by Eufrat 6 days ago
I think Tridge is simultaneously trying to be proactive and kinda giving too much credit to marketing. Anthropic has not been able to really give numbers or actual values on what Mythos can really do. It just waved Mythos in front of the public like a boogeyman screaming that AI is going to cause a security nightmare (and it has, but mostly through vibe coded trash from what I’ve noticed); I’m hard pressed to find their statement that they spent less than $20,000 to find a Kerberos bug in FreeBSD a compelling win without a lot more context and they seem disinclined to provide that data. I really do wonder what evidence they have provided to their approved partners, all of this smells…weird.

I honestly think the main problem is Tridge just failed at communicating any of this correctly and I don’t think the implication he gives that all of this was due to the urgency of the impending security apocalypse really holds water.

Why was all of this written straight to the master branch? Now that the release is out, why not better explain what the urgency of this release was? Why wasn’t he proactive in communicating this and instead let the mob make up their own story? I think a lot of people are inclined to give Tridge a lot of leeway due to the fact that he literally is the reason why rsync exists, but this was avoidable and I think the comment in his response post where he mentions that, “I’d rather be out sailing than working on rsync security issues, so I have reached for several AI tools to help with what needs to be done,” speaks volumes as to what is going on.


As a long-time open-source maintainer, I find all the second-guessing and armchair psychoanalysis here (not just in this comment, all over HN) about Tridge's motivations, state of mind, and so on incredibly off-putting.

Tridge doesn't owe anyone anything as far as rsync is concerned. Yet he is spending his time maintaining it, only to be attacked for his efforts.

To respond to the specific technical point, there really _is_ a flood of security reports arriving everywhere in the past few months. The jury is out on whether Mythos is that much better than alternatives, but even the publicly available models are _highly_ capable of finding real problems, and they are being employed to that end quite effectively. Here are the counts of security issues fixed in each monthly Go minor release going back to the start of 2024:

     0 2024-01-09 Go 1.21.6, Go 1.20.13
     0 2024-02-06 Go 1.21.7, Go 1.20.14
     5 2024-03-05 Go 1.22.1, Go 1.21.8
     1 2024-04-03 Go 1.22.2, Go 1.21.9
     2 2024-05-07 Go 1.22.3, Go 1.21.10
     2 2024-06-04 Go 1.22.4, Go 1.21.11
     1 2024-07-02 Go 1.22.5, Go 1.21.12
     0 2024-08-06 Go 1.22.6, Go 1.21.13
     3 2024-09-05 Go 1.23.1, Go 1.22.7
     0 2024-10-01 Go 1.23.2, Go 1.22.8
     0 2024-11-06 Go 1.23.3, Go 1.22.9
     0 2024-12-03 Go 1.23.4, Go 1.22.10
     
     2 2025-01-16 Go 1.23.5, Go 1.22.11
     1 2025-02-04 Go 1.23.6, Go 1.22.12
     1 2025-03-04 Go 1.24.1, Go 1.23.7
     1 2025-04-01 Go 1.24.2, Go 1.23.8
     1 2025-05-06 Go 1.24.3, Go 1.23.9
     3 2025-06-05 Go 1.24.4, Go 1.23.10
     1 2025-07-08 Go 1.24.5, Go 1.23.11
     2 2025-08-06 Go 1.24.6, Go 1.23.12
     1 2025-09-03 Go 1.25.1, Go 1.24.7
    10 2025-10-07 Go 1.25.2, Go 1.24.8
     * 2025-10-13 Go 1.25.3, Go 1.24.9
     0 2025-11-05 Go 1.25.4, Go 1.24.10
     2 2025-12-02 Go 1.25.5, Go 1.24.11
    
     6 2026-01-15 Go 1.25.6, Go 1.24.12
     2 2026-02-04 Go 1.25.7, Go 1.24.13
     5 2026-03-05 Go 1.26.1, Go 1.25.8
    10 2026-04-07 Go 1.26.2, Go 1.25.9
    11 2026-05-07 Go 1.26.3, Go 1.25.10
     3 2026-06-02 Go 1.26.4, Go 1.25.11
* The Go 1.25.3 and Go 1.24.9 releases were a fast follow to fix a problem introduced by one of the security fixes the previous week.

You can see that 2026 has been quite different from the previous years. There are plenty of other contemporaneous accounts from other security teams about the load increase they've seen (which again is almost entirely not Mythos).

Also, the number of reports we are receiving has gone up far faster than the number of actual vulnerabilities. Over the 75-month period from January 2020 to early April 2026, the final 30 days accounted for ~16% of the reports.

