[logicprog]

Tridge already explains this:

"Like many developers of open source packages I’ve been hit by a flood of security reports lately in my role as the rsync maintainer. Many of those reports are AI generated (not all though, there are some notable ones with very careful and high quality manual analysis).

As this flood started to get more intense I realised I needed to raise the defences on rsync a lot — we needed much more thorough test suites, code coverage analysis, CI testing on a lot more platforms, deliberate and thorough scanning for possible security issues (so I find at least some of them before other people!) and the addition of a whole lot of defence-in-depth hardening techniques. This is all a huge amount of work. "

https://medium.com/@tridge60/rsync-and-outrage-d9849599e5a0

[Eufrat]

I think Tridge is simultaneously trying to be proactive and kinda giving too much credit to marketing. Anthropic has not been able to really give numbers or actual values on what Mythos can really do. It just waved Mythos in front of the public like a boogeyman screaming that AI is going to cause a security nightmare (and it has, but mostly through vibe coded trash from what I’ve noticed); I’m hard pressed to find their statement that they spent less than $20,000 to find a Kerberos bug in FreeBSD a compelling win without a lot more context and they seem disinclined to provide that data. I really do wonder what evidence they have provided to their approved partners, all of this smells…weird.

I honestly think the main problem is Tridge just failed at communicating any of this correctly and I don’t think the implication he gives that all of this was due to the urgency of the impending security apocalypse really holds water.

Why was all of this written straight to the master branch? Now that the release is out, why not better explain what the urgency of this release was? Why wasn’t he proactive in communicating this and instead let the mob make up their own story? I think a lot of people are inclined to give Tridge a lot of leeway due to the fact that he literally is the reason why rsync exists, but this was avoidable and I think the comment in his response post where he mentions that, “I’d rather be out sailing than working on rsync security issues, so I have reached for several AI tools to help with what needs to be done,” speaks volumes as to what is going on.

[rsc]

As a long-time open-source maintainer, I find all the second-guessing and armchair psychoanalysis here (not just in this comment, all over HN) about Tridge's motivations, state of mind, and so on incredibly off-putting.

Tridge doesn't owe anyone anything as far as rsync is concerned. Yet he is spending his time maintaining it, only to be attacked for his efforts.

To respond to the specific technical point, there really _is_ a flood of security reports arriving everywhere in the past few months. The jury is out on whether Mythos is that much better than alternatives, but even the publicly available models are _highly_ capable of finding real problems, and they are being employed to that end quite effectively. Here are the counts of security issues fixed in each monthly Go minor release going back to the start of 2024:

     0 2024-01-09 Go 1.21.6, Go 1.20.13
     0 2024-02-06 Go 1.21.7, Go 1.20.14
     5 2024-03-05 Go 1.22.1, Go 1.21.8
     1 2024-04-03 Go 1.22.2, Go 1.21.9
     2 2024-05-07 Go 1.22.3, Go 1.21.10
     2 2024-06-04 Go 1.22.4, Go 1.21.11
     1 2024-07-02 Go 1.22.5, Go 1.21.12
     0 2024-08-06 Go 1.22.6, Go 1.21.13
     3 2024-09-05 Go 1.23.1, Go 1.22.7
     0 2024-10-01 Go 1.23.2, Go 1.22.8
     0 2024-11-06 Go 1.23.3, Go 1.22.9
     0 2024-12-03 Go 1.23.4, Go 1.22.10
     
     2 2025-01-16 Go 1.23.5, Go 1.22.11
     1 2025-02-04 Go 1.23.6, Go 1.22.12
     1 2025-03-04 Go 1.24.1, Go 1.23.7
     1 2025-04-01 Go 1.24.2, Go 1.23.8
     1 2025-05-06 Go 1.24.3, Go 1.23.9
     3 2025-06-05 Go 1.24.4, Go 1.23.10
     1 2025-07-08 Go 1.24.5, Go 1.23.11
     2 2025-08-06 Go 1.24.6, Go 1.23.12
     1 2025-09-03 Go 1.25.1, Go 1.24.7
    10 2025-10-07 Go 1.25.2, Go 1.24.8
     * 2025-10-13 Go 1.25.3, Go 1.24.9
     0 2025-11-05 Go 1.25.4, Go 1.24.10
     2 2025-12-02 Go 1.25.5, Go 1.24.11
    
