Now I see communities being affected. When you kill PRs, you not only kill the code contributions, but also massively impact the other, non-tangible contributions like ideas, eyes on code, etc. That feels way worse.
I'm conflicted, confused and afraid, HN. Look at what I just wrote, yet I use claude and deepseek and all the skills and complex harnesses and MCPs and whatnot... But all now seems like a transition phase. Transition to f-ing what though?
A lot of questions cannot be answered unless we dedicate a meaning to our lives. Human touch? Too late? Also: I liked a song and it was sonos. I unliked it after discovering. I feel so stupid, so often.
Sorry for the unhinged digression.
I love Ladybird (have a sticker on my laptop to prove!), I hope they thrive.
It feels like being in the middle of a tornado. But I think it helps to turn off screens, sit in a desk, and calmly remember first principles and consider them slowly.
Quoting obama, "reality has a way of catching up with you".
I see a lot of talk, but iOS is not delivering a decade of features and fixes on each yearly release. Literally no one does, if anything people are complaining that existing functionality is breaking down. So it can't be true that we're at 10x productivity, and this fact will eventually catch up with us.
Let's be human, and remember that many people are emotionally invested. Juniors want this to be a chance to shine in a market that otherwise rejected them. CEOs placed their bet on AI and don't want to walk that back. Seniors want to signal that they are not obsolete. AI companies will poison discourse. But all this smoke will eventually clear.
These "contributions", while they did exist in small quantities, mostly were not actually what you've described there.
Instead, those boiled down to unsolicited opinions, hostile takeover attempts, value extraction, general drama and just overall overhead over simply building code.
This was not always the case, but the GitHub model of building FOSS (and removal of all friction) certainly made it the new default.
Said model was always unsustainable, but the burn rate made it sustainable enough so that we could just throw more humans at the problem to replace the burnt-out ones.
AI pushed the burn rate over the replacement rate.
=> We will likely see more projects adapt this or a similar stance I think.
I don't really have anything useful to add here, I think, just that you aren't alone in feeling conflicting feelings here. New things usually are like that, comes with incredible benefits in some areas yet seem to strip humanity away from others, some people use it to produce fluff and crap, others essentially gain new abilities and use those to build even better stuff. I don't think there is any universal truths here, sadly.
As in cheer for the humans because they've been liberated from the drudgery they have lost?
The future is a bit fuzzy, always. That said, here's my take on it.
> Transition to f-ing what though?
Not jobs. Those will be gone once ai can do them cheaper than humans. ai can already do many (most?) of them better than humans. The jury is still out on the cost aspect. Judging by r/LocalLlama, the lower cost is not that far off. There may be some structural adjustments around compute pricing before that happens, though.
In the EU, humans will probably be ok. They have a strong tradition of focus on human needs. Because of lower average salaries [1] than the US [2], human employment will likely carry on longer as well.
In the US, those folks that have capital will likely be ok. They'll be able to purchase services from ai companies and invest in ai companies and corporate armed forces (ai-populated, not human) to protect the Haves. Those that don't have capital? Who knows? America hates poor people, women and minorities.
China? No idea. Though I hear that their demographics are upside-down, so there'll be fewer people to support over the long-term. That they'll supply the robotics and goods for the rest of the world is not in doubt: cheaper electricity from solar/wind, advanced ai and robotic tech, science and industry moving forward while the US regresses, hard.
India? Hard to say. No social net of any consequence. Not enough capital to go full ai/robotics, human labor way cheaper than ai/robotic labor at the moment, so maybe they'll survive as that last major bastion of human work for some time to come. But their economy is growing, and they have a lot of people, so at some point they'll come to that same fork in the road. Hopefully they'll have serious social safety nets by that time.
Africa? In a lot of ways, they're similar to India on the human labor costs side, so their future hasn't been written yet either. India can probably fend off an invasion by rapacious US corporates with ai/robotic armies looking for resources because of sheer numbers, but Africa, fragmented, is a different story. Maybe China will be their friend? If you think this scenario is outlandish, look into the history of European companies colonizing the world. You didn't think the East India Company with its massive private armies were government-owned, did you? Likewise with the Spanish/Dutch/Portugese expansions. The govt. takeovers didn't happen until much later, tens of decades later.
South America? They're an interesting case. Brazil may take a trajectory similar to the EU. Chile, Ecuador, Uruguay too. The others are a ?
