
How many open source libraries have auditing budgets?


I expect we're about to find that it's a lot easier to convince a company to spend money running an AI security scan of their dependencies and sharing the results with the maintainers than it is to have them give those maintainers money directly.

(I just hope they can learn to verify the exploits are valid before sharing them!)


Their commercial users have auditing budgets.


Does your ideal world have an easy path to citizenship?

I might like to live there.


> SAN FRANCISCO – March 17, 2026 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced $12.5 million in total grants from Anthropic, AWS, GitHub, Google, Google DeepMind, Microsoft, and OpenAI to strengthen the security of the open source software ecosystem.

https://openssf.org/tag/google

"But that's Linux, how do small libraries get an audit budget..." Fortunately LLMs have eliminated the need to have small libraries in your dependency chain.


It’s almost cute how insignificantly small that amount is considering the companies named. Great for The Linux Foundation of course, but it still feels like they are being cheap as heck.


> SAN FRANCISCO

I take back the “I might like to live there” :)



