OpenSourceShit Part 4: The Closing

Three parts in, here’s where it lands. Part 1 was the economics: AI made a plausible contribution free to produce, and review capacity didn’t move, so curl killed a six-year bug bounty over it. Part 2 was the people generating the load, mostly convinced they’re helping. Part 3 was the people who were never trying to help at all, running cloned repos and hijacked ad accounts against small maintainers because one infected developer covers the campaign cost many times over.
This part is about what maintainers are doing in response. There have actually been two different waves of this, years apart, and they don’t end the same way.
The Old Closing
In October 2018, MongoDB relicensed under the SSPL. The company’s own framing was careful, but everyone understood who it was aimed at: cloud vendors running MongoDB as a managed service, keeping the revenue, contributing nothing back upstream. Debian, Red Hat, and Fedora dropped MongoDB from their repos over it. The SSPL was submitted to the Open Source Initiative for approval and later withdrawn. It never got the label.
Elastic did the same thing in 2021, dual-licensing under SSPL and the Elastic License after years of trademark friction with AWS over “Amazon Elasticsearch Service.” AWS responded by forking the last Apache-licensed version into OpenSearch. HashiCorp moved to the Business Source License in 2023 for the same reason. Redis dropped its BSD license in March 2024, and the Linux Foundation backed a fork, Valkey, that 83% of large Redis-using companies were testing or running within a year.
Every one of these had a name attached. MongoDB was closing the door on AWS specifically. Elastic was closing the door on AWS specifically. The opponent was a company with a legal department, a PR team, and a reason to eventually sit down and negotiate.
The Reversal
Which is exactly what happened. In August 2024, Elastic added AGPLv3 back as a licensing option and announced it was, in its own words, open source again. Founder Shay Banon’s explanation was blunt: three years on, AWS was fully invested in its OpenSearch fork, the market confusion was resolved, and the relationship with AWS was “stronger than ever.” The fight had a natural endpoint, so the license could go back to normal. Redis followed a similar path in May 2025, adding AGPLv3 alongside its existing licenses.
That’s the shape of the old closing: a dispute with a specific, identifiable, well-resourced opponent, settled through licensing, and reversible once the dispute resolves. You can make peace with a company.
The New Closing
Nobody is negotiating with the 109 accounts running the SmartLoader campaign from Part 3. Nobody is going to sit down with whoever cloned corepack.org’s FAQ and had it hallucinate an answer about yarn bombing. There’s no CEO to call when the adversary is a script re-pushing 10,000 repos every few hours to look active, or an AI agent that responds to a rejected pull request by publishing a personal attack on the maintainer who rejected it, as Matplotlib’s Scott Shambaugh experienced in February 2026.
That’s why the January 2026 wave looked completely different from MongoDB’s. Ghostty restricted AI-generated contributions to pre-approved issues from existing maintainers. tldraw started auto-closing every external PR. NetBSD required written Core Team sign-off on anything AI-touched. QEMU named Copilot and ChatGPT directly in a policy declining their output outright. None of that required a lawyer, an OSI submission, or three years of patience waiting for a rival to feel satisfied. It required a sentence in CONTRIBUTING.md and the will to enforce it.
The old closing was a negotiation. The new closing is a wall built because there’s nobody on the other side worth negotiating with.
Why This One Doesn’t Reopen
Elastic could reopen because the harm had an edge to it: one company, one grievance, one resolution. The harm in Parts 1 through 3 doesn’t have an edge. curl isn’t going to un-ban a slop reporter once the incentive structure that produces slop reporters is gone, because it isn’t going anywhere. Ghostty isn’t going to reopen its PR queue once AI-assisted contribution volume drops, because the cost of trying again next month is still zero for whoever wants to try. There’s no fork to watch mature, no trademark to settle, no single account to make an example of and call it resolved.
This is the part of the series that started with a joke about someone offering to hire the person whose project they’d copied. That’s not a one-off. It’s the whole pattern at human scale, before it gets automated: someone extracts the value, breaks the thing they took, and then asks the original maintainer to fix it for free, or for a “gig,” which amounts to the same offer. Multiply that by a script that runs it against every unpaid maintainer with a few hundred dollars a year in donations, and closing the gate isn’t overcorrection. It’s the first response that actually scales to match the attack.
What’s Left Open
None of this means open source disappears. The code in these projects is still visible, still auditable, in most cases still forkable under the same license it always was. What’s closing isn’t the source. It’s the assumption that anyone showing up with a pull request, a bug report, or a “hey I love your project” DM is operating in good faith by default.
That assumption held for two decades because the cost of abusing it was, mostly, still human effort. Parts 1 through 3 were three different accounts of that cost hitting zero. Part 4 is just maintainers doing the only thing left that’s actually within their control: deciding who gets to walk through the door, one project at a time, because nobody bigger is going to do it for them.
The math broke. This is what it looks like when people start doing something about it.