[1] https://en.wikipedia.org/wiki/Economy_of_the_European_Union [2] https://en.wikipedia.org/wiki/Economy_of_the_United_States
This is asinine. Keep depriving yourself of things you enjoy I guess?
how was open source managed before GitHub ? you had to find a mailing list, be involved in the mailing list - ask questions, make a proposal, then create code after -- code goes through x rounds in the mailing list. finally it is merged if it suits direction of the project.
this willy nilly of opening pr's while not being an active member of a community I would say decimated open source.
Maybe, just maybe, you're not thinking rationally/logically about the situation and instead are mostly operating on emotion and feelings?
It's kinda surprising to me that even the people who are all in on ai haven't internalized that there's no inherent value in producing a big lump of code. They've massively decreased the work they put in but still expect the same pre-ai reaction/gratitude when submitting a big PR.
In that context, I wouldn't expect an idiot (of which there has always been far too many in this industry) to change their behaviour in a post-ai world. They were always out of line & continue to be.
Fwiw, a non-technical employee in my workplace has begun submitting ai-generated prs to internal repos I maintain & they're of excellent quality, with review feedback graciously received & expediently addressed, so this isn't a matter of the idiots not being technical, it's an attitude problem.
It is seen in the way they approach contributions but also in regular language. I created X, insistence that their 'curation' was very influencial to the output, difficulty to mention LLM contribution, attitude of 'I care about building while others lose time in details', refusal to engage with potential flaws, and so on.
It is surprisingly different to what I'm used to from senior devs, which behave like they always suspect their own work is flawed and half assed. Like impostor syndrome was reversed.
It's 100% an issue with the people with submitting these PRs. So, if someone has a history of having no issue with breaking project rules (let alone being arrogant about it), it should be a massive red flag about the person for any possible employer or future collaborator checking their profile, etc.
Why people are wilfully destroying their own reputation like that is beyond me. It's infinitely better to have no activity at all on your profile than to create a track record of bad behaviour.
Why is it surprising that some people who expect results without spending any effort also feel entitled to receiving gratitude without putting in any thought?
There tend to be a lot of drive-by AI PRs attempt to “re-add” the feature, often not quite addressing the situation comprehensively. It seems like a bit of a local minima trap for the bots. [3]
[1] https://app.opire.dev/issues/01J8YJ06HPSY7ZAMAW08T83YBD
[2] https://godotengine.org/article/live-from-godotcon-boston-we...
I would be more sympathetic if they actually spent meaningful time on these contributions and could maybe see an argument for wanting their work to be given due consideration (lots of caveats here), but from what I’ve seen that’s the exception rather than the rule with a lot of these case.
I don't think that follows. They expect things to improve, they do something about it and might (unreasonably) be frustrated by what they think is a policy that stands in the way of quicker progress. The first part is certain, the second part less so, and the third is just speculation.
It's clear that open source project are struggling to understand what is going on and coming up with plans – like everyone else – but clearly there are better and worse ways to proceed in this new world, if popularity, adoption and progress are things you want to focus on.
I dunno. If that lump of code makes the program do things it wasn't doing before, I'd say there's a lot of value in it. We can definitely scrutinize the code's quality but there's no way anyone can argue with working code that makes the program better or more featureful than it was before.
If a feature and ignored, it can forked to provide more value to the users.
If unaccepted bugfixes, the maintainers are just silly. They need to be forked off.
> Outside involvement still matters: clear bug reports
So I can find a bug, I can fix it, but I am not allowed to tell them how exactly I did it.
Instead they have to re-figure it out. The team must be thrilled to re-do work they know was already put in by others, repeatedly.
As a user-and-eveloper, why would I sink time into a project with such rules that put a barrier to improving my life with the software? It seems much easier to use Firefox or Chromium, where my fixes actually meet open ears.
It was very useful for me in the past when a new Chromium version crashed on my product, that I could go and suggest a fix to V8, and it was rolled out in the next Chromium release so my product worked again (https://github.com/v8/v8/commit/4f8a70adca01c). Without this, maybe Chromium developers would have never bothered to fix it because of lack of time to figure it out.
> a pull request no longer tells us as much as it used to about the person submitting it
Nobody should need to know anything about any person submitting a pull request. Hopefully whether code that makes it into Firefox or Chromium was never based on the "effort" or "faith" of the submitter, but based on the correctness of the code in review.
Reviewing code fixes is strictly easier than coming up with them yourself.
This holds true automatically: In any situation where it isn't, you can just write the code yourself and done.
As a project you can always ignore or close a PR you want to write yourself instead. But it seems unwise to bar yourself from the _option_ of reviewing an outside contribution, or using it as input for your own re-write.
Pin pointing the issue is way more than valuable than code. If you wrote a fix, you have analyzed the bug. The value is there, not in the fix. Sharing your fine analysis is the maximized contribution. Code is an optional bonus at most.
