's commits for years. They had a crazy amount of contributions even before AI.
AdamN 2 hours ago [-]
The only problem with that nowadays might be that AI can do all the incantations that formerly acted as gates to contributors.
rzmmm 1 hours ago [-]
Maybe not. Sqlite has some kind of hand-written license-agreement waiver procedure.
delusional 2 hours ago [-]
The Linux approach is under pressure too. Maintainers are beginning to warn about too many contributions and too much churn to review it all.
tux3 2 hours ago [-]
I think we're past beginning to warn, we've now reached the point of accepting Linux needs to remove drivers and features, because the maintainers just can't keep up.
This is not helped by everyone using the same LLMs to find the same vulnerabilities and flooding maintainers with duplicate reports to be the first to get that CVE and branded vuln on their resume.
afandian 2 hours ago [-]
I know is a naive question, but it's genuine!
Is this the direct result of a monolithic kernel? And would moving more drivers out-of-tree mitigate this?
dwaite 25 minutes ago [-]
Not really - it changes how the lines are drawn between components, rather than removing any of them.
The EXT4 filesystem driver as an example contains most of the same code whether it is part of the kernel process or is a user process. A virtual filesystem abstraction is needed between the two in either case as well.
The kernel also already has a module system to support loading externally maintained code. You won't necessarily see a benefit from separately maintained drivers that wouldn't already be present.
afandian 16 minutes ago [-]
Behind my question was another one: is there too much in the source tree that doesn't _strictly_ need to be?
Maybe not?
I just got the impression that there are a _lot_ of obscure drivers that have to be carried, and are eventually removed causing annoyance. An ABI for the people who cared about that random driver might localise the maintenance burden.
kibwen 1 hours ago [-]
There are numerous advantages of microkernels over monoliths, but even if Linux were a microkernel it wouldn't necessarily change the review pressure that the above commenter is talking about, because you still have the same number of components (filesystem, networking, drivers, etc) to develop and review patches for (although you do have more well-defined interfaces between components, which eases security).
jsmailes 2 hours ago [-]
It saddens me to see the communities surrounding free software projects going dark because of the threat posed by AI tools, but I don't know what other solutions there are that would mitigate the threat, particularly when browsers are such a compelling target. Perhaps some kind of trust system a la arxiv.org, where existing users have to vouch for new submissions before a user is themselves trusted? Definitely still vulnerable to abuse, but perhaps less so.
JimBlackwood 2 hours ago [-]
I think a trust system is the only way. Ladybird will need new/different maintainers at some point in the future. How are you going to find them now?
I don’t disagree with their choice, but it’s not sustainable in the long term.
MarsIronPI 12 minutes ago [-]
Maybe it is, if they can somehow vet potential new contributors in-person at e.g. conferences.
stuaxo 1 hours ago [-]
This is needed for more projects than just ladybird, and I'm sure will be worked out.
For now this makes sense.
LeFantome 10 minutes ago [-]
Crappy timing for me. Ladybird has never built on musl based systems. I got that working just a couple of days ago (on Chimera Linux) and was hoping to push the changes to the project. I guess I am maintaining that myself now.
net01 38 minutes ago [-]
I don't like this, but I understand it.
I've contributed to the LB project several times, and I have made friends IRL with people who have also contributed to the project. ( we are now friends at uni )
It feels like a stepback because instead of 30-45 contributors every month, you have 15...
i feel like there should be a way to trust a PR ID verification or in-person verification at FOSDEM/DEFCON/Chaos Communication Congress,UNI's, for example.
jiehong 20 minutes ago [-]
Perhaps we should start to describe projects as Open Contributions from now on. With maybe a few Open Contributions Standards to distinguish how this works.
splittydev 2 hours ago [-]
Wasn't the entire goal of Ladybird to have an open and independent browser engine? Making it effectively closed to contributions makes it.. Not independent anymore. It's now dependent, on few people who work on it, just like any other closed-source or corporate-controlled browser.
mehs 8 minutes ago [-]
It is still independent in sense that it doesn't depend on Google Search money and Chrome/Firefox code as most of the alternative browsers. Depending on your definition of dependency, it will always going to be dependent on something.
Also they are not changing the licence or preventing forks.
It is a pragmatic solution to a real problem that can really clog down progress on the project. I hope they (and other open source projects) will figure out how to filter in good, responsible contributors but I guess it will take time.
dgellow 2 hours ago [-]
I don’t think that changes the project independence, when a project is open to PRs you have the same dependency on maintainers accepting changes into main. And the project is still open source. But that does make it less community oriented
siwatanejo 36 minutes ago [-]
But opensource has always been about community. This way it becomes "source-open", even if you could make changes to it and run those changes yourself, the latter doesn't sound "opensourcy" to me.
dgellow 21 minutes ago [-]
Open source is about rights/freedom, the community aspect is downstream from that. You have “source available” projects with active communities and external contributors (see elastic license v2.0 projects), and open source projects that only rely on core developers. With open source freedoms comes a culture of community oriented development but what makes a project open is the license, nothing else. The right to fork, read, run, edit is what matters.
