IBM and Red Hat Commit $5 Billion to Redefine the Future of Open Source in the AI Era
Posted by MatchingTurret@reddit | linux | 31 comments
ILikeBumblebees@reddit
Wow. Redefining other people's future to fit your own ambitions sure is expensive.
MatchingTurret@reddit (OP)
Grab the pitchforks! These bastards are coming for our bugs!
ColbieSterling@reddit
In an era when the GPL is losing out to the corporation-friendly MIT license in the open source community, they're justified in their cynicism.
schmeckmaster2000@reddit
That era was 20 years ago. Today every license can simply be bypassed by having an AI spit out the code.
Existing-Tough-6517@reddit
No, if you feed it the literal code and say "give it back to me", that is just copyright infringement. Same if you trivially obfuscate the fact that you did the same thing.
If you want it to write something like a project, it can't, because fully automated it will give you shit code that is neither maintainable nor maintained. You will burn a lot of money on tokens and human checking and rewriting to achieve a single-use copy of v1.
When the actual project continues to evolve, you can't just feed it the diff; you are going to spend tokens and labour hours to get 1.1, then 1.2, then 1.3.
This is a continual burden which is very likely less secure and more buggy than the source. You need a very compelling reason to undertake this burden.
natermer@reddit
Copyright is incredibly arbitrary. It is government granting a monopoly privilege on specific goods produced by people, in exchange for trying to promote the creation of said goods through monetary exchange.
That is the purpose of copyright. It is a trade-off. They inflict a bunch of restrictions on society in an attempt to create a commercial market for the production of literature, maps, software, etc.
People need to stop believing that it is some sort of moral right or objective ethical good. That was never the point.
This is confusion caused by decades of corporate propaganda. It is a lawyers' trick to try to convince the public that it is valuable to have draconian copyright laws.
Ultimately it means if there is commercial advantage to nullifying the effect of copyright then that is the right of government legislators and the court system to decide that.
It has never been illegal to read other people's code, learn how it works, and then write your own software based on what you have learned.
The whole "Chinese wall" thing was never a requirement. It was just used to make legal defenses against lawsuits more robust. An author can read your code and duplicate most of it for his own software as long as it isn't direct copying.
On the flip side it is unlikely that AI generated code is copyrightable.
DogeGroomer@reddit
call me when they do this for linux
ILikeBumblebees@reddit
Forgive the cynicism, but at this point, I think it's justifiable for people to be deeply skeptical of these sorts of top-down, centralized initiatives.
thetango@reddit
All I've heard from open source maintainers is concerns about the AI Security Vulnerability Wave that is starting to happen. Red Hat and IBM (I'm going to stress that I look at Red Hat as leading this effort) are coming to the table with, for lack of a better phrase, counter-AI efforts to help with 62K+ open source packages.
I get it. It's IBM and we're supposed to shit all over them. But on this particular topic? This at least is an effort that we should applaud.
Existing-Tough-6517@reddit
Will said patches be part of actual open source projects and commercial resources simultaneously or will they be available to commercial customers first ensuring anyone with access to patched versions can use their fixes as a blueprint to attack anyone running open source software without paying IBM?
bonzinip@reddit
Red Hat's policy has always been upstream first, and if anything that has become stronger over the years.
Existing-Tough-6517@reddit
natermer@reddit
Offering commercial subscriptions and making features available and upstream for open source developers are not mutually exclusive things.
This is basically how Red Hat works. They produce lots of enhancements to core open source projects and then sell that to customers. As part of doing that, they integrate those enhancements into the upstream project.
Which means that if you want to benefit from Red Hat's work without paying Red Hat, you can go ahead and use Debian, Arch or Fedora, which are descendants of the upstream projects Red Hat contributes to.
If you are a commercial entity that has millions of lines of code for your internal business logic you are not going to want to release that as open source. Not only because you don't want to reveal how your internal operations work to the rest of the planet, but also because it is incredibly pointless since that software is almost entirely worthless to anybody outside of your own business.
So, yes, paying for advanced tools to help improve your software security is a good option if you think that your business will actually benefit from it.
