I hadn’t been to the Open Source Summit in a couple years, and boy was I in for a shift. It was a shift I expected, because AI/ML has taken over tech a big way, but experiencing it was a whole different thing.

I also don’t think I’ve every heard the word “human” said so many times in a week. It’s weird to talk like that.

This blog post isn’t meant to be anything shocking or insightful in the realm of AI. It’s more a brain dump checkpoint for me personally to share what working through the shift to AI tooling is like from where I’m sitting. The value you can get from this post may vary ;)

The first thing I’ll say that I’ve never seen a tech industry shift happen this fast, and having been in the industry for nearly 25 years I’ve worked through some major transformations. In the past 9 months I’ve seen multiple cases where a conference CFP being 6+ months before the conference causes a considerable change in the resulting presentation material, I’ve seen two talks change their titles from what was listed because tools and companies rose and fell in that time. Tech has always been an industry of continuous learning, and I love that, but today if you haven’t spent some time learning about AI in the past 6 months, you’re going to be blindsided by a whole slew of terms and concepts. You’ll likely find it hard to learn at conferences because there’s so much new foundational AI knowledge that’s assumed. Indeed, I like to think I’ve stayed fairly well-informed, and even I had to go back to my room in the evening and do some learning so I could properly absorb what I had been exposed to throughout the day, and be ready for the next day. My conference notes have a lot more “learn more about this” notes than usual.

Career-wise, this has already proven to be a difficult time for people in tech. Huge layoffs have hit major tech companies with AI given as a reason. Obviously, this is incredibly painful for folks who have a mortgage to pay, health care costs, and mouths to feed; suddenly the market has become unrecognizable and they can’t find a new job. That sucks. The core programming skills that coding boot camps were founded on as being a golden ticket to a high paying job in tech are rapidly being replaced by AI tools. We’re not there yet, I’ve been reviewing some very bad AI-generated code in the past few months as I touched upon in my blog post about CPOSC, but there is a fast-paced trend of improvements. If the rise of AI in programming turns out to be sustainable (capacity can be expanded and that it continues to be cost-effective), the need for straight up entry level programmers will continue to decrease, and we’ll need more folks with more advanced skills related to computer science and architecture. How do you get more advanced skills without learning programming basics first? I don’t know the answer to that, but there are a lot of smart people trying to figure it out.

I’m also aware of the fact that adoption of things like AI agents will actually take a while in most companies. I think back to the rise of configuration management, and in spite of all the benefits, the amount of work it would take to rebuild their systems with configuration management in place was simply not a priority (indeed, in most shops I saw it implemented slowly, and only with new systems that were brought up). Will this be the case for AI agents as well? I had more than a few conversations where developers were using AI-assisted coding tools, but having an infrastructure that supported using agents to automatically carry out tasks was nowhere close to their reality. There’s also the question of economies of scale. A massive tech company like Google may see the value of heavily investing in AI, but for a company with a tech department of a half dozen folks? Maybe it doesn’t sense any time soon. After all, using that Perl script we’ve always used is still faster than re-writing everything in Puppet, since our ten servers are unique pets (no cattle here!).

Coming back to open source, I’ve also been thinking a lot about the reason companies invest in open source software. At the core, it’s because… of the core. Core technology is what everyone uses and there’s no business advantage to it, so it makes sense to invest in them collectively. Kubernetes is not what makes money, Red Hat OpenShift and the ecosystem built on top of it is, so SUSE can also play that game with Rancher. Is there a future where that core technology is created by AI, and it’s good and cheap, so the need for open source collaboration is no longer “worth the trouble”? I hope not. And not just because my livelihood depends upon it. I’ve always believed that open collaboration on tooling across the tech industry has literally made the world better.

At the Open Source Summit the keynotes were AI-heavy, as was to be expected. Jim Zemlin had a lot of positive things to say about the role of open source software today at every layer of the AI stack, but acknowledged that the final layer is what is missing: data.

The open data community will always lag behind here, because those who hold private data will always have the open data plus their own. It seems like the question that’s being asked is whether a vast pool of open data can be “enough”, even if it’s not “better” than the private data. This is already being seen with AI models, the best ones are proprietary, but the open ones? Pretty good! Probably good enough for most of us! The statistic Jim shared was that open source models only lag proprietary ones by 3-6 months, whereas the gap was measured in years back in 2022. The concern with data is that the desire for open data is arguably in direct competition with privacy and the ability for us to keep our servers running. What happens when you’re running a webserver and 80% of the traffic is bots collecting data rather than serving your customers? You get that bill, and that bill is getting larger. This leads to an inclination for organizations to pull back what they share, and put more and more behind paywalls and proxy services, or in apps that aren’t on the web. Still, the Linux Foundation still believes we’re in a world where the problem is not lack of data, but lack of coordination to collect and curate these data sources. Maybe.

