{"id":4203,"date":"2026-06-02T14:01:20","date_gmt":"2026-06-02T14:01:20","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/06\/02\/can-chainguard-save-open-source-software-from-mythos-can-anyone\/"},"modified":"2026-06-02T14:01:20","modified_gmt":"2026-06-02T14:01:20","slug":"can-chainguard-save-open-source-software-from-mythos-can-anyone","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/06\/02\/can-chainguard-save-open-source-software-from-mythos-can-anyone\/","title":{"rendered":"Can Chainguard Save Open-Source Software From Mythos? Can Anyone?"},"content":{"rendered":"<div><img data-opt-id=342599583  fetchpriority=\"high\" decoding=\"async\" width=\"770\" height=\"330\" src=\"https:\/\/devops.com\/wp-content\/uploads\/2026\/06\/open_source_ai_security_770x330.jpg\" class=\"attachment-large size-large wp-post-image\" alt=\"\" \/><\/div>\n<p><span>IBM and Red Hat aren\u2019t the only ones that mean to lock down open-source code against AI hacking tools.<\/span><\/p>\n<p><span>Last week, <\/span><a href=\"https:\/\/devops.com\/ibm-red-hat-launch-project-lightwell-to-secure-open-source-software-from-frontier-models\/\"><span>IBM and Red Hat launched Project Lightwell<\/span><\/a><span> to protect open-source projects with $5 billion and 20 thousand engineers. 
Not to be outdone, with tongue in cheek, <\/span><a href=\"https:\/\/www.chainguard.dev\/\"><span>Chainguard<\/span><\/a><span>\u2019s CEO Dan Lorenc announced a <\/span><a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7465825603615703040\/\"><span>$50 million, 100\u2011engineer commitment as an attempt to \u201cbuild new trust infrastructure for open source consumption.\u201d<\/span><\/a><span> Why? Because Lorenc argues that open source consumption \u201cis fundamentally broken, and no amount of incremental improvement is going to fix it in time.\u201d I wish I could disagree, but he\u2019s right.<\/span><\/p>\n<p><span>In his blog post, <\/span><a href=\"https:\/\/www.chainguard.dev\/unchained\/the-hardest-fork\"><span>The Hardest Fork<\/span><\/a><span>, Lorenc warns \u201c<\/span><a href=\"https:\/\/techstrong.ai\/tag\/mythos\/\"><span>Mythos<\/span><\/a><span> is real,\u201d pushing back on those who dismiss Anthropic\u2019s scary code scanner as hype or a \u201cmarketing stunt.\u201d He describes the Mythos findings as \u201cnovel combinations of a few dozen issues out of thousands of things every SAST [Static Application Security Testing] scanner already finds, chained together into something much worse.\u201d In short, Mythos is \u201cnot a better scanner\u201d but \u201ca different category of threat.\u201d\u00a0<\/span><\/p>\n<p><span>This means modern AI is turning coordinated vulnerability disclosure into an at\u2011scale problem: \u201cA model can now find hundreds overnight in the long tail. The existing system is not going to keep up, and we all need a backup plan for the vulnerabilities that don\u2019t get patched.\u201d<\/span><\/p>\n<p><span>Lorenc argues that the basic way enterprises use open source is unsustainable under AI pressure. 
He wrote, \u201cThe way the world consumes open-source software is fundamentally broken, and no amount of incremental improvement is going to fix it in time.\u201d Open source is \u201cgoing to have to change.\u201d<\/span><\/p>\n<p><span>After all, he points out that \u201cmodern apps are layers of dependencies,\u201d where changing one component can cascade through an entire stack, especially in large organizations with legacy codebases. On the maintainer side, he notes that \u201csome of the most critical software on the internet is maintained by one or two people in their spare time,\u201d and that \u201cautomated scanners and AI-generated reports have already been burying them in low-quality noise for years.\u201d<\/span><\/p>\n<p><span>What to do?\u00a0<\/span><\/p>\n<p><span>Plan A: coordinated disclosure that actually scales<\/span><\/p>\n<p><span>In the near term, Lorenc says the ecosystem needs both \u201ca Plan A and a Plan B.\u201d Plan A is \u201ccoordinated disclosure that actually works at scale,\u201d which he defines as \u201ca single, trusted group that routes fully vetted reports and patches upstream, and supports the maintainers who want help.\u201d<\/span><\/p>\n<p><span>That\u2019s all well and good, but who will that be? 
