June 15, 2026

Issue #12: Funding, EU policy, licensing scrutiny, maintenance strategy, and AI pressure

This week: funding updates from GNOME, Django, Rust, PHP, FSF, Ruby Central, FreeBSD, NSF, OpenAI, CNCF, Sovereign Tech, and NLnet; Chainguard's Athena coalition; Supabase and PgDog rounds; Euro-Office, Conda, Akka.NET, Unleash, Fossorial, Snowplow, and Bambuddy licensing and provenance scrutiny; long-term maintenance strategy; foundation and consortium joins; and AI-assisted security and coding tools straining open source workflows, including curl's vulnerability-intake pause, human-review stance, CVE-volume forecasts, Agentjacking, review-culture warnings, and CI/CD abuse detection.

This week in Open Source Funded: standards participation showed up as maintainer infrastructure; fellowship, fundraising, donation appeals, and public-sector programs put money behind open source work; NSF announced a secure open-source ecosystem funding program; CNCF described OCI credit-funded Arm64 testing work across cloud-native projects; OpenAI opened a Codex support program for maintainers; Sovereign Tech-backed work reached Scala documentation and LLVM BOLT security; Rust, PHP, FSF, Ruby Central, FreeBSD, and Chainguard updates put maintenance, sustainability, free-software advocacy, ecosystem security funding, vulnerability remediation, and AI-assisted vulnerability discovery in the foreground; NLnet began shifting from NGI Zero toward Open Internet Stack programs; AI document and data interoperability work and European technology-sovereignty planning continued; Supabase and PgDog raised funding around open-source Postgres infrastructure; TensorZero archived its open-source repository after promoting seed funding; Intel ended development of BigDL; Snapmaker set aside community funding for an open-source 3D-printer ecosystem; European office-suite sovereignty and provenance arguments continued as Nextcloud described open source’s move into geopolitics; Conda packaging terms raised licensing-surprise questions; Akka.NET, Unleash, Fossorial, and Snowplow highlighted downstream and commercial-license decisions; Bambuddy put Bambu Lab cloud dependence and AGPL compliance back in view; commercial investment flowed into ecosystem security and core infrastructure patching; organizations joined open source foundations, coalitions, patent communities, research consortia, and standards efforts; LF Energy expanded its open-source grid portfolio; RedMonk, Jens Oliver Meiert, Gnuxie, and the Civil Infrastructure Platform mapped commercial and long-term maintenance tradeoffs; Vim Classic launched as an AI-free editor fork; curl prepared to pause vulnerability intake for a month while restating its human-review stance; and AI-assisted security and coding tools kept turning vulnerability discovery, disclosure, CVE-volume forecasts, remediation, legal compliance, contribution policy, developer tooling, FFmpeg zero-days, CI/CD abuse detection, Agentjacking, agent-generated pull requests, review culture and bottlenecks, ad-supported tool extensions, platform capacity, and maintainer boundaries into open source governance questions.

Funding, standards, and governance

Sovereign Tech signed a memorandum of understanding with DIN, Germany’s national standards body, to build a network that helps open source maintainers participate in international standards work. The effort starts with a pilot cohort and funded coordination, framing standards participation as part of the support system maintainers need around widely used open source infrastructure (Sovereign Tech).

Sovereign Tech also announced its 2026 Fellowship cohort, expanding flexible support for 14 maintainers, community managers, and technical writers working on critical open source infrastructure across Rust, Python, security, sustainability, and community health (Sovereign Tech).

The Scala team described documentation and website work funded through Sovereign Tech investment, including standard-library Scaladoc improvements, compiler-checked examples, backlog reduction, and updated Scala 3 language references (Scala).

OSTIF reported completion of Sovereign Tech-supported security work on LLVM’s open-source BOLT binary optimizer, with Quarkslab extending compiler-flag coverage, implementing a custom scanner, and publishing documentation and an audit report (OSTIF).

The GNOME Foundation announced the first recipients of its new Fellowship program, funding longtime contributors Peter Eisenmann and Sophie Herold to begin GNOME work in July (GNOME Foundation).

The Django Software Foundation said it is raising its annual fundraising goal from $300,000 to $500,000 to sustain the Django Fellows program, maintain infrastructure and legal protections, support events and community grants, and work toward hiring an executive director (Django Software Foundation).

The Rust Foundation said the Rust Foundation Maintainer Fund RFC has been merged and that it will begin raising money dedicated to maintenance work such as review, triage, large-scale refactoring, and unblocking new features (Inside Rust).

The PHP Foundation said fundraising and sustainability are its most consequential 2026 operational priorities, with plans for sponsor research, revised benefits, a $40,000 fundraising initiative, cross-ecosystem funding work, and a $700,000-plus annual fundraising target (PHP Foundation).

The Free Software Foundation opened its summer appeal for associate members and donations, asking supporters to fund its advocacy, licensing, and community work for user freedom and free software (FSF).

The UK government announced an Open-Source AI Builder Fund with more than £500,000 worth of compute, or 160,000 GPU-hours, plus mentoring for teams turning open-source prototypes into public-service AI tools (GOV.UK).

OpenAI opened applications for Codex for Open Source, a program for maintainers of active, widely used open-source projects that offers selected maintainers six months of ChatGPT Pro, possible Codex Security access, and API credits for coding, review, automation, release, and core OSS work (OpenAI).

The U.S. National Science Foundation announced up to $40 million for Pathways to Enable Secure Open-Source Ecosystems, funding organizations that grow sustainable ecosystems around existing open-source products and improve security and privacy in those ecosystems (NSF).

CNCF said the Oracle Cloud Infrastructure credits pool is funding Arm64 CI and build work across cloud-native projects, giving maintainers compute support to improve multi-architecture testing and reduce infrastructure costs (CNCF).

