I've been looking a lot at Godot (another big open source project) PRs lately, and there's been kind of a surge of wholy ai-generated PRs (both code and description). This is agains project-policy, so people creating these PRs usually get mildly told off. What's surprising is that while many submitters take that fairly well, some people get really indignant, essentially calling the maintainers ungrateful.

It's kinda surprising to me that even the people who are all in on ai haven't internalized that there's no inherent value in producing a big lump of code. They've massively decreased the work they put in but still expect the same pre-ai reaction/gratitude when submitting a big PR.

   "A substantial patch used to imply substantial effort, and that effort was a reasonable proxy for good faith. That assumption no longer holds."

I believe this is the key point the article makes and it's valid for most projects out there

On the one hand, if you grew up in the baazzar, moving to the cathedral might feel like the "death of open source" even if it is really just a return to an earlier way of working.

On the other hand, while not accepting external code contributions will certainly improve their security posture it will also make it more difficult to identify who to invite to join the priesthood.

> There will not be a [..] process for submitting patches by [any] means

> Outside involvement still matters: clear bug reports

So I can find a bug, I can fix it, but I am not allowed to tell them how exactly I did it.

Instead they have to re-figure it out. The team must be thrilled to re-do work they know was already put in by others, repeatedly.

As a user-and-eveloper, why would I sink time into a project with such rules that put a barrier to improving my life with the software? It seems much easier to use Firefox or Chromium, where my fixes actually meet open ears.

It was very useful for me in the past when a new Chromium version crashed on my product, that I could go and suggest a fix to V8, and it was rolled out in the next Chromium release so my product worked again (https://github.com/v8/v8/commit/4f8a70adca01c). Without this, maybe Chromium developers would have never bothered to fix it because of lack of time to figure it out.

> a pull request no longer tells us as much as it used to about the person submitting it

Nobody should need to know anything about any person submitting a pull request. Hopefully whether code that makes it into Firefox or Chromium was never based on the "effort" or "faith" of the submitter, but based on the correctness of the code in review.

Reviewing code fixes is strictly easier than coming up with them yourself.

This holds true automatically: In any situation where it isn't, you can just write the code yourself and done.

As a project you can always ignore or close a PR you want to write yourself instead. But it seems unwise to bar yourself from the _option_ of reviewing an outside contribution, or using it as input for your own re-write.

Stuff like this makes me wish AI had never happened.

An open-source projects losing the ability to find and mentor new maintainers is so disappointing.

Fascinating to see that Chromium/Gecko/WebKit are now more "open" browser engines than Ladybird, at least in one important respect.

(Servo is arguably in the middle, accepting outside contributions as long as you don't use AI.)

It's understandable that a team without much funding would have to close off contributions to spare on labor costs. But, it makes me feel that people don't give Google/Mozilla/Apple enough credit for the economic resources they put into enabling openness.

(Personal bias/experience alert: I'm currently retired, but formerly worked at Google on Chrome. I saw many of my coworkers nurture outside contributors, and did some of that myself, both informally and through programs like internships.)

I can understand where they come from. If most of the pull-requests were AI-coded, well, the maintainers are equally capable of prompting Claude Code themselves.

I think the whole game of software engineering, open source or not, has completely changed. A lump of code doesn't mean or imply the same thing as it did 2 years ago.

When AI first happened, I was afraid I was going to eventually lose my job. And while I've been lucky since, many did, and that hurt a lot. When people are losing something to automation, regardless of the economics of the situation, you cheer for the humans, or at least hope that society keeps being fair to those who are most affected.

Now I see communities being affected. When you kill PRs, you not only kill the code contributions, but also massively impact the other, non-tangible contributions like ideas, eyes on code, etc. That feels way worse.

I'm conflicted, confused and afraid, HN. Look at what I just wrote, yet I use claude and deepseek and all the skills and complex harnesses and MCPs and whatnot... But all now seems like a transition phase. Transition to f-ing what though?

A lot of questions cannot be answered unless we dedicate a meaning to our lives. Human touch? Too late? Also: I liked a song and it was sonos. I unliked it after discovering. I feel so stupid, so often.

Sorry for the unhinged digression.

I love Ladybird (have a sticker on my laptop to prove!), I hope they thrive.

