Vulnerability scanning
I think this crazy artificial intelligence bug hunting era might end up doing good for open source.
Sure, it sucks right now. Everyone across the board reports a massive increase in valid vulnerability reports: Daniel Stenberg is very vocal about it, the Go toolchain has been disclosing several CVEs a week, my fedi feed is full of AI security.
None of my projects are xkcd 2347 compliant, so I do not know what it really feels like and I have no skin in the game. But I like to think that makes my vision clearer, because I do not have to struggle with it day to day.
We are on the edge of something new, that is for certain.
curl pays nothing for security reports, and people keep filing them anyway. I do not know of any other software project of that size that is likely to contain fewer issues.
Rust projects are largely spared memory-safety vulnerabilities, but uutils was not spared CVEs either.
You can go beyond Rust, to languages where compilation approaches a mathematical proof of correctness, and you can still find terrible vulnerabilities in the program's behavior, in the parts the proof never covered.
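As an added illustration of that point (this is my own example, not code from uutils or any other project, and the base directory and file names are made up): a Rust function can be memory-safe, type-checked and free of `unsafe`, and still be a textbook path traversal, because the check it performs is the wrong check. The naive version below tests a string prefix, which `../` walks straight through; the second version walks path components lexically and refuses anything that climbs above the base.

```rust
use std::path::{Component, Path, PathBuf};

/// Naive containment check: memory-safe and still wrong.
/// "/srv/files/../etc/passwd" starts with "/srv/files", so it passes.
pub fn naive_is_inside(base: &str, requested: &str) -> bool {
    let joined = format!("{}/{}", base.trim_end_matches('/'), requested);
    joined.starts_with(base)
}

/// Lexical sandboxing: join `requested` onto `base` component by component,
/// rejecting absolute paths and any `..` that would leave `base`.
/// Returns the resolved path, or None if the request must be refused.
pub fn safe_join(base: &Path, requested: &str) -> Option<PathBuf> {
    let req = Path::new(requested);
    if req.is_absolute() {
        return None;
    }
    let mut depth = 0usize; // how many components below `base` we are
    let mut out = base.to_path_buf();
    for c in req.components() {
        match c {
            Component::Normal(seg) => {
                out.push(seg);
                depth += 1;
            }
            Component::CurDir => {}
            Component::ParentDir => {
                if depth == 0 {
                    return None; // would climb above base
                }
                out.pop();
                depth -= 1;
            }
            Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    Some(out)
}

fn main() {
    let base = Path::new("/srv/files"); // hypothetical sandbox root
    println!("naive: {}", naive_is_inside("/srv/files", "../etc/passwd"));
    println!("safe:  {:?}", safe_join(base, "../etc/passwd"));
    println!("safe:  {:?}", safe_join(base, "docs/../readme.txt"));
}
```

The bug is not in the language: nothing here would panic, overflow or alias. It is in what the author decided to check, which is exactly the class of bug a prompt-driven white-box review tends to find and a fuzzer tends not to.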
Open or not
Do you know what kind of software is not getting this attention? All of the proprietary code.
I am sure they are being hit by vulnerabilities as well, but white-box analysis driven by a dozen different people's prompts will go much further than AI-driven input fuzzing of a binary.
I believe open source will come out stronger and more confident of itself.
Andrew Nesbitt has been blogging about the amount of core software infrastructure maintained by a single person for several months now, Josh Bressers has mentioned it in his recent podcast episode as well.
There will be casualties in this battle, it will not be pretty, but perhaps this is the step that properly opens the discussion about open-source sustainability. Go follow Andrew, he's great.
A popular open-source project that survives 2026 will have had more money poured into scanning it for security issues than anyone else could hope to match. If it has to go the way of open disclosures and public CVE fixes, so be it.
Maybe Linus's Law still applies, and we are learning to use our eyes.