Tootfinder

Opt-in global Mastodon full text search.

@kubikpixel@chaos.social
2026-02-18 18:15:03

Carelessness versus craftsmanship in cryptography
Two popular AES libraries, aes-js and pyaes, “helpfully” provide a default IV in their AES-CTR API, leading to a large number of key/IV reuse bugs. […] The aes-js/pyaes maintainer, on the other hand, has taken a more… cavalier approach.
🔓

@qbi@freie-re.de
2026-02-19 07:29:44

Reuse,
good for fishing
bad in cryptography
blog.trailofbits.com/2026/02/1

An AI agent autonomously wrote and published a personalized attack article
against an open-source software maintainer
after he rejected its code contribution.
⚠️ It might be the first documented case of an AI publicly shaming a person as retribution. 
Matplotlib, a popular Python plotting library with roughly 130 million monthly downloads, doesn’t allow AI agents to submit code.
So Scott Shambaugh, a volunteer maintainer (like a curator for a repository of comp…

@ethanwhite@hachyderm.io
2026-02-15 01:44:29

The story of what's been happening with an LLM posting attack pieces against an open source maintainer and then a news outlet publishing a piece using LLMs that made up quotes from the maintainer is a disturbing look into what the internet is going to look like in the immediate future
theshamblog.com/an-ai-agent-pu
theshamblog.com/an-ai-agent-pu

@ripienaar@devco.social
2026-02-17 12:28:48

AI Agent Lands PRs in Major OSS Projects, Targets Maintainers via Cold Outreach
Apparently reputation farming and running an openclaw consultancy
socket.dev/blog/ai-agent-lands

@mela@zusammenkunft.net
2025-12-02 22:29:33

Important info for Syncthing users on Android: linuxnews.de/neuer-maintainer-

@Techmeme@techhub.social
2026-02-14 02:41:00

A matplotlib maintainer explains how an AI agent that suggests code changes on open source repos wrote a hit piece on him after a rejection, and the aftermath (Scott/The Shamblog)
theshamblog.com/an-ai-agent-pu

@laf0rge@chaos.social
2025-12-15 19:51:21

I'm currently looking for one or more volunteers to maintain the Openmoko USB PID OUI service at github.com/openmoko/openmoko-u as the existing maintainer is no longer available. This is a service providing free USB Product IDs and Ethernet MAC addresses for the

@ellie@ellieayla.net
2026-02-17 06:42:41

Finally put together type stubs for an old (last release 2017!) python library I've been depending on for years. And now wondering whether it would have been easier to just contribute types to the library directly. I thought it abandoned but then the maintainer responded up on an unrelated ticket.
(Though there's no CI infra actually working anymore. Makes testing contributions painful. Wonder whether building that first would be worthwhile & welcome...)
#python #packaging

@Mediagazer@mstdn.social
2026-02-14 12:26:10

A now-removed Ars Technica article, covering how an AI agent wrote a hit piece about an open source project maintainer, seems to have included AI hallucinations (Scott Shambaugh/The Shamblog)
theshamblog.com/an-ai-agent-pu

@fortune@social.linux.pizza
2025-12-13 20:00:02

<Overfiend_> Overfiend's First Law of Package Quality: If the
maintainer likes to spell part or all of his name in
CAPS, the package will suck.

@v_i_o_l_a@openbiblio.social
2026-01-25 15:37:46

"I accidentally became a FOSS maintainer and all I got was this lousy new perspective on librarianship"
hughrundle.net/i-accidentally-

@lornajane@indieweb.social
2026-02-12 08:43:21

This week's career limiting accessibility regression from @… is to not show comments in pull request diff any more. There's a separate comment panel which you can look at (but not at the same time as the diff) where there are indications of content replies but these cannot be interacted with using standard accessibility tools.
I review very long pull requests for work and as a volunteer maintainer and I am not sure why we're okay with this constant march of degraded experience. #a11y

@hynek@mastodon.social
2026-01-23 12:48:14

DAE see lower-than-expected GitHub Sponsors payouts? (link is to the official but application-required maintainer community maintainers.github.com/ so you might not have access)

Silicon Valley, drunk on exponential curves and both terrified and entranced by endless funding rounds,
has given us the "Hero Developer":
a figure who ships features at midnight,
who “moves fast and breaks things,”
who transforms whiteboard scribbles into billion-dollar unicorns through sheer caffeinated will.
We celebrate this person constantly.
They're on the front page of TechCrunch et al.
They keynote conferences.
Their G…

@chpietsch@fedifreu.de
2026-01-26 14:14:07

In December, the authors of #watchtower decided to archive their own project.
There are a few forks out there - unfortunately I know nothing about them so can't really vouch for their legitimity. If you want to continue using Watchtower, please assess them yourself wit…

GitHub screenshot:

simskij on Dec 17, 2025
Maintainer

It is with a heavy heart, and some sense of relief, that I'd like to announce that we are looking to archive containrrr/watchtower. Neither @piksel, nor I, are big users of docker anymore, and frankly lost interest (and time) in maintaining the project.

There are a few forks out there - unfortunately I know nothing about them so can't really vouch for their legitimity. If you want to continue using Watchtower, please assess them yourself …

@fanf@mendeddrum.org
2026-01-28 09:42:04

from my link log —
How we made Python's packaging library 3x faster.
iscinumpy.dev/post/packaging-f
saved 2026-01-27

@kornel@mastodon.social
2025-11-23 15:54:02

@… encoding_rs needs some maintainer attention

@niklaskorz@rheinneckar.social
2026-01-27 11:14:06

So crate2nix has a new maintainer after being dead for roughly two years, but it's all Co-Authored-By Claude Code now.
#nix

@zachleat@zachleat.com
2026-01-22 16:33:46

@… this perspective doesn’t resonate with me, knowing my incentives and internal motivations as a maintainer (not an “external” contributor) but I am curious what you mean!

@gwire@mastodon.social
2026-01-30 00:22:36

The markets have reacted to the news that
systemd maintainer Lennart Poettering has left Microsoft.

@fanf@mendeddrum.org
2026-01-28 18:42:02

from my link log —
Error handling in Rust: from `failure` to `fehler`.
boats.gitlab.io/blog/post/fail
saved 2020-04-09

@shanmukhateja@social.linux.pizza
2025-12-21 19:52:09

The #libxml2 situation is a sad one. It sucks that big tech companies refuse to fund a library that is so critical to their products.
Let it be known that I support Nick, the now-former, original maintainer of the project.
#opensource