Take it easy. A guide to avoid burnown during the Vulnpocalypse

danigm — Fri, 05 Jun 2026 12:00:00 +0200

Do not let the AI to remove the fun part from software development. We shouldn't allow gen AI to write software just because it "can". First, we must ask if it "should" do it, and even then, we should ask if we want to delegate the fun part, the thinking, the writing, the learning.

Remember what's important, journey before destination, we are the Code:

Do not let AI to destroy the community, do not let it destroy the technological knowledge commons.

tl;dr

Open Source maintainers are dealing with a lot of new reports and pressure to "fix" the project due to generative AI.

We need to find a way of stopping this and get back to something maintainable before all maintainers get burned out and look for a job in a farm:

100% secure software doesn't exists, so there will be always a possible CVE there. As Spaf said in 1989:

The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.

Fixing bugs, adds new bugs, and if you need to fix something quick, the probability of new bugs will be higher. Do not forget about the First Law of Programming:

If it works, don't touch it

The amount of CVE reports is lowering the CVE credibility and quality, so if everything is a "high" security issue, we can't prioritize now and these reports are not different from random issues in github. Do not listen to The Boy Who Cried Wolf
Stable software is sable because it doesn't change too much. It's something that we are willing to loose trying to reach the impossible of 100% secure software?

The actual problem

There's a lot of money in AI tech right now, and everyone is trying to make the best gen AI tool or just pretend that their tool is the best.

In relation with the software analysis and writing, targeting the open source is the obvious strategy.

It's interesting to scrap every line of code, patch, pull request, issue and discussion around software to train your model, so AI scrappers are DDoSing open source projects infrastructure.
To promote their tools or themselves, Security Researches are using AI to target any project, reporting High security vulnerabilities, with the only goal of getting a CVE number to say how good they are.

This second point is affecting maintainers, because now you are receiving a lot of poor quality security reports, that are generated with AI and that looks plausible and are hard to read. You need to spend a lot of time to check if there's an actual wolf there or if it's again this boy that's tricking me.

This is burning the energy of maintainers, that instead of doing something productive are wasting their limited time talking with a Stocatic Parrot.

Do not let the AI Bros to use classic manipulation techniques on you!

A lot of open source projects are maintained by volunteers that do the work with passion and love. And even if it's the job that paid your bills, the maintainer can feel the pressure. When someone put a lot of love in something and work on it during years, it's part of his identity, so attacking the software is like attacking the person behind it.

This is nothing new, and a lot of people take advantage of this emotional link to manipulate the maintainer to do something that he do not want to do.

AI bros are using these techniques, do not let them to manipulate you and define your project agenda.

Here's a (not complete) list of known manipulation techniques that you can detect (and disarm!) in your daily community work:

Flooding the queue. Just create so many new issues that the actual maintainers can't deal with it. You feel responsible for the project and feel bad because your TO-DO list is growing.
This software is not secure (doesn't do what I want), I will use this other one instead that's better. The classic, "GNOME doesn't allow me to change this specific preference, I'll use KDE from now on".
This software is low quality, it doesn't follow the (my random) quality standards. Direct attack to the maintainer self-esteem.
Gaslighting software development. LLM are expert at this and people that uses it just copy the tactic. When the maintainer detects something weird and just tries to blame the other person for reporting nonsense and wasting all people time, it starts to invent new arguments and ignore the previous interaction.

So, take it easy, and remember the best clause in almost any software project, THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU:

Disclaimer of Warranty.

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT
WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND
PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE
DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR
CORRECTION.

Is the software more insecure in 2026?

No. Anyone old enough could remember how insecure old software was. Do you remember windows 98? Do you remember the internet when everything was http (without that little s at the end), when people use ftp to logging into their server and modify the php code directly on production?

It's true that today we have more dependency on technology, but it's also true that everything is more secure, we have more and better cryptography, we have different levels of isolation, virtual environments, containers, virtual machines...

But we have the feeling that since AI can analyse all the software and look for vulnerabilities, we are doomed, because any stupid kid can hack my over engineered GNU/Linux machine!

First, that's not true, you need to know about security to get something useful from any AI tool. But even if it was true, what can you do about it? We need to be practical and find a balance between risk and usefulness, so do not overestimate the risk just because everyone is talking about it right now.

But even then, the security paranoia is not good for anyone. Software is inherently buggy, people write software and makes mistakes, so a possible vulnerability appears. In theory, these bugs are fixed when discovered, so it's always recommended to update to the latest version, because almost all known bugs will be fixed.

But it's also known that new versions comes with new functionality and code, and that means new "unknown" bugs or different behavior. That's a headache, so that's why the stable and Long Term Support are popular distributions, because "if it works, don't touch it".

Stable packages just get the fixes, not new features, but fixes are also code changes, so there's always a possibility to break something, even with a patch update.

The stable software has a lot of value, do not let the AI security paranoia destroy that, and convert everything in a rolling release with the latest and greatest (and possibly broken) software. Sometimes it's better to keep using something old, with known vulnerabilities that you can mitigate, than use the latest with unknown new vulnerabilities that you can't do anything about.

