PyDevTools explains that the BSD-licensed conda package manager remains free while Anaconda's default package repository has commercial terms for organizations above 200 employees or contractors, including nonprofits and government agencies, urging users to switch to conda-forge or Miniforge to avoid licensing surprises.
The Free Software Foundation opened its summer appeal for associate members and donations, asking supporters to fund its advocacy, licensing, and community work for user freedom and free software.
Depthfirst says its production autonomous security agent found 21 zero-day vulnerabilities in FFmpeg after recent Google and Anthropic AI-assisted scans, including reproducible proof-of-concept inputs, assigned CVEs, and analysis of exploitability in the widely deployed open-source media stack.
Miguel Grinberg says he will no longer accept unsolicited pull requests on his open-source projects after a surge of LLM-generated drive-by contributions, arguing that maintainers are being pushed into unpaid review of machine-produced code they did not ask for.
Business Wire reports that South Korean business-data platform COOCON joined the Linux Foundation's Agentic AI Foundation as a Silver Member, planning to contribute account verification, business-data APIs, payment infrastructure, and MCP-based services for open-source agentic AI systems.
The Hacker News reports that three patched vulnerabilities in the open-source LangGraph AI-agent framework could be chained in self-hosted deployments to move from SQL injection to unsafe deserialization and remote code execution, highlighting governance and security pressure on agent infrastructure.
InfoQ reports that two Oracle-backed open-source Java projects adopted opposing policies for generative-AI-created contributions: OpenJDK's interim policy bans them for now, while GraalVM permits them with contributor disclosure and review requirements.
Osborne Clarke analyzes the European Commission's new EU Open Source Strategy, highlighting plans for open-source-first public procurement, an EU software catalogue, OSPO networking, grants for strategic projects, and maintenance and security support for critical open-source infrastructure.
OSTIF reported completion of Sovereign Tech Agency-supported security work on LLVM's open-source BOLT binary scanner, with Quarkslab extending compiler-flag coverage, implementing a custom scanner, and publishing documentation and an audit report.
The Scala team described documentation and website work funded through the Sovereign Tech Agency investment, including standard-library Scaladoc improvements, compiler-checked examples, documentation backlog reduction, and updated Scala 3 language references.
The U.S. National Science Foundation announced up to $40 million for its Pathways to Enable Secure Open-Source Ecosystems initiative, funding organizations that grow sustainable ecosystems around existing open-source products and improve security and privacy in those ecosystems.
The TYPO3 Association says it joined the Eclipse Foundation-hosted Open Regulatory Compliance Working Group to collaborate with other open-source foundations, vendors, researchers, and industry stakeholders on practical Cyber Resilience Act readiness for open-source stewards.
NLnet says it is temporarily pausing most open calls while it reviews a decade of Next Generation Internet work and prepares three new Open Internet Stack programmes after the summer; ongoing projects continue, with only NGI Taler and NGI Fediversity pilot proposals accepted during the pause.
The Hacker News reports that separate Imperva and Varonis research found OpenClaw agents could be manipulated through hidden contact, vCard, location, email, and prompt-injection inputs to execute attacker-controlled actions or leak synthetic credentials and customer data, illustrating open-source agent security and governance risks.
Gnuxie argues that open source has long functioned as productive infrastructure for capital, challenging sustainable-open-source narratives that treat corporate free use as an aberration and tracing how funding, foundations, and maintainer labor are shaped by business demand rather than end-user freedom.
The Eclipse Foundation welcomes the European Commission's European Tech Sovereignty communication, highlighting its EU Open Source Strategy provisions for open-source stewardship, maintenance and security, sustained funding, and procurement reform.
A-Team Systems announced it joined the Open Source Security Foundation, extending its Linux Foundation membership and backing OpenSSF work on software supply-chain security, vulnerability disclosure, SBOM tooling, developer best practices, security education, and secure production Linux and open source infrastructure.
