Are they going to be using gerrit or a private repo and push changes back regularly?
Sometimes the discussions on PRs are equally valuable to see how a commit was arrived at, and I'd be sad if that got lost in this change.
I wonder if adding an artificial barrier in the form of a donation could help. That's probably the only remaining way to show good faith.
To be honest, judging by their repository, it doesn't look like they've stopped accepting third-party PRs.
I see this as the slow death of OpenSource.
It’s controversial to say, and I may be downvoted, but I’ll share this as a pov: OSS is essentially giving away our work for free. Did that ever really make sense? If it does, why don’t graphic designers give their work away for free? Why don’t authors do that? UX designers?
It’s a very peculiar thing to us nerds.
And the strangest thing is, we may have unwittingly built the data source required to make our skills redundant, as models are trained on the work we gave away for free.
I think this is an interesting narrative.
Surprising how little appetite for changing norms exists here on HN. Yes, the transition to agentic coding will be difficult, but to me this is mostly exciting. Despite my AI enthusiasm, I also run into shortcomings that the agents have very often, but that's a more interesting learning experience than the status quo without AI would have been!
We'll have more such disruptions and we'll learn to live with it.
It's surprising to me how many people here seem offended that someone might just not want their code.
I guess it takes quite a lot of experience as a maintainer to realize that 'free' in 'free code contributions by strangers' is like 'free' in 'free puppy'.
"Gain trust through plausible contributions" is a new angle on AI-produced PRs I haven't seen yet.
Though in retrospect we should have seen it. It's been an angle of attack since forever, it only took a lot of effort.
Meh. The project died for me when they started using LLMs for development in the first place.
We need stricter verifications / credentials behind GitHub accounts and PRs.
And this we should have had already before AI.
I've been thinking about it for a while that we need some score-based system where each PR on GitHub/Gitlab grants you a review from the maintainer as well. You build your rep and the maintainers decide about the thresholds for contribution.
I'm surprised this isn't yet a thing. Heck, this can be made independent of GitHub/Gitlab, like a portal which tracks your rep. Could also help you get hired. Think Stackoverflow rep mixed with LinkedIn but for actual code contribution.
Yes I'm aware it sounds Black Mirror-ish. But we need more meritocracy in the world of OS that is otherwise highly anonymous and with very little public authority.
I wonder how a new browser engine can survive with the source available model. Like, why would anyone support this, unless they have business association with the Ladybird developers?
I feel like every time I hear something about Ladybird it's literally anything but a working browser to actually play around with.
The cause of this is that the cost of creating plausible code contributions has gone down, so PR proposals can multiply, but flaws still threaten project security and LLMs can be confidently wrong. So human review is needed right now to maintain the integrity of the project, but it takes time and costs money. Ladybird's developers, and we as a community, can't easily evaluate "this is what we want" vs. "this is not what we want" without manual review, because we haven't settled upon a reliable representation of the meaning of our code and its side effects that is time-efficient, secure, and meaningfully interpretable at scale.
This is partly due to Ladybird building on low-level system-language primitives that make it harder to identify problems, and while they are porting to Rust it's not fair to say that C++ is single-handedly the cause of this, because regardless of the language, in a complicated interconnected codebase the complexity easily compounds. It's a real shame we don't have the option of a trust-graph filter stop-gap that can filter contributors with a social model of who is trusted for what, purely as a heuristic to reduce the risk of bad contributions (not as solid proof of soundness).
This whole situation shows the way that development has been done isn't nearly as transparent as just having the source code being available.
We haven't been able to say what we want the code to do in a way that can be tested robustly enough to make openly accepting contributions sustainable, and it's unfair to blame the team for that because on top of needing to develop and review their own changes, it's an incredibly difficult problem with only so many hours in the day. I hope we figure out the representation and social trust graph problems, and that people continue to build on their great work.
Bad actors pay good money for vulnerabilities and patient actors are invested in slowly introducing them. Agent loops like Codex or Claude, with Anthropic's Mythos model finding ~271 Firefox 0-days, and helping fix them shows both the problem and the promise.
It's bitter-sweet in a way that Ladybird is great at showing how the incidental complexity of web browsers could be vastly reduced. To protest being gagged, cryptographers made t-shirts with DeCSS DVD or RSA algorithms on them. Alan Kay suggests that t-shirt computing is actually a useful target, and STEPS by his Viewpoints Research Institute managed to really distill some parts of OS-level and desktop publishing software down into minimal, more understandable abstractions that encode the rules of the programs with more appropriate patterns for the problems at hand, that might more plausibly fit on a small wardrobe of t-shirts. Browsers really need this range of t-shirts making.
As a minority browser user (and someone wanting to build on them), I'm excited to see Ladybird get increasingly usable for real browsing, and I am hopeful that in time, the spec representation gaps, and social trust map heuristics are solvable problems that could restore the dream of open-source, or at least stop a trend of closing (with tldraw doing this much earlier, for a less risky but still thorny project).
The cathedral vs. the bazaar. Makes sense to me.
http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral...
I truly understand why this step was taken, but it is still sad to see the death of open source or rather open contribution. Every project that turns away from open contributions is a project lost to the whims and fuckery of AI Bros.
What I really want to know is how sustainable a model like this is. How does one find new maintainers when old ones leave? When you cannot contribute anymore.
