aimode.news

Changes in Ladybird Development Methods

Today we are changing the way code enters the Ladybird project.

We are no longer accepting public pull requests. From now on, code changes to the Ladybird codebase will only be introduced by project maintainers.

Ladybird is taking things to a new level. As we work toward our first alpha release, the project will require a more rigorous development process, a clearer security model, and fewer people responsible for the code that goes into the browser.

This is not a change we make lightly. Over the years there have been many valuable contributions from outside the group of administrators, and we are grateful to them. Many of us get ideas through open source by sending patches to projects we're interested in.

For decades, code contributions have been a way for open source projects to learn who to trust. People would show up, do the work, take responsibility for their own change, and stick around. Over time, trust emerged from the work itself.

AI tools have very quickly transformed the economics of this sector. We use them every day, but pull requests don't tell us as much about the person submitting them as they used to. A significant patch used to imply significant effort, and that effort was a reasonable proxy for good faith. That assumption is no longer valid.

For browsers this is important. The browser executes untrusted input from the entire Internet on the user's computer, and all an attacker needs is a well-disguised vulnerability. We've already seen patient and resourceful campaigns in open source to gain administrators' trust and abuse it. What has changed is how quick and cheap it has become to produce work that appears to make a significant contribution.

At the same time, any change that comes into Ladybird becomes our responsibility. It needs to fit the architecture, survive future refactoring, interact correctly with the rest of the browser, and be understandable by the people who maintain it.

It doesn't matter whether you entered the code by hand or not. What matters is who is responsible once it gets into the browser. Ladybird is becoming a browser for real users. The person who introduces the change should be the one who decides that the change belongs in the project and who will be accountable for the results.

As part of this change, we will close all currently open public pull requests. We appreciate the effort people put in, but leaving existing queues open actually keeps the contribution path open. There is no perfect time to make these changes, so we are making them now. Going forward, pull requests are available only to project maintainers.

There is no separate process for submitting patches any other way. We do not want to create a shadow contribution system through issues, comments, emails or forks. Of course, external code may exist depending on the license terms, but we do not process forks or patch dumps into a review queue for upstream Ladybird.

Ladybird remains open source. The source code continues to be publicly available under an open source license. External engagement remains important. Clear bug reports, reductions, website testing, standards discussions, design discussions, security reports and technical feedback all help move the project forward.

This is the right change for Ladybird now. We're preparing to release the browser to real users, and our development process must live up to that responsibility.
