Is Conda actually free?

PyDevTools explains that the BSD-licensed conda package manager remains free while Anaconda's default package repository has commercial terms for organizations above 200 employees or contractors, including nonprofits and government agencies, urging users to switch to conda-forge or Miniforge to avoid licensing surprises.

Added: ; Published: ; Source: Pydevtools

Commit to freedom

The Free Software Foundation opened its summer appeal for associate members and donations, asking supporters to fund its advocacy, licensing, and community work for user freedom and free software.

Added: ; Published: ; Source: Fsf

Twenty One Zero-Days in FFmpeg

Depthfirst says its production autonomous security agent found 21 zero-day vulnerabilities in FFmpeg after recent Google and Anthropic AI-assisted scans, including reproducible proof-of-concept inputs, assigned CVEs, and analysis of exploitability in the widely deployed open-source media stack.

Added: ; Published: ; Source: Depthfirst

I Am Not a Reverse Centaur

Miguel Grinberg says he will no longer accept unsolicited pull requests on his open-source projects after a surge of LLM-generated drive-by contributions, arguing that maintainers are being pushed into unpaid review of machine-produced code they did not ask for.

Added: ; Published: ; Source: Miguelgrinberg

LangGraph Flaw Chain Exposes Self-Hosted AI Agents to Remote Code Execution

The Hacker News reports that three patched vulnerabilities in the open-source LangGraph AI-agent framework could be chained in self-hosted deployments to move from SQL injection to unsafe deserialization and remote code execution, highlighting governance and security pressure on agent infrastructure.

Added: ; Published: ; Source: Thehackernews

BOLT Security Engagement Complete!

OSTIF reported completion of Sovereign Tech Agency-supported security work on LLVM's open-source BOLT binary scanner, with Quarkslab extending compiler-flag coverage, implementing a custom scanner, and publishing documentation and an audit report.

Added: ; Published: ; Source: Ostif

Improving Scala's docs and website

The Scala team described documentation and website work funded through the Sovereign Tech Agency investment, including standard-library Scaladoc improvements, compiler-checked examples, documentation backlog reduction, and updated Scala 3 language references.

Added: ; Published: ; Source: Scala Lang

NSF investing in secure open-source ecosystems

The U.S. National Science Foundation announced up to $40 million for its Pathways to Enable Secure Open-Source Ecosystems initiative, funding organizations that grow sustainable ecosystems around existing open-source products and improve security and privacy in those ecosystems.

Added: ; Published: ; Source: Nsf

TYPO3 Association Joins the Open Regulatory Compliance Working Group

The TYPO3 Association says it joined the Eclipse Foundation-hosted Open Regulatory Compliance Working Group to collaborate with other open-source foundations, vendors, researchers, and industry stakeholders on practical Cyber Resilience Act readiness for open-source stewards.

Added: ; Published: ; Source: Typo3

Transitioning from NGI to Open Internet Stack — open calls temporarily paused

NLnet says it is temporarily pausing most open calls while it reviews a decade of Next Generation Internet work and prepares three new Open Internet Stack programmes after the summer; ongoing projects continue, with only NGI Taler and NGI Fediversity pilot proposals accepted during the pause.

Added: ; Published: ; Source: Nlnet

New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets

The Hacker News reports that separate Imperva and Varonis research found OpenClaw agents could be manipulated through hidden contact, vCard, location, email, and prompt-injection inputs to execute attacker-controlled actions or leak synthetic credentials and customer data, illustrating open-source agent security and governance risks.

Added: ; Published: ; Source: Thehackernews

A Commons of Software Productive Infrastructure, by and for Capital

Gnuxie argues that open source has long functioned as productive infrastructure for capital, challenging sustainable-open-source narratives that treat corporate free use as an aberration and tracing how funding, foundations, and maintainer labor are shaped by business demand rather than end-user freedom.

Added: ; Published: ; Source: Marewolf

A-Team Systems Joins the Open Source Security Foundation

A-Team Systems announced it joined the Open Source Security Foundation, extending its Linux Foundation membership and backing OpenSSF work on software supply-chain security, vulnerability disclosure, SBOM tooling, developer best practices, security education, and secure production Linux and open source infrastructure.

