A lot of open source folks are going to be very skeptical, rightly so, of this group of players.
> ... to find, fix, and responsibly disclose vulnerabilities in critical open source software ...
How this is implemented is going to be key. Are they going to contribute through (a) existing channels, pull requests etc. or (b) are they going to fork the projects under the guise of 'security' or (c) offer bug bounties or (d) contribute financially?
Approach (a) brings the community along. (b) alienates the community, splits resources, and in the long term will likely cause many open-source projects to die. (c) has potential but timing and speed can be unfavorable for critical bugs, and doesn't mesh with 'responsible disclosure'. (d) can be ineffective for critical bugs unless paired with support for maintainers, which can be incredibly helpful for the opensource ecosystem.
That's a feature to them, not a bug. They want the software and don't want the community.
People talk about contributing financially, but how and to what end? Most projects aren't set up to accept or utilise donations. That said, I would say we should be providing all OSS projects with significant access to AI in order to review their codebases and PRs and hopefully relieve some of the maintenance burden. I know there are some initiatives in this area already.
I read this they would build the patches privately (or with maintainers if confidential) and then share amongst their supporters before public release.
I expect we’ve got a future of “undo forks” as I’ve called them which is rolling back to pre-insanity times and rethinking again. That’s only something people unencumbered by commercial requirements can do.
Instead, millions of developers now gift corporations their work by releasing everything under MIT or Apache, and those corporations take from that treasure trove what they want and give back what they want, which is very often nothing.
Keep in mind I am not a coder/engineer, I’m just kind of a tourist in that world, so if I can do it it’s clearly very achievable for many people.
No reason to throw up your hands in defeat. We don’t need everyone to shift over everything. We just need to make sure there’s always space and demand for open source software to keep it alive.
Gnome and Systemd is a fine example of how fucked up this can get.
I barely have to do it, but imho, this is how software should work and what running a computer should feel like.
> Keep in mind I am not a coder/engineer
How do you control and audit something you don’t understand? What specific steps are you taking?
I prefer easy.
If you prefer difficult, more power to you.
Clearly you don’t feel that strongly about it. You know what would’ve been easier than making an account just to post that comment? Not doing that.
Have you also stopped working, paying your bills, showering, eating, interacting with other people? Not doing any of that is easier than doing it.
There goes all the credibility of this post
So things do get fixed, but it is not due to their graciousness.
> participants will contribute engineering resources
If it works out as planned, we will see. Apart from this, I am not overwhelmed by the claim of this project. It favors centralization and corporate circles, exactly the opposite of what the hacker ethics promotes for good reasons.
> exactly the opposite of what the hacker ethics promotes for good reasons.
Yup. Seems kind of like those zombie plants in the movie "Invasion of the Body Snatchers" (the first remake; though the original is also great, but it was more about communism as threat, whereas the first remake added a bit of alien horror motifes).
You can complain about supply chain problems, or you can actually try to work on it. They're trying to work on it.
Probably not as impressive to a non-Greek, but to a Greek person it creates very strong imagery.
> The akritai (singular akrites) is a term used in the Byzantine Empire in the 9th–11th centuries to denote the frontier soldiers guarding the Empire's eastern border, facing the Muslim states of the Middle East. (Wikipedia)
Akron means edge or border, so "frontiersman" or "those of the border".
EDIT: Commenters seem upset about the Muslim part, I didn’t mean to imply anything, you cannot just copy-paste contemporary disputes and prejudices a thousand years ago. In the historical context it’s just like most borders between different civilizations. The point is that they were a collective organization getting together to defend their land.
So, in terms of a security project an Akritas would be you running an EDR agent on a machine that you own, not some of the signatory companies who basically do not own anything on the edge (end user equipment).
if true, then choosing this name was a very bad decision.
Imagine how Muslims would feel, demonizing them even more, before they were terrorists, now they are attacking open source and hence some organizations need akrites to defend from them.
I really wish such organizations which try to demonize anyone, to fail miserably
But still, the name is a bad, uninformed choice.
It's not Muslim related even at the time they exists.
I mean I guess we have stop calling things the Great Wall because it repelled incursions from the Manchurians and maybe those people who live in their ancestral lands who were defeated and incorporated into modern Chinese society might feel a tinge of anger…
[1] https://en.wikipedia.org/wiki/Mark_Carney%27s_Davos_speech
Thank you very much, but I remember what Google is doing with Android this September (closing third party installs using .apk).
Besides many of the companies on the list are suspext numero uno for the state of open source
> Besides many of the companies on the list are suspext numero uno for the state of open source
On this I agree. This seems indeed just promo advertising to white-wash these companies. They don't really care about ethics in open source.
