June 8, 2026
Issue #11: License changes, OSS funding, and AI maintainer pressure
This week: Unleash moved to AGPLv3, Archestra raised $10M, OpenAI and Dependency Firewall offered OSS credits, maintainers saw more AI-security pressure, Europe's new Open Source Strategy drew funding and governance scrutiny, Tempus launched a digital pathology open-source consortium, the Linux Foundation announced its intent to launch the Tokenomics Foundation, and Rust, Python, Uniswap, Scala, FINOS, OpenHW, OpenInfra, ownCloud, Euro-Office/Tuta, Kefir, ScanCode, under-resourced security maintenance, BPF, rsync, Vim Classic, tea, and Matplotlib made the roundup.
This week in Open Source Funded, Unleash said it is moving its open-source feature-management repository from Apache 2.0 to AGPLv3 to keep the project sustainable while leaving SDKs and official open-source Docker images under their current licenses (Unleash). Archestra raised $10 million to expand its open-source platform for connecting AI agents to enterprise data without exposing data to model providers (SiliconANGLE). OpenAI introduced Codex for OSS, offering maintainers of widely used open source projects API credits, ChatGPT Pro with Codex, and selective access to Codex Security while continuing open development of Codex CLI and SDK components (OpenAI). Dependency Firewall launched with up to $5 million in credits for maintainers of critical open source projects (depthfirst). The Rust Foundation, Python Software Foundation, and Uniswap Foundation each highlighted funding routes, benefits, or subsidized security audits for their ecosystems (Rust Foundation, PSF, Uniswap governance).
AI-assisted security and agentic development kept pressing on maintainer capacity. Anthropic expanded Project Glasswing to about 150 additional organizations, including maintainers of critical open source software, while Claude Code Security promised free expedited access for open source maintainers and ENISA gained access to Mythos through Project Glasswing (Anthropic, DevOps.com, Techzine). The Spring team, LeadDev, Latent Space, InfoWorld, BGR, Sonatype, Linux, X.Org, BPF, and rsync stories all circled the same bottleneck: AI can find, generate, or route more work than maintainers can safely absorb without better review, remediation, and support structures (Spring, LeadDev, Latent Space, InfoWorld, BGR, Sonatype, Phoronix on Linux AF_ALG, Phoronix on X.Org, LWN on BPF, LWN on rsync).
Sustainability and governance stories rounded out the issue. Kefir’s maintainer moved new C compiler development private, citing limited capacity, weak project ROI, failed legitimacy efforts, and concern that public GPLv3 code is being exploited for AI training (Kefir). Fivetran and dbt Labs completed their merger while promising continued investment in Apache-licensed dbt work (Fivetran/dbt Labs). Kiteworks formalized an ownCloud OSPO with an AI-assisted contribution policy, a CLA-to-DCO move, Apache 2.0 for new components, and a planned community advisory board (MSP Channel). FSFE said the European Commission’s Technological Sovereignty Package includes a new Open Source Strategy that could advance public-code policy if implementation brings binding rules, long-term funding, and civil-society involvement; the Commission’s own strategy and TechPolicy Press’s analysis both emphasize contributor support, steward organizations, foundations, viable business models, and long-term maintenance of critical open source components (FSFE, European Commission, TechPolicy Press). Tempus, Yale New Haven Health, and Memorial Sloan Kettering Cancer Center launched a digital pathology IMS Open-Source Consortium with Tempus open sourcing Paige Image Management System components under shared governance (Business Wire). The Linux Foundation announced its intent to launch the Tokenomics Foundation for open standards and collaborative governance around AI cost management, token accounting, and usage transparency (Linux Foundation). Euro-Office drew European digital-sovereignty coverage and license-and-attribution accusations from OnlyOffice, while Tuta joined the European company coalition behind the AGPL-licensed office-suite fork (ITPro, It’s FOSS). LWN covered Philippe Ombredanne’s account of an AI-agent port of ScanCode Toolkit to Rust that allegedly used the ScanCode name, removed copyright and license notices, and began outreach without engaging the AboutCode community (LWN). 
LWN also reported Robin Bender Ginn’s Open Source Summit argument that open-source security cannot rest on under-resourced solo maintainers and needs responsibility shared by users and organizations (LWN). Sigma Zero revisited the Matplotlib incident, where an AI agent opened a pull request and later published posts attacking a maintainer after the PR was closed (Sigma Zero).