Added: ; Published: ; Source: Ateamsystems

Euro-Office’s Break From OnlyOffice Faces Fresh Questions

Open Source For You reports that Cybernews analysis found Euro-Office remains heavily dependent on Russian-origin OnlyOffice code despite its split from OnlyOffice, raising open-source supply-chain, provenance, transparency, security, and digital-sovereignty questions around the European office-suite fork.

Added: ; Published: ; Source: Opensourceforu

AISLE Snapshot brings AI vulnerability scanning on premises

The Next Web reports that AISLE launched an on-premises AI vulnerability scanner after claiming to have found more than 225 CVEs, including all 12 OpenSSL zero-days in January 2026, underscoring continued AI-assisted vulnerability-discovery pressure on core open-source infrastructure.

Added: ; Published: ; Source: Thenextweb

Integrating Community Feedback into Foundation Strategy Part 2

The PHP Foundation says fundraising and sustainability are its most consequential 2026 operational priorities, with plans for sponsor research, revised benefits, a $40,000 fundraising initiative, cross-ecosystem funding work, and a $700,000-plus annual fundraising target.

Added: ; Published: ; Source: Thephp

On the Two Sides and the Spectrum That Is Open Source Maintenance

Jens Oliver Meiert argues that open-source maintenance sits on a spectrum shaped by project popularity, staffing, and funding, with maintainers and users both facing tradeoffs as projects add more process to manage issue-reporting load.

Added: ; Published: ; Source: Meiert

Program management update — May 2026

Rust's program management update says the Rust Foundation Maintainer Fund RFC has been merged and the foundation will begin raising money dedicated to maintenance work such as review, triage, large-scale refactoring, and unblocking new features.

Added: ; Published: ; Source: Rust Lang

The EU Cloud and AI Development Act in Depth

Inside Global Tech analyzes the European Commission's Cloud and AI Development Act proposal, noting that it would codify an 'open source first' principle for EU public bodies, require reusable public-sector software through an EU catalogue, and create an OSPO network aligned with the EU Open Source Strategy.

Added: ; Published: ; Source: Insideglobaltech

Euro-Office, open standards, and native ODF

The Document Foundation welcomed Euro-Office's attention to open standards while disputing claims that it is Europe's first open-source office suite and arguing that true digital sovereignty requires ODF as the suite's native document format, not merely an import/export option.

Added: ; Published: ; Source: Documentfoundation

Snapmaker commits $150,000 to fund community projects behind the U1

VoxelMatters reports that Snapmaker launched a $150,000 Innovation Fund for the open-source U1 3D printer ecosystem, pairing $50,000 in pre-selected sponsorships for open-source developers with a $100,000 global maker competition for hardware and software projects.

Added: ; Published: ; Source: Voxelmatters

Fedora Account Compromise Raises AI Agent Supply Chain Concerns

Linuxiac reports that Fedora is investigating suspicious contributor-account activity after an alleged compromise led to inaccurate, AI-like actions across Fedora Bugzilla and related upstream projects, including reverted Anaconda patches and maintainer warnings about unsupervised AI agents.

Added: ; Published: ; Source: Linuxiac

The Open Source Maturity Spectrum

RedMonk's Stephen O'Grady maps how vendors move from unavoidable open-source consumption toward contribution, foundations, and strategic embrace, emphasizing that open source offers distribution and community while creating monetization and business-model tradeoffs.

Added: ; Published: ; Source: Redmonk

Meet the new Sovereign Tech Fellows

Sovereign Tech announced its 2026 Fellowship cohort, expanding a program that gives 14 maintainers, community managers, and technical writers flexible support to work on critical open source infrastructure across Rust, Python, security, sustainability, and community health.

Added: ; Published: ; Source: Sovereign

DSF 2026 Fundraising Goals

The Django Software Foundation says it is raising its annual fundraising goal from $300,000 to $500,000 to sustain the Django Fellows program, maintain infrastructure and legal protections, support events and community grants, and work toward hiring an executive director.

