Thiago Padilha

I really believed a whole generation of developers, who only know open source from npm and pypi, miss how open source actually used to work. When Debian or a Linux distribution ships a dependency they take responsibility of it. If there is a security issue and it’s not fixed by the developer upstream, they fix it for their users. Debian and others basically vendor every thing they distribute. They honor the license and they maintain patches. Most of the stuff that you get from your Linux distribution is basically a (small) fork. The same is true for Apple, Microsoft and others. The open source software they ship, they carry that responsibility. That doesn’t mean that security fixes are not upstreamed, but Apple or Debian or anyone else won’t jump in Twitter to shame a developer into compliance with their ways. They are not dependent on the health of a packaging infrastructure. They own their software including all the things it depends on. I want that thinking back. Because it fundamentally makes people feel more responsibility and it shares the burden of issues. It also does not put so much focus and attention on the one overworked developer who just happened to have too much of the world depend on their library. Remember: they carry a responsibility they never signed up to and they never got compensated for.

Private benchmarks tend to be biased. I have a very simple code investigation benchmark (on llama.cpp codebase) that very few models have passed so far. GPT 5.x are the only models that passes on it consistently. Both Qwen 3.6 have a good pass rate despite being well below 100B parameters. Step 3.7 Flash also passed on it, though not as consistently as Qwen 3.6 27b. Both Deepseek 4 models fail on it consistently and simply hallucinate the answer despite having many times the number of parameters as Qwen 3.6. Does that mean that Qwen 3.6 or Step 3.7 Flash are better than Deepseek 4? Definitely not. It only means that they are better in this benchmark.

Besides being much smarter, gpt 5.5 is a much more “neutral” model than opus 4.6. You can always tell when a code change was written by opus. It tends to be extremely reward hacky and comment-ridden, whereas with codex, you can't actually distinguish it. It’s much more steerable and lets the developers preferences shine through.

Supply chain attacks and OSS sustainability go hand in hand. I've semi-seriously joked for years that OSS upstreams should periodically purposely inject full vulns into their code and let downstreams fuck around and find out. Downstreams can pay to get the non-FAFO version. The not joke part is simply that OSS maintainers aren't a supply chain. OSS maintainers are not responsible for monitoring CVEs (because, they are not a supply chain). OSS maintainers are not at fault when bad shit happens to downstreams, because basically every OSS license (MIT, Apache, GPL, etc.) literally says: the software is provided "as-is, without warranty." You get what you pay for (that is to say: absolutely nothing!) Now, the joke part is that I do believe there is an ethical obligation to try to prevent harm downstream. But "try" is the key word. So, this isn't a serious proposal. But, if you're using OSS code and you're not paying for a license with a contract that promises some kind of warranty, you have no supply chain. You (the downstream user of an OSS lib) ARE the supply chain. To use a metaphor: physical goods have a real supply chain. Car manufacturers, chips, clothes, toys, etc. You have a signed commercial agreement with all your suppliers that promises quantity AND quality and blowback if either are missed. Thats a supply chain. If someone puts some chips on the side of the road with a "FREE" sign, then you integrate those into a product, then find out those chips are hacking customers, its your fault, not the person who dropped them on the side of the road.