Unfortunately AI tools are breaking the open community dynamics, it has become more and more expensive to run open community oriented projects due to the noise, it’s really a shame. It’s a lot to expect volunteer project members to triage the increasing amount of AI garbage
dwaite 19 minutes ago [-]
The open source definition does not mention community at all - it is a set of licensing requirements that certain rights to modify code must be maintained, not that upstream will accept your change or (for that matter) that you need to package it up and hand it to them.
And submitting a PR is almost wholly dissimilar from a conversation between friends over dinner or drinks. If you want to have a community around an open source project, it always has taken more than just accepting patches.
1 hours ago [-]
siwatanejo 40 minutes ago [-]
Exactly! It's not opensource anymore: it's fork-or-transparent source.
Hendrikto 26 minutes ago [-]
Accepting contribution has never been a requirement for open source.
siwatanejo 16 minutes ago [-]
I know, but opensource was not just about freedoms, it was about community.
boneskull 44 minutes ago [-]
I don’t understand how you’re supposed to cultivate new maintainers if you shut down contribution.
Is this a sponsored project where maintainers are just hired?
Hendrikto 28 minutes ago [-]
You are also not cultivating any new contributors by just accepting slop the submitter did not write or understand.
I guess they will have to introduce some kind of trust-based system.
28 minutes ago [-]
angry_octet 1 hours ago [-]
It says something about the fragility of contemporary software that a fragment of bad code could result in doom. I think we need to move to much more restrictive computation architectures, inherently partitioned, functionally pure, and resistant to type confusion, pointer manipulation, memory issues etc.
dm_ 52 minutes ago [-]
I don't disagree with the desire for more inherently secure architectures, but I don't think it's the most relevant issue here.
You're always going to have to trust some core same-privilege code--a browser renderer is a great example of this: it has to be able to see the entirety of the DOM it's rendering, right?
Higher-level languages can still help code review--for example, memory safety makes it harder to hide a backdoor via unsafe memory operations leading to code injection. But you're still, fundamentally, trusting these community contributions.
I think the real problem (as others noted here) is that:
- writing code is now much, much cheaper than ever
- understanding and designing code is still fairly expensive
So doing the former (in the form of a PR that compiles and passes CI) is not a good "staking mechanism" to prove someone has done the latter.
tetris11 2 hours ago [-]
For every person wanting to do good in the world there are ten windup merchants of which at least one has darker motives
WhyIsItAlwaysHN 2 hours ago [-]
They could make two kinds of pull requests and add much more strict criteria for public contributions. For example, they could say that the PR has to be smaller in size and well-documented for human review, otherwise it's closed by an automation.
And then if someone wants to do a larger contribution, they could have a process like making an issue, discussing the approach and then collaborating with a maintainer to get it in.
Blocking public contributions means that they want to have complete control of the project and AI is likely a good excuse to do that.
habinero 1 hours ago [-]
That doesn't solve the volume or quality problem. LLMs can split one giant PR into 50 smaller PRs just as easily and "well-documented" isn't something you can determine automatically.
Why is it so hard to just accept that AI PRs suck and create an enormous amount of toil?
xyzsparetimexyz 2 hours ago [-]
Surely you can just autoclose any PRs from 1. People you don't know and 2. That are over 100 or even 50 lines?
That way new contributors are forced to start small.
ssenssei 2 hours ago [-]
I think it's not the issue with the added PR count, but the fact they have to review them. 1 big PR review is the same as 5 small PR reviews if you have to look at how it holds, edge cases and what not...
nextaccountic 1 hours ago [-]
Well, then add some backpressure. Each contributor gets only a few small PRs a month, until they prove themselves. Contributors that don't have a credible online presence are automatically rejected. Etc
steve1977 2 hours ago [-]
This project gets a lot of publicity for the product it has to show (which, as far as I know, is effectively still inexistent).
LeFantome 23 minutes ago [-]
This is not really a valid criticism for an Open Source project. I built Ladybird from source yesterday and I am typing this comment in it now. So, I assure you that the Ladybird browser exists.
Of course, Ladybird is not production ready yet. Feature-wise, it is getting close. I can use it to do most of the things I want to do with a browser. Speed and reliability are another matter. I has gotten dramatically faster but normal users would still find it slow. But the biggest problem is reliability. I would not use it in its current form for anything that matters.
But for a complicated application that was started from scratch, not being ready yet is not an indictment. They claim it will be ready for regular users to try sometime this year and, from where I type, this seems realistic.
ashkulz 1 hours ago [-]
Are they going to be using gerrit or a private repo and push changes back regularly?
Sometimes the discussions on PRs are equally valuable to see how a commit was arrived at, and I'd be sad if that got lost in this change.
sppfly 2 hours ago [-]
Zig is moving to this direction is well.
lukaslalinsky 42 minutes ago [-]
Indeed, while there is communication that the situation with merging external pull requests should improve, the reality is that it's easier to land a patch in Linux, than in Zig.
sourcegrift 2 hours ago [-]
[flagged]
asibahi 1 hours ago [-]
This can’t be serious.
q3k 58 minutes ago [-]
It's surprising to me how many people here seem offended that someone might just not want their code.
