An open letter asking NHS England to keep its code open

(keepthingsopen.com)

174 points | by tvararu 5 hours ago

6 comments

  • deaux 4 hours ago
    > As I've written before, this is not the correct response to the purported threat by Mythos. Neither the AI Safety Institute nor the NCSC recommend this action. While there may be some increase in risk from AI security scanners, to shutter everything would be a gross overreaction.

    > Even if we ignore the impracticality of closing all the code - it is too late! All that code has already been slurped up. If Mythos really is the ultimate hacker, hiding the code now does nothing. It has likely already retained copies of the repositories.

    > And if it were both practical and effective to hide source code - that doesn't matter. These AI tools are just as effective against closed-source. They can analyse binaries and probe websites with ease.

    > There are tens of thousands of NHS website pages which refer to their GitHub repos - will they all need to be updated? What's the cost of that?

    All true, and it shows how everything is solely done for optics, and any flimsy excuse is used to instantly claw back at any kind of transparency/openness the very second it arises. Non-technical people making this decision because they believe there's even a 0.1% chance that they'll be blamed that they "didn't do enough" when they didn't go closed source and a vuln is found. And 2026's extreme greed and selfishness (and yes, average greed level does change over time, as with every single cultural trait) means they gladly make that decision at the cost of the common good.

    Do always keep in mind that the private sector isn't any better on these things.

    • rvz 4 hours ago
      The only exception is if there were significant changes to the code after it was closed given that won't be read by the attackers or the LLMs, if you are using them locally.

      They can use LLMs internally to find bugs privately without revealing the source code, a step ahead of the attackers.

      We have just seen the Copy.fail disclosure disaster that was discovered by someone using an LLM and released a zero day without a clear fix and descended the community into confusion / panic.

      Given that powerful LLMs exist both open and closed weight models, open sourcing everything for the sake of it makes less sense and there has to be a balance especially when it is used by hospitals.

  • robin_reala 38 minutes ago
    If you’re reading this thread because you care about the quality of the NHS’s digital services, I encourage you to also sign this petition to block NHS providers from wasting money on “accessibility overlays” that actively harm the experience for people with disabilities and cost money that could be spent on improving the core service: https://petition.parliament.uk/petitions/765480/
  • pacharanero 55 minutes ago
    This is an accessible explainer of the situation https://youtu.be/XNLUfqtgBUk Please do sign the open letter if this is in your area of expertise
  • fersarr 4 hours ago
    I can't sign because the cloudflare verifier says I'm not human...
  • ChrisArchitect 4 hours ago
  • alephnerd 2 hours ago
    I've been chatting with CISOs, CTOs, maintainers, and other peers for the past few weeks (some of whom are F50s) about this, and their default gameplan now is to pause OSS contribution and usage until AppSec teams reach a point where they can easily validate and fix issues within a day. Traditionally, end-to-end response times were in the 8-10 day range which clearly cannot hold today.

    I don't think it's the death of open source, but it shows how the economics of open source turned into a tragedy of the commons, with maintainers not being provided the resources needed to sustainably operate projects.

    It also is an admission of how organizations never prioritized security for decades both within engineering and organizationally, but that's a separate conversation that HNers are not equipped to discuss looking at the lacking calibre of conversations on here.

    If OSS lovers actually care, then they need to put their money where their mouth is, stop being idealistic, and think about either going open core or getting formalized funding and sponsorship. Adopting much more restrictive licenses that also allow commercialization by project owners is also critical. The majority of GNU-style projects that exist on the goodwill of a couple of ideologically aligned individuals will not survive, because contributors also need to be paid.

    Edit: can't reply

    > What do you mean by that? They can't possibly stop using Linux/Kubernetes/Chrome (including Edge)/almost all programming languages/nginx/...

    Meaning they will freeze all dependencies and libraries being used going forward, and will not release source code until end-to-end vuln remediation can be done within 24 hours.

    Teams are also seriously considering forking core projects and dependencies to use in-house and not contribute upstream out of fear that upstream contributions could be tainted or introduce additional vulnerabilities.

    • MattSayar 1 hour ago
      I like simonw's take that open source should be more valuable [0]

      >An interesting result of this is that open source libraries become more valuable, since the tokens spent securing them can be shared across all of their users. This directly counters the idea that the low cost of vibe-coding up a replacement for an open source library makes those open source projects less attractive.

      I can understand why the reflexive move to fork the code and move it in-house, but how sustainable will that be when eng teams have MORE code to manage and mitigate vulnerabilities for?

      [0] https://simonwillison.net/2026/Apr/14/cybersecurity-proof-of...

    • progval 1 hour ago
      > pause OSS contribution and usage

      What do you mean by that? They can't possibly stop using Linux/Kubernetes/Chrome (including Edge)/almost all programming languages/nginx/...