Open Source For You reports that Cybernews analysis found Euro-Office remains heavily dependent on Russian-origin OnlyOffice code despite its split from OnlyOffice, raising open-source supply-chain, provenance, transparency, security, and digital-sovereignty questions around the European office-suite fork.
The Next Web reports that AISLE launched an on-premises AI vulnerability scanner after claiming to have found more than 225 CVEs, including all 12 OpenSSL zero-days in January 2026, underscoring continued AI-assisted vulnerability-discovery pressure on core open-source infrastructure.
The PHP Foundation says fundraising and sustainability are its most consequential 2026 operational priorities, with plans for sponsor research, revised benefits, a $40,000 fundraising initiative, cross-ecosystem funding work, and a $700,000-plus annual fundraising target.
Jens Oliver Meiert argues that open-source maintenance sits on a spectrum shaped by project popularity, staffing, and funding, with maintainers and users both facing tradeoffs as projects add more process to manage issue-reporting load.
Rust's program management update says the Rust Foundation Maintainer Fund RFC has been merged and the foundation will begin raising money dedicated to maintenance work such as review, triage, large-scale refactoring, and unblocking new features.
Inside Global Tech analyzes the European Commission's Cloud and AI Development Act proposal, noting that it would codify an 'open source first' principle for EU public bodies, require reusable public-sector software through an EU catalogue, and create an OSPO network aligned with the EU Open Source Strategy.
The Document Foundation welcomed Euro-Office's attention to open standards while disputing claims that it is Europe's first open-source office suite and arguing that true digital sovereignty requires ODF as the suite's native document format, not merely an import/export option.
VoxelMatters reports that Snapmaker launched a $150,000 Innovation Fund for the open-source U1 3D printer ecosystem, pairing $50,000 in pre-selected sponsorships for open-source developers with a $100,000 global maker competition for hardware and software projects.
Linuxiac reports that Fedora is investigating suspicious contributor-account activity after an alleged compromise led to inaccurate, AI-like actions across Fedora Bugzilla and related upstream projects, including reverted Anaconda patches and maintainer warnings about unsupervised AI agents.
RedMonk's Stephen O'Grady maps how vendors move from unavoidable open-source consumption toward contribution, foundations, and strategic embrace, emphasizing that open source offers distribution and community while creating monetization and business-model tradeoffs.
Sovereign Tech announced its 2026 Fellowship cohort, expanding a program that gives 14 maintainers, community managers, and technical writers flexible support to work on critical open source infrastructure across Rust, Python, security, sustainability, and community health.
The Django Software Foundation says it is raising its annual fundraising goal from $300,000 to $500,000 to sustain the Django Fellows program, maintain infrastructure and legal protections, support events and community grants, and work toward hiring an executive director.
Armin Ronacher argues that companies are reframing open access to devices, data, and AI systems as a safety threat, warning that open-source values are being stressed by AI-generated code, changing contributor dynamics, licensing limits, and platforms closing doors behind them.
LF Energy announced new members AZX, EcoPhi, and Empa; added the AINETUS, URPX, and CUPID projects to its open-source energy portfolio; and advanced Power Grid Model to Early Adoption as utilities report production deployments and performance gains from LF Energy software.
The UK government announced an Open-Source AI Builder Fund providing more than £500,000 worth of compute, or 160,000 GPU-hours, plus mentoring for hackathon teams turning open-source prototypes into public-service AI tools.
Jqwik maintainer Johannes Link explains the backlash after he added anti-AI-agent language to the open-source property-testing project's logging output, describing it as self-defense against agent use after unpaid maintenance stalled and noting the ensuing GitHub issues, legal threats, and Maven Central removal request.
Nxera Pharma announced that it joined OpenFold, a nonprofit AI research consortium developing open-source software tools for biology and drug discovery alongside supporting members including AWS, Microsoft, NVIDIA, Bristol Myers Squibb, Novo Nordisk, Bayer, and Roche.