It is easy to believe that Tridge is seeing a similar flood of reports. More reports means more fixes means more code changes means more bugs.

> Yet he is spending his time maintaining it, only to be attacked for his efforts.

Which, in general, is totally legit. Doing something voluntarily doesn't relieve you from criticism if what you are doing isn't good.

You can criticize all you want, but he can also just stop maintaining it if he gets too annoyed by the criticism. Maybe that's a better outcome for you, idk.

Yes, I agree. Voluntarily forming a mob to flood issue trackers with garbage shouldn't relieve the mob members from receiving criticism.

Agreed. Just like one doesn't owe society their voluntary work, society doesn't owe one protection from criticism.
I follow Go security issues and many recent ones are consequences of features added to Go, and also of security researchers following up on an area after one issue is found.

Recent examples are certificate validation logic, one issue after another... because it's a mess of a thing to implement.

I agree, it's very off-putting, and I totally understand that the number of reports is overwhelming for maintainers of popular libraries.

> More reports means more fixes means more code changes means more bugs.

Sounds like we'll be riding a downward spiral for the foreseeable future? It will be very interesting to see how stats like the ones you shared develop in the coming year(s).

From the article I find this a bit concerning:

> So: the Claude releases changed way more lines of code than historical ones, but didn't have more bugs. More code, same bugs. That's not what you'd expect if Claude were making things worse.

More code, same bugs, is a net negative, no? I mean unless it's strictly needed for the inherent complexity of the program. But I've seen a tokenizer written by Rob Pike and I've seen a tokenizer written by Claude.... they are not the same :D

What Tridge says is that the "more code" is more fixes and more thorough test suites, not random changes made by LLMs.

> As a long-time open-source maintainer, I find all the second-guessing and armchair psychoanalysis here (not just in this comment, all over HN) about Tridge's motivations, state of mind, and so on incredibly off-putting.

Much of the language from both groups is incredibly off-putting, frankly. Tridge in his blog post describes people as "foaming at the mouth"?!

The rhetoric around this has gotten way too emotional from both groups.

I'm glad I'm just a hobbyist.

> Tridge in his blog post describes people as "foaming at the mouth"?!

Did you see the picture in the article where the user posted a picture of them strangling the maintainer? I think “foaming at the mouth” is probably gentler than how I would characterise that.

IMHO, the whole episode is just embarrassing. I have no doubt he’s just trying to do the right thing. You can disagree with the tactics, but the vitriol is outrageous. rsync is a gift to the world and we should be grateful and mindful of how much it has been quietly woven into the fabric of computing. rsync is taken for granted. This is not okay.

> This is not okay.

Agreed. The way to address it though, is through calm analysis and reason. The emotional language from both groups is not helping.

If there's one problem with Claude et al, it's that it's all happened way too quickly for people to keep up. We're all at different stages of acceptance and I think that's what we're seeing manifest in the various discussions.

>We're all at different stages of acceptance

I do hope you see the irony of accusing people of armchair psychology and then hitting us with the five stages of grief.

I trust rsync (which handles critical data on my system) because I know a veteran of 40 years wrote the code it runs. If I see code like the one above posted by the OP, that the author wouldn't have written, I start to pay attention. When I then read the blog post of him saying that he'd "rather go sailing than fix rsync issues", I start to question whether the software is still written in a way I can trust and where it's going quality wise.

The problem isn't this weird gaslighting attempt that we just haven't let Claude in our hearts and souls yet which you seem to have determined is inevitable (spoiler alert, it is not), it's that a bot wrote crappy code and I wasn't even aware I was running it and now don't know to what standard this project is held.

> If I see code like the one above posted by the OP, that the author wouldn't have written, I start to pay attention.

Except the author did write it. https://github.com/RsyncProject/rsync/issues/959#issuecommen...

Which is part of the problem with all of this nonsense right now - everyone is running off of emotion and not looking to see if what is being said is actually true. Which is somewhat ironic, considering the message of the article.

> I do hope you see the irony of accusing people of armchair psychology and then hitting us with the five stages of grief.

I just want to point out that those were two different commenters.

> The problem isn't this weird gaslighting attempt that we just haven't let Claude in our hearts and souls yet which you seem to have determined is inevitable (spoiler alert, it is not),

I don't believe it's inevitable and in fact, I'm thoroughly against the use of tools like Claude.

My reference to "different stages of acceptance" was only to indicate that people have embraced these things to varying degrees, and that it seems to be this difference which is causing conflict in discussions like this. (I doubt I will ever fully accept it. A lot needs to change for that to happen).