I will fight AI with AI

Please, do not do that. What I was trying to argue during this long post is not a technical problem. The current burnout problem in open source is a social problem, you can't fix it with a new layer of probabilistic tokens.

Community reaction against AI. The current industry push for the usage of AI everywhere is affecting a lot of people, and as a reaction a lot of people are directly fighting back. Using gen AI just sends the message that you do not care enough to do it yourself, and destroy the trust on the project.
It doesn't worth it. Even if the AI works (that it doesn't) it doesn't worth it. Writing code is easier than reviewing, you learn and grow with every new line of code that you write, delegating the fun part and personal growth part to an AI will make you work more miserable and you will be a junior forever.
It doesn't create community. Think about it, it's hard to get someone involved in a software project, but who will want to read or improve the code produced by a gen AI? The only future collaborator will be another AI.

Take it easy

Just remember, you can always say no, there's no hurry, and there's no need to work on something that you don't want just because other people consider that important.

Free Source is something done by people, for people. The software is important, but the community around it is sometimes more important. We use Free source not because it's technically better (that it is), but because we trust who, how and why are writing it.

Remember why are you doing this, do not remove the Fun part, continue with the Just for Fun mood.

FOSDEM''13

danigm — Mon, 11 Feb 2013 00:00:00 +0100

Wadobo en el FOSDEM 2013

Este año, Wadobo al completo se ha pasado por el FOSDEM (The Free and Open source Software Developers’ European Meeting), y hemos aprovechado el evento para enterarnos de primera mano de qué es lo que se está moviendo en el mundo del software libre.

Este año, a diferencia del FOSDEM del 2011, donde Edulix habló sobre Timebank y también sobre Ágora, no hemos dado ninguna charla, no por falta de ganas o temas sobre los que hablar, sino más bien porque lo hemos ido dejando pasar y al final no hemos propuesto nada. Supongo que el año que viene estaremos allí otra vez y esta vez con alguna que otra charla.

Hacia dónde va el desarrollo

El FOSDEM es un gran evento que se desarrolla en un corto periodo de tiempo y donde se presentan simultáneamente muchísimas charlas realmente interesantes sobre diferentes tecnologías, sin embargo personalmente he presenciado un ligero cambio en la masa de desarrolladores, o más bien en el interés general.

Mozilla tuvo una sala llena de charlas los dos días. Se habló de web, de comunidad y de firefox, pero sobre todo se habló de Firefox OS. Y creo que es uno de los temas que más atención han recibido en este FOSDEM.

Actualmente las plataformas programables se han multiplicado y hoy en día no sólo existen los ordenadores tradicionales, han aparecido multitud de dispositivos y eso se está notando en la comunidad de software libre, que parece empezar a buscar dispositivos realmente libres sobre los que trabajar. Firefox OS promete algo más de libertad, y también anda por ahí ubuntu y otras cosas como jolla. Por lo que me puedo aventurar a prever un gran movimiento de desarrolladores a este tipo de proyectos que son realmente prometedores llevando el software libre un poco más allá.

Por lo tanto y viendo las diferentes charlas de este último FOSDEM me da la impresión de que el interés en el mundo del software libre, y creo que del desarrollo de software en general, está tendiendo hacia los nuevos dispositivos. Y no creo que este creciente interés sobre estas nuevas tecnologías vaya en detrimento de grandes proyectos que en el pasado pudieron ser el gran foco de interés, como las grandes distribuciones o los entornos de escritorio tradicionales, sino más bien creo que la comunidad de software libre está creciendo y llegando a lugares donde antes era imposible llegar.

Otras cosillas

Hay un par de cosas que han llamado mi atención durante el FOSDEM. Lo primero es la tecnología webrtc, me enteré de esta tecnología en una charla de mozilla y la verdad es que es algo bastante interesante. Esta charla ha motivado que me haya descargado y compilado el firefox desde el repositorio para jugar un poco y tengo pensado hacer algún tipo de aplicación de ejemplo para explorar las posibilidades que ofrece.

La otra cosa que me ha llamado la atención durante este evento ha sido el anuncio de GNOME de la elección del lenguaje oficial para el desarrollo de aplicaciones, y este no es otro que javascript. Aún siendo un defensor de python para todo tengo que decir que no es ninguna locura, javascript es un lenguaje de alto nivel y junto con gobject-instrospection gjs es una herramienta bastante potente. A partir de ahora lo único que hay que hacer es generar buena documentación y el número de aplicaciones para gnome en js crecerá considerablemente, gnome puede convertirse en una buena plataforma de desarrollo.

Lo peor

El FOSDEM es un evento bastante popular y cada vez va más gente lo que en principio es bueno, pero el espacio es finito y se convierte en un problema el pillar sitio para ir a las charlas interesantes. Por ejemplo este año había un track de python donde había bastantes charlas muy interesantes y no pudimos ver ninguna de ellas porque era una sala medianamente pequeña y estaba llena desde primera hora.

danigm.net - open-source