I guess it takes quite a lot of experience as a maintainer to realize that 'free' in 'free code contributions by strangers' is like 'free' in 'free puppy'.
lukaslalinsky 38 minutes ago [-]
What made open source great, is the fact that if you find a problem, you can patch it. It's what motivated me, anyway. Ladybird is not SQLite, it's under development and very likely will be forever. To me it looks like they are transitioning into a company, where this model makes sense.
merelydev 1 hours ago [-]
Opensource doesn't mean open to contributions. The source code is available, you can fork it and apply your patches there.
This is the way to go to reduce supply chain vulnerabilities and to reduce time of mainters reviewing LLM slop.
leoc 48 minutes ago [-]
> Opensource doesn't mean open to contributions.
That's not entirely true. It's certainly the case that Ladybird is still under an open-source license, but the whole idea of the "Open Source" label was to move the emphasis away from having a free license to actually being open to patches in practice.
Hendrikto 21 minutes ago [-]
Not even the most extreme FOSS zealots (RMS, FSF, …) ever claimed that taking public contributions was ever a part of that.
TheCoreh 35 minutes ago [-]
A bit sad to see this. Of course they are free to do it the way they prefer, and there are successful projects like this (Notably SQLite) but there has to be a reasonable middle ground between "everyone can just flood us with 30,000-line 'Claude implement feature X make no mistakes' PRs" and "we're not open to outside contributions"
b3e53bb34c0bd 26 minutes ago [-]
How would you decide what is the middle ground though? If a project allows some AI-generated PR if its good quality, then it is a burden on the reviewer on what is considered good or not.
bigupthewhole 2 hours ago [-]
We need stricter verifications / credentials behind GitHub accounts and PRs.
And this we should have had already before AI.
habinero 1 hours ago [-]
How does that help? People gladly post slop PRs under their real names.
bigupthewhole 1 hours ago [-]
It's not the only solution but it might reduce PRs by a decent amount I would think.
If you see a PR and the guy is verified, you can check his name, his linkedin and where he works, at least there is some accountability if he introduces malicious code.
If the goal is to reduce slop, define slop. As a maintainer of a project you should be able to tell if something is slop.
If you don't have time to read PRs (which is the real issue here) that's fine too.
My guess is they want to reduce the amount of PRs, and ensure that the quality of the PRs passes an extremely high bar.
MarsIronPI 8 minutes ago [-]
I suspect that rather than some kind of digital proof-of-competence, communities will shift to in-person meetups at conferences and such. Which is unfortunate for people who can't attend for whatever reason, but I think some solution to that can be worked out.
Orphis 22 minutes ago [-]
While it would help for some use-cases, it wouldn't necessarily reduce the problem that a browser is facing when dealing with malicious code in a large and complex codebase. And vetted people can be victims of supply-chain attacks, which makes it still hard to evaluate a change properly.
It's not an impossible problem, but it's a resource allocation problem, and they don't seem to have a way to address it at the moment besides closing all PRs.
siwatanejo 1 hours ago [-]
While I understand the motivation for this change, I have to highlight something: GitHub's slogan 'social coding' is becoming more and more true these days. Now opensource will become a thing that only "influential" people can contribute to. We're back to nepotism, not meritocracy. Down hill we go.
troupo 54 minutes ago [-]
> Now opensource will become a thing that only "influential" people can contribute to.
No. Having access to a slop generator doesn't entitle you to acceptance to any and all open source projects. You're still responsible for the quality of your contributions. Something that is completely lost on bullshit artists.
siwatanejo 41 minutes ago [-]
Don't put words in my ~mouth~ (keyboard) that I didn't ~say~ (type), I'm not saying I want my contributions to be accepted on equal footing even if they are generated by AI. What I'm saying is that solving this problem this way is going to make opensource much worse. We need a better way, and I'm not sure which is the better way, sorry.
troupo 15 minutes ago [-]
Opensource is already much worse and is drowning in slop. Until a better way is found (if it can be found), severely restricting contributions is the only sane response.
And it has nothing to do with the perceived "only influential people can do it". You're always welcome to fork any and all projects and run your AI on those
drivingmenuts 1 hours ago [-]
> Now opensource will become a thing that only "influential" people can contribute to. We're back to nepotism, not meritocracy. Down hill we go.
Or people can just start their own projects instead of working on someone else's. Many projects instead of potential large points of failure.
siwatanejo 51 minutes ago [-]
I don't know about you, but as for me, when I contribute to opensource it's because I find some improvement that makes the project better because it probably polishes some rough edge around a kind-of particular use case (that maybe few people face, but still, it makes the project better for them; it amplifies the range of usecases that it can span to). If everybody does the same with their small improvements, the project becomes better for everyone, but none of the contributors of these small changes would have time to embark on maintaining a fork. Mantaining a fork is hard work, not only because software breaks over time (dependencies going obsolete or insecure, builds stop working because of old toolkits), but also because not pulling the latest changes from master would mean that your fork gets stagnated (and thus not worth to run it).
mastermage 1 hours ago [-]
I truly understand why this step was taken, but it is still sad to see the death of open source or rather open contribution. Every project that turns away from open contributions is a project lost to the whims and fuckery of AI Bros.