There might be value in your bugfix, but maybe that value is not greater than the cost of reviewing and accepting it.
> Reviewing code fixes is strictly easier than coming up with them yourself.
This is completely false, for any sufficiently complex project. The fix might be a single line change, but the consequences might be far reaching.
> As a user-and-eveloper, why would I sink time into a project with such rules that put a barrier to improving my life with the software?
Please don't! You don't owe the project anything. The other side of that equation is that the project also doesn't owe you anything. As simple as.
Firefox and Chromium are running much larger teams, let alone the Linux kernel, that other people suggested as a model. Maybe they can afford accepting your contributions.
You state these things as if they are facts, but they are completely contrary to the lived experience of open source maintainers - not only my own and the TFA's but quite a large number of others who have shared similar pieces.
Would you mind sharing a link to one of the open source project you've been maintaining and reviewing contributions on for years that forms the basis of your expertise on this matter?
You're allowed, they'll just ignore it. Same as how sqlite and some other projects operate.
Exactly. You want others to change to fulfill your needs. Their priorities and needs are different. In this case, it was evaluated and found not to be useful (cost > benefits).
You can do all that, and make a bug report with a fix.
What happens next is up to the maintainers. If they reimplement from everything you gave them, and sculpted the fix into its final shape, that’s a great outcome for everyone.
Yes, and this has always been the case - see also: XY problem
> Reviewing code fixes is strictly easier than coming up with them yourself.
This wasn't even the case before the slopocalypse.
You can still submit a bug report and tell them exactly how you did it.
> Reviewing code fixes is strictly easier than coming up with them yourself.
Unless it's hundreds or thousands of AI slop PRs each pretending "here's a bug I fixed it"
On the other hand, while not accepting external code contributions will certainly improve their security posture it will also make it more difficult to identify who to invite to join the priesthood.
Before the rise of github, open source projects were heavily walled gardens. Little clubs that gave you a stare when you entered the room. Github commoditized getting in touch and lowered the barrier for how much effort you have to put in or even how much you have to care before you contribute. This is gone now and you have to build trust now before you can contribute to anything.
This isn't the death of open source. It's the death of the global village were everybody can freely roam and it's easy to interact. It's the resurrection of small, social, trusted communities. I hope this spreads to all of the internet.
(Also, as a sibling comment implied, the archetypal "bazaars", like the Linux kernel project, now appear quite cathedral-like in conparison to the free-for-all GitHub model!)
The point that this announcement is trying to make is, of course, that AI has already made that particular signal approximately worthless for that purpose.
So I do not see a problem with Ladybirds decision, in contrary, IMHO it strengthens the human aspect of software development and puts the brakes on AI free riders
How about this. Somebody forks the project and submits their patches to the fork . If the fork is successful (there are users actively using it), upstream can selectively go fish for the patches themselves. The maintainer of the fork eventually gets recognized.
Not ideal, I know, but building a reputation is meant to take time.
I suspect if you exclude by default but have a manual process for requesting access and permissive standards for granting access, you can eliminate most of the bullshit without really excluding anyone.
I think the whole game of software engineering, open source or not, has completely changed. A lump of code doesn't mean or imply the same thing as it did 2 years ago.
A few years ago, if I send a complex PR that compiles and passes tests, that implies a certain amount of time and cognitive investment on my part. It seems likely that I wouldn't invest that if I didn't also understand the codebase, the feature or bug I'm working on, etc.
Now, that understanding is roughly as expensive as before, but AI has vastly reduced the cost of generating the code that compiles and passes tests.
Probably-well-intentioned community members are happy to contribute the cheap thing( Claude Code tokens) but, because it's so cheap, it's not a good indicator they've contributed the expensive thing (human understanding).
I see this position a bit: the notion that AI-generated code has no value. I think it's easy to generate zero-value code, but I don't agree that all AI-generated code is zero-value. I've been working on my side projects in OpenCode, and I spend quite a bit of time prompting, setting up the right files, descriptions of the product I'm trying to build, and the roadmap for it. I have a tight validation loop that lets me run through a bunch of automated checks after each change, and then I do a bunch of manual testing through edge cases that the generated feature might screw up, and then I iterate. It's a different kind of work, but I can make progress more quickly than I could coding by hand. Validation loops are the main critical component.
My experience doing this over the past months is that using AI to code is a skill, and I learn new techniques and get better at it as I try stuff. But that also suggests that, when done well, it can produce something of value.
All of this is to say: while I take issue with your first sentence, I completely agree with your second sentence. What we've lost is the ability to distinguish easily between something well-thought out and something generated thoughtlessly. Focusing on cheap validation would help here immensely, as well.
