Tootfinder

Opt-in global Mastodon full text search.

@Techmeme@techhub.social
2026-02-14 02:41:00

A matplotlib maintainer explains how an AI agent that suggests code changes on open source repos wrote a hit piece on him after a rejection, and the aftermath (Scott/The Shamblog)
theshamblog.com/an-ai-agent-pu

@hynek@mastodon.social
2026-04-12 09:33:20

Maintainer friends of wheel-heavy #Python packages: do we already have some practical, standard way to automatically upload all the cibuildwheel output across all architectures? My current workflow is a) a pain in the ass and b) requires me to have one last PyPI upload token.

@publicvoit@graz.social
2026-04-12 08:32:40

If you're using #Magit for your #git productivity boost, please do consider spending a few bucks for its maintainer who earns his living with that and seems to struggle at the moment:

@lornajane@indieweb.social
2026-02-12 08:43:21

This week's career limiting accessibility regression from @… is to not show comments in pull request diff any more. There's a separate comment panel which you can look at (but not at the same time as the diff) where there are indications of content replies but these cannot be interacted with using standard accessibility tools.
I review very long pull requests for work and as a volunteer maintainer and I am not sure why we're okay with this constant march of degraded experience. #a11y

@thesaigoneer@social.linux.pizza
2026-03-14 00:42:15

I need to delve into rsync. Just noticed a well maintained repo of KDE pkgs, running on the oldest distro around. I know the maintainer, finally a chance to get back into the groove 😎

@kubikpixel@chaos.social
2026-03-31 19:40:41

One of the most popular JavaScript packages on earth Axios has been compromised
The Axios NPM package has been compromised and the maintainer of the project has been locked out of their account. This will go down in history as one of the most successful software supply chain attacks ever
💥 opensourcemal…

@v_i_o_l_a@openbiblio.social
2026-01-25 15:37:46

"I accidentally became a FOSS maintainer and all I got was this lousy new perspective on librarianship"
hughrundle.net/i-accidentally-

@qbi@freie-re.de
2026-02-19 07:29:44

Reuse,
good for fishing
bad in cryptography
blog.trailofbits.com/2026/02/1

An AI agent autonomously wrote and published a personalized attack article
against an open-source software maintainer
after he rejected its code contribution.
⚠️ It might be the first documented case of an AI publicly shaming a person as retribution. 
Matplotlib, a popular Python plotting library with roughly 130 million monthly downloads, doesn’t allow AI agents to submit code.
So Scott Shambaugh, a volunteer maintainer (like a curator for a repository of comp…

@ethanwhite@hachyderm.io
2026-02-15 01:44:29

The story of what's been happening with an LLM posting attack pieces against an open source maintainer and then a news outlet publishing a piece using LLMs that made up quotes from the maintainer is a disturbing look into what the internet is going to look like in the immediate future
theshamblog.com/an-ai-agent-pu
theshamblog.com/an-ai-agent-pu

@metacurity@infosec.exchange
2026-03-14 12:24:09

Happy Saturday! Metacurity is pleased to offer our free and premium subscribers a weekly digest of the best long-form (and longish) infosec-related pieces we couldn't properly fit into our daily news crush.
This week's selection covers
--Trump's supposed cyber-first war strategy,
--How an OpenClaw agent attacked an open source project maintainer,
--Electronic warfare threatens maritime navigation,
--Trump's offensive cyber-based strategy,
--…

@kubikpixel@chaos.social
2026-02-18 18:15:03

Carelessness versus craftsmanship in cryptography
Two popular AES libraries, aes-js and pyaes, “helpfully” provide a default IV in their AES-CTR API, leading to a large number of key/IV reuse bugs. […] The aes-js/pyaes maintainer, on the other hand, has taken a more… cavalier approach.
🔓

@hynek@mastodon.social
2026-01-23 12:48:14

DAE see lower-than-expected GitHub Sponsors payouts? (link is to the official but application-required maintainer community maintainers.github.com/ so you might not have access)

@fanf@mendeddrum.org
2026-01-28 09:42:04

from my link log —
How we made Python's packaging library 3x faster.
iscinumpy.dev/post/packaging-f
saved 2026-01-27

@chpietsch@fedifreu.de
2026-01-26 14:14:07

In December, the authors of #watchtower decided to archive their own project.
There are a few forks out there - unfortunately I know nothing about them so can't really vouch for their legitimity. If you want to continue using Watchtower, please assess them yourself wit…

GitHub screenshot:

simskij on Dec 17, 2025
Maintainer

It is with a heavy heart, and some sense of relief, that I'd like to announce that we are looking to archive containrrr/watchtower. Neither @piksel, nor I, are big users of docker anymore, and frankly lost interest (and time) in maintaining the project.