Reading this leaves a weird taste in my mouth, since the author tends to regularly make nontrivial >1k LOC PRs (sometimes several per day) and merge them on the same day with no reviews at all. This is even ignoring the LLM aspect; I don't know what % of them are assisted, but even if it was 0%, this isn't the pace of development I'd be comfortable with.

LLMs might be part of why Ladybird is making this decision, but they aren’t the only possible one: SQLite, for example, has been developed this way pretty much forever. To each their own, I guess.

It's inevitable that more projects follow this path.

The elephant in the room is so many projects already operate like this without formally announcing it.

If you look at Blender, one of the biggest and most successful OSS projects out there, it's effectively run as source available. Some PRs make it through, but for the most part there have been heavy barriers to entry to get your work into the product. In this example, it's been key to such a large and complex project with millions of users staying afloat. It's an inconvenient truth.

It's one of those unspoken things in open source - the bigger the project the less you can accept or vet contributions. The less able you are to respond to users because there are too many. The amount of code you need to own balloons. The signal to noise to too much. LLMs have massively exacerbated this issue.

It saddens me to see the communities surrounding free software projects going dark because of the threat posed by AI tools, but I don't know what other solutions there are that would mitigate the threat, particularly when browsers are such a compelling target. Perhaps some kind of trust system a la arxiv.org, where existing users have to vouch for new submissions before a user is themselves trusted? Definitely still vulnerable to abuse, but perhaps less so.

This seems quite misguided and is sad to see. They have every right to do this, but I was looking forward to continuing testing Ladybird as it improves and contributing in the future. I hope servo stays open to contributions, as it seems like it's all we have left.

This rather feels like it's completely stepping away from the thing that made the community around Serenity and Ladybird so good.

I manage multiple open source Github enterprises for the Linux Foundation. Something like this is under discussion in all of them - the amount of terrible PRs and issues being filed is overwhelming.

Wasn't the entire goal of Ladybird to have an open and independent browser engine? Making it effectively closed to contributions makes it.. Not independent anymore. It's now dependent, on few people who work on it, just like any other closed-source or corporate-controlled browser.

Crappy timing for me. Ladybird has never built on musl based systems. I got that working just a couple of days ago (on Chimera Linux) and was hoping to push the changes to the project. I guess I am maintaining that myself now.

Why don’t they take the Linux approach? A browser is like an OS. Linux continues to accept public contributions, through an esoteric process that discourages lazy contributors: https://www.kernel.org/doc/html/latest/process/submitting-pa...

I think from what I can understand about Serenity OS and Ladybird from afar and the kind of Cathedral culture that Andreas Kling values and feels Apple benefits from I'm not wholly surprised that the development of Ladybird took this course.

What I am curious about as someone who has been kind of cheering off on the sidelines is if there's any way that folks could get involved still in the future or if this is in practice permanently a closed project?

BSDs are more cathedral style and getting maintainer status is usually pretty onerous from what I understand but there are at least routes to it available to people willing to make an appropriate level of investment.

I'm not at a point in my life where I can meaningfully provide that kind of time and energy into serenity or ladybird but if my circumstances changed it's the kind of open source project that I would love to dedicate my time and energy towards in the future and I'm sure I'm not alone in feeling that way.

Goodhart's law, again.

I feel like 1/10 comment I make on HN are about this.

So merged PR were until LLMs a good proxy for the ability to code and contribute to a software project. Consequently they were used to estimate if a candidate was potentially good for a position. Merged PR on popular project were thus precious credentials one could "trade" for potential work. Since then the desire to provide PR changed from contributing to a project for its own sake, to make the actual project progress, to signalling.

A new proxy must be found to establish the ability to contribute to a project.

I am old enough to remember what happened to GCC. It was also developed by a closed group of maintainers, because "it couldn't work" as a bazaar-style development. Then EGCS fork happened and became more successful.

I think closing contributions (due) to AI will be looked at in a similar way. Forks open to AI will appear, and take over. And people will return to the open model. I think it needs more proliferation of AI coding and reviewing tools, so that AI contributions can be automatically independently reviewed for quality.

It's surprising to me how many people here seem offended that someone might just not want their code.

I guess it takes quite a lot of experience as a maintainer to realize that 'free' in 'free code contributions by strangers' is like 'free' in 'free puppy'.

I don't like this, but I understand it. I've contributed to the LB project several times, and I have made friends IRL with people who have also contributed to the project. ( we are now friends at uni ) It feels like a stepback because instead of 30-45 contributors every month, you have 15...

i feel like there should be a way to trust a PR ID verification or in-person verification at FOSDEM/DEFCON/Chaos Communication Congress,UNI's, for example.