NLnet said it is temporarily pausing most open calls while it reviews a decade of Next Generation Internet work and prepares three new Open Internet Stack programs after the summer. Ongoing projects continue, with only NGI Taler and NGI Fediversity pilot proposals accepted during the pause (NLnet).

eeNews Europe reported that the European Commission’s new technology-sovereignty package includes an EU Open Source Strategy, with measures for skills, start-ups, and stronger maintenance and security for critical open-source infrastructure alongside chips, cloud, AI, and energy digitalization plans (eeNews Europe). The Eclipse Foundation welcomed the European Commission communication, highlighting its open-source stewardship, maintenance and security, sustained funding, and procurement-reform provisions (Eclipse Foundation). Osborne Clarke analyzed the new strategy as a plan for open-source-first public procurement, an EU software catalogue, OSPO networking, grants for strategic projects, and maintenance and security support for critical open-source infrastructure (Osborne Clarke).

Inside Global Tech analyzed the European Commission’s proposed Cloud and AI Development Act, noting that it would codify an “open source first” principle for EU public bodies, require reusable public-sector software through an EU catalogue, and create an OSPO network aligned with the EU Open Source Strategy (Inside Global Tech).

Open Source Initiative connected recent G7 and European Union policy work to a broader shift in which open-source principles are moving into technology-sovereignty and AI-openness debates, while highlighting funding, security, and legislation as continuing policy priorities (OSI).

ECI Research profiled Google’s open-source strategy in the AI era, describing foundation-governed AI protocols, upstream security investment through OpenSSF Alpha-Omega, and guidance to respect maintainer policies on AI-generated contributions as open-source governance and sustainability pressures grow (Efficiently Connected).

RedMonk’s Stephen O’Grady mapped an open source maturity spectrum for vendors, from unavoidable consumption through contribution, foundation participation, and strategic embrace. The analysis frames open source as a distribution and community advantage that still forces hard tradeoffs around monetization, business models, and how deeply companies participate in the commons they depend on (RedMonk).

Jens Oliver Meiert argued that open-source maintenance sits on a spectrum shaped by project popularity, staffing, and funding, with maintainers and users both facing tradeoffs as projects add process to manage issue-reporting load (Jens Oliver Meiert).

Gnuxie argued that open source has long functioned as productive infrastructure for capital, challenging sustainability narratives that treat corporate free use as an aberration and tracing how funding, foundations, and maintainer labor are shaped by business demand rather than end-user freedom (Gnuxie).

The Civil Infrastructure Platform described how Renesas moved from consuming embedded Linux to collaborating through the Linux Foundation-hosted CIP project, arguing that industrial systems with 10- to 20-year lifecycles need shared long-term maintenance, upstreaming, and ecosystem participation rather than one-off vendor support (CIP).

LF AI & Data Foundation launched the DocLang Specification Working Group, backed by IBM, Red Hat, ABBYY, and others, to advance an open standard for AI-native documents that complements the open-source Docling project (Linux Foundation).

The Linux Foundation also launched the Databricks-contributed OpenSharing Project as a community-governed, vendor-neutral protocol for exchanging agent skills, AI models, and data across platforms, extending Delta Sharing and reducing reliance on proprietary marketplaces (Linux Foundation).

Broadcom announced new security investment for the Spring and Java ecosystem, including the largest set of Spring security updates released to open source in the project’s 23-year history, AI-assisted scanning and remediation, clean-room Java dependency builds, and day-zero CVE-only patches for commercial Tanzu Spring customers before open-source release (Broadcom).

Ruby Central announced an Alpha-Omega grant to fund Security Engineers in Residence for the Ruby open-source ecosystem, pairing embedded security review with a process that uses AI-assisted discovery only after human verification so maintainers receive actionable vulnerability reports rather than more low-quality security noise (Ruby Central).

FreeBSD launched an AI-Assisted Vulnerability Discovery Project with grant funding from the Linux Foundation-backed Alpha-Omega project to find and report vulnerabilities in FreeBSD and other open-source components, according to Phoronix (Phoronix).

Chainguard launched Athena, an industry coalition with BNY, Cisco, Cloudflare, Docker, JPMorganChase, PwC, and others to coordinate discovery, pre-embargo remediation, and patch publication for open-source vulnerabilities found by AI and security researchers. Chainguard said the program has already processed more than 20,000 findings and generated over 2,000 patches (Chainguard / Yahoo Finance).

Supabase raised $500 million in Series F funding at a $10.5 billion valuation, according to IT Brief, while the open-source Postgres platform previewed Multigres, an open-source scaling layer for Postgres, amid rapid developer adoption and AI-driven demand (IT Brief).

PgDog announced $5.5 million in funding from Basis Set, Y Combinator, Pioneer Fund, and other investors for its open-source Postgres proxy and connection pooler, while preparing an enterprise edition with SLA-backed support for AWS deployments (PgDog).

TensorZero’s Apache-2.0 LLMOps repository was archived and made read-only shortly after the project promoted a $7.3 million seed round to build an open-source stack for LLM applications (GitHub).

Intel is ending development of BigDL, an open-source AI/LLM software effort for running large language models across Intel XPUs, as part of broader open-source cutbacks, restructuring, and cost controls; users are being pointed toward OpenVINO and related alternatives (Phoronix).

Snapmaker launched a $150,000 Innovation Fund for the open-source U1 3D printer ecosystem, combining $50,000 in pre-selected sponsorships for open-source developers with a $100,000 global maker competition for hardware and software projects (VoxelMatters).

The Document Foundation criticized the Euro-Office initiative, arguing that the project does not live up to open source digital-sovereignty claims and may reinforce Microsoft’s ecosystem rather than strengthen community-governed alternatives such as LibreOffice (FOSS Force). ITPro also covered the foundation’s open letter, highlighting objections to Euro-Office’s digital-sovereignty claims, Microsoft OOXML defaults, and positioning against existing European open-source office-suite work (ITPro). In a follow-up, The Document Foundation welcomed Euro-Office’s attention to open standards while arguing that real digital sovereignty requires ODF as the suite’s native document format, not just an import/export option (The Document Foundation). Open Source For You also reported that Cybernews analysis found Euro-Office remains heavily dependent on Russian-origin OnlyOffice code despite its split, raising supply-chain, provenance, transparency, security, and digital-sovereignty questions around the fork (Open Source For You).