I see all projects moving this direction. Makes more sense to hash out a plan together.
I'm 100% on the side of maintainers here, but this is BS. If you could "just prompt Claude yourself" the AI productivity boosts would be in hundreds if not thousands of percent, which is demonstrably and self-evidently not the case (at least as of June 2026).
Initially I thought AI would be great for FOSS because suddenly open source projects could get up to speed with paid options. UIs could get better (albeit boring/soulless) with Claude Design, etc.
But then I guess someone has to pay for all of those tokens. It's "easier" to devote your time but much harder to justify spending $300/mo on contributions to open source.
So maybe some people see this almost as a donation? Hey, I paid for tokens and generated a PR - be grateful for my donation!
And then they completely disregard the fact that reviewing the generated slop becomes way too much for the contributors. They would probably have appreciated a monetary donation more.
As a Servo maintainer, I'd like to remind people that @ServoDev continues to welcome contributions from everyone. We actively mentor newcomers, help people learn Rust and browser engine development, and review community PRs.
It means they’ll never grow modules or the codebase beyond what the team can reasonably maintain.
However on the other hand.. What does this mean for the existing team, are maintainers now worth considerably more to the project? What does this mean for the codebase, or the momentum of the project?
It’s an approach I would have expected for the likes of curl, or single-purpose libraries. But this is a mammoth decision for a mammoth project.
I guess we’ll just have to see.
Does it? Seems the only sane option. The other being being drowned in AI slop PRs.
Why? This seems to be a strengthening move, not a weakening one.
"A substantial patch used to imply substantial effort, and that effort was a reasonable proxy for good faith. That assumption no longer holds."
We still need some mechanism for determining which humans have enough long-term commitment to become maintainers. Source contributions are no longer a reliable signal for that, and I don't know what future signal we'll use going forward. That's going to be a hard problem.
But, who knows, if AI really does make programmers radically more productive, maybe successful open source projects don't need a large maintainer team.
An open-source projects losing the ability to find and mentor new maintainers is so disappointing.
(Servo is arguably in the middle, accepting outside contributions as long as you don't use AI.)
It's understandable that a team without much funding would have to close off contributions to spare on labor costs. But, it makes me feel that people don't give Google/Mozilla/Apple enough credit for the economic resources they put into enabling openness.
(Personal bias/experience alert: I'm currently retired, but formerly worked at Google on Chrome. I saw many of my coworkers nurture outside contributors, and did some of that myself, both informally and through programs like internships.)
I do not think we should be eternally grateful for monopoly building.
Chromium? You mean the browser engine controlled by the Be-Evil corporation Google, which recently killed support for a huge swatch of important extensions (manifest-v2)? And thus prevents much of adblocking?
Gecko... now that's something less people are aware of, but let's just say if you know how the Mozilla ecosystem is governed internally, I believe you would be rather aghast.
> Whether code was typed by hand is beside the point. What matters is who is responsible for it once it enters the browser. Ladybird is becoming a browser for real users. The people introducing changes to it must be the people who decide those changes belong in the project, and who will answer for the consequences.
On the other hand, Ladybird is gearing up to become a production-ready browser for real users. Adding fun features for the sake of it, and hand-rolling code to parse PNGs and the like, has become a liability for the project.
Any rando armed with an LLM is not a community.
Also they are not changing the licence or preventing forks.
It is a pragmatic solution to a real problem that can really clog down progress on the project. I hope they (and other open source projects) will figure out how to filter in good, responsible contributors but I guess it will take time.
We usually call open source software without open collaboration source available software.
This is terrible news, defeating core beliefs people had in Ladybird. Not an open browser I wished for.
1. Free Redistribution
2. Source Code
3. Derived Works
4. Integrity of The Author’s Source Code
5. No Discrimination Against Persons or Groups
6. No Discrimination Against Fields of Endeavor
7. Distribution of License
8. License Must Not Be Specific to a Product
9. License Must Not Restrict Other Software
10. License Must Be Technology-Neutral
Not at all. You are of today’s lucky 10,000 [0]. Open source refers to OSI-compliant licenses, not open to contributions. SQLite is open source but not open to contributions.
This is just the cathedral model to open source, as opposed to the bazaar you clearly prefer, but it's still open source.
Integrating some kind of proof-of-stake system might be a way forward for open source. Nobody wants to shuffle through a pile of low-quality PRs written by LLM.
They may, at this point, go ahead and remove "get involved" block from their website https://ladybird.org/, since it's not possible to contribute anymore.