> Ladybird remains open source. The source code will continue to be publicly available under an open source license.

We usually call open source software without open collaboration source available software.

This is terrible news, defeating core beliefs people had in Ladybird. Not an open browser I wished for.

They could make two kinds of pull requests and add much more strict criteria for public contributions. For example, they could say that the PR has to be smaller in size and well-documented for human review, otherwise it's closed by an automation.

And then if someone wants to do a larger contribution, they could have a process like making an issue, discussing the approach and then collaborating with a maintainer to get it in.

Blocking public contributions means that they want to have complete control of the project and AI is likely a good excuse to do that.

I don’t understand how you’re supposed to cultivate new maintainers if you shut down contribution.

Is this a sponsored project where maintainers are just hired?

It says something about the fragility of contemporary software that a fragment of bad code could result in doom. I think we need to move to much more restrictive computation architectures, inherently partitioned, functionally pure, and resistant to type confusion, pointer manipulation, memory issues etc.

The core problem is that we don't have a PR respect system. 10kLOC from an unfamiliar person with empty GitHub is much different from a pal regularly contributing that you personally know.

Integrating some kind of proof-of-stake system might be a way forward for open source. Nobody wants to shuffle through a pile of low-quality PRs written by LLM.

As much as I wanted to see another browser alternative succeed, Ladybird has lost my trust. Using LLMs to rewrite the entire codebase was already extreme. But eliminating external contributors is a precursor to a rug pull. And rewriting the entire codebase can now be seen as another step in a rug pull.

"A substantial patch used to imply substantial effort, and that effort was a reasonable proxy for good faith. That assumption no longer holds."

This is probably the best, most succinct explanation of what we're seeing happening in the OS world right now.

Very confusing statement. It is definitely true that OSS is on the verge of a crisis because of AI agents, but they clearly said AI is not the reason to reject external contributors: "Whether code was typed by hand is beside the point."

If AI is the problem, the solution would be introducing an AI policy, community trust management system or something like that. Definitely not a closed development process.

"Gain trust through plausible contributions" is a new angle on AI-produced PRs I haven't seen yet.

Though in retrospect we should have seen it. It's been an angle of attack since forever, it only took a lot of effort.

This project gets a lot of publicity for the product it has to show (which, as far as I know, is effectively still inexistent).

Interesting how this post coincides with the Leyden declaration in mathematics: both documents are abot how human-human trust ("in good faith") is eroded by large language models, because a substantially-sized artifact does not necessarily attest to substantial human effort and skills.

I do wish they had left a window open for criteria to whitelist developers who can create PRs. By closing off their developer circle, they are losing the best parts of open-source - new software developers eager to solve large problems with novel approaches.

I develop/maintain several a few small FOSS libraries. I've not received any AI-generated patches/PRs - that I know of, anyway - but I have always had a bias against people coming out of the blue with a PR, as opposed to:

1. Opening an issue. 2. Talking about what they want/need that's not catered to right now. 3. Asking for my thoughts or suggestions - even if they already have a potential PR to submit.

and that is for a small codebase where changes are rarely that big of a deal in terms of amount of effort.

I've gotten a few decent 'cold-submit' PRs as well, but my bias has usually borne out, in that these are usually PRs to reject, and only some of the time get adapted into something useful, following some back-and-forth of course.

So, on the one hand, the measure the LB people are taking seems extreme to me; but the previous state of affairs they allude to seems equally weird. (I mean, unless it's a "here is a two-liner fix for a bug" kind of patches).

For every person wanting to do good in the world there are ten windup merchants of which at least one has darker motives

Recently I got a PR that is (1) genuinely correct and useful, and (2) not from someone who uses the software in question at all. A happy outcome, but clearly the economics of open source contribution have changed.

Although I no way suspect this particular individual of anything untoward, of course it's always possible it could be part of one of the long-term goodwill-generation campaigns mentioned by the Ladybird team. Generating credibility by making seemingly difficult genuine contributions over a long period, then abusing that credibility. But in our particular project we're not in the habit of delegating approval authority, so I'm less concerned about that.

So the new way to contribute is to fork

Make a better Ladybird successfully to the point the original contributors take notice. If the barriers to doing that are truly lower, then it should be easier.

On the whole AI has been a destructive force.