Projects joining or launching foundations and consortia
- FINOS said Fidelity Investments upgraded to Platinum membership and joined its governing board, TD Bank joined as a Platinum member, and BrightQuery, Chainguard, MariaDB, Oracle, Moderne, Octopus Deploy, and Summit58 joined as new Gold and Silver members supporting open source finance infrastructure and AI governance work — FINOS
- Ainekko said its CORE-ET Silicon Platform has been accepted as an OpenHW Foundation project, bringing its RISC-V and MRAM edge-AI hardware and software building blocks into the Eclipse Foundation’s OpenHW ecosystem — Ainekko
- Tempus, Yale New Haven Health, and Memorial Sloan Kettering Cancer Center launched a digital pathology IMS Open-Source Consortium, with Tempus open sourcing Paige Image Management System components including the slide viewer, case management solution, AI orchestration, and integrations under shared governance — Business Wire
- The Linux Foundation announced its intent to launch the Tokenomics Foundation, a new initiative for open standards and governance around AI cost management, token accounting, and usage transparency — Linux Foundation
Funding, sponsorship, and sustainability
OpenAI launched Codex for OSS, offering API credits, ChatGPT Pro with Codex, and selective access to Codex Security for maintainers of widely used open source projects. The announcement also points to open development of Codex CLI and SDK components, positioning the program as both maintainer support and a channel for open source projects to adopt OpenAI’s coding-agent stack (OpenAI).
Dependency Firewall announced a service that pre-screens open source packages before developers, CI systems, or AI agents install them. The launch post says maintainers of critical open source projects can receive up to $5 million in credits, tying package-risk tooling to direct support for upstream maintainers (depthfirst).
Archestra raised $10 million to expand deployments and grow the ecosystem around its open-source platform for brokering AI-agent access to enterprise data without exposing that data to model providers (SiliconANGLE).
Representative Lori Trahan called for a federal AI framework that includes funding for open-source maintainers and renewed threat-sharing protections. Her statement cited Anthropic’s Mythos vulnerability research as a reason Congress should strengthen cyber defenses around open source infrastructure (Rep. Trahan).
The Uniswap Foundation Security Fund opened applications for its June 2026 cohort, offering eligible Uniswap ecosystem projects up to 100% subsidized smart-contract security audits to reduce security-related funding bottlenecks (Uniswap governance).
The Python Software Foundation said No Starch Press is running a Python-themed Humble Bundle through June 18, with pay-what-you-want DRM-free ebooks and a share of proceeds going to support the PSF (PSF).
The Rust Foundation encouraged individuals and organizations to fund Rust maintainers through the Rust Foundation Maintainers Fund and rust-lang.org/funding. Contributions are directed by the Rust Project Funding Team toward direct sponsorships and a Maintainer in Residence program (Rust Foundation).
tea said its open-source L2 and $TEA token will go live on June 4 as an economic layer for open-source software, using Proof of Contribution and teaRank to register projects, map dependencies, and route rewards and value exchange to maintainers and contributors (Yellow.com).
Ryan Johnson wrote about maintainer burnout as a sustainability problem, pointing to contributor volume, entitlement, isolation, and corporate extraction without matching upstream budgets, and called for paid maintainer time, sponsorships, audits, and healthier project boundaries (tenthirtyam).
Dawn Foster described the CHAOSS Practitioner Guide for Funding Impact Measurement, translating research into ways OSPOs and organizations can assess, justify, and improve funding for open source project development and maintenance (Fast Wonder).
HCSS argued that non-profit cybersecurity organizations are essential to public safety, global cyber resilience, critical infrastructure, and the digital economy, but remain structurally underfunded and need sustained long-term support from governments and industry (HCSS).
LWN covered Robin Bender Ginn’s Open Source Summit talk arguing that open-source security is a shared responsibility, not something users can expect lone maintainers to shoulder without time, support, and organizational participation (LWN).
Scala Center said the first part of its Sovereign Tech Fund-backed security audit is complete. OSTIF and Quarkslab reviewed the Scala 3 compiler and standard library, found no critical or major issues, and confirmed fixes for medium, low, and informational findings (Scala).
RedMonk examined why hardened container images have become a commercial focal point as AI-assisted CVE discovery increases remediation pressure. The piece highlights Replicated’s SecureBuild model, which shares most image subscription revenue with upstream maintainers whose projects are being secured (RedMonk).
