
I think Tridge is simultaneously trying to be proactive and kinda giving too much credit to marketing. Anthropic has not been able to really give numbers or actual values on what Mythos can really do. It just waved Mythos in front of the public like a boogeyman screaming that AI is going to cause a security nightmare (and it has, but mostly through vibe coded trash from what I’ve noticed); I’m hard pressed to find their statement that they spent less than $20,000 to find a Kerberos bug in FreeBSD a compelling win without a lot more context and they seem disinclined to provide that data. I really do wonder what evidence they have provided to their approved partners, all of this smells…weird.

I honestly think the main problem is Tridge just failed at communicating any of this correctly and I don’t think the implication he gives that all of this was due to the urgency of the impending security apocalypse really holds water.

Why was all of this written straight to the master branch? Now that the release is out, why not better explain what the urgency of this release was? Why wasn’t he proactive in communicating this and instead let the mob make up their own story? I think a lot of people are inclined to give Tridge a lot of leeway due to the fact that he literally is the reason why rsync exists, but this was avoidable and I think the comment in his response post where he mentions that, “I’d rather be out sailing than working on rsync security issues, so I have reached for several AI tools to help with what needs to be done,” speaks volumes as to what is going on.




As a long-time open-source maintainer, I find all the second-guessing and armchair psychoanalysis here (not just in this comment, all over HN) about Tridge's motivations, state of mind, and so on incredibly off-putting.

Tridge doesn't owe anyone anything as far as rsync is concerned. Yet he is spending his time maintaining it, only to be attacked for his efforts.

To respond to the specific technical point, there really _is_ a flood of security reports arriving everywhere in the past few months. The jury is out on whether Mythos is that much better than alternatives, but even the publicly available models are _highly_ capable of finding real problems, and they are being employed to that end quite effectively. Here are the counts of security issues fixed in each monthly Go minor release going back to the start of 2024:

     0 2024-01-09 Go 1.21.6, Go 1.20.13
     0 2024-02-06 Go 1.21.7, Go 1.20.14
     5 2024-03-05 Go 1.22.1, Go 1.21.8
     1 2024-04-03 Go 1.22.2, Go 1.21.9
     2 2024-05-07 Go 1.22.3, Go 1.21.10
     2 2024-06-04 Go 1.22.4, Go 1.21.11
     1 2024-07-02 Go 1.22.5, Go 1.21.12
     0 2024-08-06 Go 1.22.6, Go 1.21.13
     3 2024-09-05 Go 1.23.1, Go 1.22.7
     0 2024-10-01 Go 1.23.2, Go 1.22.8
     0 2024-11-06 Go 1.23.3, Go 1.22.9
     0 2024-12-03 Go 1.23.4, Go 1.22.10
     
     2 2025-01-16 Go 1.23.5, Go 1.22.11
     1 2025-02-04 Go 1.23.6, Go 1.22.12
     1 2025-03-04 Go 1.24.1, Go 1.23.7
     1 2025-04-01 Go 1.24.2, Go 1.23.8
     1 2025-05-06 Go 1.24.3, Go 1.23.9
     3 2025-06-05 Go 1.24.4, Go 1.23.10
     1 2025-07-08 Go 1.24.5, Go 1.23.11
     2 2025-08-06 Go 1.24.6, Go 1.23.12
     1 2025-09-03 Go 1.25.1, Go 1.24.7
    10 2025-10-07 Go 1.25.2, Go 1.24.8
     * 2025-10-13 Go 1.25.3, Go 1.24.9
     0 2025-11-05 Go 1.25.4, Go 1.24.10
     2 2025-12-02 Go 1.25.5, Go 1.24.11
    
     6 2026-01-15 Go 1.25.6, Go 1.24.12
     2 2026-02-04 Go 1.25.7, Go 1.24.13
     5 2026-03-05 Go 1.26.1, Go 1.25.8
    10 2026-04-07 Go 1.26.2, Go 1.25.9
    11 2026-05-07 Go 1.26.3, Go 1.25.10
     3 2026-06-02 Go 1.26.4, Go 1.25.11
* The Go 1.25.3 and Go 1.24.9 releases were a fast follow to fix a problem introduced by one of the security fixes the previous week.