LLMs are killing open source just like they're killing online discussion forums.

It's heartbreaking, my two favorite things about the internet are dying off because human interaction can't outscale AI slop.

Perhaps we should start to describe projects as Open Contributions from now on. With maybe a few Open Contributions Standards to distinguish how this works.

Having read the blog post and then the comments here, I'm rather astonished. Do we understand our craft so little that our only realistic option is to ban LLMs (so-called AI)? Has everyone forgotten we've been in a software crisis for almost sixty years?[0] Have we so internalized the sweat-of-the-brow we've accumulated for decades that it's now part of the identity of being a programmer, and the only reliable signal of whether a contribution is beneficial?

As far as I can tell, architecture, i.e. sound, precise definitions of exactly what a software artifact must do, is now critical. And with LLMs, it's now feasible to begin implementing such things, though many brownfield projects may be intrinsically unsound in ways that their creators are unaware of. In such a world, contributions simply require a modified proof that the software does what it must do, with perhaps additional claims that the maintainers provide.

[0]https://en.wikipedia.org/wiki/Software_crisis

So basically it will become more or less similar to the structure for SQlite and Fossil by Dr.Richar Hipp et al , basically seems most projects that have the requisite manpower/maturity will end up at that kind of structure. In the long run may be interesting from a chain of trust (human as well as code) and interop as any dev from these projects (guilds?) would already have some trust build in.

Surely you can just autoclose any PRs from 1. People you don't know and 2. That are over 100 or even 50 lines?

That way new contributors are forced to start small.

The GenAI mess has delivered a new form of Eternal September[0] but for the software development communities.

I wonder what it will be referred to as, after the dust settles?

[0] https://en.wikipedia.org/wiki/Eternal_September

this is a move in wrong direction, its sad and a bad solution. Ladybird implements specs that must be compliant, making compliance harder is the way to go, proving the code changes does what they are intended for should be made better instead of gate keeping from malicious and "honest" contributors

I wasn't aware of the Ladybird project before this story, and probably would never have reason to use it. But it portends the beginning of the end of software collaboration and the community that goes along with it. If AI is going to do all the coding, then it becomes a pointless exercise. The software tools that we use today will be obsolete in a few years. Nevermind the need for a browser - the paradigm of the GUI desktop won't be necessary either. It will all be verbal instruction. The remaining programmers will just serve a caretaker role during the transition period until their services will no longer be necessary.

I feel like the project just died.

What I fail to understand: Who or how are these AI generated pull requests paid for? There is nothing to gain financially by creating all these AI generated pull requests - yet the increasingly more expensive tokens have to be paid for somehow. How is it paid for? Or are these authors using all their free GPT5.4-mini tokens from Github until hitting the rate limit, day after day? Or are they running some local AI model on their GPU like Qwen and heating the room in they work in, day after day?

I wasn’t around much before GitHub so. I believe I tried submitting patches to the XFCE project but I didn’t get anything accepted to FOSS before GitHub.

In this type of system, if I am competent and can contribute how to do I? By reviewing the maintainers PRs, helping fill out more info for bug reports / root causing?

There had to be some way for a competent user to get involved enough to become a familiar handle to the maintainers and be seen as a possible future maintainer/ expert contributor right?

Opensource doesn't mean open to contributions. The source code is available, you can fork it and apply your patches there.

This is the way to go to reduce supply chain vulnerabilities and to reduce time of mainters reviewing LLM slop.

For an open source project, is there any reason to still accept code contributions?

Feature requests are valuable because they tell you what users want.

Error reports are valuable because they tell you under which circumstances the code fails.

But the code that implements those features and fixes those errors can now be written by AI. AI follows all the rules for how code is supposed to be written in your project. Is already producing very high quality code. And soon it will produce a quality that no human can match.

I paid for Kagi's Orion (even though it's actually a little crappy) because I want options in the browser landscape. I'm really rooting for Ladybird, and just in case they don't offer a paid version in the future, here's a link to how you can sponsor its development: https://opencollective.com/ladybird

Ladybird going source-available is quite unfortunate, seems like Gecko is the only production-ready independent browser engine we're left with.

They may, at this point, go ahead and remove "get involved" block from their website https://ladybird.org/, since it's not possible to contribute anymore.

> Whether code was typed by hand is beside the point. What matters is who is responsible for it once it enters the browser. Ladybird is becoming a browser for real users. The people introducing changes to it must be the people who decide those changes belong in the project, and who will answer for the consequences.