What I realy want to know how sustainable a model like this is. How does one find new maintainers when old ones leave. When you cannot contribute anymore.
24 minutes ago [-]
fguerraz 2 hours ago [-]
I feel like the project just died.
lelanthran 2 hours ago [-]
> I feel like the project just died.
Why? This seems to be a strengthening move, not a weakening one.
fguerraz 1 hours ago [-]
Moving to a closed development model => opensource is just a gimmick, especially with a BSD licence.
lelanthran 29 minutes ago [-]
> Moving to a closed development model => opensource is just a gimmick,
How so? Many projects are open source (GPL, MIT, whatever) while closed development, and no one calls those a gimmick.
In any case, most open-source is going to move towards a closed-development model; there simply isn't the resources to review thousands of lines of PRs per hour.
pulsartwin 1 hours ago [-]
Maybe, or maybe not. But it will certainly kill the community they've built up, and squander a huge amount of goodwill. Why would anybody who's interested in supporting or using an independent browser (read: techies) choose one that's only source-available? Not to mention how the sponsors might feel about this.
lelanthran 29 minutes ago [-]
> Why would anybody who's interested in supporting or using an independent browser (read: techies) choose one that's only source-available?
It's not source-available, it's open-source.
shevy-java 2 hours ago [-]
Too early to say. Once they enter "we now accept everyone to use Ladybird as daily driver" then there will be the real test phase. And, IMO, only after that phase has started and continued for some months, perhaps even few years, can a final conclusion be made. If ladybird fails then the Google empire has won permanently. Skynet slop will then be under control of Google, just as they stole all the advertisement money.
troupo 2 hours ago [-]
"Gain trust through plausible contributions" is a new angle on AI-produced PRs I haven't seen yet.
Though in retrospect we should have seen it. It's been an angle of attack since forever, it only took a lot of effort.
kristoff_it 18 minutes ago [-]
The problem statement is clear to everybody.
> For decades, code contributions have been how open source projects learned who to trust. People would show up, do the work, take responsibility for their changes, and stick around. Over time, trust emerged from the work itself.
The solution, IMO, is a strictly worse version than what we chose in the Zig project (banning LLM contributions).
> AI tools have changed the economics of this very quickly. We use them ourselves every day, but a pull request no longer tells us as much as it used to about the person submitting it. A substantial patch used to imply substantial effort, and that effort was a reasonable proxy for good faith. That assumption no longer holds.
Things that worry me about this choice:
- open source is a tough business and you need to leverage the good things about it to make it worth doing. contributors bring in a huge amount of value that they offer you essentially for free (see contributor poker: https://kristoff.it/blog/contributor-poker-and-ai/), on top of being a hugely valuable recruitment funnel. They're rejecting all of that, which seems insane to me.
- one could argue that LLMs could fill that gap but, first of all they could have just banned LLM usage only in PRs from untrusted contributors, and second even the best LLM:
1. is a cost, not just free value, and the price of tokens is increasing
2. the code has to be reviewed anyway, unless you think that just passing tests is good enough for a browser
3. ultimately can't become a trusted core contributor able of taking ownership of a part of the codebase
- removing the influx of code that comes from PRs means that over time the whole project will have a small number of contributors that own all the code, making it easier for the project to do a license rugpull. when copyright ownership is well distributed this kind of thing is harder to pull off.
Overall, this is not good in my opinion. They're making open source a more problematic business model for them than it has to be, while at the same time making it harder to recruit more core contributors, as the code ownership coalesces to small group of people.
This is an obvious recipe for disaster (a rugpull), and I'm forced to wonder if this is just by mistake or if some of the Ladybird sponsors is playing a mean game of Secret Hitler. I guess only time will tell.
nnevatie 2 hours ago [-]
This is one way to rephrase "we don't want your AI slop, thanks.".
jeroenhd 2 hours ago [-]
> Whether code was typed by hand is beside the point. What matters is who is responsible for it once it enters the browser. Ladybird is becoming a browser for real users. The people introducing changes to it must be the people who decide those changes belong in the project, and who will answer for the consequences.
It probably accelerated the decision, but I don't think that's all of it. I think they're moving in the WebKit/Safari direction: open for you to look at, but not really an open source project.
ashkulz 1 hours ago [-]
It's still open source, but not open for public contributions. That's pretty much how it was before the advent of these forges.
jeroenhd 1 hours ago [-]
I think I didn't put the emphasis right in my comment above. The code is still fully open source, but the project that produces the code isn't. It's not dissimilar to other projects producing open source software.
This is the first time I've seen a project with this much history in community contributions close down, though. I suspect AI will cause more projects to follow in Ladybird's footsteps.
neilalexander 1 hours ago [-]
AI contributions are only a part of the issue. Another part is where a contributor decides they want a specific feature and contributes it but then disappears off into the sunset when it comes to needing maintenance later.
vrganj 2 hours ago [-]
LLMs are killing open source just like they're killing online discussion forums.