You can see that 2026 has been quite different from the previous years. There are plenty of other contemporaneous accounts from other security teams about the load increase they've seen (which again is almost entirely not Mythos).

Also, the number of reports we are receiving has gone up far faster than the number of actual vulnerabilities. Over the 75-month period from January 2020 to early April 2026, the final 30 days accounted for ~16% of the reports.

It is easy to believe that Tridge is seeing a similar flood of reports. More reports means more fixes means more code changes means more bugs.


I follow Go security issues and many recent ones are consequences of features added to Go, and also of security researchers following up on an area after one issue is found.

Recent examples are certificate validation logic, one issue after another... because it's a mess of a thing to implement.


> Yet he is spending his time maintaining it, only to be attacked for his efforts.

Which, in general, is totally legit. Doing something voluntarily doesn't relieve you from criticism if what you are doing isn't good.


You can criticize all you want, but he can also just stop maintaining it if he gets too annoyed by the criticism. Maybe that's a better outcome for you, idk.

Agreed. Just like one doesn't owe the society their voluntary work, the society doesn't owe one protection from criticism.

I agree, it's very off-putting, and I totally understand that the number of reports is overwhelming for maintainers of popular libraries.

> More reports means more fixes means more code changes means more bugs.

Sounds like we'll be riding a downward spiral for the foreseeable future? It will be very interesting to see how stats like the ones you shared develop in the coming year(s).

From the article I find this a bit concerning:

> So: the Claude releases changed way more lines of code than historical ones, but didn't have more bugs. More code, same bugs. That's not what you'd expect if Claude were making things worse.

More code, same bugs, is a net negative, no? I mean unless it's strictly needed for the inherent complexity of the program. But I've seen a tokenizer written by Rob Pike and I've seen a tokenizer written by Claude.... they are not the same :D


What Tridge says is that the "more code" is more fixes and more thorough test suites, not random changes made by LLMs.

> As a long-time open-source maintainer, I find all the second-guessing and armchair psychoanalysis here (not just in this comment, all over HN) about Tridge's motivations, state of mind, and so on incredibly off-putting.

Much of the language from both groups is incredibly off-putting, frankly. Tridge in his blog post describes people as "foaming at the mouth"?!

The rhetoric around this has gotten way too emotional from both groups.

I'm glad I'm just a hobbyist.


> Tridge in his blog post describes people as "foaming at the mouth"?!

Did you see the picture in the article where the user posted a picture of them strangling the maintainer? I think “foaming at the mouth” is probably gentler than how I would characterise that.


IMHO, the whole episode is just embarrassing. I have no doubt he’s just trying to do the right thing. You can disagree with the tactics, but the vitriol is outrageous. rsync is a gift to the world and we should be grateful and mindful of how much it has been quietly woven into the fabric of computing. rsync is taken for granted. This is not okay.

> This is not okay.

Agreed. The way to address it though, is through calm analysis and reason. The emotional language from both groups is not helping.

If there's one problem with Claude et al, it's that it's all happened way too quickly for people to keep up. We're all at different stages of acceptance and I think that's what we're seeing manifest in the various discussions.


>We're all at different stages of acceptance

I do hope you see the irony of accusing people of armchair psychology and then hitting us with the five stages of grief.

I trust rsync (which handles critical data on my system) because I know a veteran of 40 years wrote the code it runs. If I see code like the one above posted by the OP, that the author wouldn't have written, I start to pay attention. When I then read the blog post of him saying that he'd "rather go sailing than fix rsync issues", I start to question whether the software is still written in a way I can trust and where it's going quality wise.

The problem isn't this weird gaslighting attempt that we just haven't let Claude in our hearts and souls yet which you seem to have determined is inevitable (spoiler alert, it is not), it's that a bot wrote crappy code and I wasn't even aware I was running it and now don't know to what standard this project is held.


> If I see code like the one above posted by the OP, that the author wouldn't have written, I start to pay attention.

Except the author did write it. https://github.com/RsyncProject/rsync/issues/959#issuecommen...

Which is part of the problem with all of this nonsense right now - everyone is running off of emotion and not looking to see if what is being said is actually true. Which is somewhat ironic, considering the message of the article.