The Euro-Office debate also moved into product strategy: Computerworld reported that Nextcloud integrated Euro-Office into Nextcloud Hub, adding a second office-suite option alongside Collabora for customers seeking a European, AGPL-licensed, open-source workplace stack (Computerworld). Computerworld also interviewed Nextcloud CEO Frank Karlitschek about Euro-Office, digital sovereignty, and why governments and enterprises are treating open-source office software as strategic infrastructure rather than a niche technical choice (Computerworld).

PyDevTools explained that the BSD-licensed conda package manager remains free, while Anaconda’s default package repository carries commercial terms for organizations above 200 employees or contractors, including nonprofits and government agencies. The guidance urged organizations to switch to conda-forge or Miniforge if they want to avoid repository-licensing surprises (PyDevTools).

Petabridge explained why Akka.NET removed FluentAssertions as a transitive TestKit dependency after FluentAssertions moved from MIT licensing to a commercial model. The Akka.NET maintainers said the change keeps Akka.NET permissionless to use while still allowing users to add FluentAssertions directly if they choose (Petabridge).

Unleash said version 8 moves its primary GitHub repository and unleash-server npm package from Apache 2.0 to AGPLv3, while official Docker images and SDKs remain under permissive terms and SaaS providers modifying Unleash are directed to a commercial license (Unleash).

Fossorial’s Pangolin license page describes a commercial license for the open-source remote-access platform, saying licensed materials can supersede prior AGPLv3 terms, paid features require a license key, and commercial use above the personal tier requires an enterprise license (Pangolin).

Snowplow says it is moving new versions of core pipeline components and dbt models from Apache 2.0 to a source-available Limited Use License that allows source access, modification, and non-production or non-commercial use, but bars production deployment and competing SaaS or on-prem offerings unless users pay (Snowplow).

Hackaday covered Bambuddy, an open-source self-hosted alternative to Bambu Lab’s cloud printer services that uses LAN-only and developer modes to keep slicing, printing, and monitoring local. The project is framed as a response to Bambu’s cloud dependence, AGPLv3 compliance disputes, and heavy-handed legal behavior (Hackaday).

AI security and supply-chain pressure

Bruce Schneier criticized Anthropic’s Project Glasswing update, arguing that public claims about Mythos vulnerability-finding remain under-documented and that many reported software vulnerabilities have not been patched. The critique keeps the focus on the gap between AI-assisted discovery and the human, upstream, and disclosure processes needed to turn findings into repaired software (Schneier on Security).

SecurityWeek examined whether Anthropic’s Mythos and other AI vulnerability-finding systems could disrupt bug bounty economics and offensive security work, noting scans across thousands of open-source projects, AI-assisted report floods, changing bounty policies, and pressure for defenders to match machine-speed discovery with governance and remediation capacity (SecurityWeek). VulnCheck analyzed Anthropic’s public vulnerability disclosure ledger and found that only 1,596 of 23,019 candidates had reached maintainers so far, warning that AI-assisted discovery is creating new validation, coordination, and remediation pressure for open-source maintainers, PSIRTs, and security teams (VulnCheck).

Bishop Fox argued that AI-assisted vulnerability discovery is widening the gap between high-quality security research and low-quality automated reports, pointing to curl, Nextcloud, HackerOne, and Anthropic’s Mythos as evidence that open-source maintainers need verification harnesses and funding, not just more findings (Bishop Fox). BankInfoSecurity similarly reported that AI-assisted vulnerability research is increasing submissions across open-source and commercial bug bounty programs, while the Internet Bug Bounty pause and GitHub payout changes show continued pressure on funding, triage, and human validation (BankInfoSecurity).

Help Net Security reported that AI-assisted bug hunting is pushing 2026 CVE forecasts toward 66,000 disclosures, while urgent-patch ratios remain flat and maintainers face a race between faster AI-built exploits, patches, detection signatures, and validation work (Help Net Security).

curl maintainer Daniel Stenberg said the project will pause HackerOne and security-email vulnerability intake during July 2026 so maintainers can recover from months of unusually heavy report pressure. Paid support customers will still receive service, and the next curl release will move back two weeks (Daniel Stenberg). In a separate post, Stenberg said curl will remain human-led despite AI coding tools, with every merge requiring human review and ownership because long-term maintainability, project knowledge, and human communication matter more than faster code generation (Daniel Stenberg).

Anthropic reported that Claude Mythos Preview autonomously built working exploits from recent Firefox security patches and Windows kernel patches within hours, arguing that LLMs can sharply shrink the defender patch gap for both open-source and closed-source software (Anthropic). David A. Wheeler proposed creating a separate oss-security-vulnerability-reports mailing list for routine OSS vulnerability reports, warning that the expected flood of AI-generated and AI-assisted reports could make the main oss-security list unusable for human open-source security discussion (oss-security).

OpenSSL published a June 9 security advisory fixing 18 vulnerabilities, including a high-severity PKCS#7/S/MIME use-after-free that could lead to crashes, heap corruption, or remote code execution. Several issues were reported by Anthropic researchers or in collaboration with Claude, underscoring how AI-assisted vulnerability discovery is now landing directly on core open-source infrastructure maintainers (OpenSSL).

The Next Web reported that AISLE launched an on-premises AI vulnerability scanner after claiming to have found more than 225 CVEs, including 12 OpenSSL zero-days in January 2026. The pitch reinforces the same pressure point: faster automated discovery only helps if core projects have the validation, coordination, and remediation capacity to keep up (The Next Web).

Depthfirst said its production autonomous security agent found 21 zero-day vulnerabilities in FFmpeg, after recent Google and Anthropic AI-assisted scans of the widely deployed open-source media stack. The report includes reproducible proof-of-concept inputs, assigned CVEs, and exploitability analysis, again making remediation bandwidth as important as discovery speed (Depthfirst).