> Source-available software is software released through a source code distribution model that includes arrangements where the source can be viewed, and in some cases modified, but without necessarily meeting the criteria to be called open-source.
https://en.wikipedia.org/wiki/Source-available_software
> Open-source software (OSS) is computer software that is released under a license in which the copyright holder grants users the rights to use, study, change, and distribute the software and its source code to anyone and for any purpose. Open-source software may be developed in a collaborative, public manner.
https://en.wikipedia.org/wiki/Open-source_software
And as said here, SQLite was operating like this forever.
It’s MIT licensed, and the maintainers are always grateful for bug reports, but all the code in the project was written by just 3 people.
I feel like 1/10 comment I make on HN are about this.
So merged PR were until LLMs a good proxy for the ability to code and contribute to a software project. Consequently they were used to estimate if a candidate was potentially good for a position. Merged PR on popular project were thus precious credentials one could "trade" for potential work. Since then the desire to provide PR changed from contributing to a project for its own sake, to make the actual project progress, to signalling.
A new proxy must be found to establish the ability to contribute to a project.
Ladybird’s blog post is arguing that it used to be tolerable to spend the amount of time evaluating this for every PR, now it’s just unmaintainable for their effort-time.
I think closing contributions (due) to AI will be looked at in a similar way. Forks open to AI will appear, and take over. And people will return to the open model. I think it needs more proliferation of AI coding and reviewing tools, so that AI contributions can be automatically independently reviewed for quality.
EGCS was created because Cygnus, a company whose business was based on GCC, wasn't getting their patches to GCC, maintained by non-company FSF.
Cygnus outcompeted FSF by so much that FSF folded and made EGCS maintainers new maintainers of GCC.
I just don't see average open source project being forked and improved by so much that it eliminates the original.
This requires 3 rare things to happen:
- the project is important enough
- the project is half-dead
- someone is willing to out-compete the original project
That won't happen to e.g. Laydbird. Yes, it's important but it's making rapid progress and they also use ai, so you can't outcompete them just using ai. It's a full-time project for at least one person (Andreas Kling) so unless you manage to find a band of great, unemployed programmers I don't see how you would compete.
Just to make a point: I could throw out SQLite as a project that bans open contributions and is wildly successful.
Also, as others pointed out, Linux is technically open contribution bazaar style by 2000s standards. But if you look at how to actually get involved, there’s way more friction compared to the average GitHub project.
I actually think GCC falls into the same category. Even though it’s technically open contribution these days, it’s not exactly a free for all where any AI agent can open a GitHub pull request and get it reviewed.
You have to mail patches to a mailing list and follow a bunch of super specific and arcane rules set by the grey beards.
I guess it takes quite a lot of experience as a maintainer to realize that 'free' in 'free code contributions by strangers' is like 'free' in 'free puppy'.
Is this a sponsored project where maintainers are just hired?
I guess they will have to introduce some kind of trust-based system.
If AI is the problem, the solution would be introducing an AI policy, community trust management system or something like that. Definitely not a closed development process.
The policy makes sense to me given the security concerns for the project.
I do think closing off contributions is a big step and would rather most projects find a middle ground, but it's definitely understandable why they did this.
Make a better Ladybird successfully to the point the original contributors take notice. If the barriers to doing that are truly lower, then it should be easier.
I don’t disagree with their choice, but it’s not sustainable in the long term.
The elephant in the room is so many projects already operate like this without formally announcing it.
If you look at Blender, one of the biggest and most successful OSS projects out there, it's effectively run as source available. Some PRs make it through, but for the most part there have been heavy barriers to entry to get your work into the product. In this example, it's been key to such a large and complex project with millions of users staying afloat. It's an inconvenient truth.
It's one of those unspoken things in open source - the bigger the project the less you can accept or vet contributions. The less able you are to respond to users because there are too many. The amount of code you need to own balloons. The signal to noise to too much. LLMs have massively exacerbated this issue.
Not just the changes, you'd push the responsibility, too, for supporting a whole new compilation target. I don't know how big this is, but if it's a big enough hassle to keep maintaining this yourself, then consider that this maintenance work is really what you were hoping to push. So, depeding on which, you might be fine maintaining this, or the maintainers might have rejected the change, anyway.
i feel like there should be a way to trust a PR ID verification or in-person verification at FOSDEM/DEFCON/Chaos Communication Congress,UNI's, for example.
They probably could do that as part of the hiring process.
And then if someone wants to do a larger contribution, they could have a process like making an issue, discussing the approach and then collaborating with a maintainer to get it in.
Blocking public contributions means that they want to have complete control of the project and AI is likely a good excuse to do that.
Why is it so hard to just accept that AI PRs suck and create an enormous amount of toil?