> As a long-time open-source maintainer, I find all the second-guessing and armchair psychoanalysis here (not just in this comment, all over HN) about Tridge's motivations, state of mind, and so on incredibly off-putting.

I agree that the entire episode is obscene, but I am also unsure of what to do here either. On some level this is the same problem movie stars run into. I agree that guessing or waxing about the motivations of anyone is a nosy and overall unproductive exercise (yet paparazzi exist because of this very human behavior), but I also think that there is a modest duty owed to users to explain things.

> Tridge doesn't owe anyone anything as far as rsync is concerned. Yet he is spending his time maintaining it, only to be attacked for his efforts.

I am reminded of this piece: https://mikemcquaid.com/open-source-maintainers-owe-you-noth...

Which, I empathize with, but I fundamentally disagree that maintainers owe users nothing. I will die on that hill. If you are getting to that point where you actively loathe working on the project, I agree you should be able to walk away. However, I strongly believe that when you create something for people to use that there’s an implicit social contract about how to go about doing certain things.

I suppose in a very extreme and intentionally histrionic example, having a project carry the MIT license, getting frustrated and then changing the project to delete the entire system is a crime. The average person and the courts don’t care if the license is “as-is”. There is a duty that is understood that you don’t do that and I think we need to make it clear what that duty is for OSS.

Ultimately, though, I think this is all symptomatic of the fact that the OSS model has gaps that the increase in security reports whether AI generated or not has exerted more pressure on. I have certainly been on the receiving end of a lot of frivolous security reports that were discarded because it was obvious that it was just someone with a security scanner wandering around the Internet. You still have to review that nonsense and it eats into your time. Doing this on your own time, without pay and having to listen to the peanut gallery is just infuriating.

Is any business built on top of rsync going to donate their money in a sustainable manner?


> However, I strongly believe that when you create something for people to use that there’s an implicit social contract about how to go about doing certain things.

Wow.

The entitlement in this statement is outrageous.


> the courts don’t care if the license is “as-is”.

There isn't any case law to show that. Certainly not in the age of AI. On the criminal side, the CFAA requires "intentionally causes damage" and that's entirely impossible to prove in the age of AI. On the civil side, liability waivers and warranty disclaimers generally cannot shield intentional or willful misconduct or gross negligence.


Yeah, "maintainers don't owe users anything" is a disgusting sentiment that doesn't stand up to real scrutiny. There is a social contract here. If you want to be respected and get recognized as "tridge" or whatever your name is, you owe the people that recognize you and that wider community in general.

First off: I don't agree that there's a social contract here at all. That's just some imaginary thing that you (and others) have decided exists. It's funny how lots of people who aren't open source maintainers seem to think it's ok to make up social contracts for other people without their consent.

But ok, let's just pretend for a second that maintainers have indeed entered into some sort of social contract that gives them an obligation to support their software, uncompensated. But if we have this contract, then it cuts both ways. The users then have entered into a social contract of their own: they agree to treat me with respect when they deal with me, to not act entitled, to not demand things of me, to not be rude, and to do their part in being a helpful, productive partner in helping to solve any issues they report.

If a user breaks their part of the contract, then I have no obligation to fulfill my side of it.

It's a bit bizarre to me that non-maintainers have decided to invent some sort of "social contract" that benefits them (while putting a sizeable burden on maintainers), but seem to think that they aren't entering into a social contract of their own when they decide to use the software. (And that there are consequences for not upholding the user side of the social contract.)

Put another way: in contract law (in the US, at least), there's the concept of "consideration". It's the idea that both parties are getting something out of a deal. Some of that can be monetary, but it can also be other things. If a contract is one sided, that is, if one party isn't getting any consideration, then the contract can often be unenforceable.

That seems to be what people like you are doing here: requiring that open source maintainers enter into a social contract, but not give them any consideration in return for it. (And no, some sort of ill-defined concepts like "reputation" or "large user base" don't pass my threshold for meaningful consideration.)

There's one more thing, even: contracts are voluntary. All involved parties must agree for there to be a contract. I don't agree to your bullshit contract of one-sided obligation, so there is no contract.


This is great, but I can shorten it for you for times in the future you need to deploy it: "DM for my rate card".