Open source contributions were also a big topic. Speaking personally from a tiny, niche project I run, things have clearly changed. Until 2026, every contribution was from someone we personally engaged with in some way. This year we’ve received multiple small patches that have zero contextual awareness of the project, but fix common errors in code (cool, thanks!). My current core developer has pulled back on self-assigning issues when he creates them because we’ve started to see new contributors just show up and start working on them. That has never happened before. And are they AI-assisted? Definitely. In some ways this is great. A major change landed this week that would have taken us months to do without it. We’ve gotten lucky so far, that particular change had a clever developer behind it who was willing to engage with us through a month of back and forth with fixes and improvements, and he actually understood the code that was submitted. We can’t always bet on that, and that erodes trust. My default reaction to new contributors used to be elation, now it’s turning to apprehension. I hate that. We have drive-by contributors who will never use or care about the project, so their motivations aren’t driven by usage or focused on holistic improvements, but done in order to fill up their GitHub contributions graph. Some of this has always been this way, not everyone who contributes becomes part of a project in a real way, and some of these are changes that can improve the project! But it feels like the community element that drives lifelong open source contributors like myself to maintaining a project is slipping away. As someone whose closest and longest friendships have predominantly come from shared involvement and values related to open source, this is very sad for me.

See? I told you this blog post was personal. I’m getting all mushy when you expect me to only care about the code and what’s technically best for the project. But I’m human and me caring about community is what’s best for the project. That thrill of welcoming a new contributor and the connection we build as they move up through their career is what gets me through long nights, difficult decisions, and burnout, so I can continue being an effective contributor.

Another major topic of discussion at the summit related to AI was security. There have always been solid security teams for major open source projects, but the levels to which they were funded at and the tooling available have been less impressive. And smaller projects? Honestly, very little attention paid to security. This has started changing, but we’re not where we need to be, because the vulnerability landscape is changing much, much faster. By most estimates, the number of CVEs in 2026 is expected to exceed 50,000 for the first time. With AI-assisted scanning, it’s simple and cheap to find vulnerabilities in every single piece of open source code out there. So that little project on GitHub that had security through obscurity before? Not anymore. My little tool doesn’t just have bugs being identified and reported by AI tooling, it has security problems that are being identified and reported (or just exploited!).

There’s good work happening here though. The Open Source Security Foundation (OpenSSF) is leading the way on the foundation side, and continuously coming out with new tools to help projects (now they just need to adopt them, me included!). One of the talks I went to at the Open Source Summit was a really helpful project overview of projects within the OpenSSF. I took notes to look into incorporating Allstar and to revisit SLSA tooling (it’s been a while).

Projects like OSS-CRS are also great to see, even if I expect the industry to play a much bigger role in this kind of vulnerability scanning and remediation. For my employer’s part, IBM joined Project Glasswing, but more importantly announced a $5B investment in our own Project Lightwell. I’m really proud this, it’s what industry should be doing.

So, overall, how am I feeling?

Unsettled. Scared. AI has the power to be an existential threat, and at the very least it will transform computer-based work over the next decade, and people will lose their livelihood over it. A lot of them. I can’t stress enough how serious this is in the United States where we are seeing support structures being dismantled when they should be built up to prepare for this future. I am deeply concerned about what this means for our society, and my own family.

I’m also excited. Remember how I like technology? I do, I do! I have dozens of projects in my head that I’ve never done because I don’t have that much hobby time. AI-assisted tooling has already helped me start tackling some of that. I had several very fun conversations with folks at the summit around personal projects that ranged from useful to ridiculous that we’re having fun with because we can suddenly cut out six weeks of coding time from the equation and knock out a prototype in a weekend. It’s probably a bad prototype, but maybe it’s functional enough for personal use, and it simply wouldn’t exist otherwise. It’s also an exciting time for non-programmers who can now get computers to do innovative and new things they want them to do by simply speaking to them, a goal which has been worked on at least since Grace Hopper wrote FLOW-MATIC in 1955. AI is removing the barriers that have kept the full potential of computing in the realm of technologists, and that’s a good thing.

At the end of the day, we’re not going back. Even if the recent push-back of building data centers succeeds in a big way and capacity is limited, we’ll write better models and find ways to squeeze more computing power out of reduced resources. Things probably won’t continue to grow exponentially, but AI is here, and I see no benefit in fundamentally resisting it. Let’s keep an eye on privacy and safety though, shall we?