You're always going to have to trust some core same-privilege code--a browser renderer is a great example of this: it has to be able to see the entirety of the DOM it's rendering, right?
Higher-level languages can still help code review--for example, memory safety makes it harder to hide a backdoor via unsafe memory operations leading to code injection. But you're still, fundamentally, trusting these community contributions.
I think the real problem (as others noted here) is that:
- writing code is now much, much cheaper than ever
- understanding and designing code is still fairly expensive
So doing the former (in the form of a PR that compiles and passes CI) is not a good "staking mechanism" to prove someone has done the latter.
Though in retrospect we should have seen it. It's been an angle of attack since forever, it only took a lot of effort.
Of course, Ladybird is not production ready yet. Feature-wise, it is getting close. I can use it to do most of the things I want to do with a browser. Speed and reliability are another matter. I has gotten dramatically faster but normal users would still find it slow. But the biggest problem is reliability. I would not use it in its current form for anything that matters.
But for a complicated application that was started from scratch, not being ready yet is not an indictment. They claim it will be ready for regular users to try sometime this year and, from where I type, this seems realistic.
It's heartbreaking, my two favorite things about the internet are dying off because human interaction can't outscale AI slop.
Newspapers are adopting it too, so soon we may see slop dominate even high brow publications.
Feels like a huge shift in human intellectual capabilities. Honestly quite worrying, I don’t think it’s a Luddite position to say that removing writing is removing thinking.
As far as I can tell, architecture, i.e. sound, precise definitions of exactly what a software artifact must do, is now critical. And with LLMs, it's now feasible to begin implementing such things, though many brownfield projects may be intrinsically unsound in ways that their creators are unaware of. In such a world, contributions simply require a modified proof that the software does what it must do, with perhaps additional claims that the maintainers provide.
If we were at all competent we would have focused on the issues you mentioned. Architecture, intent, definitions, validation, actual proof that our work does what it needs to do. We didn't care because we were too busy showing ourselves and the people we look down on - the "suits" and other programmers using different styles/languages/frameworks - how superior we are and how clever we are that we can internalize and navigate Rust's syntax and C++'s foot-guns.
Unfortunately, or perhaps fortunately depending on your perspective, I think that strategy is dying. It might be best for us to keep the eyes on the ball. What does the system need to do and how do we validate that it in fact does what it says on the tin? All the rest is noise and that includes "code". If a million monkeys on typewriters get the job done within acceptable parameters so be it.
That way new contributors are forced to start small.
This is the way to go to reduce supply chain vulnerabilities and to reduce time of mainters reviewing LLM slop.
That's not entirely true. It's certainly the case that Ladybird is still under an open-source license, but the whole idea of the "Open Source" label was to move the emphasis away from having a free license to actually being open to patches in practice.
Feature requests are valuable because they tell you what users want.
Error reports are valuable because they tell you under which circumstances the code fails.
But the code that implements those features and fixes those errors can now be written by AI. AI follows all the rules for how code is supposed to be written in your project. Is already producing very high quality code. And soon it will produce a quality that no human can match.
For an open source project that isn't a business, that's really the only way to recruit people
It’s controversial to say, and I may be downvoted, but I’ll share this as a pov: OSS is essentially giving away our work for free. Did that ever really make sense? If it does, why don’t graphic designers give their work away for free? Why don’t authors do that? UX designers?
It’s a very peculiar thing to us nerds.
And the strangest thing is, we may have unwittingly built the data source required to make our skills redundant, as models are trained on the work we gave away for free.
I think this is an interesting narrative.
The point of OSS though isn’t that nobody gets paid. It’s that if they charge for contributions, they get paid to release their work as Open Source software. They get paid for the labor of producing the artifact, and not necessarily paid a royalty for future sales of the copies.
Sometimes the discussions on PRs are equally valuable to see how a commit was arrived at, and I'd be sad if that got lost in this change.
https://ladybird.org/#contribute
I hate this change and agree with your PR comment. This change makes me sad as well.
My hope is that public contributions can resume in the future. Part of their justification for this step is that they are trying to stabalize the project to produce a stable public alpha. Fair enough. And many Open Source projects have begun to voice concerns over the burden that the massive increase in contributions is causing, often from AI. Linus Torvalds has certainly been flagging this. The Open Source world in general is going to have to navigate this and come to a solution that works without the entire Open Source ecosystem becoming read only.
Once Ladybird ships a "stable" browser out to the world, I am hoping they can adopt whatever the "best practice" for Open Source has become to be able to accept public participation again.