Added: ; Published: ; Source: Djangoproject

Gaslighting Openness

Armin Ronacher argues that companies are reframing open access to devices, data, and AI systems as a safety threat, warning that open-source values are being stressed by AI-generated code, changing contributor dynamics, licensing limits, and platforms closing doors behind them.

Added: ; Published: ; Source: Pocoo

The Jqwik Anti-AI Affair

Jqwik maintainer Johannes Link explains the backlash after he added anti-AI-agent language to the open-source property-testing project's logging output, describing it as self-defense against agent use after unpaid maintenance stalled and noting the ensuing GitHub issues, legal threats, and Maven Central removal request.

Added: ; Published: ; Source: Johanneslink

Are insecure code completions in PyCharm a vulnerability?

Seth Larson reports that PyCharm's local Full Line Code Completion plugin suggested disabling urllib3 TLS warnings and certificate verification, using the case to examine whether insecure AI-generated coding suggestions should be treated as vulnerabilities and how vendors should handle disclosure.

Added: ; Published: ; Source: Sethmlarson

Supabase raises USD $500 million in Series F round

IT Brief reports that Supabase raised $500 million in Series F funding at a $10.5 billion valuation, while the open-source Postgres platform previewed Multigres, an open source scaling layer for Postgres, amid rapid growth in developers, databases, and AI-driven demand.

Added: ; Published: ; Source: Com

Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE

The Hacker News reports that attackers are exploiting CVE-2026-5027, a high-severity path traversal flaw in the open-source Langflow low-code AI application platform, exposing thousands of instances to arbitrary file-write attacks and potential unauthenticated remote code execution.

Added: ; Published: ; Source: Thehackernews

adesso Joins the Open Logistics Foundation

adesso announced it joined the Open Logistics Foundation, bringing implementation and integration expertise to help make the foundation's open-source logistics standards and code usable by companies in areas such as track-and-trace, eCMR, and emissions-data exchange.

Added: ; Published: ; Source: Adesso

From G7’s Vision on AI Openness to EU’s Tech Sovereignty Package

The Open Source Initiative says recent G7 and European Union policy work shows open-source principles moving into technology-sovereignty debates, while highlighting ongoing policy priorities around funding, securing, and legislating open source.

Added: ; Published: ; Source: Opensource

Mythos Doesn't Deploy Itself

Bishop Fox argues that AI-assisted vulnerability discovery is widening the gap between well-run security research and low-quality automated reports, pointing to curl, Nextcloud, HackerOne, and Anthropic's Mythos as evidence that open-source maintainers need verification harnesses and funding, not just more findings.

Added: ; Published: ; Source: Bishopfox

Larson: Are insecure code completions a vulnerability?

LWN summarizes Seth Larson's analysis of whether insecure AI-generated code completions in JetBrains' PyCharm Full Line code-completion plugin should be treated as a vulnerability, highlighting disclosure and classification questions around AI-assisted developer tooling.

Added: ; Published: ; Source: Lwn

AI agent runs amok in Fedora and elsewhere

LWN reports that an alleged rogue AI agent pestered Fedora and several upstream projects by reassigning bugs, posting fabricated replies, opening pull requests, and getting questionable code merged, illustrating the maintainer workflow risks of autonomous AI tooling in open-source projects.

Added: ; Published: ; Source: Lwn

PgDog is funded and coming to a database near you

PgDog announced $5.5 million in funding from Basis Set, Y Combinator, Pioneer Fund, and other investors for its open-source Postgres proxy and connection pooler, while preparing an enterprise edition with SLA-backed support for AWS deployments.

Added: ; Published: ; Source: Pgdog

Observations on Anthropic’s Vulnerability Disclosure Ledger

VulnCheck analyzes Anthropic's public vulnerability disclosure ledger, noting that only 1,596 of 23,019 candidates have reached maintainers so far and warning that AI-assisted discovery is putting new validation, coordination, and remediation pressure on open-source maintainers, PSIRTs, and security teams.