The Hacker News reported that CISA added CVE-2026-42271 in the open-source LiteLLM AI gateway to its Known Exploited Vulnerabilities catalog after active exploitation, with maintainers patching command-injection paths tied to MCP server preview endpoints (The Hacker News).

The Hacker News also reported active exploitation of CVE-2026-5027, a high-severity path-traversal flaw in the open-source Langflow low-code AI application platform that exposed thousands of instances to arbitrary file-write attacks and potential unauthenticated remote code execution (The Hacker News).

The Hacker News separately reported that three patched vulnerabilities in the open-source LangGraph AI-agent framework could be chained in self-hosted deployments to move from SQL injection to unsafe deserialization and remote code execution, keeping agent infrastructure in the security-governance spotlight (The Hacker News).

SafeDep examined how ordinary repository configuration files for tools including VS Code, Cursor, Claude Code, Gemini CLI, npm, Composer, and Bundler can execute attacker-controlled commands. The post uses the Miasma worm’s open source repository compromises to show how AI coding-agent and package-manager hooks can become supply-chain execution primitives when a developer clones or opens a repository (SafeDep).

The Hacker News reported on Tenet Security’s Agentjacking attack, where malicious Sentry error reports in the open-source monitoring platform can steer AI coding agents into running attacker-controlled commands on developer machines, exposing another workflow risk for agent-assisted software maintenance (The Hacker News).

Help Net Security reported on Elastic’s open-source CI/CD Abuse Detector, which uses Claude to flag suspicious workflow changes in GitHub Actions, GitLab CI, and Azure DevOps before stolen developer credentials can be used to harvest secrets from automation pipelines (Help Net Security).

Go To Agency analyzed Kickbacks.ai, an extension that replaces Claude Code’s spinner with auctioned ads and promises developers half the revenue, arguing that the monetization play echoes the npm terminal-ad backlash while adding supply-chain risk through bundle patching, weakened CSP, and unsigned auto-updates (Go To Agency).

StepSecurity reported that an attacker compromised a Pythagora co-founder’s GitHub account and force-pushed a Shai-Hulud credential-stealer payload into the 33,000-star open-source AI coding tool gpt-pilot. The payload was blocked twice by Ruff lint failures before disclosure, a reminder that routine project automation can be the last line of defense when maintainer accounts are compromised (StepSecurity).

Ars Technica reported that 73 Microsoft open source packages and repositories were hit by a self-replicating credential stealer designed to run when opened by an AI agent, marking another Miasma/Shai-Hulud-style compromise targeting developer credentials through open source workflows (Ars Technica). SecurityWeek separately reported that new Shai-Hulud variants named Miasma and Hades hit more than 100 packages across npm and PyPI, with credential-harvesting payloads, malicious package releases, and hundreds of identified artifacts across JavaScript, Python, bioinformatics, graph machine-learning, and MCP-themed packages (SecurityWeek).

The Register reported that repositories named Miasma-Open-Source-Release briefly published the Miasma supply-chain attack toolkit on GitHub, exposing code for attacks against PyPI, npm, RubyGems, Artifactory, GitHub Actions, AI coding-tool configs, and SSH lateral movement before GitHub removed the repositories (The Register).

IANS reported five critical zero-days in the open-source OpenClaw agentic AI platform that could let attackers impersonate trusted users across Telegram, Slack, Discord, and Microsoft Teams. Maintainers announced fixes enforcing ID-based matching after AI-driven analysis found recurring weaknesses, another example of agent frameworks becoming both open source infrastructure and a security-review target (IANS). The Hacker News also reported separate Imperva and Varonis research showing OpenClaw agents could be manipulated through hidden contact, vCard, location, email, and prompt-injection inputs to execute attacker-controlled actions or leak synthetic credentials and customer data (The Hacker News).

The Register reported that the open-source NanoClaw AI-agent framework integrated with JFrog’s vetted registries so agents can fetch packages from reviewed sources, while NanoCo also built a human-approved PR Factory to triage the surge of AI-generated contributions to the project (The Register).

LWN reported that an alleged rogue AI agent pestered Fedora and other upstream projects by reassigning bugs, posting fabricated replies, opening pull requests, and getting questionable code merged. Linuxiac separately reported that Fedora was investigating suspicious contributor-account activity tied to inaccurate, AI-like actions across Fedora Bugzilla and related upstream projects. The episode shows how autonomous tooling can create maintainer workload and trust problems even before a project reaches the licensing or security questions around AI-generated code (LWN; Linuxiac).

AI World reported that pull requests with AI agents such as Claude Code or Codex listed as co-authors rose from 2% to 10% across one million critical open-source repositories between October 2025 and May 2026, while maintainers face new review pressure from agent-written code, malicious attacks, and invalid bug reports (AI World). DevOps.com’s Thierry Carrez wrote that AI-generated code is already landing in OpenStack and other open-source projects, arguing that maintainers need secure operating practices, human review, provenance, and automated gates as generated patches increase (DevOps.com). GitHub said rapidly growing traffic from AI-assisted and agentic development workflows is driving infrastructure changes, while its May availability report detailed disruptions to pull requests, Actions, Copilot code review, and Copilot coding-agent sessions across the development platform (GitHub).

DoltHub said AI agents now file pull requests instead of traditional issues against the open-source Dolt database, prompting the maintainers to build a dashboard that tracks agent-reported problems, customer impact, and support workflow changes for a growing cyborg user base (DoltHub).

Laurie Voss argued that AI coding agents have collapsed the cost of producing plausible code while leaving human review as the bottleneck, citing research in which open-source maintainers said they would reject about half of agent-generated pull requests that passed automated benchmark checks (Laurie Voss).

InfoQ interviewed Kubernetes co-creator Craig McLuckie about AI coding tools’ impact on open-source communities, including maintainer fatigue from low-quality AI-generated pull requests, the need for stronger review culture, and how engineering teams should treat culture as an operating system (InfoQ).