I didn't really have the "five stages of grief" in mind when I wrote it.

> As a long-time open-source maintainer, I find all the second-guessing and armchair psychoanalysis here (not just in this comment, all over HN) about Tridge's motivations, state of mind, and so on incredibly off-putting.

I agree that the entire episode is obscene, but I am also unsure of what to do here either. On some level this is the same problem movie stars run into. I agree that guessing or waxing about the motivations of anyone is a nosy and overall unproductive exercise (yet paparazzi exist because of this very human behavior), but I also think that there is a modest duty owed to users to explain things.

> Tridge doesn't owe anyone anything as far as rsync is concerned. Yet he is spending his time maintaining it, only to be attacked for his efforts.

I am reminded of this piece: https://mikemcquaid.com/open-source-maintainers-owe-you-noth...

Which, I empathize with, but I fundamentally disagree that maintainers owe users nothing. I will die on that hill. If you are getting to that point where you actively loathe working on the project, I agree you should be able to walk away. However, I strongly believe that when you create something for people to use that there’s an implicit social contract about how to go about doing certain things.

I suppose in a very extreme and intentionally histrionic example, having a project carry the MIT license, getting frustrated and then changing the project to delete the entire system is a crime. The average person and the courts don’t care if the license is “as-is”. There is a duty that is understood that you don’t do that and I think we need to make it clear what that duty is for OSS.

Ultimately, though, I think this is all symptomatic of the fact that the OSS model has gaps that the increase in security reports whether AI generated or not has exerted more pressure on. I have certainly been on the receiving end of a lot of frivolous security reports that were discarded because it was obvious that it was just someone with a security scanner wandering around the Internet. You still have to review that nonsense and it eats into your time. Doing this on your own time, without pay and having to listen to the peanut gallery is just infuriating.

Is any business built on top of rsync going to donate their money in a sustainable manner?

> However, I strongly believe that when you create something for people to use that there’s an implicit social contract about how to go about doing certain things.

Wow.

The entitlement in this statement is outrageous.

> I also think that there is a modest duty owed to users to explain things.

> I fundamentally disagree that maintainers owe users nothing.

> I strongly believe that when you create something for people to use that there’s an implicit social contract about how to go about doing certain things.

do you realize how unhinged this all reads?

there is no duty. nothing is owed to no one. there is no implicit anything. this is all happening in your head. you are making up things that don't exist. the social contract is not a real thing either. the only contract you can have with the author of rsync is the GNU GENERAL PUBLIC LICENSE Version 3, and then, only when you get a copy of rsync.

> getting frustrated and then changing the project to delete the entire system is a crime

boop: strawman argument — you have been disqualified

> Is any business built on top of rsync going to donate their money in a sustainable manner?

does it matter? do you have an invoice for rsync?

the author wrote it themselves, he is retired, and sailing. unless google is buying him a new boat, i doubt he gives a crap what anyone has to offer.

truly obscene is the fabricated idea that you are owed anything after downloading code from github.

> I am also unsure of what to do here either.

touch grass?

> the courts don’t care if the license is “as-is”.

There isn't any case law to show that. Certainly not in the age of AI. On the criminal side, the CFAA requires "intentionally causes damage" and that's entirely impossible to prove in the age of AI. On the civil side, liability waivers and warranty disclaimers generally cannot shield intentional or willful misconduct or gross negligence.

Yeah, "the maintainers don’t owe users anything" is a disgusting sentiment that doesn’t stand up to real scrutiny. There is a social contract here. If you want to be respected and get recognized as “tridge” or whatever your name is, you owe the people that recognize you and that wider community in general.

First off: I don't agree that there's a social contract here at all. That's just some imaginary thing that you (and others) have decided exists. It's funny how lots of people who aren't open source maintainers seem to think it's ok to make up social contracts for other people without their consent.

But ok, let's just pretend for a second that maintainers have indeed entered into some sort of social contract that gives them an obligation to support their software, uncompensated. But if we have this contract, then it cuts both ways. The users then have entered into a social contract of their own: they agree to treat me with respect when they deal with me, to not act entitled, to not demand things of me, to not be rude, and to do their part in being a helpful, productive partner in helping to solve any issues they report.

If a user breaks their part of the contract, then I have no obligation to fulfill my side of it.

It's a bit bizarre to me that non-maintainers have decided to invent some sort of "social contract" that benefits them (while putting a sizeable burden on maintainers), but seem to think that they aren't entering into a social contract of their own when they decide to use the software. (And that there are consequences for not upholding the user side of the social contract.)