This. Best writeup I've seen on the topic of entitled/abusive users. You should publish this as a blog post or launch some sort of campaign or something, something people can refer to. I haven't encountered entitled users myself, but my gawd, I'm so annoyed at users who feel entitled to other open source maintainers. I'm raging with a drive to protest against people who treat the rsync maintainer with such disrespect.

No there isn't.

I just cannot understand this logic, can you explain why there is no responsibility whatsoever on the part of a maintainer towards the users?

Selling a toaster has an implicit warranty of merchantability. Society expects that if you sell me something, it should have certain promises. Yes, there’s no monetary exchange here, the work is given gratis, but there’s still a relationship and an interaction here and I think it is clear some people, like myself, believe that there are implied expectations. Just because it is “free” doesn’t mean it allows one to have a seemingly psychopathic attitude on the matter. It doesn’t absolve people of societal obligations.

I read that article by Mike McQuaid and I don’t get the impression that, “Yes, project maintainers should be allowed to run projects as they see fit and they put up with a lot of drive-by insults and hostile users. You don’t understand how hard all of this is and I’m doing it for free.” I get, “I hate my users and you should be grateful that I give you anything.”


If I hated my users I wouldn’t work on Homebrew for 17 years. I do hate a small subset of hostile users.

The selling metaphor doesn't work. Homebrew is not sold and its license, effectively a EULA, disclaims all warranties because it is not sold and we are not paid a wage to build it.

I have also built a bunch of proprietary software for money where my obligations are different. I also enjoy that and my responsibilities differ there.

Users should be grateful that they are given anything. We do not get anything from their use. For the vast majority, it is a one way relationship (contributors excluded of course).

If they don’t like the choices made by me or the project: they can fork it. They won’t, though, because the closest friend of entitlement is laziness. They can use Nix or MacPorts instead which may be a better fit for them and, if they are not contributing, does not disadvantage Homebrew.


Thanks for chiming in. I appreciate that this is the position of you and a large chunk of folks, but I don’t think I’m ever going to fully understand it.

If you don’t mind me probing a little further, what is the motivation to work on it?

> they can fork it

I get that, but I also think it is too pat a narrative at the same time. I think the success of the project is a testament to the effort that you and the Homebrew team have put into it. It is also an example of just how much effort any project really takes; this stuff doesn't set itself up, nor do all the patching required to make sure things behave as well as they do.


> If you don’t mind me probing a little further, what is the motivation to work on it?

Not the person you're replying to, but I do it because it's fun. Programming is a passion of mine, and has been a part of my life since my dad gave me a book on BASIC when I was 8 years old. I love solving problems with code. Giving it away as open source is, in a way, philanthropy to me, with the hope that at least some of the things I create are useful to others. There's also a bit of a "political" aspect to it, in that I think it is bad for society for all useful programs to be locked up in proprietary software, making everyone dependent on profit-seeking corporations (whose interests and incentives are often hostile to their users) to provide the software they need to use in their daily lives. My work is a small contribution to combat that.

That joy I feel hits a wall when I run into an entitled, lazy user who thinks that I owe them something more than what I've already given. If most users were like that, I just wouldn't do it. Or at most I'd do it, releasing under a pseudonym, and have no public issue tracker, pull request mechanism, or public contact information. That would make the project worse, not better, of course, but the most important thing to me is my mental health and my happiness. If that's selfish, so be it.

> > they can fork it

> I get that, but I also think it is too pat a narrative at the same time.

I'm not sure what you expect someone to do with that statement. So what if it's "too pat"? That's the reality of the situation. It's the maintainer's way or the highway. If you don't like it, then open source has a truly wonderful escape hatch that proprietary software doesn't: you can fork and go your own way with it.

Many open source communities have problems, certainly, but I think many of the better ones are some of the closest things we have to true meritocracies. If you do the work, and the work is good and valued, you get a say. If you don't, you don't. And yes, I would say "providing good, helpful, actionable feedback" can be part of "doing the work", so people who don't write code can have a say, depending on how well they are able to provide value to the process. But people who just want to take: no, they don't get a say, and that's exactly how it should -- and must -- be.


Some people do not realize that they're in parasocial relationships with content creators like streamers and youtubers and feel that it is reasonable to have expectations. For me, applying your argument, that there is some responsibility for a creator towards their users, within that domain seems farfetched. Like, I can wish that they'd continue producing worthwhile content, but apart from that, how would their responsibility toward me actually manifest itself?