It's heartbreaking, my two favorite things about the internet are dying off because human interaction can't outscale AI slop.
brokylabs 2 hours ago [-]
Legit
scotty79 2 hours ago [-]
I think we are going to see a lot opensource project switching to Humans Need Not Apply Mode.
2 hours ago [-]
Anoian 1 hours ago [-]
[dead]
throwaway423454 2 hours ago [-]
"A browser runs untrusted input from the entire internet on the user’s machine, and one well-disguised vulnerability is all an attacker needs. We have already seen patient, well-resourced campaigns in open source to earn maintainer trust and abuse it."
Then the linux kernel is doomed. /s
z0ltan 2 hours ago [-]
[dead]
lijok 2 hours ago [-]
[flagged]
shevy-java 2 hours ago [-]
Cool - how about fewer perma-bans on github for participating in discussions?
Also, as I have pointed out before, they seem to develop too slowly for a solid beta this year. You only have to look at the issue tracker and check for URLs not working or even crashing the browser. Ladybird may have gotten better in the last months, but imagine if 50.000 people are using it, you will see more bugs. How do they then handle bug reports?
cuu508 2 hours ago [-]
Can we see some discussions that got people perma-banned?
1 hours ago [-]
lukaslalinsky 45 minutes ago [-]
I wonder how can a new browser engine survive with the source available model. Like, why would anyone support this, unless they have business association with the Ladybird developers?
bayindirh 42 minutes ago [-]
It's not source available. It's OpenSource(TM) because of the BSD-2 license.
This is not unheard of. The most famous models are emacs & SQLite. SQLite doesn't accept outside patches, emacs is developed opaquely and only releases are put forward.
You can do this with GPL, too. You put out tarballs of the releases only.
There's a great misconception between Free Software, Open Source, and Open Development (bazaar model). They complement each other, but they are completely independent things.
Addenda: Looks like emacs' Git repo is publicly accessible now, but it's not a requirement for GPL or Free or Open Source software.
lukaslalinsky 23 minutes ago [-]
It's actually common, many companies develop their products this way. The source is available, you can see the VCS, but you can't participate in the development. That's why I see this as signal that it's going to turn into a company.
Rendered at 10:21:27 GMT+0000 (Coordinated Universal Time) with Vercel.
Now I see communities being affected. When you kill PRs, you not only kill the code contributions, but also massively impact the other, non-tangible contributions like ideas, eyes on code, etc. That feels way worse.
I'm conflicted, confused and afraid, HN. Look at what I just wrote, yet I use claude and deepseek and all the skills and complex harnesses and MCPs and whatnot... But all now seems like a transition phase. Transition to f-ing what though?
A lot of questions cannot be answered unless we dedicate a meaning to our lives. Human touch? Too late? Also: I liked a song and it was sonos. I unliked it after discovering. I feel so stupid, so often.
Sorry for the unhinged digression.
I love Ladybird (have a sticker on my laptop to prove!), I hope they thrive.
I don't really have anything useful to add here, I think, just that you aren't alone in feeling conflicting feelings here. New things usually are like that, comes with incredible benefits in some areas yet seem to strip humanity away from others, some people use it to produce fluff and crap, others essentially gain new abilities and use those to build even better stuff. I don't think there is any universal truths here, sadly.
It's kinda surprising to me that even the people who are all in on ai haven't internalized that there's no inherent value in producing a big lump of code. They've massively decreased the work they put in but still expect the same pre-ai reaction/gratitude when submitting a big PR.
In that context, I wouldn't expect an idiot (of which there has always been far too many in this industry) to change their behaviour in a post-ai world. They were always out of line & continue to be.
Fwiw, a non-technical employee in my workplace has begun submitting ai-generated prs to internal repos I maintain & they're of excellent quality, with review feedback graciously received & expediently addressed, so this isn't a matter of the idiots not being technical, it's an attitude problem.
Moreover, as these tools become more expensive, people with money to blow on tokens will be able to drown maintainers that don’t have enough token-cash to help them deal with it. People see this as mostly a matter of time and energy, but I reckon it will soon be a financial issue.
I think we'll need to revert to artificial barriers such as bonds, e.g., if you want to do a PR to my repository you need to pay a 10 dollar bond. If the PR is good and I want future PRs, you keep your bond. If it's slop and spam, I get 10 dollars for my time.
It is seen in the way they approach contributions but also in regular language. I created X, insistence that their 'curation' was very influencial to the output, difficulty to mention LLM contribution, attitude of 'I care about building while others lose time in details', refusal to engage with potential flaws, and so on.
It is surprisingly different to what I'm used to from senior devs, which behave like they always suspect their own work is flawed and half assed. Like impostor syndrome was reversed.
- Receive a huge vibecoded PR for complicated new feature.
- Complain that this needs some design doc to figure out the right approach first.
- Author says no need for design doc, easier to have vibed implementation and discuss the concrete code instead of abstract document.
- I disagree (obviously), but review the PR with feedback along the lines: this entire approach is flawed, throw this out and start over.
- Author gets defensive, says "but this is already working and ready, let's just merge".