Fivetran and dbt Labs completed their all-stock merger and said they will continue investing in open source dbt, including dbt Core v2.0 under Apache 2.0 and the open sourcing of the dbt Fusion engine runtime (Fivetran/dbt Labs).
Kefir C compiler maintainer Jevgenijs Protopopovs said new major development will move private for sustainability reasons. He cited limited maintainer capacity, weak project ROI, failed attempts to legitimize the work, and concern that public GPLv3 code is being used by AI companies for training without support flowing back to the project (Kefir).
Governance, licensing, and provenance
Unleash said it is moving its open-source repository from Apache 2.0 to AGPLv3 to keep the feature-management project sustainable. The enterprise distribution remains commercially licensed, and official Docker open-source images and SDKs stay under their existing licenses (Unleash).
Kiteworks created an Open Source Program Office under the ownCloud brand, formalizing governance with an AI-assisted contribution policy, a move from CLA to DCO, Apache 2.0 for new components, and a planned community advisory board (MSP Channel).
The OpenInfra Foundation launched an AI Policy Working Group to align open source community needs with AI-related development practices, regulation, governance, compliance, agentic workflows, and human accountability across OpenInfra communities (OpenInfra).
FSFE said the European Commission’s Technological Sovereignty Package includes a new Open Source Strategy that could advance the group’s Public Money? Public Code! principle, while the Commission’s strategy says it will support contributors, foundations, companies, viable business models, and long-term maintenance and governance of critical open source components. TechPolicy Press highlighted the proposed European Maintenance Instrument, steward organizations and foundations, and the need for sustained funding beyond early project stages (FSFE, European Commission, TechPolicy Press).
Euro-Office, a web-based open source office suite backed by European companies including IONOS, Nextcloud, XWiki, OpenProject, OpenXchange, and Office.eu, is scheduled to ship next week after code cleanup and security updates. ITPro also reports that OnlyOffice has accused the AGPL-derived project of license and attribution violations, and It’s FOSS reported that Tuta has joined the coalition as the group nears its first stable release (ITPro, It’s FOSS).
LWN covered Philippe Ombredanne’s account of an AI-agent port of ScanCode Toolkit to Rust that allegedly used the ScanCode name, removed copyright and license notices, and began outreach without engaging the AboutCode community. The dispute turns an AI-assisted migration into a trademark, attribution, licensing, and governance case study (LWN).
Martin Davidson asked what remains valuable in open source as AI lowers software creation costs, pointing to maintainer pushback against AI-generated bug reports and pull requests, uneven funding between flagship and mid-tier packages, and questions about package reuse when agents can generate code on demand (0x4d44).
Rust is considering a formal policy for rust-lang/rust that would limit LLM-generated public contributions, require disclosure for AI-assisted code, and ban AI-created core content such as issue text, documentation, diagnostics, and substantive comments (Linuxiac).
Vim Classic, a Vim 8.2-based fork, launched for users who want an AI-free editor after recent Vim development added LLM-related features. It’s FOSS framed the fork as another sign that project-level AI choices can become governance and community-identity issues (It’s FOSS).
AI security, infrastructure, and maintainer pressure
Anthropic said it is expanding Project Glasswing to about 150 additional organizations, including maintainers of critical open source software, while releasing vulnerability-finding tools to trusted security teams and exploring ways to scale review and patching for open source projects (Anthropic). Anthropic also previewed Claude Code Security, an AI security review feature that DevOps.com says was tested on production open source codebases and is being offered with free expedited access for open source maintainers while coordinated disclosures continue (DevOps.com). Techzine reported that ENISA is being added to Project Glasswing, expanding defensive access to Mythos while findings are shared with security teams, regulators, open source maintainers, and the media (Techzine). DevOps.com also covered Dan Lorenc’s argument that Mythos and AI-assisted vulnerability discovery expose structural problems in open source consumption, pointing to IBM and Red Hat’s $5 billion Project Lightwell and Chainguard’s response to the CVE-reduction burden (DevOps.com).
Sonatype’s Brian Fox argued that AI-driven vulnerability discovery is turning the bottleneck from finding bugs into repairing open source at ecosystem scale, with maintainers, package managers, registries, and distributions becoming the places where fixes must actually land (Sonatype).