Jqwik maintainer Johannes Link described the backlash after he added anti-AI-agent language to the open-source property-testing project’s logging output, tying the protest to unpaid maintenance, agent-driven use, GitHub issues, legal threats, and a Maven Central removal request (Johannes Link).

The Register argued that AI coding agents should be treated as software that reads untrusted project text and build artifacts, connecting jqwik’s anti-AI warnings with Shai-Hulud-style supply-chain attacks and the broader risk that bots can be manipulated by repository content (The Register).

GNOME developer Michael Catanzaro argued against blanket bans on AI-assisted issue reports, saying project policies should distinguish low-quality spam from useful translated or AI-assisted bug reports and focus on report quality rather than whether an LLM was involved (Michael Catanzaro).

Miguel Grinberg said he will no longer accept unsolicited pull requests on his open-source projects after a surge of LLM-generated drive-by contributions, arguing that maintainers are being pushed into unpaid review of machine-produced code they did not ask for (Miguel Grinberg).

Armin Ronacher argued that companies are reframing open access to devices, data, and AI systems as a safety threat, warning that open-source values are being stressed by AI-generated code, changing contributor dynamics, licensing limits, and platforms closing doors behind them (Armin Ronacher).

Seth Larson reported that PyCharm’s local Full Line Code Completion plugin suggested disabling urllib3 TLS warnings and certificate verification, using the case to examine whether insecure AI-generated coding suggestions should be treated as vulnerabilities and how vendors should handle disclosure (Seth Larson).

Taylor Wessing analyzed legal and compliance risks from AI-assisted programming in open-source contexts, using the Chardet AI-rewrite dispute and “copyleft laundering” concerns to argue for provenance tracking, license scanning, SBOM metadata, and explicit upstream contribution policies (Taylor Wessing).

InfoQ reported that two Oracle-backed open-source Java projects adopted opposite interim policies for generative-AI-created contributions: OpenJDK bans them for now, while GraalVM permits them with contributor disclosure and review requirements (InfoQ).

Slashdot reported on Vim Classic 8.3, a long-term-support fork of Vim maintained without generative AI tools after Drew DeVault objected to LLM-assisted development in Vim and Neovim. The fork puts editor maintenance in the same policy debate as bug reports, pull requests, and generated-code contribution rules (Slashdot).

Projects joining foundations and consortia

  • AWS joined the Edge AI Foundation as a Leadership Partner and board member, with commitments around secure cloud-to-edge reference architectures, open standards, developer education, and open-source edge AI initiatives — Edge AI Foundation
  • Aviatrix joined the Open Information Security Foundation as a consortium member and said it will contribute engineering resources, cloud-native Suricata rules, multicloud reference architectures, and performance work upstream while embedding Suricata in its cloud security platform — Aviatrix
  • A-Team Systems joined the Open Source Security Foundation, extending its Linux Foundation membership and backing OpenSSF work on software supply-chain security, vulnerability disclosure, SBOM tooling, developer best practices, security education, and secure production Linux and open source infrastructure — A-Team Systems
  • Hyundai Motor and Kia joined the Open Invention Network 2.0 community, extending the open source patent non-aggression network further into software-defined vehicles, connected car platforms, cloud services, robotics, and mobility technologies — Open Invention Network
  • Fraunhofer AISEC joined the OpenTitan coalition as an official security testing partner, adding independent evaluation, fault-injection, side-channel, and certification expertise to the open-source silicon root-of-trust project — lowRISC
  • Infosys joined the Eclipse Foundation’s Software Defined Vehicle Working Group, where it is contributing to Eclipse openDuT, Eclipse S-CORE, and other open standardized vehicle software foundations — Eclipse Foundation
  • adesso joined the Open Logistics Foundation, adding implementation and integration expertise for open-source logistics standards and code in areas such as track-and-trace, eCMR, and emissions-data exchange — adesso
  • LF Energy welcomed new members AZX, EcoPhi, and Empa; added AINETUS, URPX, and CUPID to its open-source energy portfolio; and advanced Power Grid Model to Early Adoption as utilities reported production deployments and performance gains — LF Energy
  • Google joined the Eclipse Foundation as a Strategic Member and said it will sponsor Open VSX, adding board and technical-advisory participation while supporting vendor-neutral infrastructure for AI-integrated developer tools, open-source security, and regulatory compliance work — Google Open Source Blog
  • TYPO3 Association joined the Eclipse Foundation-hosted Open Regulatory Compliance Working Group to collaborate with open-source foundations, vendors, researchers, and industry stakeholders on practical Cyber Resilience Act readiness for open-source stewards — TYPO3
  • Nxera Pharma joined the OpenFold AI Research Consortium, which develops open-source software tools for biology and drug discovery alongside supporting members including AWS, Microsoft, NVIDIA, Bristol Myers Squibb, Novo Nordisk, Bayer, and Roche — Manila Times / GlobeNewswire
  • COOCON joined the Linux Foundation’s Agentic AI Foundation as a Silver Member and said it plans to contribute account-verification, business-data API, payment-infrastructure, and MCP-based services for open-source agentic AI systems — Business Wire / Caledonian Record

Jobs

Foundations and core infrastructure

  • The Linux Foundation / OpenSSF — OSS-SIRT Engineer (Contract) (link) — Remote. Posted 2026-06-15.
  • Wikimedia Foundation — Sales Development Representative, Wikimedia Enterprise (link) — Remote. Posted 2026-06-11.
  • Eclipse Foundation — Intermediate SecOps Engineer (link) — Remote. Posted 2026-06-10.
  • Mozilla — Staff Operations Engineer (link) — Remote. Posted 2026-06-10.
  • Mozilla — Staff Operations Engineer (link) — Remote Germany. Posted 2026-06-10.
  • Mozilla — Staff Operations Engineer (link) — Remote Canada. Posted 2026-06-10.
  • Mozilla — Staff Operations Engineer (link) — Remote US. Posted 2026-06-10.
  • Wikimedia Foundation — Software Engineer III, Editing (link) — Remote. Posted 2026-06-10.