- I tell them there is no chance in hell this is getting merged. They go sulk to their manager that I'm not interested in helping them launch.
The original post sums it pretty well, such big output inherently meant big effort, which was a proxy for good faith. Now that's gone.
On the other hand, while not accepting external code contributions will certainly improve their security posture it will also make it more difficult to identify who to invite to join the priesthood.
The point that this announcement is trying to make is, of course, that AI has already made that particular signal approximately worthless for that purpose.
I look forward to the book: The Cathedral, The Bazaar and The Junkyard.
An open-source projects losing the ability to find and mentor new maintainers is so disappointing.
Before AI, being open source and having to manage issues and PR's was already a huge task, burning out maintainers left and right. Now with AI, anyone with a terminal and a claude code subscription can open PR's...
before AI like 1 in 1000 would spend their time fixing something they had no idea about and even then considering how much time you spent and how few of those happened it made sense to review/talk about it.
now every "dev" with claude submits prs having absolutely no idea what they are even doing. most of them would not even be able to create PR without AI in the first place.
and on top of that add slop bots that "fix" issues in the loop and create hundreds of PRs daily
(Servo is arguably in the middle, accepting outside contributions as long as you don't use AI.)
It's understandable that a team without much funding would have to close off contributions to spare on labor costs. But, it makes me feel that people don't give Google/Mozilla/Apple enough credit for the economic resources they put into enabling openness.
(Personal bias/experience alert: I'm currently retired, but formerly worked at Google on Chrome. I saw many of my coworkers nurture outside contributors, and did some of that myself, both informally and through programs like internships.)
I do not think we should be eternally grateful for monopoly building.
The elephant in the room is so many projects already operate like this without formally announcing it.
If you look at Blender, one of the biggest and most successful OSS projects out there, it's effectively run as source available. Some PRs make it through, but for the most part there have been heavy barriers to entry to get your work into the product. In this example, it's been key to such a large and complex project with millions of users staying afloat. It's an inconvenient truth.
It's one of those unspoken things in open source - the bigger the project the less you can accept or vet contributions. The less able you are to respond to users because there are too many. The amount of code you need to own balloons. The signal to noise to too much. LLMs have massively exacerbated this issue.
I think the whole game of software engineering, open source or not, has completely changed. A lump of code doesn't mean or imply the same thing as it did 2 years ago.
A few years ago, if I send a complex PR that compiles and passes tests, that implies a certain amount of time and cognitive investment on my part. It seems likely that I wouldn't invest that if I didn't also understand the codebase, the feature or bug I'm working on, etc.
Now, that understanding is roughly as expensive as before, but AI has vastly reduced the cost of generating the code that compiles and passes tests.
Probably-well-intentioned community members are happy to contribute the cheap thing( Claude Code tokens) but, because it's so cheap, it's not a good indicator they've contributed the expensive thing (human understanding).
"Writing Code vs. Shipping Code: Productivity Effects Across Generations of AI Coding Tools"
As the FT summarizes,
> They found an explosive impact at the top of this funnel — coders created or edited almost 300 per cent more files — but that boost was halved to 150 per cent by the time they got to the number of discrete pieces of work submitted for review, and that in turn shrunk fivefold to a roughly 30 per cent uplift in the number of full software releases.
https://www.ft.com/content/8e9ae7a4-7209-4e2c-aa36-f3af77d6c...
So as I wrote, AI vastly improves labor productivity on _coding_, but not nearly as much on code _review_ or other parts of the release pipeline.
And, unfortunately, for many open source projects, it's easy for volunteers to send code for review, but hard for them to volunteer reviewing PRs, managing releases, etc.
I see all projects moving this direction. Makes more sense to hash out a plan together.
> Outside involvement still matters: clear bug reports
So I can find a bug, I can fix it, but I am not allowed to tell them how exactly I did it.
Instead they have to re-figure it out. The team must be thrilled to re-do work they know was already put in by others, repeatedly.
As a user-and-eveloper, why would I sink time into a project with such rules that put a barrier to improving my life with the software? It seems much easier to use Firefox or Chromium, where my fixes actually meet open ears.
It was very useful for me in the past when a new Chromium version crashed on my product, that I could go and suggest a fix to V8, and it was rolled out in the next Chromium release so my product worked again (https://github.com/v8/v8/commit/4f8a70adca01c). Without this, maybe Chromium developers would have never bothered to fix it because of lack of time to figure it out.
> a pull request no longer tells us as much as it used to about the person submitting it
Nobody should need to know anything about any person submitting a pull request. Hopefully whether code that makes it into Firefox or Chromium was never based on the "effort" or "faith" of the submitter, but based on the correctness of the code in review.
Reviewing code fixes is strictly easier than coming up with them yourself.
This holds true automatically: In any situation where it isn't, you can just write the code yourself and done.
As a project you can always ignore or close a PR you want to write yourself instead. But it seems unwise to bar yourself from the _option_ of reviewing an outside contribution, or using it as input for your own re-write.
Pin pointing the issue is way more than valuable than code. If you wrote a fix, you have analyzed the bug. The value is there, not in the fix. Sharing your fine analysis is the maximized contribution. Code is an optional bonus at most.