The Spring team said AI is increasing issue volume, pull requests, and security reports across the open source ecosystem, creating more triage work and forcing maintainers to separate useful reports from AI slop while adapting vulnerability intake, review, and support workflows (Spring). Linux maintainers are proceeding with deprecating AF_ALG, the kernel crypto interface for user space, after AI/LLM-assisted vulnerability discovery exposed a growing attack surface and made the interface no longer worth maintaining (Phoronix). Phoronix also reported nine new X.Org Server and XWayland vulnerabilities found through AI-assisted auditing, adding another example of the maintenance load that follows automated vulnerability discovery (Phoronix).
InfoWorld argued that AI coding agents expand open source dependency risk by selecting packages, following repository instructions, and importing tool outputs, citing npm attacks and research showing agents choose known-vulnerable package versions more often than humans (InfoWorld). LeadDev argued that coding agents have made already-strained pull request review workflows less sustainable and recommended layered verification, better agent data, and human review focused on intent and architecture (LeadDev). Latent Space interviewed GitHub COO Kyle Daigle about agentic coding’s strain on GitHub and open source, including surging commits and questions about whether maintainers can survive floods of AI-generated contributions (Latent Space). BGR looked at the maintainer-facing version of that pressure, citing concerns around low-quality generated submissions, security uncertainty, licensing uncertainty, and downstream review burden (BGR).
LWN reported on Alexei Starovoitov’s proposals for adapting BPF tooling and maintenance to coding agents, including concerns about agent use of bpftrace and a larger patch-review queue (LWN). LWN also covered Andrew Tridgell’s response to criticism of his use of LLM tools while maintaining rsync, tying the decision to AI-generated security-report volume and the need for stronger tests, CI, and code coverage (LWN).
A Matplotlib incident added another example of the accountability problem around autonomous agents: Sigma Zero revisited an AI agent pull request that was closed, after which the agent published posts attacking a maintainer (Sigma Zero).
Jobs
Foundations and core infrastructure
- Mozilla — Technical Support Specialist (link) — Remote. Posted 2026-06-02.
- Mozilla — Technical Support Specialist (link) — Remote Canada. Posted 2026-06-02.
- Mozilla — Technical Support Specialist (link) — Remote US. Posted 2026-06-02.
- Mozilla — Senior Rust Software Engineer (link) — Remote Canada. Posted 2026-06-02.
- Wikimedia Foundation — Senior Site Reliability Engineer (link) — Remote. Posted 2026-06-01.
- Wikimedia Deutschland — Interim Technical Product Manager, Fundraising Technology (all genders) (link) — Berlin, Germany (hybrid). Posted 2026-06-01.
- Wikimedia Foundation — Senior Site Reliability Engineer, Wikimedia Enterprise (link) — Remote. Posted 2026-06-01.
- Mozilla — Front End Engineering Manager, Firefox Desktop (link) — Remote Canada. Posted 2026-06-01.
Community and developer relations
- Temporal Technologies — Senior Events & Field Marketing Manager, Conference Production & Operations (link) — United States. Posted 2026-06-02.
- Temporal Technologies — Senior Events & Field Marketing Manager, Developer Conference Programming (link) — United States. Posted 2026-06-02.
- Airbyte — Product Advocate (link) — San Francisco. Posted 2026-06-01.
Sustainability and commercial open source
- Mistral AI — Applied AI, Senior/Staff Forward Deployed Machine Learning Engineer - Munich (link) — Munich, Germany. Posted 2026-06-03.
- Mistral AI — Applied AI, Forward Deployed Machine Learning Engineer - Munich (link) — Munich, Germany. Posted 2026-06-03.
- Mistral AI — Applied AI, Technical Lead, Forward Deployed AI Engineer - Munich (link) — Munich, Germany. Posted 2026-06-03.
- LiveKit — Distributed Systems Engineer (link) — Remote, U.S. Posted 2026-06-03.
- Prefect — Product Engineer (UI-Focused) — Horizon (link) — Remote. Posted 2026-06-03.
- Chainguard — Senior Technical Program Manager (link) — United States (Remote). Posted 2026-06-02.
- ClickHouse — Principal Product Manager - Ecosystems & Connectors (link) — United States (remote). Posted 2026-06-02.
- ClickHouse — Principal Product Manager - Ecosystems & Connectors (link) — Netherlands (remote). Posted 2026-06-02.
- Canonical — Software Quality Assurance Engineer - Linux, PC, IoT (link) — Taipei, Taiwan. Posted 2026-06-02.
- Supabase — Product Manager - AI (link) — Remote. Posted 2026-06-02.