     6 2026-01-15 Go 1.25.6, Go 1.24.12
     2 2026-02-04 Go 1.25.7, Go 1.24.13
     5 2026-03-05 Go 1.26.1, Go 1.25.8
    10 2026-04-07 Go 1.26.2, Go 1.25.9
    11 2026-05-07 Go 1.26.3, Go 1.25.10
     3 2026-06-02 Go 1.26.4, Go 1.25.11

* The Go 1.25.3 and Go 1.24.9 releases were a fast follow to fix a problem introduced by one of the security fixes the previous week.

You can see that 2026 has been quite different from the previous years. There are plenty of other contemporaneous accounts from other security teams about the load increase they've seen (which again is almost entirely not Mythos).

Also, the number of reports we are receiving has gone up far faster than the number of actual vulnerabilities. Over the 75-month period from January 2020 to early April 2026, the final 30 days accounted for ~16% of the reports.

It is easy to believe that Tridge is seeing a similar flood of reports. More reports means more fixes means more code changes means more bugs.

[wolletd]

> Yet he is spending his time maintaining it, only to be attacked for his efforts.

Which, in general, is totally legit. Doing something voluntarily doesn't relieve you from criticism if what you are doing isn't good.

[mgfist]

You can criticize all you want, but he can also just stop maintaining it if he gets too annoyed by the criticism. Maybe that's a better outcome for you, idk.

[throwaway7356]

Yes, I agree. Voluntarily forming a mob to flood issue trackers with garbage shouldn't relieve the mob members from receiving criticism.

[laserlight]

Agreed. Just like one doesn't owe the society their voluntary work, the society doesn't owe one protection from criticism.

[tumetab1]

I follow Go security issues and many recent ones are consequences of features added to Go and also security researches following up on an area after one issue is found.

Recent examples are certification validation logic, one issue after an another... because it's a mess of thing to implement.

[rakel_rakel]

I agree, it's very off-putting, and I totally understand that the amount of reports are overwhelming for maintainers of popular libraries.

> More reports means more fixes means more code changes means more bugs.

Sounds like we'll be riding a downward spiral for the foreseeable future? It will be very interesting to see how stats like the ones you shared develop in the coming year(s).

From the article I find this a bit concerning:

> So: the Claude releases changed way more lines of code than historical ones, but didn't have more bugs. More code, same bugs. That's not what you'd expect if Claude were making things worse.

More code, same bugs, is a net negative, no? I mean unless it's strictly needed for the inherent complexity of the program. But I've seen a tokenizer written by Rob Pike and I've seen a tokenizer written by Claude.... they are not the same :D

[bonzini]

What Tridge says is that the "more code" is more fixes and more thorough test suites, not random changes made by LLMs.

[JetSetIlly]

> As a long-time open-source maintainer, I find all the second-guessing and armchair psychoanalysis here (not just in this comment, all over HN) about Tridge's motivations, state of mind, and so on incredibly off-putting.

Much of the language from both groups is incredibly off-putting, frankly. Tridge in his blog post describes people as "foaming at the mouth"?!

The rhetoric around this has gotten way too emotional from both groups.

I'm glad I'm just a hobbyist.

[lemming]

Tridge in his blog post describes people as "foaming at the mouth"?!

Did you see the picture in the article where the user posted a picture of them strangling the maintainer? I think “foaming at the mouth” is probably gentler than how I would characterise that.

[Eufrat]

IMHO, the whole episode is just embarrassing. I have no doubt he’s just trying to do the right thing. You can disagree with the tactics, but the vitriol is outrageous. rsync is a gift to the world and we should be grateful and mindful of how much it has been quietly woven into the fabric of computing. rsync is taken for granted. This is not okay.

[JetSetIlly]

> This is not okay.

Agreed. The way to address it though, is through calm analysis and reason. The emotional language from both groups is not helping.

If there's one problem with Claude et al, it's that it's all happened way too quickly for people to keep up. We're all at different stages of acceptance and I think that's what we're seeing manifest in the various discussions.