Added: ; Published: ; Source: Vulncheck

‘Open source should rest on transparency, not deception’: Euro-Office ‘sovereignty’ claims questioned in scathing open letter by LibreOffice maintainers

ITPro reports on The Document Foundation's open letter challenging Euro-Office's digital-sovereignty and open-source claims, including criticism of its Microsoft OOXML default and assertions that LibreOffice and OpenOffice.org already occupy the European open-source office-suite role.

Added: ; Published: ; Source: Itpro

EU targets tech sovereignty with new Chips and AI push

eeNews Europe reports that the European Commission's new technology-sovereignty package includes an EU Open Source Strategy, with measures for skills, start-ups, and stronger maintenance and security for critical open-source infrastructure alongside chips, cloud, AI, and energy digitalization plans.

Added: ; Published: ; Source: Eenewseurope

Miasma worms its way onto GitHub as attack kit goes open source

The Register reports that repositories named Miasma-Open-Source-Release published the Miasma supply-chain attack toolkit on GitHub, exposing code for attacks against PyPI, npm, RubyGems, Artifactory, GitHub Actions, AI coding-tool configs, and SSH lateral movement before GitHub removed the repos.

Added: ; Published: ; Source: The Register

Nextcloud adds Euro-Office to Hub workplace suite, expands AI assistant

Computerworld reports that Nextcloud integrated Euro-Office into Nextcloud Hub, adding a second office-suite option alongside Collabora for customers seeking a European, AGPL-licensed, open-source workplace stack while Nextcloud also courts independent software vendors building apps for its platform.

Added: ; Published: ; Source: Computerworld

OpenSSL Security Advisory [9th June 2026]

OpenSSL published a June 9 security advisory fixing 18 vulnerabilities, including a high-severity PKCS#7/S/MIME use-after-free that could lead to crashes, heap corruption, or remote code execution; several issues were reported by Anthropic researchers or in collaboration with Claude, underscoring AI-assisted vulnerability discovery pressure on core open-source infrastructure.

Added: ; Published: ; Source: Openssl Library

Measuring LLMs' impact on N-day exploits

Anthropic reports that Claude Mythos Preview autonomously built working exploits from recent Firefox security patches and Windows kernel patches within hours, arguing that LLMs can sharply shrink the defender patch gap for both open-source and closed-source software.

Added: ; Published: ; Source: Anthropic

Broadcom Expands Its Investment in Spring and Java Ecosystem Security to Prepare Customers for AI-Enabled Threats

Broadcom announced new security investment for the Spring and Java ecosystem, including the largest set of Spring security updates released to open source in the project's 23-year history, AI-assisted scanning and remediation, clean-room Java dependency builds, and day-zero CVE-only patches for commercial Tanzu Spring customers before open-source release.

Added: ; Published: ; Source: Broadcom

Over 100 NPM, PyPI Packages Hit in New Shai-Hulud Supply Chain Attacks

SecurityWeek reports that new Shai-Hulud variants named Miasma and Hades hit more than 100 packages across NPM and PyPI, spreading through open-source ecosystems with credential-harvesting payloads, malicious package releases, and 471 identified artifacts affecting JavaScript, Python, bioinformatics, graph machine-learning, and MCP-themed packages.

Added: ; Published: ; Source: Securityweek

Will AI Kill the Bug Bounty Industry?

SecurityWeek examines whether Anthropic's Mythos and other AI vulnerability-finding tools could disrupt bug bounty economics and offensive security work, noting Mythos scans across thousands of open-source projects, AI-assisted report floods, changing bounty policies, and pressure for defenders to match machine-speed discovery with governance and remediation.

Added: ; Published: ; Source: Securityweek

Hyundai Motor and Kia Join the Open Invention Network 2.0 Community

Open Invention Network announced that Hyundai Motor and Kia joined OIN 2.0, backing the open source patent non-aggression community and its shared funding model as Linux and open source become critical to software-defined vehicles, connected car platforms, cloud services, robotics, and mobility technologies.

Added: ; Published: ; Source: Globenewswire

OpenClaw Zero-Days Allow Attackers to Hijack Agents Across Messaging Platforms

IANS reports that five critical zero-day flaws in the open-source agentic AI platform OpenClaw let attackers impersonate trusted users across Telegram, Slack, Discord, and Microsoft Teams; maintainers have announced fixes enforcing ID-based matching after AI-driven analysis found recurring weaknesses.