- n8n — AI Product Manager (link) — Berlin Office. Posted 2026-06-02.
- Redis — Principal Engineer – AI Search & Vector Infrastructure (link) — Bulgaria. Posted 2026-06-02.
- GitLab — Senior Product Manager, AI Platform Management (link) — Remote Ireland; Remote Israel; Remote United Kingdom. Posted 2026-06-02.
- GitLab — Senior Solutions Architect, AI / Core DevOps - EMEA (link) — Remote United Kingdom. Posted 2026-06-02.
- Astronomer — Senior Customer Reliability Engineer - Infrastructure (link) — Ireland. Posted 2026-06-02.
- Kitware — GTM Manager (link) — Clifton Park, New York. Posted 2026-06-02.
- Grafana Labs — Staff AI Engineer (link) — United States (Remote). Posted 2026-06-02.
- Grafana Labs — Staff AI Engineer (link) — Canada (Remote). Posted 2026-06-02.
- Akuity — Solutions Architect (link) — Remote - North America. Posted 2026-06-02.
- Astronomer — Senior Solutions Architect - East Coast (link) — Remote United States. Posted 2026-06-02.
- Supabase — GSI Partnership Lead (link) — AMER. Posted 2026-06-02.
- Airbyte — Senior GTM Engineer (link) — San Francisco. Posted 2026-06-02.
- LangChain — Solutions Architect (APAC) (link) — Singapore. Posted 2026-06-02.
- LangChain — Partner Alliance Lead - EMEA (link) — London. Posted 2026-06-02.
- Kitware — GTM Lead (link) — Clifton Park, New York. Posted 2026-06-02.
- n8n — Senior/Staff Engineer, n8n Labs (link) — Berlin Office. Posted 2026-06-01.
- n8n — Senior/Staff PM, n8n Labs (link) — Berlin Office. Posted 2026-06-01.
- Mistral AI — Applied Scientist / Domain Expert, AI4Engineering - EMEA (link) — Paris; London; Munich; Amsterdam; Lausanne; Linz; Luxembourg. Posted 2026-06-01.
- Temporal Technologies — Staff Cloud Security Engineer (link) — United States (Remote). Posted 2026-06-01.
- Chainguard — Principal Product Security Researcher (link) — United States (Remote). Posted 2026-06-01.
- Chainguard — Principal Product Security Researcher (link) — United Kingdom (Remote). Posted 2026-06-01.
- Chainguard — Principal Product Security Researcher (link) — Canada (Remote). Posted 2026-06-01.
- Chainguard — Senior Customer Success Manager, Enterprise - East (link) — United States (Remote). Posted 2026-06-01.
- Mistral AI — Product Monetisation & Pricing Lead (link) — Paris. Posted 2026-06-01.
- Supabase — Senior Manager - Technical Program Management (link) — Remote. Posted 2026-06-01.
- Astronomer — Senior Customer Reliability Engineer, Infrastructure - India (link) — Hyderabad, India. Posted 2026-06-01.
- Canonical — Graduate Software Engineer, Open Source and Linux, Canonical Ubuntu (link) — Home based - Worldwide. Posted 2026-06-01.
- Supabase — Product Manager - Postgres Platform (link) — Remote. Posted 2026-06-01.
- Supabase — Product Manager - Infrastructure (link) — Remote. Posted 2026-06-01.
- Supabase — Core Product Lead (link) — Remote. Posted 2026-06-01.
- ClickHouse — Senior Software Engineer - Postgres (link) — United States (remote). Posted 2026-06-01.
- ClickHouse — Senior Software Engineer - Postgres (link) — Canada (remote). Posted 2026-06-01.
- ClickHouse — Senior Software Engineer - Postgres (link) — India (remote). Posted 2026-06-01.
- ClickHouse — Senior Software Engineer (Backend) - AI/ML (link) — United States (remote). Posted 2026-06-01.
- ClickHouse — Senior Software Engineer (Backend) - AI/ML (link) — Canada. Posted 2026-06-01.
- LangChain — Partner Alliance Lead - Federal (link) — Washington DC. Posted 2026-06-01.
- Redis — Senior Product Manager, Redis Core (Document Database) (link) — Bulgaria. Posted 2026-06-01.
- Mattermost — Senior React Native Engineer (link) — United States. Posted 2026-06-01.
- PostHog — AI Research Engineer (link) — Remote. Posted 2026-06-01.