Applies so, so widely. Glad they’re taking (very necessary) action here.

I feel like every time I hear something about Ladybird its literally anything but a working browser to actually play around with.

In the age of AI, perhaps it will be more common to see major forks of open-source projects emerge, with the upstream back-porting a few of the larger features themselves because they're impressed at what the fork is able to do, as opposed to the fork making PR's back into the upstream.

Zig is moving to this direction is well.

What is the process for becoming a maintainer?

Without one they will slowly lose all maintainers by attrition.

The cathedral vs. the bazaar. Makes sense to me.

http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral...

I wonder, if they are really only concerned about trust, will accepting external PRs but never giving commit access to external contributors work for them?

Of course, if they are also concerned about the quality of external PRs then that does not help.

I once submitted a PR to Ladybird, but even in early AI days there were so many open PRs that mine got lost in the noise. I don't really blame the maintainers here. Once the open PRs get to a certain point, it becomes unmanageable.

> For decades, code contributions have been how open source projects learned who to trust. People would show up, do the work, take responsibility for their changes, and stick around. Over time, trust emerged from the work itself.

Trust is key.

I see this as the slow death of OpenSource.

It’s controversial to say, and I may be downvoted, but I’ll share this as a pov: OSS is essentially giving away our work for free. Did that ever really make sense? If it does, why don’t graphic designers give their work away for free? Why don’t authors do that? UX designers?

It’s a very peculiar thing to us nerds.

And the strangest thing is, we may have unwittingly built the data source required to make our skills redundant, as models are trained on the work we gave away for free.

I think this is an interesting narrative.

This is strictly worse than any of the alternatives.

What should probably be done is PRs are treated as “reimplement requests”.

“You had your agent write some code? Great, we’ll take it from here, and reimplement it ourselves.”

Are they going to be using gerrit or a private repo and push changes back regularly?

Sometimes the discussions on PRs are equally valuable to see how a commit was arrived at, and I'd be sad if that got lost in this change.

This feels like a new phase for open source. I think screening people to join development efforts will become the norm, at least for resource-constrained projects. Trust will have to be earned.

Brevity is a more accurate indicator of effort than length.

"I would have written a shorter letter, but I did not have the time." -- Pascal, 1657

I wonder if adding an artificial barrier in form of a donation could help. That's probably the only remaining way to show the good faith.

Their loss.

Think about it. Anthropic just reported that their codebase is now improving itself. We're moments away from every open source repo being able to do the same. Think of it like torrenting — you'll be able to open your repo to the public, and have a stream of code flow in from millions of contributors. More code than you could ever write in ten lifetimes, uploaded to your repository in a matter of days.

Ladybird doesn't know it yet, but they just left themselves in the dust.

To be honest, judging by their repository, it doesn't look like they've stopped accepting third-party PRs.

curious what the "did the pipeline actually do what we think" story looks like now.

"green" and "the right artifact exists" drift apart faster than expected with more automation. exit code wasn't enough for us — had to make the output file the thing that proves a run happened.

it's fair, especially because if people want to contribute to something so badly, they can make their own fork or version of it

they can vibe-code their own browser, there's no need for the public to access every single open-source project anymore, you need to find people you can actually trust

We need stricter verifications / credentials behind GitHub accounts and PRs.

And this we should have had already before AI.

That sucks, I would have hoped that they at least allow previous contributors to somehow make PRs still.

I think there's a lot of confirmation bias in this thread coming from two groups: anti-AI activists and cathedral-development proponents. They take what was written at face value and use it to further their narratives that AI is ruining the world and "social coding" is unsustainable, respectively.

What the Ladybird maintainers did here was messy and a punch in the gut to actual contributors who liked the project and the openness of it. There was no effort to shore things up, just a boilerplate message from a maintainer account then closing of your PR. Of course, Ladybird maintainers have no obligation to outside contributors but it shows a lack of grace nonetheless.

Reading between the lines, there seems to have been a stark shift in attitude from Andreas which is concerning. Ladybird started from SerenityOS (a hobby OS) and he always encouraged everyone to submit a patch. Sure, LLMs have increased the amount of slop PRs, but I feel like those are easy to spot and close accordingly. I don't have links handy, but maintainers would point to a section about AI usage in their CONTRIBUTING.md then close the PR whenever obvious slop was submitted. This idea that people "own" the code they contribute is strange to me; the code would be determined worthy of acceptance at review time, why does someone have to "own" it?