What I am curious about as someone who has been kind of cheering off on the sidelines is if there's any way that folks could get involved still in the future or if this is in practice permanently a closed project?
BSDs are more cathedral style and getting maintainer status is usually pretty onerous from what I understand but there are at least routes to it available to people willing to make an appropriate level of investment.
I'm not at a point in my life where I can meaningfully provide that kind of time and energy into serenity or ladybird but if my circumstances changed it's the kind of open source project that I would love to dedicate my time and energy towards in the future and I'm sure I'm not alone in feeling that way.
This is probably the best, most succinct explanation of what we're seeing happening in the OS world right now.
1. Opening an issue. 2. Talking about what they want/need that's not catered to right now. 3. Asking for my thoughts or suggestions - even if they already have a potential PR to submit.
and that is for a small codebase where changes are rarely that big of a deal in terms of amount of effort.
I've gotten a few decent 'cold-submit' PRs as well, but my bias has usually borne out, in that these are usually PRs to reject, and only some of the time get adapted into something useful, following some back-and-forth of course.
So, on the one hand, the measure the LB people are taking seems extreme to me; but the previous state of affairs they allude to seems equally weird. (I mean, unless it's a "here is a two-liner fix for a bug" kind of patches).
Although I no way suspect this particular individual of anything untoward, of course it's always possible it could be part of one of the long-term goodwill-generation campaigns mentioned by the Ladybird team. Generating credibility by making seemingly difficult genuine contributions over a long period, then abusing that credibility. But in our particular project we're not in the habit of delegating approval authority, so I'm less concerned about that.
I wonder what it will be referred to as, after the dust settles?
In this type of system, if I am competent and can contribute how to do I? By reviewing the maintainers PRs, helping fill out more info for bug reports / root causing?
There had to be some way for a competent user to get involved enough to become a familiar handle to the maintainers and be seen as a possible future maintainer/ expert contributor right?
Applies so, so widely. Glad they’re taking (very necessary) action here.
http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral...
Without one they will slowly lose all maintainers by attrition.
Of course, if they are also concerned about the quality of external PRs then that does not help.
Trust is key.
What should probably be done is PRs are treated as “reimplement requests”.
“You had your agent write some code? Great, we’ll take it from here, and reimplement it ourselves.”
"I would have written a shorter letter, but I did not have the time." -- Pascal, 1657
Think about it. Anthropic just reported that their codebase is now improving itself. We're moments away from every open source repo being able to do the same. Think of it like torrenting — you'll be able to open your repo to the public, and have a stream of code flow in from millions of contributors. More code than you could ever write in ten lifetimes, uploaded to your repository in a matter of days.
Ladybird doesn't know it yet, but they just left themselves in the dust.
"green" and "the right artifact exists" drift apart faster than expected with more automation. exit code wasn't enough for us — had to make the output file the thing that proves a run happened.
And this we should have had already before AI.
they can vibe-code their own browser, there's no need for the public to access every single open-source project anymore, you need to find people you can actually trust
What the Ladybird maintainers did here was messy and a punch in the gut to actual contributors who liked the project and the openness of it. There was no effort to shore things up, just a boilerplate message from a maintainer account then closing of your PR. Of course, Ladybird maintainers have no obligation to outside contributors but it shows a lack of grace nonetheless.
Reading between the lines, there seems to have been a stark shift in attitude from Andreas which is concerning. Ladybird started from SerenityOS (a hobby OS) and he always encouraged everyone to submit a patch. Sure, LLMs have increased the amount of slop PRs, but I feel like those are easy to spot and close accordingly. I don't have links handy, but maintainers would point to a section about AI usage in their CONTRIBUTING.md then close the PR whenever obvious slop was submitted. This idea that people "own" the code they contribute is strange to me; the code would be determined worthy of acceptance at review time, why does someone have to "own" it?
All that is to say: I think there's much darker things going on here and AI+security is a nice scapegoat. Time will tell, but this reeks of a rugpull in the future. Disappointing day.
Yes, Ladybird is facing a wall of slop... no... A tsunami of slop overwhelms core maintainers. Probably safe to generalize to other popular open source projects.
The project is important and the code is beautiful! I spent many happy hours trying to understand the code, browser-specs and tried to adapt to their coding style. After 18 months I ended up with a few merged PRs. Some were pure joy to write. I got to work directly with most of their core maintainers in the review cycle. They're great!! From the outside, it seems like their responsiveness to submissions slowed down in the last few months... slop.
Of course, it would be great if there was another way, but here we are.
Love <3 to Andreas and the core maintainer group! Keep up the good fight! Maybe we'll meet again.
