We all depend on open source. We will defend it together

Open Source
Security
AI
Infrastructure
Governance

Akrites is a new Linux Foundation effort framed as a joint defense of critical open source software. The letter says big companies will contribute engineering talent, money, and AI-based security help to coordinate vulnerability discovery, remediation, and disclosure. It also claims Akrites can step in as a maintainer of last resort when an important package has no active maintainer. That is the core promise. Not a general funding drive for open source, but a centralized mechanism for privately handling security issues in software large companies depend on.

The reaction was skeptical from the start because the signatories are exactly the firms many people blame for free-riding on open source, over-centralizing infrastructure, and flooding maintainers with AI noise. The main objection was not that coordinated disclosure is illegitimate. Most people accepted that private handling of unfixed vulnerabilities is normal security practice. The objection was that Akrites reads like a corporate control layer sitting on top of the commons. The phrases that set people off were “confidential, trusted place” and “maintainer of last resort.” Those sound less like help and more like a path to private forks, pressure on maintainers, or de facto control over package health and release timing. Where the conversation landed was more concrete than the outrage. People kept asking the same operational questions: who actually writes patches, how those fixes reach upstream projects, what counts as a “critical” package, what happens when the original maintainer disagrees, and whether this work goes through normal community channels or around them. Several comments argued that the whole effort should be judged on that implementation detail alone. If Akrites mostly funds maintainers, buys them time, provides CI, hardware, audits, and respectful security assistance, it could help. If it mostly scans code with AI, batches up reports, and escalates fixes through private corporate workflows, it will make open source worse while claiming to save it. A second theme was that the real current crisis in open source is not undiscovered bugs in famous projects. It is trust collapse around the long tail of underfunded maintainers and the flood of low-quality AI-generated reports and pull requests. That made the letter feel mis-aimed. Big projects already have corporate backing and governance. Small dependencies that everything rests on usually do not, and several people noted that these announcements rarely say how the long tail gets paid, protected, or given agency. The most persuasive practical alternative was simple: fund maintainers directly, provide infrastructure and paid review work, and make any automated security help opt-in and maintainer-first. There was some pushback to the doomier takes. A few commenters noted that corporate employees already do a huge share of maintenance on Linux, Kubernetes, and other load-bearing open source, so corporate participation itself is not the scandal. Others defended the Linux Foundation’s record as better than critics allow, especially when it provides governance and operational support without closing projects off. But even among people open to the idea, enthusiasm was thin. The consensus was that Akrites has not yet earned trust. It might become useful infrastructure, but only if it behaves like a service to maintainers instead of a command center above them.

Treat this less as a feel-good defense of open source and more as an attempt to build shared corporate security infrastructure around it. If you rely on open source, watch the governance, maintainer incentives, and disclosure process much more closely than the PR language.

June 26, 2026
akrites.org
Discuss on HN

Discussion mood

Strongly skeptical and distrustful. The dominant mood was that the initiative looks like corporate PR wrapped around a centralized private security process, with worries about AI-generated maintainer burden, governance capture, and vague promises that stop short of direct support for the people actually keeping projects alive.

Key insights

Support model matters more than branding

The useful way to read Akrites is as a choice among contribution models, not as a statement of values. The high-signal distinction was between working through normal upstream channels, forking under security pretexts, paying bounties, or funding maintainers and project operations. Experience from Linux Foundation projects suggested bounties generate lots of noise, while practical support like CI credits, paid mentorships, audits, hosting, and maintainer summits does more to improve security capacity without overwhelming small teams.

Ask any vendor or foundation backing security work which bucket they are funding. If the answer is mostly scanning and bounty intake, expect maintainer pain. If it includes staff time, audits, CI, hardware, and direct maintainer support, the odds are much better.

Attribution:

ninjagoo #1
RyJones #1

Money and hardware beat slogans

Several practitioners cut through the rhetoric and pointed at mundane needs that actually change outcomes. OpenBSD developers need current hardware. Individual contributors need steady personal support. Maintainers need paid time more than another declaration that open source is vital. That reframed the whole letter. Security coordination is not the scarce resource by itself. Maintainer bandwidth is.

If your company depends on a project, fund the humans and the equipment first. Small recurring payments, hardware grants, and contract review work will do more than joining another consortium.

Attribution:

amouat #1
brynet #1 #2
bitlad #1

AI slop is the immediate security problem

The sharpest operational critique was that maintainers are already drowning in low-quality AI-generated bug reports and pull requests. In that environment, another AI-assisted vulnerability program can easily worsen the workload even if its intentions are good. The bottleneck is no longer finding theoretical issues. It is preserving enough trust and reviewer attention to separate real bugs from generated noise and to land fixes without burning out maintainers.

If you build tooling for open source security, optimize for triage quality and maintainer consent, not report volume. Teams that consume open source should expect noisier intake and invest in filtering before forwarding anything upstream.

Attribution:

kccqzy #1
smartmic #1
Yokohiii #1
remywang #1
rjzzleep #1

The long tail is still missing

Big open source and small open source were treated as different worlds. Large projects under foundations and major vendors already have staff, governance, and visibility. The fragile part of the ecosystem is the long tail of tiny dependencies maintained by one person in their spare time. Akrites talks about critical packages, but commenters saw little sign that the structure is designed to help the smaller projects that create the deepest supply-chain risk. An opt-in model that sends findings only to maintainers was proposed as a more workable pattern.

Map your dependency tree past the famous projects. The biggest organizational risk is often in obscure packages with no staffing, not the flagship components your procurement team recognizes.