I think they are predicting that free-software projects are in freefall and no longer attract good people.
I recall reading a Linus Torvalds interview in which he said that Git's killer feature was its current maintainer.
It sounds like a realization that you can only leech off the host so much, and once your host is dead, there is nobody else to leech from.
My entire technology stack was built on Microsoft's ecosystem, not on open source. This was Microsoft's attempt to expand their base for the corporate hiring market and OS market share.
Conversely, open source was a huge barrier for me. When I have a product I've built, I have to get past open source, but accessing open source comes with the barrier of English. And once you get past the English barrier, you hit the cultural barrier.
My hobby projects do integrate with open source, but all the technology that actually makes me money depends entirely on the Microsoft ecosystem. Most of the Asian developers around me are also tied to specific vendors. On the other hand, the Korean companies that do have a culture of contributing to open source are large corporations, and entry is determined by academic pedigree.
Because the entire context of open source is in English, and learning English reliably is expensive in itself. So to properly work as a developer in Korea, you actually need to be vendor dependent. The corporate ecosystem is not oppression; it is the only viable path to education and survival. If you want to grasp the latest trends, you ultimately need curation from a specific company. Some people say Hangul is a great writing system, but to me, this is where it becomes a curse and a shackle.
So when I read Hacker News, I feel just how large the gap in thinking is between the West and the East. The Japanese developers I have talked to mostly talk about coding within corporate environments rather than open source, and Chinese developers are also shaped by their corporate environments. But the posts on HN talk about their 'gardens' being ruined and absorbed by corporations, and they resist that. But since I was raised in a corporate environment from the start, I cannot imagine a different one, so this resistance tends to feel like an aristocratic hobby to me.
On the flip side, HN might see corporations as predators. Technology should be a commons, and developers should be free, not tenant farmers of a platform.
But the irony I personally feel is that to protect this 'garden commons,' they end up creating centralized, non-public coordination mechanisms with the very corporations that plunder the commons. That feels contradictory to me.
For security vulnerability response, non-public coordination may be necessary. If a vulnerability is disclosed before a patch is ready, attackers can create exploits. But the principle of open source is transparency and open discussion, while the Akrites-style security principle is non-public coordination and a single point of contact.
On top of that, corporations used open source as free infrastructure, and now that the risk has grown, they are building corporate-led governance systems based on that risk. That feels ambiguous to me. Of course, open source sponsorship has always had some tension, but if that was buying a craftsman's work, this looks more like buying the craftsman's workshop.
I wonder how Westerners would read this. I am curious. To me, this looks like a political struggle to take control of governance over the commons. Do Westerners see it as the Avengers? The difference in mindset is sometimes painful.
If you ask american/european/english-speaking developers about coding, it will mostly be about/in the context of corporate environments rather than open source too! The majority do not actively or primarily contribute to open source projects, but instead corporate environments as well.
In an alternative timeline where the lingua franca isn't english, I can still see open source culture exist; I don't think the desire to publish and cooperate in public is an inherently "western" culture. It will also run into the same conflict of interest between Open-Source and Corporate: one prefers transparency and full-disclosure, the other prefers privy sharing in the interest of minimizing risk.
The language barrier is interesting, there is more Chinese open source now too, but yes so much is English. I remember using google translate for Nginx from Russian back in the day, and openresty from Chinese, but yes we are lucky,
Many of the names on the list makes the initiative rather suspect. Companies who do a lot to undermine free and open-source software, who hide critical software behind their walls, preventing both its scrutiny and its adaptation and improvement, and two of the LLM giants - they'll "defend open source"? I don't know about that.
> Akrites gives critical infrastructure stakeholders a confidential, structured place to coordinate vulnerability discovery, remediation, and disclosure across the open source projects they depend on
So, a bunch of large corporations - some of who are known to be in bed with the US government - will share vulnerabilities among themselves, out of the public eye? Fishy.
All they're really missing is Oracle and Bambu Lab.
Just another opaque and exclusive subproject of the Linux Foundation.
It might not be the idealistic flavour of open source you prefer, but it's the flavour of open source that's actively in use in most tech companies, and that also forms the makeup of most corporate open source participation (e.g. also the top corporate Linux contributors).
Since a lot of places are close in proximity, companies sometimes run private fiber lines and such to let peers download updates without competing with the entire world lol.
Everyone's fighting the same fight. Sharing and collaborating are normal things.
If it's sent to Akrites, they can even pretend it's done responsibly – even though only megacorps get a seat around that table.
https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguis...
