This is an automated archive made by the Lemmit Bot.

The original was posted on /r/opensource by /u/Crescitaly on 2026-07-10 09:15:41+00:00.


The EU’s new AI cybersecurity plan includes a campaign to secure critical open-source software. That is the right category of problem, but “secure open source” can easily become a round of audits that finds work for maintainers without funding them to do it.

Many critical projects do not primarily need another dashboard. They need paid time for release engineering, dependency updates, incident response, documentation, review, and the unglamorous work that prevents one exhausted maintainer from becoming a systemic risk.

A useful public program would fund:

  • multi-year maintainer contracts, not one-off prizes
  • reproducible builds and signed release infrastructure
  • coordinated disclosure and incident-response capacity
  • independent audits paired with remediation budgets
  • dependency mapping that does not punish projects for being widely used
  • succession plans for projects with a single active maintainer

The important metric should not be how many vulnerabilities a program announces. It should be how quickly funded projects can fix issues without burning out the people who understand the code.

If a government had EUR 100 million for open-source security, what percentage should go to audits, maintainer time, build infrastructure, and emergency response?

Source: …europa.eu/…/new-eu-plan-address-risks-and-opport…