> Selling a toaster has an implicit warranty of merchantability. Society expects that if you sell me something, it should have certain promises. Yes, there’s no monetary exchange here, the work is given gratis, but there’s still a relationship and an interaction here and I think it is clear some people, like myself, believe that there are implied expectations.

No there isn't.

Pay money and there's a contract.

Anything else is in your head.


If you induce someone to expend resources you can have liability even if those resources are not a payment to you. You can't license your way out of liability if you advertised, formally or informally, certain features and functionality that cause people to act on that advertisement. It's called reliance interest. It's an actual legal principle with case law supporting it.

Can you cite the case law about an open source project having a reliance interest?

You don't have the impression that project managers should "be allowed" to run projects "as they see fit"?

> Selling a toaster has an implicit warranty of merchantability.

Why would you think this is worth mentioning here?

Instead of explaining, just try to do something, that people actually use, for free, in the open, for some time. It doesn't have to be software, can be work for a nonprofit or a charity etc. I'm sure you will be enlightened.


I volunteer and I don't tell people or believe they should be grateful that an event is happening because of the volunteers. I just don't find this logic compelling in the same way that you don't find my logic compelling either.

That's not the argument. No one is asking users to be grateful for OSS. They just want users to not be dicks to the maintainer.

Would you continue volunteering if the beneficiaries spat in your face and cursed you out for it?


I'm a little confused at this comment, because the person you're replying to didn't say anything to the effect of what you're arguing against here.

It's not about telling other people how they should feel, it's about managing your own emotions as an unpaid maintainer of a somewhat public good facing unreasonably entitled members of the public (often not even users of your product).

> can you explain why there is no responsibility whatsoever on the part of a maintainer towards the users?

Because I don't. It's that simple. There is nothing that says I have a responsibility, and the license I release under even makes it clear and explicit that I have no responsibility. So I don't.

If you are going to claim that I do have a responsibility, then the onus is on you to present some solid, convincing, extraordinary evidence or argumentation to support that. And you haven't succeeded in doing so.

> Selling

That's part of it, right there. If I sell my open source software, then yes, I may have created an implied warranty of merchantability, even if my license disclaims that.

But if I haven't sold it to you, then no such warranty or obligation exists.

> Yes, there’s no monetary exchange here, the work is given gratis, but there’s still a relationship and an interaction here

So you admit that, but seem to ignore the idea that there's a difference between selling something and giving it away for free. I fundamentally disagree with that. If I give away something for free, the person accepting it has zero claim on me or my time. If I sell something, then there's some claim there, depending on the terms of sale that we both agreed to before I took payment.

> It doesn’t absolve people of societal obligations.

This is something you've invented out of whole cloth. There's no societal obligation to maintain something (for free) that you've given away for free. And on top of that, there's no societal obligation to deal with demanding, entitled, sometimes angry people, who want more of your time for free.

Let's actually look at it from a paid perspective. Let's say I release some software (open- or closed-source; I suppose the distinction doesn't matter for this example), and also offer paid support for that software. Some people use it without paying for support, some people pay for support. Let's say some of the people who are paying for support are demanding and rude when reporting issues and asking for fixes. Even then, I still don't have to put up with it. I can "fire" those customers if I want, either by cancelling and refunding their remaining support contract, or by deciding not to renew them when their current contract runs out.

I don't think anyone would reasonably require a company to continue to have a business relationship with a customer that is causing too many problems for them. I think the reason we are fine with this concept is because there's a remedy that gives both parties something: if we refund the customer some portion or all of what they've paid, we consider that a reasonable way to terminate that relationship. With gratis open source software, there's no such monetary arrangement, so it feels fuzzier what the author-user relationship even is. But to me, this makes an even stronger case for the idea that open source maintainers have no obligations to their users, aside from any that they voluntarily take on, and can also decide to terminate at any point they like.


> “solid, convincing, extraordinary evidence or argumentation to support that.