What I realy want to know how sustainable a model like this is. How does one find new maintainers when old ones leave. When you cannot contribute anymore.
I'm surprised this isn't yet a thing. Heck, this can be made independent of GitHub/Gitlab, like a portal which tracks your rep. Could also help you got hired. Think Stackoverflow rep mixed with LinkedIn but for actual code contribution.
Yes I'm aware it sounds Black Mirror-ish. But we need more meritocracy in the world of OS that is otherwise highly anonymous and with very little public authority.
> For decades, code contributions have been how open source projects learned who to trust. People would show up, do the work, take responsibility for their changes, and stick around. Over time, trust emerged from the work itself.
The solution, IMO, is a strictly worse version than what we chose in the Zig project (banning LLM contributions).
> AI tools have changed the economics of this very quickly. We use them ourselves every day, but a pull request no longer tells us as much as it used to about the person submitting it. A substantial patch used to imply substantial effort, and that effort was a reasonable proxy for good faith. That assumption no longer holds.
Things that worry me about this choice:
- open source is a tough business and you need to leverage the good things about it to make it worth doing. contributors bring in a huge amount of value that they offer you essentially for free (see contributor poker: https://kristoff.it/blog/contributor-poker-and-ai/), on top of being a hugely valuable recruitment funnel. They're rejecting all of that, which seems insane to me.
- one could argue that LLMs could fill that gap but, first of all they could have just banned LLM usage only in PRs from untrusted contributors, and second even the best LLM: 1. is a cost, not just free value, and the price of tokens is increasing 2. the code has to be reviewed anyway, unless you think that just passing tests is good enough for a browser 3. ultimately can't become a trusted core contributor able of taking ownership of a part of the codebase
- removing the influx of code that comes from PRs means that over time the whole project will have a small number of contributors that own all the code, making it easier for the project to do a license rugpull. when copyright ownership is well distributed this kind of thing is harder to pull off.
Overall, this is not good in my opinion. They're making open source a more problematic business model for them than it has to be, while at the same time making it harder to recruit more core contributors, as the code ownership coalesces to small group of people.
This is an obvious recipe for disaster (a rugpull), and I'm forced to wonder if this is just by mistake or if some of the Ladybird sponsors are playing a mean game of Secret Hitler. I guess only time will tell.
How is this the top post on my favorite website?
This is partly due to Ladybird building on low-level system-language primitives that make it harder to identify problems, and while they are porting to Rust it's not fair to say that C++ is single-handedly the cause of this, because regardless of the language, in a complicated interconnected codebase the complexity easily compounds. It's a real shame we don't have the option of a trust-graph filter stop-gap that can filter contributors with a social model of who is trusted for what, purely as a heuristic to reduce the risk of bad contributions (not as solid proof of soundness).
This whole situation shows the way that development has been done isn't nearly as transparent as just having the source code being available.
We haven't been able to say what we want the code to do in a way that can be tested robustly enough to make openly accepting contributions sustainable, and it's unfair to blame the team for that because on top of needing to develop and review their own changes, it's an incredibly difficult problem with only so many hours in the day. I hope we figure out the representation and social trust graph problems, and that people continue to build on their great work.
Bad actors pay good money for vulnerabilities and patient actors are invested in slowly introducing them. Agent loops like Codex or Claude, with Anthropic's Mythos model finding ~271 Firefox 0-days, and helping fix them shows both the problem and the promise.
It's bitter-sweet in a way that Ladybird is great at showing how the incidental complexity of web browsers could be vastly reduced. To protest being gagged, cryptographers made t-shirts with DeCSS DVD or RSA algorithms on them. Alan Kay suggests that t-shirt computing is actually a useful target, and STEPS by his Viewpoints Research Institute managed to really distill some parts of OS-level and desktop publishing software down into minimal, more understandable abstractions that encode the rules of the programs with more appropriate patterns for the problems at hand, that might more plausibly fit on a small wardrobe of t-shirts. Browsers really need this range of t-shirts making.
As a minority browser user (and someone wanting to build on them), I'm excited to see Ladybird get increasingly usable for real browsing, and I am hopeful that in time, the spec representation gaps, and social trust map heuristics are solvable problems that could restore the dream of open-source, or at least stop a trend of closing (with tldraw doing this much earlier, for a less risky but still thorny project).
Then the linux kernel is doomed. /s
We'll have more such disruptions and we'll learn to live with it.
Also, as I have pointed out before, they seem to develop too slowly for a solid beta this year. You only have to look at the issue tracker and check for URLs not working or even crashing the browser. Ladybird may have gotten better in the last months, but imagine if 50.000 people are using it, you will see more bugs. How do they then handle bug reports?