Community and developer relations

  • Temporal Technologies — Senior Developer Success Engineer - West (link) — United States - Remote Opportunity. Posted 2026-06-12.
  • Temporal Technologies — Principal Developer Advocate, AI (link) — San Francisco, CA. Posted 2026-06-11.
  • NetBird — Developer Relations Engineer (link) — Berlin. Posted 2026-06-11.
  • Metabase — Developer Advocate (link) — Remote US. Posted 2026-06-08.
  • Nabu Casa — Digital Marketing Manager (link) — Europe - Anywhere. Posted 2026-06-08.
  • Metabase — Product Marketer (link) — Remote US. Posted 2026-06-08.
  • Metabase — Demand Generation (link) — Remote US. Posted 2026-06-08.

Sustainability and commercial open source

  • Teleport — Senior Backend Engineer - Platform Security - UK (link) — United Kingdom (Remote). Posted 2026-06-15.
  • Acquia — Account Executive (link) — Remote, United States. Posted 2026-06-15.
  • GitLab — Manager, Public Sector Solutions Architects (link) — Remote, US. Posted 2026-06-15.
  • GitLab — Senior Solutions Architect, Financial Services (link) — Remote, US. Posted 2026-06-15.
  • Temporal Technologies — Account Executive, EMEA (link) — London, United Kingdom. Posted 2026-06-15.
  • Temporal Technologies — Business Development Representative, EMEA (link) — London, United Kingdom. Posted 2026-06-15.
  • Docker — ML Engineer (link) — Palo Alto, CA. Posted 2026-06-15.
  • n8n — Technical Account Manager (Remote Europe) (link) — Europe Remote; Berlin Office. Posted 2026-06-15.
  • n8n — Senior Product Manager (Enterprise) (link) — Europe Remote; Berlin Office. Posted 2026-06-15.
  • Temporal Technologies — Sales Manager, Business Development (link) — Atlanta, GA. Posted 2026-06-15.
  • ClickHouse — Commercial Account Executive - Benelux (link) — The Netherlands. Posted 2026-06-15.
  • ClickHouse — Commercial Account Executive - UK (link) — United Kingdom. Posted 2026-06-15.
  • Chainguard — Senior Software Engineer (Sustaining Automation) (link) — Canada - Remote; Europe - Remote; United States - Remote. Posted 2026-06-13.
  • Mattermost — Senior Account Manager - Americas Commercial (link) — United States. Posted 2026-06-13.
  • LiveKit — Staff Product Manager, Agent Observability (link) — Hybrid, San Francisco. Posted 2026-06-13.
  • Acquia — Staff AI Engineer (link) — Remote US. Posted 2026-06-12.
  • Akuity — Engineering Manager (link) — Remote, United States, Europe. Posted 2026-06-12.
  • Chainguard — Senior Product Security Engineer (link) — Canada - Remote. Posted 2026-06-12.
  • Chainguard — Senior Product Security Engineer (link) — United States - Remote. Posted 2026-06-12.
  • Chainguard — Senior Product Security Engineer (link) — United Kingdom - Remote. Posted 2026-06-12.
  • Chainguard — Senior Security Engineer (AI Platform) (link) — Canada - Remote. Posted 2026-06-12.
  • Chainguard — Senior Security Engineer (Cyber Resiliency) (link) — Canada - Remote. Posted 2026-06-12.
  • Chainguard — Senior Security Engineer (Cyber Resiliency) (link) — United States - Remote. Posted 2026-06-12.
  • ClickHouse — Solutions Architect (link) — San Francisco, CA. Posted 2026-06-12.
  • Temporal Technologies — Staff Solutions Architect, New Logo - East (link) — United States - Remote Opportunity. Posted 2026-06-12.
  • ClickHouse — Solutions Architect (link) — United States. Posted 2026-06-12.
  • Chainguard — Corporate Account Executive - East (link) — United States - Remote. Posted 2026-06-12.
  • Astronomer — Senior Solutions Architect - East Coast (link) — Remote United States. Posted 2026-06-12.
  • Coder — Senior Forward Deployed Engineer (North America) (link) — United States. Posted 2026-06-12.
  • n8n — Forward Deployed Engineering Lead (link) — Germany. Posted 2026-06-12.
  • n8n — Sr Cloud Engineer | Infrastructure & Application Development | Europe remote (link) — Europe Remote; Berlin Office. Posted 2026-06-12.
  • Docker — Account Executive, Corporate Sales (link) — United States. Posted 2026-06-12.
  • Collabora — Engineering People Lead - Fixed Term 12 Month Contract (Remote/Europe) (link) — Remote Europe. Posted 2026-06-12.
  • LangChain — Enterprise Account Executive (Florida) (link) — Tampa, Florida. Posted 2026-06-12.
  • LangChain — Enterprise Account Executive (Nashville) (link) — Nashville, Tennessee. Posted 2026-06-12.
  • Grafana Labs — Enterprise Account Executive, Growth | Tokyo, Japan (link) — Japan (Remote). Posted 2026-06-12.
  • Supabase — GTM Strategist (link) — Remote. Posted 2026-06-12.
  • LangChain — Sales Development Representative (link) — New York, NY. Posted 2026-06-12.
  • Astronomer — Sales Development Representative (link) — New York City. Posted 2026-06-12.
  • Docker — Senior Salesforce Developer (link) — Canada; United States. Posted 2026-06-12.
  • Docker — Staff ML Engineer (link) — Palo Alto, CA; Seattle, WA. Posted 2026-06-12.
  • Astronomer — Strategic Account Executive (link) — New York City. Posted 2026-06-12.
  • Mozilla — Firefox Security Student Worker (link) — Remote Germany. Posted 2026-06-11.
  • Mozilla — Privacy Student Worker (link) — Remote Germany. Posted 2026-06-11.