[Barrin92]

>We're all at different stages of acceptance

I do hope you see the irony of accusing people of armchair psychology and then hitting us with the five stages of grief.

I trust rsync (which handles critical data on my system) because I know a veteran of 40 years wrote the code it runs. If I see code like the one above posted by the OP, that the author wouldn't have written, I start to pay attention. When I then read the blog post of him saying that he'd "rather go sailing than fix rsync issues", I start to question whether the software is still written in a way I can trust and where it's going quality wise.

The problem isn't this weird gaslighting attempt that we just haven't let Claude in our hearts and souls yet which you seem to have determined is inevitable (spoiler alert, it is not), it's that a bot wrote crappy code and I wasn't even aware I was running it and now don't know to what standard this project is held.

[Eufrat]

> As a long-time open-source maintainer, I find all the second-guessing and armchair psychoanalysis here (not just in this comment, all over HN) about Tridge's motivations, state of mind, and so on incredibly off-putting.

I agree that the entire episode is obscene, but I am also unsure of what to do here either. On some level this is the same problem movie stars run into. I agree that guessing or waxing about the motivations of anyone is a nosy and overall unproductive exercise (yet paparazzi exist because of this very human behavior), but I also think that there is a modest duty owed to users to explain things.

> Tridge doesn't owe anyone anything as far as rsync is concerned. Yet he is spending his time maintaining it, only to be attacked for his efforts.

I am reminded of this piece: https://mikemcquaid.com/open-source-maintainers-owe-you-noth...

Which, I empathize with, but I fundamentally disagree that maintainers owe users nothing. I will die on that hill. If you are getting to that point where you actively loathe working on the project, I agree you should be able to walk away. However, I strongly believe that when you create something for people to use that there’s an implicit social contract about how to go about doing certain things.

I suppose in a very extreme and intentionally histrionic example, having a project carry the MIT license, getting frustrated and then changing the project to delete the entire system is a crime. The average person and the courts don’t care if the license is “as-is”. There is a duty that is understood that you don’t do that and I think we need to make it clear what that duty is for OSS.

Ultimately, though, I think this is all symptomatic of the fact that the OSS model has gaps that the increase in security reports whether AI generated or not has exerted more pressure on. I have certainly been on the receiving end of a lot of frivolous security reports that were discarded because it was obvious that it was just someone with a security scanner wandering around the Internet. You still have to review that nonsense and it eats into your time. Doing this on your own time, without pay and having to listen to the peanut gallery is just infuriating.

Is any business built on top of rsync going to donate their money in a sustainable manner?

[nl]

> However, I strongly believe that when you create something for people to use that there’s an implicit social contract about how to go about doing certain things.

Wow.

The entitlement in this statement is outrageous.

[0123456789ABCDE]

> I also think that there is a modest duty owed to users to explain things.

> I fundamentally disagree that maintainers owe users nothing.

> I strongly believe that when you create something for people to use that there’s an implicit social contract about how to go about doing certain things.

do you realize how unhinged this all reads like?

there is no duty. nothing is owed to no one. there is no implicit anything. this is all happening in your head. you are making up things that don't exist. the social contract is not a real thing either. the only contract you can have with the author of rsync is the GNU GENERAL PUBLIC LICENSE Version 3, and then, only when you get a copy of rsync.

> getting frustrated and then changing the project to delete the entire system is a crime

boop: strawman argument — you have been disqualified

> Is any business built on top of rsync going to donate their money in a sustainable manner?

does it matter? do you have an invoice for rsync?

the author wrote it themselves, he is retired, and sailing. unless google is buying him a new boat, i doubt he gives a crap what anyone has to offer.

truly obscene is the fabricated idea that you are owed anything after downloading code from github.

> I am also unsure of what to do here either.

touch grass?

[agartner]

> the courts don’t care if the license is “as-is”.

There isn't any case law to show that. Certainly not in the age of AI. On the criminal side, the CFAA requires "intentionally causes damage" and that's entirely impossible to prove in the age of AI. On the civil side, liability waivers and warranty disclaimers generally cannot shield intentional or willful misconduct or gross negligence.

