Hacker News

An open letter asking NHS England to keep its code open

194 points, by tvararu, today at 3:15 PM, 12 comments

Comments

deaux, today at 3:39 PM

> As I've written before, this is not the correct response to the purported threat by Mythos. Neither the AI Safety Institute nor the NCSC recommend this action. While there may be some increase in risk from AI security scanners, to shutter everything would be a gross overreaction.

> Even if we ignore the impracticality of closing all the code - it is too late! All that code has already been slurped up. If Mythos really is the ultimate hacker, hiding the code now does nothing. It has likely already retained copies of the repositories.

> And if it were both practical and effective to hide source code - that doesn't matter. These AI tools are just as effective against closed-source. They can analyse binaries and probe websites with ease.

> There are tens of thousands of NHS website pages which refer to their GitHub repos - will they all need to be updated? What's the cost of that?

All true, and it shows how everything is solely done for optics, and any flimsy excuse is used to instantly claw back at any kind of transparency/openness the very second it arises. Non-technical people making this decision because they believe there's even a 0.1% chance that they'll be blamed that they "didn't do enough" when they didn't go closed source and a vuln is found. And 2026's extreme greed and selfishness (and yes, average greed level does change over time, as with every single cultural trait) means they gladly make that decision at the cost of the common good.

Do always keep in mind that the private sector isn't any better on these things.

robin_reala, today at 7:57 PM

If you’re reading this thread because you care about the quality of the NHS’s digital services, I encourage you to also sign this petition to block NHS providers from wasting money on “accessibility overlays” that actively harm the experience for people with disabilities and cost money that could be spent on improving the core service: https://petition.parliament.uk/petitions/765480/

bilekas, today at 9:03 PM

Even if they agreed and wanted to do it, they would take at least a year to get guidelines on it. Then after, they would need to ask their current tech team to sort it, that will take another 10 years.

fersarr, today at 4:29 PM

I can't sign because the cloudflare verifier says I'm not human...

pacharanero, today at 7:40 PM

This is an accessible explainer of the situation: https://youtu.be/XNLUfqtgBUk. Please do sign the open letter if this is in your area of expertise.

alephnerd, today at 6:21 PM

I've been chatting with CISOs, CTOs, maintainers, and other peers for the past few weeks (some of whom are F50s) about this, and their default gameplan now is to pause OSS contribution and usage until AppSec teams reach a point where they can easily validate and fix issues within a day. Traditionally, end-to-end response times were in the 8-10 day range which clearly cannot hold today.

I don't think it's the death of open source, but it shows how the economics of open source turned into a tragedy of the commons, with maintainers not being provided the resources needed to sustainably operate projects.

It also is an admission of how organizations never prioritized security for decades both within engineering and organizationally, but that's a separate conversation that HNers are not equipped to discuss looking at the lacking calibre of conversations on here.

If OSS lovers actually care, then they need to put their money where their mouth is, stop being idealistic, and think about either going open core or getting formalized funding and sponsorship. Adopting much more restrictive licenses that also allow commercialization by project owners is also critical. The majority of GNU-style projects that exist on the goodwill of a couple of ideologically aligned individuals will not survive, because contributors also need to be paid.

Edit: can't reply

> What do you mean by that? They can't possibly stop using Linux/Kubernetes/Chrome (including Edge)/almost all programming languages/nginx/...

Meaning they will freeze all dependencies and libraries being used going forward, and will not release source code until end-to-end vuln remediation can be done within 24 hours.

Teams are also seriously considering forking core projects and dependencies to use in-house and not contribute upstream out of fear that upstream contributions could be tainted or introduce additional vulnerabilities.