IBM and Red Hat have certainly thrown their hat into the ring, but do you trust them?\u00a0<\/span><\/p>\n<p><span>Lorenc is certainly right when he states this can\u2019t be left to \u201ca dozen competing groups filing noisy tickets\u201d and instead needs \u201cone coordinated effort that maintainers recognize and trust, so their reports get bubbled to the top of every inbox.\u201d He cites <\/span><a href=\"https:\/\/www.anthropic.com\/glasswing\"><span>Project Glasswing<\/span><\/a><span>\u2019s current performance as a warning sign, writing that \u201cGlasswing has managed to get about 6% of its findings upstreamed\u201d and estimating that \u201cwe can get normal coordinated disclosure working, under hard time crunches, for maybe 50% of projects at best.\u201d<\/span><\/p>\n<p><span>Plan B: a \u201cmaintainer of last resort.\u201d<\/span><\/p>\n<p><span>For everything that Plan A can\u2019t reach, Lorenc says the ecosystem needs a fallback: \u201cFor all of those, and for the projects where maintainers can\u2019t or won\u2019t patch at all, we need a maintainer of last resort.\u201d He anchors this in the traditional FOSS right to fork: \u201cOpen source gives you the right to fork. To take a project, assume stewardship, and keep it alive independently.\u201d<\/span><\/p>\n<p><span>What\u2019s different, he argues, is scale: \u201cWe\u2019re not talking about forking one project. We\u2019re talking about building the infrastructure to fork, maintain, and distribute thousands of them. Under time pressure, with real adversaries on the other side. That\u2019s the hardest fork any of us has ever had to make.\u201d\u00a0<\/span><\/p>\n<p><span>That is the role he positions Chainguard as helping to fill, leveraging AI to make this kind of \u201cmaintainer of last resort\u201d function viable. 
In a comment, Lorenc adds, \u201c<\/span><a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7465825603615703040\/?dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287466619061624258561%2Curn%3Ali%3Aactivity%3A7465825603615703040%29&amp;dashReplyUrn=urn%3Ali%3Afsd_comment%3A%287466876876641222656%2Curn%3Ali%3Aactivity%3A7465825603615703040%29\"><span>We\u2019re not going to be the maintainer of last resort<\/span><\/a><span>, we\u2019re just going to help with it.\u201d\u00a0<\/span><\/p>\n<p><span>Three futures for open source<\/span><\/p>\n<p><span>Looking further ahead, Lorenc lays out three possible futures he calls \u201cforks in the road\u201d: \u201cThe naive one,\u201d \u201cThe chaotic one,\u201d and \u201cThe hard fork.\u201d\u00a0<\/span><\/p>\n<p><span>In the naive scenario, he writes, \u201cyou do nothing and hope,\u201d and imagines a world where \u201cGlasswing patches everything upstream\u201d and \u201cevery maintainer responds to every disclosure within 24 hours\u201d \u2014 a world that, he says plainly, \u201cWe do not live in.\u201d<\/span><\/p>\n<p><span>Indeed, we already live in the do-nothing-and-hope world, and you may have noticed that not a day goes by that there\u2019s not another new open-source supply chain incident. Just ask <\/span><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/red-hat-npm-packages-compromised-to-steal-developer-credentials\/\"><span>Red Hat with its spectacular npm breach<\/span><\/a><span>. Yes, there is more than a little irony here.\u00a0<\/span><\/p>\n<p><span>In \u201cthe chaotic one,\u201d he warns that \u201cevery major cloud provider forks its own versions of critical libraries, each with its own patch sets,\u201d while \u201cthree different security vendors ship competing forks of the same logging framework.\u201d That, he says, is \u201cthe default if we do nothing.\u201d\u00a0<\/span><\/p>\n<p><span>I really, really hope that won\u2019t be the case, but I find it all too easy to see it happening. 
It\u2019s everything that\u2019s wrong about proprietary code with an open-source wrapper.<\/span><\/p>\n<p><span>The third path is \u201cthe hard fork: a deliberate, coordinated, painful decision to build new trust infrastructure for open-source consumption,\u201d including \u201cone disclosure pipeline that works at scale\u201d and \u201cone trusted place for maintained forks.\u201d<\/span><\/p>\n<p><span>Lorenc closes his essay with a mix of realism and dark humor: \u201cIs any of this actually going to work? I honestly have no idea. But we have to start, and as the Programmer\u2019s Credo says, \u2018We do this not because it is easy, but because we thought it would be easy when we started.\u2019 This one doesn\u2019t even feel easy at the start.\u201d\u00a0<\/span><\/p>\n<p><span>No, no, it doesn\u2019t.\u00a0<\/span><\/p>\n<p><a href=\"https:\/\/devops.com\/can-chainguard-save-open-source-software-from-mythos-can-anyone\/\" target=\"_blank\" class=\"feedzy-rss-link-icon\">Read More<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>IBM and Red Hat aren\u2019t the only ones that mean to lock down open-source code against AI hacking tools. 
Last [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4204,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","categories":[5],"tags":[],"class_list":["post-4203","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"]}