[kelipso]

Yeah the maintainers don’t owe users nothing is a disgusting sentiment that doesn’t stand real scrutiny. There is a social contract here. If you want to be respected and get recognized as “tridge” or whatever your name is, you owe the people that recognize you and that wider community in general.

[kelnos]

First off: I don't agree that there's a social contract here at all. That's just some imaginary thing that you (and others) have decided exists. It's funny how lots of people who aren't open source maintainers seem to think it's ok to make up social contracts for other people without their consent.

But ok, let's just pretend for a second that maintainers have indeed entered into some sort of social contract that gives them an obligation to support their software, uncompensated. But if we have this contract, then it cuts both ways. The users then have entered into a social contract of their own: they agree to treat me with respect when they deal with me, to not act entitled, to not demand things of me, to not be rude, and to do their part in being a helpful, productive partner in helping to solve any issues they report.

If a user breaks their part of the contract, then I have no obligation to fulfill my side of it.

It's a bit bizarre to me that non-maintainers have decided to invent some sort of "social contract" that benefits them (while putting a sizeable burden on maintainers), but seem to think that they aren't entering into a social contract of their own when they decide to use the software. (And that there are consequences for not upholding the user side of the social contract.)

Put another way: in contract law (in the US, at least), there's the concept of "consideration". It's the idea that both parties are getting something out of a deal. Some of that can be monetary, but it can also be other things. If a contract is one sided, that is, if one party isn't getting any consideration, then the contract can often be unenforceable.

That seems to be what people like you are doing here: requiring that open source maintainers enter into a social contract, but not give them any consideration in return for it. (And no, some sort of ill-defined concepts like "reputation" or "large user base" don't pass my threshold for meaningful consideration.)

That's one more thing, even: contracts are voluntary. All involved parties must agree for there to be a contract. I don't agree to your bullshit contract of one-sided obligation, so there is no contract.

[FooBarWidget]

This. Best writeup I've seen on the topic of entitled/abusive users. You should publish this as a blog post or launch some sort of campaign or something, something people can refer to. I haven't encountered entitled users myself, but my gawd, I'm so annoyed at users who feel entitled to other open source maintainers. I'm raging with a drive to protest against people who treat the rsync maintainer with such disrespect.

[tptacek]

This is great, but I can shorten it for you for times in the future you need to deploy it: "DM for my rate card".

[jasonvorhe]

This "social contract" seems to be vocabulary that people use to rationalize their assumptions about how the world should work. A contract requires consent of both parties.

[tptacek]

No there isn't.

[Eufrat]

I just cannot understand this logic, can you explain why there is no responsibility whatsoever on the part of a maintainer towards the users?

Selling a toaster has an implicit warranty of merchantability. Society expects that if you sell me something, it should have certain promises. Yes, there’s no monetary exchange here, the work is given gratis, but there’s still a relationship and an interaction here and I think it is clear some people, like myself, believe that there are implied expectations. Just because it is “free” doesn’t mean it allows one to have a seemingly psychopathic attitude on the matter. It doesn’t absolve people of societal obligations.

I read that article by Mike McQuaid and I don’t get the impression that, “Yes, project maintainers should be allowed to run projects as they see fit and they put up with a lot of drive-by insults and hostile users. You don’t understand how hard all of this is and I’m doing it for free.” I get, “I hate my users and you should be grateful that I give you anything.”

[wolletd]

> “I’d rather be out sailing than working on rsync security issues, so I have reached for several AI tools to help with what needs to be done,”

Well, then maybe it's already overdue to find a new maintainer for the project and let someone else continue it? The tool will not get better from someone working on it who doesn't want to.

[monooso]

He explicitly addresses that in the article.

> Luckily I’ve been joined by some other very good developers with great systems development skills and security knowledge... Watch out for some credits for some great new rsync developers in the next release.

[kelnos]

Unless you're willing to step up and be that person, it's not your place for you to suggest it.

[wolletd]

I don't agree with that, I can very well still discuss that. He clearly sounds like someone who doesn't want to do this work anymore and should have searched for a successor.