Attribution:

bmitch3020 #1
cryo32 #1
seanclayton #1

Big contributions fail on trust, not code

One maintainer explained why outside help so often stalls. Large patches from new contributors are risky because the contributor is usually focused on shipping a feature, not the long-term burden on the project, and may disappear before the work is finished. That means maintainers inherit cleanup and support work. This is a strong warning for any centralized security effort that plans to drop complex fixes into projects it does not already help run. The hard part is not generating patches. It is earning enough trust that maintainers believe the sender will stay involved.

When contributing substantial fixes to open source, budget for follow-through, review cycles, and maintenance after merge. If your security program cannot commit to that, keep the scope smaller or fund someone who can.

Attribution:

bigfishrunning #1 #2
Sean-Der #1

The name choice signaled shallow understanding

The branding itself became evidence against the initiative. Greek commenters said “Akrites” refers to frontier defenders, not the etymology claimed on the site about sharing a root with “critical.” Others added that the historical Akritai were local border defenders with land and incentives, which ironically would map better to end users and maintainers than to a club of large corporations. The result was that even the name felt like corporate mythology pasted over a weak grasp of the culture it was borrowing from.

For trust-sensitive infrastructure efforts, sloppy branding hurts more than it seems. If the public-facing story gets basic details wrong, technical stakeholders will assume the governance story is fuzzy too.

Attribution:

tsoukase #1
tpoacher #1
oersted #1
mohamedkoubaa #1
adamo #1
antran22 #1

Against the grain

Corporate maintainers already are open source

The strongest pushback to the anti-corporate mood was that large companies are not outsiders crashing an otherwise independent commons. For Linux, Kubernetes, and much of the modern stack, paid employees at major firms already do most of the maintenance and carry most of the operating burden. From that angle, a corporate security coalition is not a hostile takeover of open source. It is a formalization of who already keeps the lights on.

Do not build your strategy around a romantic model of open source that ignores who maintains your dependencies today. Governance risks are real, but so is the fact that many critical projects already run on corporate payrolls.

Attribution:

nickelpro #1 #2
blcknight #1
hobofan #1

Finding bugs is still useful work

One rebuttal to the burnout narrative argued that vulnerability discovery itself should not be treated as exploitation. Programs like OSS-Fuzz did not create the bugs. They surfaced them. Downstream users need that information even when maintainers cannot fix everything immediately. Another comment added that at least some companies being attacked in the conversation do contribute money back to projects like FFmpeg, which complicates the blanket “leech” framing.

Separate the burden of remediation from the value of discovery. In your own security processes, keep reporting and fixing linked, but do not pretend unseen bugs are kinder to maintainers than visible ones.

Attribution:

woodruffw #1
oneshtein #1
Dylan16807 #1

Private disclosure is not anti-open by itself

Some of the criticism treated confidentiality as inherently incompatible with open source. That overreaches. Responsible disclosure often requires a private window before release, and one commenter flatly argued that Linux Foundation involvement means the work will not stay closed forever. The real issue is not whether some part of the process is private. It is who gets access, how long the embargo lasts, and whether maintainers remain in control of the upstream outcome.

When evaluating coordinated disclosure groups, focus on the disclosure policy and maintainer role rather than rejecting privacy on principle. Temporary secrecy is normal. Unaccountable gatekeeping is the actual danger.

Attribution:

benj111 #1
jrm4 #1
Fordec #1
justincormack #1

In plain english

AI ↩

Artificial intelligence, here mainly referring to large-scale machine learning systems and the infrastructure used to train and run them.

CI ↩

Continuous integration, automated systems that build and test code changes so teams can catch problems early.

OSS-Fuzz ↩

A Google-backed service that automatically tests open source software for bugs by feeding programs unexpected inputs.

Reference links

Linux Foundation and related projects

LF Decentralized Trust
Given as an example of Linux Foundation support mechanisms such as audits, mentorships, and infrastructure for projects
OpenWallet Foundation
Cited as another Linux Foundation project receiving infrastructure and developer support
Post-Quantum Cryptography Alliance
Mentioned as a Linux Foundation effort that uses cloud credits and mentorship support
PQCA benchmarks
Linked as a concrete example of work supported through the PQCA program
Open Source Security Foundation
Referenced as an example of Linux Foundation work aimed at supporting open source security

Open source project funding and hardware support

OpenBSD hardware wish list
Used to show the practical hardware needs of volunteer developers
OpenBSD Foundation 2026 campaign
Shared as a concrete funding target for a major open source project
Wall of Pizza
Offered as a way to directly support individual contributors personally

Security and maintenance examples

EF Core issue 38257
Linked as an example used to criticize Microsoft's response time to a dependency vulnerability
libxml2 becomes officially unmaintained
Shared as an example of maintainer burnout and abandonment in critical infrastructure software

Background on naming and history

Akritai
Referenced repeatedly to explain and dispute the historical meaning of the initiative's name
Mark Carney's Davos speech
Linked as a modern analogy for middle powers acting together for self-defense

Books and historical context

California tech culture that shaped Apple in the 1970s
Shared to connect today's open source politics to Silicon Valley counterculture roots
From Counterculture to Cyberculture
Recommended for understanding the cultural history behind personal computing and open source ideology
What the Dormouse Said
Recommended as another book on Silicon Valley's counterculture origins

Governance and ecosystem control

Apache Software Foundation mission statement
Quoted to argue that open protocols and shared infrastructure exist partly to prevent single-company control
Embrace, extend, and extinguish
Used to frame fears that platform owners could absorb and control open ecosystems