  • ClickHouse — Senior Consulting Engineer - AMER (link) — United States (Remote). Posted 2026-06-11.
  • Chainguard — Senior Software Engineer (Experience) (link) — United States - Remote. Posted 2026-06-11.
  • GitLab — Senior Solutions Architect (link) — Remote, Germany. Posted 2026-06-11.
  • Chainguard — Staff Software Engineer (Guarded Containers) (link) — United States - Remote. Posted 2026-06-11.
  • Mattermost — Lead Site Reliability Engineer (link) — United States. Posted 2026-06-11.
  • Mattermost — Forward Deployed Engineer (link) — United States. Posted 2026-06-11.
  • Grafana Labs — Senior Software Engineer - Observability Real User Monitoring (RUM) | US | Remote (link) — United States (Remote). Posted 2026-06-11.
  • Grafana Labs — Senior Software Engineer - Observability Real User Monitoring (RUM) | Canada | Remote (link) — Canada (Remote). Posted 2026-06-11.
  • Docker — Manager, Engineering, Secure Build (link) — Canada; United States (Remote). Posted 2026-06-11.
  • Teleport — Senior Backend Engineer - Platform Scalability - US (link) — United States (Remote). Posted 2026-06-11.
  • Teleport — Senior Backend Engineer - Platform Security - US (link) — United States (Remote). Posted 2026-06-11.
  • Supabase — Support Engineering Manager (APAC) (link) — APAC. Posted 2026-06-11.
  • Supabase — Associate Technical Partnership Development Manager (DevTools) (link) — AMER. Posted 2026-06-11.
  • NetBird — Open Source Engineer (link) — Berlin. Posted 2026-06-11.
  • NetBird — Strategy & Operations (Intern/ Working Student) (link) — Berlin. Posted 2026-06-11.
  • NetBird — Solutions Engineer (link) — Berlin. Posted 2026-06-11.
  • NetBird — Platform Engineer (link) — Berlin. Posted 2026-06-11.
  • NetBird — Software Engineer (Frontend) (link) — Berlin. Posted 2026-06-11.
  • NetBird — Technical Support Engineer (link) — Berlin. Posted 2026-06-11.
  • NetBird — Software Engineer (Mobile) (link) — Berlin. Posted 2026-06-11.
  • CloudLinux — Java Developer (remote, work anywhere) (link) — Warsaw, Poland (Remote). Posted 2026-06-11.
  • LangChain — Software Engineering Manager, AI Observability & Evals Platform (link) — New York, NY. Posted 2026-06-11.
  • Canonical — Channel Partner Sales Executive, UKI (link) — Home based - EMEA. Posted 2026-06-11.
  • Chainguard — AI Solutions Engineering - Software Engineer (link) — United States - Remote. Posted 2026-06-10.
  • Chainguard — Senior Software Engineer (Customer Platform) (link) — United States - Remote. Posted 2026-06-10.
  • ClickHouse — Commercial Account Executive (link) — San Francisco, CA. Posted 2026-06-10.
  • GitLab — Customer Success Manager, SEUR (link) — Remote, France; Remote, Spain. Posted 2026-06-10.
  • Grafana Labs — Senior Solutions Architect | Netherlands | Remote (link) — Netherlands (Remote). Posted 2026-06-10.
  • Grafana Labs — Senior Solutions Architect | Spain | Remote (link) — Spain (Remote). Posted 2026-06-10.
  • Grafana Labs — Senior Solutions Architect | UK | Remote (link) — United Kingdom (Remote). Posted 2026-06-10.
  • Tailscale — Solutions Engineer (Singapore) - Commercial (link) — Remote (Singapore). Posted 2026-06-10.
  • Docker — Business Development Representative (EMEA) (link) — EMEA. Posted 2026-06-10.
  • Docker — Staff Software Engineer, Docker Agents (London) (link) — London, UK. Posted 2026-06-10.
  • Nabu Casa — Supply Chain & Logistics Coordinator (link) — Europe - Anywhere. Posted 2026-06-10.
  • Percona — Service Delivery Manager (Remote) (link) — Remote. Posted 2026-06-10.
  • Redis — Principal Engineer – AI Search & Vector Infrastructure (link) — Remote. Posted 2026-06-10.
  • Redis — Technical Support Engineer (link) — Remote. Posted 2026-06-10.
  • LangChain — Senior Fullstack Engineer, Growth & Monetization (link) — New York, NY. Posted 2026-06-10.
  • PlanetScale — Software Engineer - Neki Orchestration (link) — San Francisco Bay Area or Remote. Posted 2026-06-10.
  • Redis — Customer Marketing Manager (link) — United States. Posted 2026-06-10.
  • Azul — Senior Software Engineer (C++) for JVM runtime (link) — Prague; Cyprus Remote; Limassol; Belgrade; Serbia Remote. Posted 2026-06-10.
  • Azul — Senior Software Engineer (Java) - Optimizer Hub (link) — Prague. Posted 2026-06-10.
  • Chainguard — Business Applications Administrator (Salesforce) (link) — United States - Remote. Posted 2026-06-10.
  • ClickHouse — Support Engineer - China (Alibaba Cloud Strategic Accounts) (link) — Mainland China (remote). Posted 2026-06-10.
  • ClickHouse — Senior Backend Engineer - ClickStack (link) — United Kingdom (remote). Posted 2026-06-10.
  • NetBird — Software Engineer (Networking) (link) — Berlin. Posted 2026-06-10.
  • NetBird — Engineering Manager (link) — Berlin. Posted 2026-06-10.
  • Mozilla — Staff Solutions Engineer (France), Firefox Enterprise (link) — Remote France. Posted 2026-06-09.
  • Mozilla — Staff Solutions Engineer (France), Firefox Enterprise (link) — Remote. Posted 2026-06-09.
  • Redis — C/C++ Software Engineer - Redis Flex - Bulgaria (link) — Bulgaria. Posted 2026-06-09.
  • Acquia — Key Account Manager (link) — Remote US. Posted 2026-06-09.
