Changing how we develop Ladybird

Open Source
AI
Programming
Developer Tools
Security

Ladybird announced that outside code contributions are over. The code stays under an open source license and development stays visible, but only project maintainers will introduce changes. The team’s core claim is not simply “AI code is bad.” It is that pull requests used to signal commitment, understanding, and good faith because writing a substantial patch was expensive. With LLMs, that signal collapsed. For a browser engine, where one subtle vulnerability can matter, they no longer want code entering the tree from people who will not own the consequences.

Most people thought the diagnosis was dead on even if the remedy felt bleak. The discussion kept returning to the same point: code generation got radically cheaper, but understanding, reviewing, and maintaining code did not. That turns PR queues into a cost-transfer machine. Outsiders spend tokens. Maintainers spend the scarce resource, attention. Several maintainers from other projects said they are seeing the same flood of AI-written issues and PRs already, and some said external contributions were often a net negative even before LLMs. The old GitHub model only worked because generating plausible patches had enough friction to act as a rough proof of work. Where the conversation sharpened was on what this means for open source as a social system. A lot of commenters argued this is less the death of open source than a return from GitHub-era “social coding” to older cathedral-style development, where code is public but trust is earned socially and slowly. SQLite, Lua, and parts of the BSD world came up as precedents. Others pushed back that this closes off the main apprenticeship path for future maintainers, especially on ambitious projects like a browser engine. No one had a satisfying replacement. Proposals like reputation systems, issue-first workflows, manual whitelisting, in-person vetting, and contributor bonds all drew interest, but none looked ready to absorb the volume problem without creating new fairness or governance problems. A smaller but persistent argument said Ladybird may be overcorrecting. Some people insisted good drive-by fixes still matter, that reviewing a patch can be cheaper than rediscovering a bug from scratch, and that a blanket ban throws away useful contributions along with slop. That view did not carry the room. The dominant landing point was harsher: if your maintainers are overloaded and your codebase is security-sensitive, banning unsolicited code is rational triage. The broader takeaway people seemed to accept is that “open source” as a license survives, but “open contributions by default” no longer looks like a stable operating model for serious projects.

If you run a repo with meaningful security or maintenance burden, assume low-friction PR intake is no longer sustainable by default. Put more weight on bug reports, design discussion, contributor trust, and explicit ownership before code lands.

June 5, 2026
ladybird.org
Discuss on HN

Key insights

AI removed the old contribution throttle

Cheap code generation did not just make maintainers faster. It let people with little understanding or commitment produce review-shaped output at scale. That breaks the old natural filter where you had to know enough to make something compile and fit the project before you could even bother maintainers. Several people pointed out that replacing that lost friction with money, identity checks, or reputation systems creates ugly second-order problems of exclusion, surveillance, and gaming.

Do not assume better review tooling solves this by itself. You need a deliberate intake mechanism that restores some scarce signal before code review starts, whether that is proposal-first workflows, tighter scopes, or social trust.

Attribution:

DrewADesign #1
abirch #1
applfanboysbgon #1
leoc #1

LLMs broke the author-reader social contract

The useful framing here was broader than code review. People argued that LLMs undermine a norm that the writer has done more intellectual work than the reader will need to spend making sense of the artifact. That norm made long emails, essays, bug reports, and patches worth engaging with. Once generating plausible text or code is cheap, readers can no longer trust that the author paid the upfront cost, so every artifact becomes more suspicious and more expensive to consume.

Expect review processes to shift toward artifacts that reveal reasoning, not just output. Design docs, repro steps, and evidence of iteration now carry more signal than polished text or large diffs.

Attribution:

noIdeaTheSecond #1
crabmusket #1 #2
foresto #1

Issue-first workflows are becoming mandatory

One practical direction people converged on was moving the trust gate earlier than the pull request. The suggestion was to require proposals or approved issue threads before code is even considered, then automate rejection of patches that bypass that path. That does not solve every problem, but it moves maintainer attention from validating a blob of code to judging whether the idea is wanted and whether the contributor will collaborate on intent.

If your repo still accepts PRs, make unsolicited implementation the exception, not the default. Add templates, approval checkpoints, and automation that reject code without prior design or issue alignment.

Attribution:

zzzeek #1
jakolaptu #1
lucideer #1

The maintainer recruitment funnel is now broken

The strongest long-term concern was not whether Ladybird can protect itself today, but how projects find tomorrow’s core team once drive-by patches stop being useful. The old model let contributors prove themselves through a sequence of small accepted fixes. If that path is gone, projects either recruit like companies, scout maintainers from successful forks, or rely on much more explicit social onboarding. None of those are as broad or organic as the old funnel.

Projects that close contribution need a replacement path for trusted humans. If you do not define one, expect maintainer attrition to become a strategic risk even if the short-term code quality improves.

Attribution:

munificent #1
smartmic #1
appreciatorBus #1
cestith #1

Internal AI use is not the same risk

Some people called hypocrisy on Ladybird maintainers using LLMs while rejecting outside AI-assisted code. The more persuasive response was that the key variable is ownership, not whether a model touched the code. A maintainer steering an agent inside their own workflow has project context, bears the pager burden, and decides what belongs. A stranger’s generated patch arrives without that accountability and is harder to audit for subtle security problems or misaligned design choices.

If you allow AI in your team, be explicit that the policy hinges on accountability and context, not purity tests about hand-written code. That distinction will matter to contributors and to your own engineering standards.

