We will no longer accept public pull requests. From now on, code changes to the Ladybird codebase will only be introduced by project maintainers.
We will no longer accept public pull requests. From now on, code changes to the Ladybird codebase will only be introduced by project maintainers.
Doesn’t make sense… This premise seems flawed by two aspects:
It feels like they are not capable of detecting a vulnerability when they see one. meaning that they themselves can potentially introduce tons of new vulnerabilities unknowingly.
In this situation it would be for the best to have a large pool of contributors capable of detecting such issues, instead of closing it even further.
They are worried about vulnerabilities that are introduced knowingly. They said that in the past you could trust that if someone spend months writing code for you project he did it with good faith and not to sneak a backdoor past you. Basically they assumed a hacker would not invest months of work trying to add a bug to an open source project because it’s just not worth it. Now, because of AI, someone can easily create big PR with a hidden bug hoping that it will get merged.
I have no idea how true it is (i.e. if AI is able to generate a big PR that will pass all the checks and get approved) but logically it does make sense.