Put another way: in contract law (in the US, at least), there's the concept of "consideration". It's the idea that both parties are getting something out of a deal. Some of that can be monetary, but it can also be other things. If a contract is one sided, that is, if one party isn't getting any consideration, then the contract can often be unenforceable.

That seems to be what people like you are doing here: requiring that open source maintainers enter into a social contract, but not give them any consideration in return for it. (And no, some sort of ill-defined concepts like "reputation" or "large user base" don't pass my threshold for meaningful consideration.)

There's one more thing, even: contracts are voluntary. All involved parties must agree for there to be a contract. I don't agree to your bullshit contract of one-sided obligation, so there is no contract.

This. Best writeup I've seen on the topic of entitled/abusive users. You should publish this as a blog post or launch some sort of campaign or something, something people can refer to. I haven't encountered entitled users myself, but my gawd, I'm so annoyed at users who feel entitled to other open source maintainers. I'm raging with a drive to protest against people who treat the rsync maintainer with such disrespect.

This is great, but I can shorten it for you for times in the future you need to deploy it: "DM for my rate card".

This "social contract" seems to be vocabulary that people use to rationalize their assumptions about how the world should work. A contract requires consent of both parties.

No there isn't.

I just cannot understand this logic, can you explain why there is no responsibility whatsoever on the part of a maintainer towards the users?

Selling a toaster has an implicit warranty of merchantability. Society expects that if you sell me something, it should have certain promises. Yes, there’s no monetary exchange here, the work is given gratis, but there’s still a relationship and an interaction here and I think it is clear some people, like myself, believe that there are implied expectations. Just because it is “free” doesn’t mean it allows one to have a seemingly psychopathic attitude on the matter. It doesn’t absolve people of societal obligations.

I read that article by Mike McQuaid and I don’t get the impression that, “Yes, project maintainers should be allowed to run projects as they see fit and they put up with a lot of drive-by insults and hostile users. You don’t understand how hard all of this is and I’m doing it for free.” I get, “I hate my users and you should be grateful that I give you anything.”

If I hated my users I wouldn’t work on Homebrew for 17 years. I do hate a small subset of hostile users.

The selling metaphor doesn’t work. Homebrew is not sold and its license, effectively a EULA, disclaims all warranties because it is not sold and we are not paid a wage to build it.

I have also built a bunch of proprietary software for money where my obligations are different. I also enjoy that and my responsibilities differ there.

Users should be grateful that they are given anything. We do not get anything from their use. For the vast majority, it is a one way relationship (contributors excluded of course).

If they don’t like the choices made by me or the project: they can fork it. They won’t, though, because the closest friend of entitlement is laziness. They can use Nix or MacPorts instead which may be a better fit for them and, if they are not contributing, does not disadvantage Homebrew.

> Selling a toaster has an implicit warranty of merchantability. Society expects that if you sell me something, it should have certain promises. Yes, there’s no monetary exchange here, the work is given gratis, but there’s still a relationship and an interaction here and I think it is clear some people, like myself, believe that there are implied expectations.

No there isn't.

Pay money and there's a contract.

Anything else is in your head.

That toaster example sounds so nonsensical that I'm expecting you to deliver on your indirect promise of backing that up with evidence because of this special relationship of ours you established via interaction so these expectations are obviously implied by you commenting here.

Please continue.

> Selling a toaster has an implicit warranty of merchantability.

Why would you think this is worth mentioning here?

Instead of explaining, just try to do something, that people actually use, for free, in the open, for some time. It doesn't have to be software, can be work for a nonprofit or a charity etc. I'm sure you will be enlightened.

Some people do not realize that they're in parasocial relationships with content creators like streamers and youtubers and feel that it is reasonable to have expectations. For me, applying your argument, that there is some responsibility for a creator towards their users, within that domain seems farfetched. Like, I can wish that they'd continue producing worthwhile content but apart from that, how would their responsibility toward me actually manifest itself?

You don't have the impression that project managers should "be allowed" to run projects "as they see fit"?

it would save everyone a lot of hurt feelings, and unexpected surprises, if access to open source software was treated as a privilege, instead of treating it like a right

You have given the maintainer nothing. There is no relationship, no interaction. If you want to change open source code fork it and do as you please. No one owes you free labor.

> can you explain why there is no responsibility whatsoever on the part of a maintainer towards the users?

Because I don't. It's that simple. There is nothing that says I have a responsibility, and the license I release under even makes it clear and explicit that I have no responsibility. So I don't.