Attribution:

adrian17 #1
bakugo #1
soerxpso #1
mikkelam #1

Public code may stay open while discussion goes dark

One underappreciated consequence is that trust-based contribution pushes coordination into private or semi-private spaces. People worried less about code visibility, which Ladybird keeps, and more about losing world-readable discussion, review history, and institutional knowledge as communities retreat to invite-only chats, conferences, or closed social circles. That makes software harder to learn from even if the license stays permissive.

If you tighten contribution, compensate by keeping design discussion and rationale public whenever possible. Otherwise you preserve the source code but lose much of the educational and governance value people associate with open development.

Attribution:

thewebguyd #1 #2
krapp #1

Against the grain

Drive-by fixes still save real work

The main pushback was that a good patch can still be cheaper to evaluate than re-deriving the bug and re-implementing the fix yourself. One experienced contributor argued this workflow is foundational to open source, especially for small and medium fixes discovered by users in the course of their own work. The stronger version of this critique is not that maintainers must merge everything. It is that banning code entirely discards useful optional input that can accelerate bug resolution.

If your project is considering a full shutdown of external code, check whether a narrower lane for small, well-scoped fixes would preserve high-value contributions without reopening the floodgates.

Attribution:

nh2 #1
tuyiown #1
froh #1

AI-assisted work can still be high signal

A few commenters objected to collapsing all AI use into slop. They described agent-driven work that still involves substantial human effort in setup, validation, testing, and iteration. Their point was not that Ladybird owes review time to that work. It was that maintainers currently lack a reliable way to distinguish careful AI-assisted contributions from one-shot garbage, so the policy throws both away.

Avoid framing the problem as 'AI code has no value.' The more accurate problem is that your intake process cannot cheaply separate disciplined AI-assisted work from junk.

Attribution:

rpdillon #1
rjh29 #1
ajjenkins #1

The policy may also reflect control ambitions

Some skeptics thought AI is only part of the story. They argued that stricter contribution gating also increases central control over roadmap, code ownership, and possibly future relicensing leverage, especially with a permissive license and a sponsor-backed project. This did not become the dominant interpretation, but it remained a live suspicion because the policy is broader than 'no AI PRs' and cuts off even established contributors.

If you make a move like this, explain governance and maintainer growth plans in detail. Otherwise people will fill the gap with theories about consolidation, licensing moves, or a future rug pull.

Attribution:

ajjenkins #1
rjh29 #1
hypeatei #1

In plain english

Drive-by fixes ↩

Small code contributions from people who are not long-term maintainers and may only interact with the project once or twice.

GitHub ↩

A platform for hosting code and collaborating on software projects.

Pager ↩

On-call alerting responsibility for responding to production incidents and outages.

PR ↩

Pull request, a proposed code change submitted for review before being merged into a shared codebase.

Reference links

Ladybird and related project posts

Changing how we develop Ladybird
The announcement being discussed, explaining why Ladybird will stop accepting public pull requests
Ladybird adopting Rust
Referenced while discussing Ladybird's broader technical direction and LLM-assisted rewrite work

Open source process and governance

Open-Source Isn't About You
Shared as a statement of maintainer-centered expectations for open source participation
Contributor Poker and AI
Cited as Zig's alternative framing for handling AI-era contribution trust
Linux kernel submitting patches guide
Used as an example of a higher-friction contribution process that still remains open
The Cathedral and the Bazaar
Referenced repeatedly as the classic framing for open versus closed development models

Trust, writing, and AI social norms

The Social Contract of Writing
Linked to support the idea that LLMs break the expected effort relationship between writer and reader
Oxide RFD 576 section on LLMs as writers
Quoted for the clearest formulation of the social-contract argument around AI-generated prose
Leyden Declaration
Mentioned as a parallel response in mathematics to trust and authorship problems created by language models

Examples of AI PR pressure in other projects

Godot .NET web export bounty
Offered as an example of a bounty that appears to attract many shallow AI-generated attempts
Godot blog on web .NET prototype
Provides technical background for why re-adding C# web exports is harder than many AI PRs imply
Godot pull request 119972
Example PR tied to the discussion of repeated AI attempts on the same hard feature
Godot AI-authored PR examples
One of several linked PRs cited as likely LLM-authored attempts at the same feature

Reputation and trust tooling

vouch
Example of a trust or endorsement system for contributors
fossier
Another linked attempt at contributor trust and reputation management

Evidence on AI coding productivity

NBER paper: Writing Code vs. Shipping Code
Used to argue that AI greatly increases code generation but much less strongly improves shipped outcomes
Financial Times summary of the NBER paper
Quoted for the funnel view from more files edited to far smaller release gains

Examples of projects and communities handling contributions differently

WebKit contribution guide
Linked to rebut the claim that WebKit is closed to outside contributions
Servo maintainer Mastodon post welcoming contributions
Shared to contrast Ladybird with a browser engine project still actively mentoring newcomers
Gray Mirror essay on Sam Altman
Posted as a broader critique of the AI moment and its social effects

Changing how we develop Ladybird

Discussion mood

Key insights

Against the grain

In plain english

Reference links

Ladybird and related project posts

Open source process and governance

Trust, writing, and AI social norms

Examples of AI PR pressure in other projects

Reputation and trust tooling

Evidence on AI coding productivity

Examples of projects and communities handling contributions differently