Ambitious and interesting. I wonder how long this will last and on whose dime and time? Akrites employs no engineers, so who will make the fixes and who'll pay them?
A charitable foundation might be plausible to help companies secure their closed for-profit software but it doesn’t really have the same urgency for the fabric of the internet (or the same moral clarity)
Closed software still has many people with access to the code. Governments or researchers have been given access to lots of critical source code. It can also be leaked. I wonder whether attackers are going to be more willing to bribe people with access to source now they have better odds of finding vulnerabilities with limited effort.
But in the examples cited (and really any other large closed piece of code of any significance in this era) it also has owners with money, and they should be compelled to fix their own stuff.
Or open the source code to be fixed, I guess ;-)
Yet still important to be secured due to the impact vulnerabilities can have. And LLMs can work without source code access via utilizing things like debug symbols, disassembly, reverse engineering, etc.
>paid maintainers
Just like open source maintainers their time is already being spent on other things which they see as more important over making the project 100% security bug free. Just because they are being paid, that doesn't make security their number 1 priority.
Still not addressed the moral clarity point being brought up, nor the ramifications of the Linux Foundation choosing which closed source projects to focus on and alienating their mission statement.
Again, your idea is noble but why should the Linux Foundation be saddled with it when those other options exist? OSS needs their focus as their mission outlines.
Well perhaps the companies who employ them to make that software they sell for profit should let them do that first rather than tokenmaxxing, and the great big non-profit effort can get round to them to help a little bit later after it has helped secure all the open-source stuff the internet actually runs on.
“Maintainers of last resort”, my [back].
There isn't a call out for contributors. This is all done behind closed doors. It's the antithesis of free/open source software, presented as defending it.
I don't particularly have any better ideas. And I'm not particularly criticising. It's just a lot of the time the terms are synonymous, but here they starkly different.
They terrorized them to abandon their free time. They terrorized them to find easy solutions in the workplace instead of coming up with solutions that require technical expertise and deep thinking. They terrorized people to not conform to standards, or create standards but instead patch around lack of standardization. They terrorized people to not question, but accept. To become slaves. They did not help them get wide knowledge but be specific on the work, like mass produced meat. They swept all problems under the carpet and said "This time it will be different". No victories, just silence on the defeats.
It has been happening in the past, has accelerated and made worse as they seized more power.
The leap to AI era is the latest and more violent step of this attack on fundamental human rights.
The problem is political in my opinion. People ought to demand a better life and more free time to work on open source or do their hobbies. They ought to demand human centric laws that stop the greed and by enforcing the laws at last.
Free time is not for consumption, but for production of higher intellectual artefacts.
Meanwhile the Germans were working overnight to manufacture bombs. That, alone, is already a sufficient explanation on why we got invaded and lost our country to one of the evilest powers of Earth. France had to be rescued by the Russian, the English and the Americans after losing millions of inhabitants. Because we literally took too much holidays.
The one who works the most reaps the entire benefits. And it’s clearly not good to ask for less work all the time. Today France is peanuts on the international market, we are second at everything. Who heard of DailyMotion, which was once as big as Youtube, or Mistral, which was supposed to be our OpenAI?
> Amazon Web Services
We really don't give a shit, We will continue to not give a shit. We might give you a credit if threatened by the EU but really? We don't give a shit. Keep sending us that sweet dosh for AWS.
> Anthropic
We underpin the front page of the internet with Ai and in so we allow it to train upon the collective with no recognition. It's great to take and not give back. By the way your vibe coded app is looking ownage.
> Cisco
We are Cisco and we'll license you if we could. We invented the subscription model to charge you per Ethernet port on your router. Opensource is great, we don't even have to contribute upstream. We did once upon a time, isn't that enough?
> Citi
In partnership with Linux Foundation, we will do nothing and keep doing nothing. Linus enjoys his dosh and handjob now and then.
> CNCF
Working on the right fixes before the window closes, we prefer that to be left to the developers and we are very proud to support that effort. Unfortunately, no treats for the developers is written in to our company policy. How does pizza sound?
> RedHat
Open source is the foundation of modern software innovation so we hide answers behind a paywall. We sold ourselves to IBM so we could keep lubing that stripper pole to fill our filthy pockets. Larry Ellison will be here soon for his next lap-dance.
> Microsoft & GitHub
We decided to throw legal action at a security analyst for finding exploits in our OS for laughs. Open source all the way, we don't even allow you to search on GitHub without a rate limit; it's healthy to laugh. How's your mother doing? She seems a keen user of Windows 11 and as she is very important to us we've removed that feature she uses most.