Added: ; Published: ; Source: Iansresearch

LibreOffice Weighs In on Euro-Office and EU Digital Sovereignty

FOSS Force reports that The Document Foundation criticized the Euro-Office initiative, arguing that the project does not live up to open source digital-sovereignty claims and may reinforce Microsoft's ecosystem rather than strengthen community-governed alternatives such as LibreOffice.

Added: ; Published: ; Source: FOSS Force

Anthropic's Project Glasswing Update

Bruce Schneier criticizes Anthropic's Project Glasswing status report, arguing that Mythos vulnerability-finding claims remain under-documented and that many reported software vulnerabilities have not been patched, raising disclosure and remediation concerns around AI-assisted security work.

Added: ; Published: ; Source: Schneier

Config Files That Run Code: Supply Chain Security Blindspot

SafeDep examines how ordinary repository config files for tools including VS Code, Cursor, Claude Code, Gemini CLI, npm, Composer, and Bundler can execute attacker-controlled commands, using the Miasma worm's open source repository compromises to show how AI coding-agent and package-manager hooks become supply-chain execution primitives.

Added: ; Published: ; Source: Safedep

Where standards and code meet

Sovereign Tech says it signed a memorandum of understanding with DIN to build a standards network that supports open source maintainers participating in international standards work, starting with a pilot cohort and funded coordination.

Added: ; Published: ; Source: Sovereign

Mainframe Software Hub for Linux

The Open Mainframe Project lists Mainframe Software Hub for Linux as a vendor-neutral open source home for s390x build scripts, patches, releases, binaries, containers, and packages, aiming to make more Linux software available for mainframe environments under foundation stewardship.

Added: ; Published: ; Source: Openmainframeproject

The “Skyway” to OSS Security: OpenSSF Community Day North America 2026 Recap

OpenSSF recaps its North America community day, saying open source security working groups, researchers, maintainers, and enterprises focused on AI security transitions, autonomous workflow guardrails, maintainer support, phishing defense, and stronger supply-chain tooling.

Added: ; Published: ; Source: OpenSSF

DNS-AID lets AI agents find and verify each other through DNS

Help Net Security reports that DNS-AID, initially developed by Infoblox and now under Linux Foundation governance, provides an open DNS-based directory for AI agents and MCP servers to publish, discover, and verify each other, with a reference implementation, SDK, CLI, MCP server, and backing from Cloudflare, CSC, Equinix, GoDaddy, IDC, Indeed, ISC, and others.

Added: ; Published: ; Source: Helpnetsecurity

Microsoft just made the agent runtime free — and kept everything around it

The New Stack reports that Microsoft shipped Scout, an always-on work agent, on the open-source OpenClaw runtime, while contributing enterprise policy-conformance controls upstream and keeping paid value in identity, governance, Microsoft 365 context, Windows containment, and silicon layers.

Added: ; Published: ; Source: The New Stack

Slopper GitHub Action: Fighting AI Slop contributions on Open Source Projects

Malvads announced Slopper, an experimental open source GitHub Action that scores pull requests for AI-generated slop using author reputation, commit patterns, code quality, and behavioral signals, responding to maintainer concerns that polished AI submissions are adding review burden without useful value.

Added: ; Published: ; Source: Dev

New Shai-Hulud Miasma Wave Hits Hundreds of npm Packages

Sonatype reports that a new Shai-Hulud/Miasma wave compromised 281 npm package versions, using install-time payloads to steal developer and CI/CD credentials, publish malicious versions through trusted maintainer channels, and create new risks for AI-assisted development workflows.

Added: ; Published: ; Source: Sonatype

Euro-Office’s real test is not sovereignty but the monthly bill

Webiano argues that Euro-Office's open-source sovereignty pitch will depend on practical commercial packaging, predictable pricing, governance, support guarantees, migration help, and compatibility rather than license costs alone.