That's my impression from that sentence, at least. Don't you agree?

So, why didn't he do it? Because just firing up Claude and let it rip is way easier than finding real people and building up trust?

Did Claude increase bugs in rsync? Or did Claude just gave some basically retired programmer, who doesn't even want to work on his project anymore, the impression that he can replace finding a successor with just handing it to AI?

[lemming]

Because just firing up Claude and let it rip

Based on Tridge’s post, this seems an unfair characterisation of how he used Claude.

Did Claude increase bugs in rsync?

TFA answered this, the answer is “no”.

[rossjudson]

You're highly critical. What would you be doing differently? So far Tridge has elected to:

- generally decide to fix security issues over preserving compatibility - rewritten an aging test suite in what appears to be a highly responsible way - brought on additional qualified developers to help with the workload

Not bad for a guy who's retired.

You care enough to complain on HN. You could be a part of the solution.

What were you going to do differently, specifically?

[aseipp]

> That's my impression from that sentence, at least. Don't you agree?

No. Given a choice between doing laundry and driving Lamborghinis, I would probably choose the latter. But I still have to do my laundry. I might use a washing machine to do so. It's just a responsibility among many responsibilities. It isn't that deep, really.

The reality few people want to admit is that maintaining open-source software is often closer for many people to "doing laundry" than like, being the software equivalent of Atticus Finch.

> Or did Claude just gave some basically retired programmer, who doesn't even want to work on his project anymore,

The only thing Claude has "done" apparently is give a bunch of annoying people online a license to engage in armchair psychoanalysis of someone they don't know at all, from what I can tell.

[prmoustache]

> and should have searched for a successor.

He doesn't have to do that. If he ever do not care enough he can just stop maintaining it and that's it.

[duskdozer]

I think many would prefer that to the situation that happened.

[gverrilla]

Congratulations, you have an opinion.

[rossjudson]

Yeah, we definitely need to make sure that we take the considerations of the mob into account.

The person owning the project is using the master branch in the way he sees fit.

Incidentally, there is no amount of communicating "correctly" that quells a mob. There's a Venn diagram of concerns, and those with concerns not being met will generate (now infinite) outrage.

[rendaw]

Is using calloc for everything fixing a security issue or hardening it?

[ekidd]

Calloc is generally hardening, because it zeros out any stale memory contents left over from previous uses of the memory.

You can avoid this overhead if you use a language that forbids reading from uninitialized memory, but C is not that language.

[kelnos]

Uninitialized memory is not a problem (the OS is never going to give a program memory that has data in it from another program). The problem is memory that you allocated in the past, have freed, but hasn't been returned to the OS[0]. It might have key material or other sensitive data in it[1]. Or it might just have random garbage in it that could be misinterpreted by the code that's about to use it, if it hasn't been initialized to a known state.

For some uses, you do genuinely need (specifically) zeroed-out memory before you start to use it, and that's where calloc() is truly useful. But that need not have anything to do with security.

[0] The allocator will often hold onto memory that has been freed in order to quickly service future requests for new allocations, without needing a context switch into kernel space.

[1] Granted, the correct way to handle that is to zero it out before freeing it, in a way that the compiler won't optimize out.

[ekidd]

> The problem is memory that you allocated in the past, have freed, but hasn't been returned to the OS[0].

There are at least two different ways in which memory might be semantically "uninitialized":

1. The memory was provided by the OS. On modern desktop and mobile OSes, this memory will normally be zeroed automatically. 2. The memory was provided by the language's allocator. This may contain a mix of data used by previous allocations and memory that has never been touched (perhaps because previous allocations reserved it as end-of-array "capacity" that never got used). From the perspective of a language like Rust, this memory is considered uninitialized, and safe code should never be able to read it without first setting it.

In ancient C code, it makes a fair bit of sense to preemptively calloc everything. Or better, to wrap the allocator with one that zeroes on free. Though even there, you need to be careful not to expose recycled heap block headers in the middle of newly allocated objects.

My opinion for the last 30+ years has been that C is unfit for purpose, and that using it almost inevitably introduces large numbers of dire security holes. But until the last 10-15 years, there hasn't been any seriously viable alternatives.