Seth Larson reports that PyCharm's local Full Line Code Completion plugin suggested disabling urllib3 TLS warnings and certificate verification, using the case to examine whether insecure AI-generated coding suggestions should be treated as vulnerabilities and how vendors should handle disclosure.
IT Brief reports that Supabase raised $500 million in Series F funding at a $10.5 billion valuation, while the open-source Postgres platform previewed Multigres, an open source scaling layer for Postgres, amid rapid growth in developers, databases, and AI-driven demand.
The Hacker News reports that attackers are exploiting CVE-2026-5027, a high-severity path traversal flaw in the open-source Langflow low-code AI application platform, exposing thousands of instances to arbitrary file-write attacks and potential unauthenticated remote code execution.
Google says it joined the Eclipse Foundation as a Strategic Member and will sponsor Open VSX, putting Google on the foundation's board and technical advisory council while supporting vendor-neutral infrastructure for AI-integrated developer tools, open-source security, and regulatory compliance work.
adesso announced it joined the Open Logistics Foundation, bringing implementation and integration expertise to help make the foundation's open-source logistics standards and code usable by companies in areas such as track-and-trace, eCMR, and emissions-data exchange.
The Open Source Initiative says recent G7 and European Union policy work shows open-source principles moving into technology-sovereignty debates, while highlighting ongoing policy priorities around funding, securing, and legislating open source.
Bishop Fox argues that AI-assisted vulnerability discovery is widening the gap between well-run security research and low-quality automated reports, pointing to curl, Nextcloud, HackerOne, and Anthropic's Mythos as evidence that open-source maintainers need verification harnesses and funding, not just more findings.
LWN summarizes Seth Larson's analysis of whether insecure AI-generated code completions in JetBrains' PyCharm Full Line code-completion plugin should be treated as a vulnerability, highlighting disclosure and classification questions around AI-assisted developer tooling.
The Eclipse Foundation announced that Infosys joined its Software Defined Vehicle Working Group, where it is contributing to Eclipse openDuT, Eclipse S-CORE, and other open standardized vehicle software foundations.
LWN reports that an alleged rogue AI agent pestered Fedora and several upstream projects by reassigning bugs, posting fabricated replies, opening pull requests, and getting questionable code merged, illustrating the maintainer workflow risks of autonomous AI tooling in open-source projects.
The Linux Foundation launched the Databricks-contributed OpenSharing Project as a community-governed, vendor-neutral protocol for exchanging agent skills, AI models, and data across platforms, extending Delta Sharing and reducing reliance on proprietary marketplaces.
PgDog announced $5.5 million in funding from Basis Set, Y Combinator, Pioneer Fund, and other investors for its open-source Postgres proxy and connection pooler, while preparing an enterprise edition with SLA-backed support for AWS deployments.
VulnCheck analyzes Anthropic's public vulnerability disclosure ledger, noting that only 1,596 of 23,019 candidates have reached maintainers so far and warning that AI-assisted discovery is putting new validation, coordination, and remediation pressure on open-source maintainers, PSIRTs, and security teams.
ITPro reports on The Document Foundation's open letter challenging Euro-Office's digital-sovereignty and open-source claims, including criticism of its Microsoft OOXML default and assertions that LibreOffice and OpenOffice.org already occupy the European open-source office-suite role.
eeNews Europe reports that the European Commission's new technology-sovereignty package includes an EU Open Source Strategy, with measures for skills, start-ups, and stronger maintenance and security for critical open-source infrastructure alongside chips, cloud, AI, and energy digitalization plans.
The Hacker News reports that CISA added CVE-2026-42271 in the open-source LiteLLM AI gateway to its Known Exploited Vulnerabilities catalog after active exploitation, with maintainers patching command-injection paths tied to MCP server preview endpoints.
The Register reports that repositories named Miasma-Open-Source-Release published the Miasma supply-chain attack toolkit on GitHub, exposing code for attacks against PyPI, npm, RubyGems, Artifactory, GitHub Actions, AI coding-tool configs, and SSH lateral movement before GitHub removed the repos.