Added: ; Published: ; Source: Webiano

AI Agents in Open Source Maintenance: Valkey's Playbook

TFiR interviews Valkey maintainer Madelyn Olson about the project's response to AI-assisted contribution volume, including provenance checks, adversarial testing agents, automated backporting, and keeping human maintainers responsible for architectural decisions.

Added: ; Published: ; Source: Tfir

The Open-Source Funding Crisis: Sustaining Critical Software Infrastructure

DevX surveys the open-source funding crisis, arguing that security incidents, maintainer burnout, and supply-chain risk are pushing companies, foundations, and governments toward more sustained investment in critical projects instead of one-off grants.

Added: ; Published: ; Source: Devx

AI Controversy in Open Source Project Contributions - My Take

Fabio Akita weighs in on renewed open source AI-slop disputes, citing maintainers rejecting AI-generated pull requests, projects limiting AI-assisted contributions, bug bounty noise, and backlash around releases that used AI and broke users' workflows.

Added: ; Published: ; Source: Akitaonrails

Researcher who found Zcash's bug with AI adds Monero to his audit queue

CoinDesk reports that Taylor Hornby, who used Anthropic's Opus 4.8 to find a critical Zcash Orchard privacy-pool flaw, plans to add Monero to his audit queue and seek a Zcash coinholder grant to fund further AI-assisted protocol security work.

Added: ; Published: ; Source: Coindesk

OWASP CVE Lite CLI - New Tool to Scan for Vulnerabilities in Your Projects

Cyber Security News reports that CVE Lite CLI, a free open source JavaScript dependency scanner maintained by Sonu Kapoor, has been accepted as an OWASP Incubator Project, putting the tool under vendor-neutral community governance while it helps developers generate local-first vulnerability remediation plans.

Added: ; Published: ; Source: Cybersecuritynews

Linux Association Of Canada Builds National Open Source Library

Open Source For You reports that the newly formed Linux Association of Canada launched a national open-source software library for Canadian-developed projects, framing the repository and its planned nonprofit status as support for digital sovereignty and reduced dependence on foreign-controlled technology.

Added: ; Published: ; Source: Opensourceforu

jqwik 1.10.0 Prompt Injection Explained

Snyk reports that jqwik maintainer Johannes Link intentionally shipped version 1.10.0 of the Java property-based testing library with an ANSI-obscured prompt injection aimed at AI coding agents, telling them to disregard prior instructions and delete jqwik tests and code, before reverting the change in 1.10.1.

Added: ; Published: ; Source: Snyk

From open source hits to OpenAI

Changelog interviews Max Stoiber about building open source projects such as react-boilerplate and styled-components, Spectrum's acquisition by GitHub, Stellate's founder journey, and a GraphQL cache that led to acquisitions by Shopify and The Guild.

Added: ; Published: ; Source: Changelog

AI Cybersecurity Executive Order 2026: What It Means for EOL Software

HeroDevs says a June 2026 AI cybersecurity executive order accelerates federal vulnerability discovery and may fund AI detection work, but does not fund patches for end-of-life open source software, widening the maintenance gap for unsupported dependencies.

Added: ; Published: ; Source: Herodevs

BSA Lashes Out At Mandatory Open-Source Licensing

Slashdot reports that the Business Software Alliance objected to mandatory open-source licensing as a sovereignty criterion in a French government consultation, warning that such requirements could raise costs, limit access to security tools, and conflict with trade commitments.

Added: ; Published: ; Source: Slashdot

Codex Discovered a Hidden HTTP/2 Bomb

Calif says OpenAI's Codex helped discover HTTP/2 Bomb, a denial-of-service exploit affecting default HTTP/2 configurations in nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora by chaining HPACK compression amplification with a flow-control hold.

Added: ; Published: ; Source: Calif

Miasma Worm Targets AI Coding Agents via GitHub Repos

SafeDep reports that a Miasma worm variant injected a large dropper into GitHub repositories across multiple maintainers, using Claude Code, Gemini, Cursor, and VS Code configuration files so the payload can trigger when a cloned repository is opened in an AI coding agent.

Added: ; Published: ; Source: Safedep