There might be value in your bugfix, but maybe that value is not greater than the cost of reviewing and accepting it.
> Reviewing code fixes is strictly easier than coming up with them yourself.
This is completely false, for any sufficiently complex project. The fix might be a single line change, but the consequences might be far reaching.
> As a user-and-eveloper, why would I sink time into a project with such rules that put a barrier to improving my life with the software?
Please don't! You don't owe the project anything. The other side of that equation is that the project also doesn't owe you anything. As simple as.
Firefox and Chromium are running much larger teams, let alone the Linux kernel, that other people suggested as a model. Maybe they can afford accepting your contributions.
You're allowed, they'll just ignore it. Same as how sqlite and some other projects operate.
You can still submit a bug report and tell them exactly how you did it.
> Reviewing code fixes is strictly easier than coming up with them yourself.
Unless it's hundreds or thousands of AI slop PRs each pretending "here's a bug I fixed it"
It’s MIT licensed, and the maintainers are always grateful for bug reports, but all the code in the project was written by just 3 people.
They may, at this point, go ahead and remove "get involved" block from their website https://ladybird.org/, since it's not possible to contribute anymore.
> Source-available software is software released through a source code distribution model that includes arrangements where the source can be viewed, and in some cases modified, but without necessarily meeting the criteria to be called open-source.
https://en.wikipedia.org/wiki/Source-available_software
> Open-source software (OSS) is computer software that is released under a license in which the copyright holder grants users the rights to use, study, change, and distribute the software and its source code to anyone and for any purpose. Open-source software may be developed in a collaborative, public manner.
https://en.wikipedia.org/wiki/Open-source_software
And as said here, SQLite was operating like this forever.
It means they’ll never grow modules or the codebase beyond what the team can reasonably maintain.
However on the other hand.. What does this mean for the existing team, are maintainers now worth considerably more to the project? What does this mean for the codebase, or the momentum of the project?
It’s an approach I would have expected for the likes of curl, or single-purpose libraries. But this is a mammoth decision for a mammoth project.
I guess we’ll just have to see.
On the other hand, Ladybird is gearing up to become a production-ready browser for real users. Adding fun features for the sake of it, and hand-rolling code to parse PNGs and the like, has become a liability for the project.
This is not helped by everyone using the same LLMs to find the same vulnerabilities and flooding maintainers with duplicate reports to be the first to get that CVE and branded vuln on their resume.
Is this the direct result of a monolithic kernel? And would moving more drivers out-of-tree mitigate this?
The EXT4 filesystem driver as an example contains most of the same code whether it is part of the kernel process or is a user process. A virtual filesystem abstraction is needed between the two in either case as well.
The kernel also already has a module system to support loading externally maintained code. You won't necessarily see a benefit from separately maintained drivers that wouldn't already be present.
Maybe not?
I just got the impression that there are a _lot_ of obscure drivers that have to be carried, and are eventually removed causing annoyance. An ABI for the people who cared about that random driver might localise the maintenance burden.
I don’t disagree with their choice, but it’s not sustainable in the long term.
For now this makes sense.
i feel like there should be a way to trust a PR ID verification or in-person verification at FOSDEM/DEFCON/Chaos Communication Congress,UNI's, for example.
Also they are not changing the licence or preventing forks.
It is a pragmatic solution to a real problem that can really clog down progress on the project. I hope they (and other open source projects) will figure out how to filter in good, responsible contributors but I guess it will take time.
Unfortunately AI tools are breaking the open community dynamics, it has become more and more expensive to run open community oriented projects due to the noise, it’s really a shame. It’s a lot to expect volunteer project members to triage the increasing amount of AI garbage
And submitting a PR is almost wholly dissimilar from a conversation between friends over dinner or drinks. If you want to have a community around an open source project, it always has taken more than just accepting patches.
Is this a sponsored project where maintainers are just hired?
I guess they will have to introduce some kind of trust-based system.
You're always going to have to trust some core same-privilege code--a browser renderer is a great example of this: it has to be able to see the entirety of the DOM it's rendering, right?
Higher-level languages can still help code review--for example, memory safety makes it harder to hide a backdoor via unsafe memory operations leading to code injection. But you're still, fundamentally, trusting these community contributions.
I think the real problem (as others noted here) is that:
- writing code is now much, much cheaper than ever
- understanding and designing code is still fairly expensive
So doing the former (in the form of a PR that compiles and passes CI) is not a good "staking mechanism" to prove someone has done the latter.
And then if someone wants to do a larger contribution, they could have a process like making an issue, discussing the approach and then collaborating with a maintainer to get it in.
Blocking public contributions means that they want to have complete control of the project and AI is likely a good excuse to do that.
Why is it so hard to just accept that AI PRs suck and create an enormous amount of toil?
That way new contributors are forced to start small.
Of course, Ladybird is not production ready yet. Feature-wise, it is getting close. I can use it to do most of the things I want to do with a browser. Speed and reliability are another matter. I has gotten dramatically faster but normal users would still find it slow. But the biggest problem is reliability. I would not use it in its current form for anything that matters.