Just ordinary evidence. If there was a charity event which asked for a volunteer to organise drinks, and you volunteered, and then there were no drinks, and you said “I don’t owe you anything stop being entitled, if you want an event with drinks you can fork the idea and organise your own”, people would be unhappy and reasonably so. It’s not that you had a legal obligation to do that work, it’s that you told everyone you would and that stopped other people from doing it.

If rsync had no maintainer and someone publicly offered to take it on and maintain it, that would also block other people taking that spot. It stops people investing time effort and money into a fork or replacement to an abandoned project. If the volunteer then either didn’t do anything or wrecked it and said “I don’t owe you anything etc.” that would be bad in a similar way.

If you want to be able to tell people you are the maintainer, that the thing is maintained, and you get to control what happens to a widely used project, you can’t really stand by the position “why did people expect me to maintain it? I only told them I would maintain it, why would they believe me, that’s not fair”.

Make it clear that it’s abandonware and has no maintainer, and you can totally uphold the “not my problem, says so in the license, deal with it” position. But if your thing becomes popular then you should expect a company like RedHat to fork it into ‘redsync’ and run it their way as their project, not look to you as ‘upstream’ and sideline you completely. Which is what a lot of open source people say they want but don’t behave as if they want that. Probably because there actually is some prestige and power and status and reputation involved, even though people try to claim there isn’t.


That metaphor doesn't operate here. People are building stuff and making it available. Nobody's making a commitment. Nobody's "volunteering" for you.

Explain why the metaphor doesn’t operate here? Bonus points, don’t use the word “entitled”.

Why would I need to? Nobody volunteered. In the analogy, you found something on a shelf somewhere and decided to depend on it. The person who put it on the shelf never agreed to support you in that endeavor.

> “I’d rather be out sailing than working on rsync security issues, so I have reached for several AI tools to help with what needs to be done,”

Well, then maybe it's already overdue to find a new maintainer for the project and let someone else continue it? The tool will not get better from someone working on it who doesn't want to.


He explicitly addresses that in the article.

> Luckily I’ve been joined by some other very good developers with great systems development skills and security knowledge... Watch out for some credits for some great new rsync developers in the next release.


Unless you're willing to step up and be that person, it's not your place for you to suggest it.

I don't agree with that, I can very well still discuss that. He clearly sounds like someone who doesn't want to do this work anymore and should have searched for a successor.

That's my impression from that sentence, at least. Don't you agree?

So, why didn't he do it? Because just firing up Claude and letting it rip is way easier than finding real people and building up trust?

Did Claude increase bugs in rsync? Or did Claude just give some basically retired programmer, who doesn't even want to work on his project anymore, the impression that he can replace finding a successor with just handing it to AI?


You're highly critical. What would you be doing differently? So far Tridge has elected to:

- generally decide to fix security issues over preserving compatibility
- rewrite an aging test suite in what appears to be a highly responsible way
- bring on additional qualified developers to help with the workload

Not bad for a guy who's retired.

You care enough to complain on HN. You could be a part of the solution.

What were you going to do differently, specifically?


> That's my impression from that sentence, at least. Don't you agree?

No. Given a choice between doing laundry and driving Lamborghinis, I would probably choose the latter. But I still have to do my laundry. I might use a washing machine to do so. It's just a responsibility among many responsibilities. It isn't that deep, really.

The reality few people want to admit is that maintaining open-source software is often closer for many people to "doing laundry" than like, being the software equivalent of Atticus Finch.

> Or did Claude just gave some basically retired programmer, who doesn't even want to work on his project anymore,

The only thing Claude has "done" apparently is give a bunch of annoying people online a license to engage in armchair psychoanalysis of someone they don't know at all, from what I can tell.


> Because just firing up Claude and let it rip

Based on Tridge’s post, this seems an unfair characterisation of how he used Claude.

> Did Claude increase bugs in rsync?

TFA answered this, the answer is “no”.


> and should have searched for a successor.

He doesn't have to do that. If he ever doesn't care enough he can just stop maintaining it and that's it.


I think many would prefer that to the situation that happened.

Congratulations, you have an opinion.

Yeah, we definitely need to make sure that we take the considerations of the mob into account.

The person owning the project is using the master branch in the way he sees fit.

Incidentally, there is no amount of communicating "correctly" that quells a mob. There's a Venn diagram of concerns, and those with concerns not being met will generate (now infinite) outrage.