If you are going to claim that I do have a responsibility, then the onus is on you to present some solid, convincing, extraordinary evidence or argumentation to support that. And you haven't succeeded in doing so.

> Selling

That's part of it, right there. If I sell my open source software, then yes, I may have created an implied warranty of merchantability, even if my license disclaims that.

But if I haven't sold it to you, then no such warranty or obligation exists.

> Yes, there’s no monetary exchange here, the work is given gratis, but there’s still a relationship and an interaction here

So you admit that, but seem to ignore the idea that there's a difference between selling something and giving it away for free. I fundamentally disagree with that. If I give away something for free, the person accepting it has zero claim on me or my time. If I sell something, then there's some claim there, depending on the terms of sale that we both agreed to before I took payment.

> It doesn’t absolve people of societal obligations.

This is something you've invented out of whole cloth. There's no societal obligation to maintain something (for free) that you've given away for free. And on top of that, there's no societal obligation to deal with demanding, entitled, sometimes angry people, who want more of your time for free.

Let's actually look at it from a paid perspective. Let's say I release some software (open- or closed-source; I suppose the distinction doesn't matter for this example), and also offer paid support for that software. Some people use it without paying for support, some people pay for support. Let's say some of the people who are paying for support are demanding and rude when reporting issues and asking for fixes. Even then, I still don't have to put up with it. I can "fire" those customers if I want, either by cancelling and refunding their remaining support contract, or by deciding not to renew them when their current contract runs out.

I don't think anyone would reasonably require a company to continue to have a business relationship with a customer that is causing too many problems for them. I think the reason we are fine with this concept is because there's a remedy that gives both parties something: if we refund the customer some portion or all of what they've paid, we consider that a reasonable way to terminate that relationship. With gratis open source software, there's no such monetary arrangement, so it feels fuzzier what the author-user relationship even is. But to me, this makes an even stronger case for the idea that open source maintainers have no obligations to their users, aside from any that they voluntarily take on, and can also decide to terminate at any point they like.

> “I’d rather be out sailing than working on rsync security issues, so I have reached for several AI tools to help with what needs to be done,”

Well, then maybe it's already overdue to find a new maintainer for the project and let someone else continue it? The tool will not get better from someone working on it who doesn't want to.

He explicitly addresses that in the article.

> Luckily I’ve been joined by some other very good developers with great systems development skills and security knowledge... Watch out for some credits for some great new rsync developers in the next release.

Unless you're willing to step up and be that person, it's not your place to suggest it.

I don't agree with that, I can very well still discuss that. He clearly sounds like someone who doesn't want to do this work anymore and should have searched for a successor.

That's my impression from that sentence, at least. Don't you agree?

So, why didn't he do it? Because just firing up Claude and letting it rip is way easier than finding real people and building up trust?

Did Claude increase bugs in rsync? Or did Claude just give some basically retired programmer, who doesn't even want to work on his project anymore, the impression that he can replace finding a successor with just handing it to AI?

> Because just firing up Claude and let it rip

Based on Tridge’s post, this seems an unfair characterisation of how he used Claude.

> Did Claude increase bugs in rsync?

TFA answered this, the answer is “no”.

You're highly critical. What would you be doing differently? So far Tridge has elected to:

- generally decide to fix security issues over preserving compatibility
- rewritten an aging test suite in what appears to be a highly responsible way
- brought on additional qualified developers to help with the workload

Not bad for a guy who's retired.

You care enough to complain on HN. You could be a part of the solution.

What were you going to do differently, specifically?

> That's my impression from that sentence, at least. Don't you agree?

No. Given a choice between doing laundry and driving Lamborghinis, I would probably choose the latter. But I still have to do my laundry. I might use a washing machine to do so. It's just a responsibility among many responsibilities. It isn't that deep, really.

The reality few people want to admit is that maintaining open-source software is often closer for many people to "doing laundry" than like, being the software equivalent of Atticus Finch.

> Or did Claude just gave some basically retired programmer, who doesn't even want to work on his project anymore,

The only thing Claude has "done" apparently is give a bunch of annoying people online a license to engage in armchair psychoanalysis of someone they don't know at all, from what I can tell.

> and should have searched for a successor.

He doesn't have to do that. If he ever does not care enough he can just stop maintaining it and that's it.

I think many would prefer that to the situation that happened.

Congratulations, you have an opinion.

Yeah, we definitely need to make sure that we take the considerations of the mob into account.

The person owning the project is using the master branch in the way he sees fit.

Incidentally, there is no amount of communicating "correctly" that quells a mob. There's a Venn diagram of concerns, and those with concerns not being met will generate (now infinite) outrage.