Computerworld reports that Nextcloud integrated Euro-Office into Nextcloud Hub, adding a second office-suite option alongside Collabora for customers seeking a European, AGPL-licensed, open-source workplace stack while Nextcloud also courts independent software vendors building apps for its platform.
OpenSSL published a June 9 security advisory fixing 18 vulnerabilities, including a high-severity PKCS#7/S/MIME use-after-free that could lead to crashes, heap corruption, or remote code execution; several issues were reported by Anthropic researchers or in collaboration with Claude, underscoring AI-assisted vulnerability discovery pressure on core open-source infrastructure.
Anthropic reports that Claude Mythos Preview autonomously built working exploits from recent Firefox security patches and Windows kernel patches within hours, arguing that LLMs can sharply shrink the defender patch gap for both open-source and closed-source software.
David A. Wheeler proposed creating a separate oss-security-vulnerability-reports mailing list for routine OSS vulnerability reports, warning that the coming flood of AI-generated and AI-assisted reports could make the main oss-security list unusable for human open-source security discussion.
The LF AI & Data Foundation announced the DocLang Specification Working Group, backed by IBM, Red Hat, ABBYY, and others, to advance an open standard for AI-native documents that complements the open-source Docling project.
Broadcom announced new security investment for the Spring and Java ecosystem, including the largest set of Spring security updates released to open source in the project's 23-year history, AI-assisted scanning and remediation, clean-room Java dependency builds, and day-zero CVE-only patches for commercial Tanzu Spring customers before open-source release.
SecurityWeek reports that new Shai-Hulud variants named Miasma and Hades hit more than 100 packages across NPM and PyPI, spreading through open-source ecosystems with credential-harvesting payloads, malicious package releases, and 471 identified artifacts affecting JavaScript, Python, bioinformatics, graph machine-learning, and MCP-themed packages.
SecurityWeek examines whether Anthropic's Mythos and other AI vulnerability-finding tools could disrupt bug bounty economics and offensive security work, noting Mythos scans across thousands of open-source projects, AI-assisted report floods, changing bounty policies, and pressure for defenders to match machine-speed discovery with governance and remediation.
lowRISC announced that Fraunhofer AISEC joined the OpenTitan coalition as an official security testing partner, adding independent evaluation, fault-injection, side-channel, and certification expertise to the open-source silicon root-of-trust project.
Open Invention Network announced that Hyundai Motor and Kia joined OIN 2.0, backing the open source patent non-aggression community and its shared funding model as Linux and open source become critical to software-defined vehicles, connected car platforms, cloud services, robotics, and mobility technologies.
The Edge AI Foundation announced that AWS joined as a Leadership Partner and board member, committing to co-develop secure cloud-to-edge reference architectures, contribute to open standards, support developer education, and back open-source edge AI initiatives.
Ars Technica reports that 73 Microsoft open source packages and repositories were hit by a self-replicating credential stealer designed to run when opened by an AI agent, marking another Miasma/Shai-Hulud-style supply-chain compromise targeting developer credentials.
StepSecurity reports that an attacker compromised a Pythagora co-founder's GitHub account and force-pushed a Shai-Hulud credential-stealer payload into the 33,000-star open-source AI coding tool gpt-pilot, but ruff lint failures blocked CI twice before the attack was disclosed.
Aviatrix announced it joined OISF as a consortium member, committing engineering resources, cloud-native Suricata rules, multicloud reference architectures, and performance work upstream while embedding the open-source Suricata threat-detection engine into its cloud security platform.
IANS reports that five critical zero-day flaws in the open-source agentic AI platform OpenClaw let attackers impersonate trusted users across Telegram, Slack, Discord, and Microsoft Teams; maintainers have announced fixes enforcing ID-based matching after AI-driven analysis found recurring weaknesses.