All that is to say: I think there's much darker things going on here and AI+security is a nice scapegoat. Time will tell, but this reeks of a rugpull in the future. Disappointing day.

I think we are going to see a lot opensource project switching to Humans Need Not Apply Mode.

This is one way to rephrase "we don't want your AI slop, thanks.".

I don't understand why people contribute AI slop to existing projects. You move 1000x faster. Just write your own browser in 2 days.

I wonder how can a new browser engine survive with the source available model. Like, why would anyone support this, unless they have business association with the Ladybird developers?

This is a very sad day.

Yes, Ladybird is facing a wall of slop... no... A tsunami of slop overwhelms core maintainers. Probably safe to generalize to other popular open source projects.

The project is important and the code is beautiful! I spent many happy hours trying to understand the code, browser-specs and tried to adapt to their coding style. After 18 months I ended up with a few merged PRs. Some were pure joy to write. I got to work directly with most of their core maintainers in the review cycle. They're great!! From the outside, it seems like their responsiveness to submissions slowed down in the last few months... slop.

Of course, it would be great if there was another way, but here we are.

Love <3 to Andreas and the core maintainer group! Keep up the good fight! Maybe we'll meet again.

Meh. The project died for me when they started using LLMs for development in the first place.

I truly understand why this step was taken, but it is still sad to see the death of open source or rather open contribution. Every project that turns away from open contributions is a project lost to the whims and fuckery of AI Bros.

What I realy want to know how sustainable a model like this is. How does one find new maintainers when old ones leave. When you cannot contribute anymore.

I been thinking about it for a while that we need some score based system where each PR on GitHub/Gitlab grants you a review form the maintainer as well. You build your rep and the maintainers decide about the thresholds for contribution.

I'm surprised this isn't yet a thing. Heck, this can be made independent of GitHub/Gitlab, like a portal which tracks your rep. Could also help you got hired. Think Stackoverflow rep mixed with LinkedIn but for actual code contribution.

Yes I'm aware it sounds Black Mirror-ish. But we need more meritocracy in the world of OS that is otherwise highly anonymous and with very little public authority.

These posts need a BPUF that calls out LLM-generated PRs. No need to read between the lines and wax poetic with walls of text.

A bit sad to see this. Of course they are free to do it the way they prefer, and there are successful projects like this (Notably SQLite) but there has to be a reasonable middle ground between "everyone can just flood us with 30,000-line 'Claude implement feature X make no mistakes' PRs" and "we're not open to outside contributions"

While I understand the motivation for this change, I have to highlight something: GitHub's slogan 'social coding' is becoming more and more true these days. Now opensource will become a thing that only "influential" people can contribute to. We're back to nepotism, not meritocracy. Down hill we go.

One more data point that AI is ruining open source. It's disgusting what these people are doing.

undefined

The problem statement is clear to everybody.

> For decades, code contributions have been how open source projects learned who to trust. People would show up, do the work, take responsibility for their changes, and stick around. Over time, trust emerged from the work itself.

The solution, IMO, is a strictly worse version than what we chose in the Zig project (banning LLM contributions).

> AI tools have changed the economics of this very quickly. We use them ourselves every day, but a pull request no longer tells us as much as it used to about the person submitting it. A substantial patch used to imply substantial effort, and that effort was a reasonable proxy for good faith. That assumption no longer holds.

Things that worry me about this choice:

- open source is a tough business and you need to leverage the good things about it to make it worth doing. contributors bring in a huge amount of value that they offer you essentially for free (see contributor poker: https://kristoff.it/blog/contributor-poker-and-ai/), on top of being a hugely valuable recruitment funnel. They're rejecting all of that, which seems insane to me.

- one could argue that LLMs could fill that gap but, first of all they could have just banned LLM usage only in PRs from untrusted contributors, and second even the best LLM: 1. is a cost, not just free value, and the price of tokens is increasing 2. the code has to be reviewed anyway, unless you think that just passing tests is good enough for a browser 3. ultimately can't become a trusted core contributor able of taking ownership of a part of the codebase

- removing the influx of code that comes from PRs means that over time the whole project will have a small number of contributors that own all the code, making it easier for the project to do a license rugpull. when copyright ownership is well distributed this kind of thing is harder to pull off.