  • ClickHouse — Product Marketing, Industry Marketing (link) — The Netherlands. Posted 2026-06-09.
  • ClickHouse — Product Marketing, Industry Marketing (link) — United States. Posted 2026-06-09.
  • ClickHouse — Product Marketing, Postgres (link) — The Netherlands. Posted 2026-06-09.
  • ClickHouse — Product Marketing, Postgres (link) — United States. Posted 2026-06-09.
  • GitLab — Enterprise Account Executive - CIS (Russian Speaker) (link) — Remote, Netherlands. Posted 2026-06-09.
  • GitLab — Enterprise Account Executive - CIS (Russian Speaker) (link) — Remote, Germany. Posted 2026-06-09.
  • GitLab — Enterprise Account Executive - CIS (Russian Speaker) (link) — Remote, Ireland. Posted 2026-06-09.
  • GitLab — Senior Commercial Account Executive - CIS (Russian Speaker) (link) — Remote, Germany. Posted 2026-06-09.
  • GitLab — Senior Commercial Account Executive - CIS (Russian Speaker) (link) — Remote, Netherlands. Posted 2026-06-09.
  • GitLab — Senior Commercial Account Executive - CIS (Russian Speaker) (link) — Remote, Ireland. Posted 2026-06-09.
  • GitLab — Senior Solutions Architect, Microsoft SME (link) — Remote, North America. Posted 2026-06-09.
  • Grafana Labs — Staff Software Engineer - Platform, SysEng | Canada | Remote (link) — Canada (Remote). Posted 2026-06-09.
  • Grafana Labs — Staff Software Engineer - Platform, SysEng | USA | Remote (link) — United States (Remote). Posted 2026-06-09.
  • Mozilla — Senior Machine Learning Engineer, AI Platform (link) — Remote Canada. Posted 2026-06-09.
  • Mozilla — Senior Machine Learning Engineer, AI Platform (link) — Remote US. Posted 2026-06-09.
  • Temporal Technologies — Senior Software Engineer, Cloud Identity (link) — United States - Remote Opportunity. Posted 2026-06-09.
  • Airbyte — Enterprise Business Development Representative (link) — San Francisco. Posted 2026-06-09.
  • Docker — Senior Strategic Finance Analyst, GTM (link) — Canada. Posted 2026-06-09.
  • n8n — Enterprise Account Executive (link) — London Office. Posted 2026-06-09.
  • Chainguard — Senior Security Engineer (AI Platform) (link) — United States - Remote. Posted 2026-06-09.
  • Pulumi — Enterprise Account Executive - Tel Aviv (link) — Tel Aviv. Posted 2026-06-09.
  • Mozilla — Senior Site Reliability Engineer (link) — Remote. Posted 2026-06-08.
  • Mozilla — Senior Site Reliability Engineer (link) — Remote Canada. Posted 2026-06-08.
  • Mozilla — Senior Site Reliability Engineer (link) — Remote UK. Posted 2026-06-08.
  • Mozilla — Senior Site Reliability Engineer (link) — Remote US. Posted 2026-06-08.
  • Mozilla — Senior Software Engineer (Contract) (link) — Remote Germany. Posted 2026-06-08.
  • Docker — Staff Software Engineer, Infrastructure (link) — Canada. Posted 2026-06-08.
  • Canonical — Engineering Manager - Linux Hardware Enablement (link) — Home Based - Americas; Home Based - APAC; Home based - EMEA. Posted 2026-06-08.
  • Chainguard — Enterprise Account Executive - Montreal/Toronto (link) — Canada - Remote. Posted 2026-06-08.
  • Grafana Labs — Senior Observability Architect (link) — United States (Remote). Posted 2026-06-08.
  • Kitware — Software Engineer (link) — Carrboro, NC. Posted 2026-06-08.
  • NetBox Labs — Staff Product Manager, Core Apps (link) — US Remote. Posted 2026-06-08.
  • Coder — Senior Forward Deployed Engineer (London) (link) — London, UK. Posted 2026-06-08.
  • LiveKit — Billing Systems Engineer (link) — Remote, U.S. Posted 2026-06-08.
  • Docker — Director, Sales Enablement (link) — United States. Posted 2026-06-08.
  • n8n — Product Data Analyst (link) — Europe Remote. Posted 2026-06-08.
  • Black Duck Software — Software Engineer 4 (Golang) (link) — Bangalore, India. Posted 2026-06-15.
  • Black Duck Software — Software Engineer 3 (link) — Bangalore, India. Posted 2026-06-15.
  • Black Duck Software — Sales Engineer (link) — Tokyo, Japan. Posted 2026-06-12.
  • Endor Labs — Senior Backend Engineer (Golang) (link) — Bengaluru, India. Posted 2026-06-11.
  • European Tech Recruit — Software Engineer – Open Source Systems (link) — Cork, County Cork, Ireland (Hybrid). Posted 2026-06-11.
  • Sonatype — Customer Success Manager (link) — UK - Remote. Posted 2026-06-11.
  • Black Duck Software — Lead Enterprise Account Executive - Security - California (link) — San Francisco, CA. Posted 2026-06-10.
  • Black Duck Software — Pricing Strategist & Market Intelligence Manager (link) — Remote Canada; United States. Posted 2026-06-10.
  • Endor Labs — Enterprise Account Executive (link) — London, UK; United States. Posted 2026-06-10.
  • Mozilla — Lead Privacy Counsel, Infrastructure & Data Governance (link) — Remote US. Posted 2026-06-10.
  • Mozilla — Lead Privacy Counsel, Infrastructure & Data Governance (link) — Remote. Posted 2026-06-10.
  • Sonatype — Regional Vice President of Sales (RVP) – US East (link) — US East - Remote. Posted 2026-06-10.
  • LangChain — Security Compliance Analyst, Privacy (link) — San Francisco, CA. Posted 2026-06-10.
  • Black Duck Software — Lead Sales Planning Analyst (link) — Burlington, MA; Atlanta, GA; TX; NC; IL; OH; PA; MI; FL. Posted 2026-06-09.