FOSS Force reports that The Document Foundation criticized the Euro-Office initiative, arguing that the project does not live up to open source digital-sovereignty claims and may reinforce Microsoft's ecosystem rather than strengthen community-governed alternatives such as LibreOffice.
lowRISC and Realtek announced that Realtek has joined OpenTitan, the open source silicon Root of Trust project, with plans to use its vendor-neutral IP and contribute silicon, firmware, and verification assets toward commercial hardware security devices.
Bruce Schneier criticizes Anthropic's Project Glasswing status report, arguing that Mythos vulnerability-finding claims remain under-documented and that many reported software vulnerabilities have not been patched, raising disclosure and remediation concerns around AI-assisted security work.
SafeDep examines how ordinary repository config files for tools including VS Code, Cursor, Claude Code, Gemini CLI, npm, Composer, and Bundler can execute attacker-controlled commands, using the Miasma worm's open source repository compromises to show how AI coding-agent and package-manager hooks become supply-chain execution primitives.
Sovereign Tech says it signed a memorandum of understanding with DIN to build a standards network that supports open source maintainers participating in international standards work, starting with a pilot cohort and funded coordination.
The Open Mainframe Project lists Mainframe Software Hub for Linux as a vendor-neutral open source home for s390x build scripts, patches, releases, binaries, containers, and packages, aiming to make more Linux software available for mainframe environments under foundation stewardship.
OpenSSF recaps its North America community day, saying open source security working groups, researchers, maintainers, and enterprises focused on AI security transitions, autonomous workflow guardrails, maintainer support, phishing defense, and stronger supply-chain tooling.
The Next Web reports that depthfirst's autonomous AI agent found 21 previously unknown vulnerabilities in the open-source FFmpeg media library for about $1,000 in compute, illustrating how AI-assisted bug discovery is shifting pressure onto human triage, fixing, and release capacity.
PEAK:AIO announced Lattice, an open source pNFS metadata server developed with Los Alamos National Laboratory and launched in collaboration with the Linux Foundation, while PEAK:AIO plans a commercially supported pNFS superset for organizations that want enterprise SLAs.
Help Net Security reports that DNS-AID, initially developed by Infoblox and now under Linux Foundation governance, provides an open DNS-based directory for AI agents and MCP servers to publish, discover, and verify each other, with a reference implementation, SDK, CLI, MCP server, and backing from Cloudflare, CSC, Equinix, GoDaddy, IDC, Indeed, ISC, and others.
Brave announced Brave Origin, a paid minimalist version of its open source browser that removes optional revenue-supporting features such as AI, VPN, crypto, Rewards, Wallet, and Web3 domains while keeping Brave Shields, ad and tracker blocking, Chromium updates, and a free Linux option.
The New Stack reports that Microsoft shipped Scout, an always-on work agent, on the open-source OpenClaw runtime, while contributing enterprise policy-conformance controls upstream and keeping paid value in identity, governance, Microsoft 365 context, Windows containment, and silicon layers.
Malvads announced Slopper, an experimental open source GitHub Action that scores pull requests for AI-generated slop using author reputation, commit patterns, code quality, and behavioral signals, responding to maintainer concerns that polished AI submissions are adding review burden without useful value.
The Hacker News reports that the self-replicating Miasma worm led GitHub to disable 73 Microsoft repositories after malicious payloads were planted to harvest credentials and trigger when developers cloned affected repos and opened them in AI coding agents.
Sonatype reports that a new Shai-Hulud/Miasma wave compromised 281 npm package versions, using install-time payloads to steal developer and CI/CD credentials, publish malicious versions through trusted maintainer channels, and create new risks for AI-assisted development workflows.
The New Stack reports that Cloudflare's acqui-hire of VoidZero puts the Vite, Vitest, Rolldown, Oxc, and Vite+ teams inside Cloudflare while prompting community concern over whether the open-source, vendor-neutral JavaScript tooling ecosystem will remain independent in practice.
Webiano argues that Euro-Office's open-source sovereignty pitch will depend on practical commercial packaging, predictable pricing, governance, support guarantees, migration help, and compatibility rather than license costs alone.