Not saying you are wrong. Just trying to point out that your quote doesn't really say what you think it is saying.
thetango@reddit
Can you show me a case of where Red Hat has pushed fixes to IBM customers first? That's not the way Red Hat works, to the detriment of themselves. Look at all the Enterprise clones out there.
Existing-Tough-6517@reddit
thetango@reddit
You're conflating two very different things. The first is the open source changes (as another user said 'upstream first') and making that code available in Red Hat's forks of upstream projects. For example, consider the linux kernel. Red Hat pushes changes there and makes them available in their supported kernels.
Isofruit@reddit
I went in anticipating this being a big-scale version of Malus, but am coming out after some skimming with ... apparently IBM and Red Hat wanting to dump 5 billion into fixing bugs across the open source stack they care about, found via LLM agents?
The only concern I have is how those fixes will be presented for fixing. Are we just going to get a flood of AI slop fixes that don't actually fit into the project code and aren't going to be maintainable? Or will some engineers have at least looked at the code and be guiding the PRs so they actually get shaped in a way that the corresponding maintainers appreciate?
Cynicism and having seen how companies operate make one lean heavily towards the former.
HovercraftStock4986@reddit
AI to identify bugs and devs to fix them sounds like an excellent implementation of ai to me, hopefully that’s the plan
thetango@reddit
The 20k engineers are led by experienced open source engineers from Red Hat. They know how to 'present' fixes in a reasonable manner. I'm less worried about fixing issues today and making sure we provide open source maintainers the ability to scan future contributions. That's where the real problem lies. If upstream maintainers keep adding security vulnerabilities then 'chasing the AI contributions' never ends.
bonzinip@reddit
Small correction: the 20k engineers are the totality of open source engineers from Red Hat and IBM.
mmcgrath@reddit
The people power will help upstream communities that are not ready for agentic workflows (which is the vast majority of them).
robkam@reddit
Anthropic creates the risk with Mythos, gates the fix with Glasswing, and uses IBM and Red Hat as the storefront to sell the safety back to everyone. The silver lining is that because the patches are pushed back to the original open-source projects, the "plumbing" of the digital world gets a massive, permanent upgrade for free.
Existing-Tough-6517@reddit
Do you and I get the fixes on the same day without a subscription and running RHEL?
MatchingTurret@reddit (OP)
The bugs were already there. How did Mythos create them?
robkam@reddit
Mythos didn't write the bugs, but it weaponized them.
BoutTreeFittee@reddit
This article is so full of marketing/MBA slop that it's difficult to read. I find it funny that it says "IBM and Red Hat." IBM owns Red Hat. They are the same thing. It's like saying "Meta and Facebook" or "Alphabet and Google." All of Red Hat's back end is currently being absorbed into IBM.
Anyway, it's good that security bugs are getting squashed, and something like Project Lightwell is truly needed, so I'm glad about that.
Existing-Tough-6517@reddit
Does this mean commercial vendors will have first crack at fixes that, by virtue of not being all that secret, will become blueprints for trivial exploitation by bad actors, at once strengthening the open source ecosystem whilst effectively poisoning it for anyone outside the circle not paying them?
E.g. now libfoo has a bug nobody realizes. Someone finds it and discloses it to the devs, who make the fix available to everyone at once. Even if IBM finds it, they don't want to be responsible for understanding everyone's project, so they drop it on the project devs.
New reality: automation finds libfoo's issue and writes a patch, which becomes part of their special version of libfoo. A bad actor can pay for access, or many bad actors can collectively do so, and automatically churn out exploits which work against the open version of libfoo in between the release of the commercial version and integration into the open source project.
Even if the gap is days, it becomes untenable to run actual open source versions without paying IBM.
MobileWriting9165@reddit
Good news to me, I am optimistic about this. Just hope they aren't secretly dealing with 3-letter-agencies in the backroom giving them access to the juiciest new backdoors with users left none the wiser.
zeno0771@reddit
Considering how they locked down access to the OS code via a technicality in GPLv2, I'm not thrilled with their current definition of open source.
History indicates this is not a situation that will improve.
spacecamel2001@reddit
I would prefer that they throw a few engineers at some of the small projects that are being maintained by one overwhelmed guy who is about to give up.
LostGeezer2025@reddit
Embrace, Extend, Destroy...