There are a few forks out there - unfortunately I know nothing about them so can't really vouch for their legitimity. If you want to continue using Watchtower, please assess them yourself …

@niklaskorz@rheinneckar.social
2026-01-27 11:14:06

So crate2nix has a new maintainer after being dead for roughly two years, but it's all Co-Authored-By Claude Code now.
#nix

@zachleat@zachleat.com
2026-01-22 16:33:46

@… this perspective doesn’t resonate with me, knowing my incentives and internal motivations as a maintainer (not an “external” contributor) but I am curious what you mean!

@gwire@mastodon.social
2026-01-30 00:22:36

The markets have reacted to the news that
systemd maintainer Lennart Poettering has left Microsoft.

@ripienaar@devco.social
2026-02-17 12:28:48

AI Agent Lands PRs in Major OSS Projects, Targets Maintainers via Cold Outreach
Apparently reputation farming and running an openclaw consultancy
socket.dev/blog/ai-agent-lands

@jswright61@ruby.social
2026-02-22 14:18:50

RE: #LeftWordle, and someone who obsesses about stats, I felt terrible t…

@Mediagazer@mstdn.social
2026-02-14 12:26:10

A now-removed Ars Technica article, covering how an AI agent wrote a hit piece about an open source project maintainer, seems to have included AI hallucinations (Scott Shambaugh/The Shamblog)
theshamblog.com/an-ai-agent-pu

@mgorny@social.treehouse.systems
2026-03-10 16:05:26

The key takeaways from the early part of the #chardet thread (I didn't read beyond the ~30 first comments, I have my limits).
1. People there love cosplaying lawyers. Except when the other side also starts cosplaying lawyers, in which case they suddenly divert to suggesting asking professional lawyers.
2. Almost nobody there is concerned with ethics or morality.
3. There's a lot of GPL haters there. Like, they seem the kind of people who don't really care about licensing at all, just used MIT in their projects because it was cool and they heard something about license incompatibility and now bash at everything that's (L)GPL.
4. People don't get that LLMs are statistical models and can't build anything from the ground up. All they can do is remix, which implies they use existing code for inspiration.
5. The maintainer who did the rewrite is a total asshole, and is perfectly aware of it.
Honestly, I'm truly waiting for the subsidizing to end and companies start charging obscene amounts for the use of LLMs. Of course, the reality is that we're totally fucked. We have a lot of projects that adapted a lot of #slop, and people who are being increasingly addicted to this shit. The moment they can't afford it, we'd be left with lots of broken code nobody wants to maintain.
And I definitely don't want to put my effort into packaging crap if its maintainers don't even bother trying.
#AI #LLM #NoAI #NoLLM

@grahamperrin@bsd.cafe
2026-03-22 03:42:10

@… thanks. Not a big deal, it was a private email from a port maintainer (not an official email address). I simply don't enjoy uninvited put-downs from developers who suffer from a superiority complex. Rude then signed "Best regards" was a weird combination, but some cultures are just weird, and software development sometimes brings out the weirdest in…

@ellie@ellieayla.net
2026-02-17 06:42:41

Finally put together type stubs for an old (last release 2017!) python library I've been depending on for years. And now wondering whether it would have been easier to just contribute types to the library directly. I thought it abandoned but then the maintainer responded up on an unrelated ticket.
(Though there's no CI infra actually working anymore. Makes testing contributions painful. Wonder whether building that first would be worthwhile & welcome...)
#python #packaging

@fanf@mendeddrum.org
2026-01-28 18:42:02

from my link log —
Error handling in Rust: from `failure` to `fehler`.
boats.gitlab.io/blog/post/fail
saved 2020-04-09

@mgorny@social.treehouse.systems
2026-03-05 11:58:10

Honestly, looking at the license violation thread of #chardet, I really feel like #OpenSource these days is a complete shitshow and I really don't feel like a part of the community anymore. Almost all replies are basically assholes questioning whether there "legally" is actually a problem there. Nobody's concerned that the whole thing is a huge dick move, which makes the maintainer a complete dick and nobody with a shred of morality left would be willing to approve this.
Also, it's a great opportunity to seed some GitHub blocklists.
#FreeSoftware #AI #LLM #NoAI #NoLLM