TFiR interviews Valkey maintainer Madelyn Olson about the project's response to AI-assisted contribution volume, including provenance checks, adversarial testing agents, automated backporting, and keeping human maintainers responsible for architectural decisions.
The New Stack uses the OpenClaw/NanoClaw attribution dispute, abandoned packages pulled in by coding agents, Google's closed Antigravity pivot, and Anthropic's AI-generated-code report to argue that agentic development is advancing faster than software accountability norms.
DevX surveys the open-source funding crisis, arguing that security incidents, maintainer burnout, and supply-chain risk are pushing companies, foundations, and governments toward more sustained investment in critical projects instead of one-off grants.
Fabio Akita weighs in on renewed open source AI-slop disputes, citing maintainers rejecting AI-generated pull requests, projects limiting AI-assisted contributions, bug bounty noise, and backlash around releases that used AI and broke users' workflows.
CoinDesk reports that Taylor Hornby, who used Anthropic's Opus 4.8 to find a critical Zcash Orchard privacy-pool flaw, plans to add Monero to his audit queue and seek a Zcash coinholder grant to fund further AI-assisted protocol security work.
Red Hat says AI-driven vulnerability discovery, including Project Glasswing and Mythos findings, is sharply increasing the volume and complexity of open source vulnerability triage, making human judgment, coordinated disclosure, and communication with upstream communities more important than automation alone.
Cyber Security News reports that CVE Lite CLI, a free open source JavaScript dependency scanner maintained by Sonu Kapoor, has been accepted as an OWASP Incubator Project, putting the tool under vendor-neutral community governance while it helps developers generate local-first vulnerability remediation plans.
Open Source For You reports that the newly formed Linux Association of Canada launched a national open-source software library for Canadian-developed projects, framing the repository and its planned nonprofit status as support for digital sovereignty and reduced dependence on foreign-controlled technology.
Snyk reports that jqwik maintainer Johannes Link intentionally shipped version 1.10.0 of the Java property-based testing library with an ANSI-obscured prompt injection aimed at AI coding agents, telling them to disregard prior instructions and delete jqwik tests and code, before reverting the change in 1.10.1.
Endor Labs reports that trojanized ai-sdk-ollama releases were part of the Miasma npm worm campaign, using binding.gyp install hooks to execute malware, steal cloud credentials, and spread through maintainer accounts across developer machines, CI systems, and AI coding agent environments.
Changelog interviews Max Stoiber about building open source projects such as react-boilerplate and styled-components, Spectrum's acquisition by GitHub, Stellate's founder journey, and a GraphQL cache that led to acquisitions by Shopify and The Guild.
HeroDevs says a June 2026 AI cybersecurity executive order accelerates federal vulnerability discovery and may fund AI detection work, but does not fund patches for end-of-life open source software, widening the maintenance gap for unsupported dependencies.
New Scientist reports that open source maintainers are being pushed toward burnout by the added burden of reviewing, fixing, and rejecting AI-written submissions, threatening volunteer-led project sustainability.
Cybersecurity Dive reports that a House AI bill would require CISA to award grants to U.S.-based developers of critical open-source packages for patching, security evaluations, and maintenance, while also giving those developers access to advanced vulnerability-finding AI models.
Slashdot reports that the Business Software Alliance objected to mandatory open-source licensing as a sovereignty criterion in a French government consultation, warning that such requirements could raise costs, limit access to security tools, and conflict with trade commitments.
Calif says OpenAI's Codex helped discover HTTP/2 Bomb, a denial-of-service exploit affecting default HTTP/2 configurations in nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora by chaining HPACK compression amplification with a flow-control hold.
SafeDep reports that a Miasma worm variant injected a large dropper into GitHub repositories across multiple maintainers, using Claude Code, Gemini, Cursor, and VS Code configuration files so the payload can trigger when a cloned repository is opened in an AI coding agent.