But for a complicated application that was started from scratch, not being ready yet is not an indictment. They claim it will be ready for regular users to try sometime this year and, from where I type, this seems realistic.
Sometimes the discussions on PRs are equally valuable to see how a commit was arrived at, and I'd be sad if that got lost in this change.
I guess it takes quite a lot of experience as a maintainer to realize that 'free' in 'free code contributions by strangers' is like 'free' in 'free puppy'.
This is the way to go to reduce supply chain vulnerabilities and to reduce time of mainters reviewing LLM slop.
That's not entirely true. It's certainly the case that Ladybird is still under an open-source license, but the whole idea of the "Open Source" label was to move the emphasis away from having a free license to actually being open to patches in practice.
And this we should have had already before AI.
If you see a PR and the guy is verified, you can check his name, his linkedin and where he works, at least there is some accountability if he introduces malicious code.
If the goal is to reduce slop, define slop. As a maintainer of a project you should be able to tell if something is slop.
If you don't have time to read PRs (which is the real issue here) that's fine too.
My guess is they want to reduce the amount of PRs, and ensure that the quality of the PRs passes an extremely high bar.
It's not an impossible problem, but it's a resource allocation problem, and they don't seem to have a way to address it at the moment besides closing all PRs.
No. Having access to a slop generator doesn't entitle you to acceptance to any and all open source projects. You're still responsible for the quality of your contributions. Something that is completely lost on bullshit artists.
And it has nothing to do with the perceived "only influential people can do it". You're always welcome to fork any and all projects and run your AI on those
Or people can just start their own projects instead of working on someone else's. Many projects instead of potential large points of failure.
What I realy want to know how sustainable a model like this is. How does one find new maintainers when old ones leave. When you cannot contribute anymore.
Why? This seems to be a strengthening move, not a weakening one.
How so? Many projects are open source (GPL, MIT, whatever) while closed development, and no one calls those a gimmick.
In any case, most open-source is going to move towards a closed-development model; there simply isn't the resources to review thousands of lines of PRs per hour.
It's not source-available, it's open-source.
Though in retrospect we should have seen it. It's been an angle of attack since forever, it only took a lot of effort.
> For decades, code contributions have been how open source projects learned who to trust. People would show up, do the work, take responsibility for their changes, and stick around. Over time, trust emerged from the work itself.
The solution, IMO, is a strictly worse version than what we chose in the Zig project (banning LLM contributions).
> AI tools have changed the economics of this very quickly. We use them ourselves every day, but a pull request no longer tells us as much as it used to about the person submitting it. A substantial patch used to imply substantial effort, and that effort was a reasonable proxy for good faith. That assumption no longer holds.
Things that worry me about this choice:
- open source is a tough business and you need to leverage the good things about it to make it worth doing. contributors bring in a huge amount of value that they offer you essentially for free (see contributor poker: https://kristoff.it/blog/contributor-poker-and-ai/), on top of being a hugely valuable recruitment funnel. They're rejecting all of that, which seems insane to me.
- one could argue that LLMs could fill that gap but, first of all they could have just banned LLM usage only in PRs from untrusted contributors, and second even the best LLM: 1. is a cost, not just free value, and the price of tokens is increasing 2. the code has to be reviewed anyway, unless you think that just passing tests is good enough for a browser 3. ultimately can't become a trusted core contributor able of taking ownership of a part of the codebase
- removing the influx of code that comes from PRs means that over time the whole project will have a small number of contributors that own all the code, making it easier for the project to do a license rugpull. when copyright ownership is well distributed this kind of thing is harder to pull off.
Overall, this is not good in my opinion. They're making open source a more problematic business model for them than it has to be, while at the same time making it harder to recruit more core contributors, as the code ownership coalesces to small group of people.
This is an obvious recipe for disaster (a rugpull), and I'm forced to wonder if this is just by mistake or if some of the Ladybird sponsors is playing a mean game of Secret Hitler. I guess only time will tell.
It probably accelerated the decision, but I don't think that's all of it. I think they're moving in the WebKit/Safari direction: open for you to look at, but not really an open source project.
This is the first time I've seen a project with this much history in community contributions close down, though. I suspect AI will cause more projects to follow in Ladybird's footsteps.
It's heartbreaking, my two favorite things about the internet are dying off because human interaction can't outscale AI slop.
Then the linux kernel is doomed. /s
Also, as I have pointed out before, they seem to develop too slowly for a solid beta this year. You only have to look at the issue tracker and check for URLs not working or even crashing the browser. Ladybird may have gotten better in the last months, but imagine if 50.000 people are using it, you will see more bugs. How do they then handle bug reports?
This is not unheard of. The most famous models are emacs & SQLite. SQLite doesn't accept outside patches, emacs is developed opaquely and only releases are put forward.
You can do this with GPL, too. You put out tarballs of the releases only.
There's a great misconception between Free Software, Open Source, and Open Development (bazaar model). They complement each other, but they are completely independent things.
Addenda: Looks like emacs' Git repo is publicly accessible now, but it's not a requirement for GPL or Free or Open Source software.