Overall, this is not good in my opinion. They're making open source a more problematic business model for them than it has to be, while at the same time making it harder to recruit more core contributors, as the code ownership coalesces to small group of people.

This is an obvious recipe for disaster (a rugpull), and I'm forced to wonder if this is just by mistake or if some of the Ladybird sponsors are playing a mean game of Secret Hitler. I guess only time will tell.

Honesty. WTF is Ladybird? Feel like as a normal guy doing normal software development I'm living in an alternate reality or something.

How is this the top post on my favorite website?

The cause of this is that the cost of creating plausible code contributions has gone down, so PR proposals can multiply, but flaws still threaten project security and LLMs can be confidently wrong. So human review is needed right now to maintain the integrity of the project, but it takes time and costs money. Ladybird's developers, and we as a community, can't easily evaluate "this is what we want" vs. "this is not what we want" without manual review, because we haven't settled upon a reliable representation of the meaning of our code and its side effects that is time-efficient, secure, and meaningfully interpretable at scale.

This is partly due to Ladybird building on low-level system-language primitives that make it harder to identify problems, and while they are porting to Rust it's not fair to say that C++ is single-handedly the cause of this, because regardless of the language, in a complicated interconnected codebase the complexity easily compounds. It's a real shame we don't have the option of a trust-graph filter stop-gap that can filter contributors with a social model of who is trusted for what, purely as a heuristic to reduce the risk of bad contributions (not as solid proof of soundness).

This whole situation shows the way that development has been done isn't nearly as transparent as just having the source code being available.

We haven't been able to say what we want the code to do in a way that can be tested robustly enough to make openly accepting contributions sustainable, and it's unfair to blame the team for that because on top of needing to develop and review their own changes, it's an incredibly difficult problem with only so many hours in the day. I hope we figure out the representation and social trust graph problems, and that people continue to build on their great work.

Bad actors pay good money for vulnerabilities and patient actors are invested in slowly introducing them. Agent loops like Codex or Claude, with Anthropic's Mythos model finding ~271 Firefox 0-days, and helping fix them shows both the problem and the promise.

It's bitter-sweet in a way that Ladybird is great at showing how the incidental complexity of web browsers could be vastly reduced. To protest being gagged, cryptographers made t-shirts with DeCSS DVD or RSA algorithms on them. Alan Kay suggests that t-shirt computing is actually a useful target, and STEPS by his Viewpoints Research Institute managed to really distill some parts of OS-level and desktop publishing software down into minimal, more understandable abstractions that encode the rules of the programs with more appropriate patterns for the problems at hand, that might more plausibly fit on a small wardrobe of t-shirts. Browsers really need this range of t-shirts making.

As a minority browser user (and someone wanting to build on them), I'm excited to see Ladybird get increasingly usable for real browsing, and I am hopeful that in time, the spec representation gaps, and social trust map heuristics are solvable problems that could restore the dream of open-source, or at least stop a trend of closing (with tldraw doing this much earlier, for a less risky but still thorny project).

Legit

seems reasonable.

undefined

"The Cathedral and the Baazzar"

Oh well, AI bros ruined it. I'm actually glad in some twisted way, because if more projects follow suit and close their development, it will again become an actual badge of honor to get on those teams. Having contributed to such projects will mean something.

[dead]

[dead]

"A browser runs untrusted input from the entire internet on the user’s machine, and one well-disguised vulnerability is all an attacker needs. We have already seen patient, well-resourced campaigns in open source to earn maintainer trust and abuse it."

Then the linux kernel is doomed. /s

[dead]

[flagged]

Seems cold how they present this, but on the other hand I’ve ignored Ladybird because I just don’t think they’ll have meaningful impact, so I remain unaffected by this policy change.

undefined

Cool - how about fewer perma-bans on github for participating in discussions?

Also, as I have pointed out before, they seem to develop too slowly for a solid beta this year. You only have to look at the issue tracker and check for URLs not working or even crashing the browser. Ladybird may have gotten better in the last months, but imagine if 50.000 people are using it, you will see more bugs. How do they then handle bug reports?

Surprising how little appetite for changing norms exists here on HN. Yes, the transition to agentic coding will be difficult, but to me this is mostly exciting. Despite my AI enthusiasm, I also run into shortcomings that the agents have very often, but that's a more interesting learning experience than the status quo without AI would have been!

We'll have more such disruptions and we'll learn to live with it.