This is one way to rephrase "we don't want your AI slop, thanks.".
it's fair, especially because if people want to contribute to something so badly, they can make their own fork or version of it
they can vibe-code their own browser, there's no need for the public to access every single open-source project anymore, you need to find people you can actually trust
A bit sad to see this. Of course they are free to do it the way they prefer, and there are successful projects like this (Notably SQLite) but there has to be a reasonable middle ground between "everyone can just flood us with 30,000-line 'Claude implement feature X make no mistakes' PRs" and "we're not open to outside contributions"
LLMs are killing open source just like they're killing online discussion forums.
It's heartbreaking, my two favorite things about the internet are dying off because human interaction can't outscale AI slop.
While I understand the motivation for this change, I have to highlight something: GitHub's slogan 'social coding' is becoming more and more true these days. Now open source will become a thing that only "influential" people can contribute to. We're back to nepotism, not meritocracy. Downhill we go.
seems reasonable.
I wasn’t around much before GitHub so. I believe I tried submitting patches to the XFCE project but I didn’t get anything accepted to FOSS before GitHub.
In this type of system, if I am competent and can contribute, how do I? By reviewing the maintainers' PRs, helping fill out more info for bug reports / root causing?
There had to be some way for a competent user to get involved enough to become a familiar handle to the maintainers and be seen as a possible future maintainer/expert contributor, right?
> Whether code was typed by hand is beside the point. What matters is who is responsible for it once it enters the browser. Ladybird is becoming a browser for real users. The people introducing changes to it must be the people who decide those changes belong in the project, and who will answer for the consequences.
Applies so, so widely. Glad they’re taking (very necessary) action here.
I paid for Kagi's Orion (even though it's actually a little crappy) because I want options in the browser landscape. I'm really rooting for Ladybird, and just in case they don't offer a paid version in the future, here's a link to how you can sponsor its development: https://opencollective.com/ladybird
"The Cathedral and the Bazaar"
Legit
I think we are going to see a lot of open source projects switching to Humans Need Not Apply Mode.
One more data point that AI is ruining open source. It's disgusting what these people are doing.
I don't understand why people contribute AI slop to existing projects. You move 1000x faster. Just write your own browser in 2 days.
Honestly. WTF is Ladybird? Feel like as a normal guy doing normal software development I'm living in an alternate reality or something.
How is this the top post on my favorite website?
The problem statement is clear to everybody.
> For decades, code contributions have been how open source projects learned who to trust. People would show up, do the work, take responsibility for their changes, and stick around. Over time, trust emerged from the work itself.
The solution, IMO, is a strictly worse version than what we chose in the Zig project (banning LLM contributions).
> AI tools have changed the economics of this very quickly. We use them ourselves every day, but a pull request no longer tells us as much as it used to about the person submitting it. A substantial patch used to imply substantial effort, and that effort was a reasonable proxy for good faith. That assumption no longer holds.
Things that worry me about this choice:
- open source is a tough business and you need to leverage the good things about it to make it worth doing. contributors bring in a huge amount of value that they offer you essentially for free (see contributor poker: https://kristoff.it/blog/contributor-poker-and-ai/), on top of being a hugely valuable recruitment funnel. They're rejecting all of that, which seems insane to me.
- one could argue that LLMs could fill that gap but, first of all they could have just banned LLM usage only in PRs from untrusted contributors, and second even the best LLM: 1. is a cost, not just free value, and the price of tokens is increasing 2. the code has to be reviewed anyway, unless you think that just passing tests is good enough for a browser 3. ultimately can't become a trusted core contributor capable of taking ownership of a part of the codebase
- removing the influx of code that comes from PRs means that over time the whole project will have a small number of contributors that own all the code, making it easier for the project to do a license rugpull. when copyright ownership is well distributed this kind of thing is harder to pull off.
Overall, this is not good in my opinion. They're making open source a more problematic business model for them than it has to be, while at the same time making it harder to recruit more core contributors, as the code ownership coalesces to a small group of people.
This is an obvious recipe for disaster (a rugpull), and I'm forced to wonder if this is just by mistake or if some of the Ladybird sponsors are playing a mean game of Secret Hitler. I guess only time will tell.
Oh well, AI bros ruined it. I'm actually glad in some twisted way, because if more projects follow suit and close their development, it will again become an actual badge of honor to get on those teams. Having contributed to such projects will mean something.
"A browser runs untrusted input from the entire internet on the user’s machine, and one well-disguised vulnerability is all an attacker needs. We have already seen patient, well-resourced campaigns in open source to earn maintainer trust and abuse it."
Then the linux kernel is doomed. /s
Cool - how about fewer perma-bans on github for participating in discussions?
Also, as I have pointed out before, they seem to develop too slowly for a solid beta this year. You only have to look at the issue tracker and check for URLs not working or even crashing the browser. Ladybird may have gotten better in the last months, but imagine if 50.000 people are using it, you will see more bugs. How do they then handle bug reports?
Seems cold how they present this, but on the other hand I’ve ignored Ladybird because I just don’t think they’ll have meaningful impact, so I remain unaffected by this policy change.
curious what the "did the pipeline actually do what we think" story looks like now.
"green" and "the right artifact exists" drift apart faster than expected with more automation. exit code wasn't enough for us — had to make the output file the thing that proves a run happened.