The Ladybird team argues that substantial patches no longer reliably signal substantial contributor effort, because AI tools let anyone generate plausible-looking 600-line PRs in seconds while reviewers still pay the full cognitive cost. As they prepare to ship to real users, they've decided the asymmetry is unsustainable and are restricting outside involvement to bug reports only.
Frames Ladybird as the first marquee project to publicly exit the bazaar model and explicitly name AI-induced review load as the cause. Cites parallel pressure on Godot and Curl as evidence this is a regime change, not an isolated policy quirk.
Highlights the existential awkwardness of a policy that lets a contributor identify and even fix a bug, but forbids them from communicating the fix — forcing maintainers to independently re-derive a solution the reporter already has. Treats this as a self-defeating consequence of the new contribution rules.
Cites Godot being inundated with AI-generated PRs that violate the project's stated policy, and notes the disturbing part is that contributors keep submitting them even after being told to stop. Positions Ladybird's lockdown as one symptom of a broader collapse in the good-faith assumptions that made open contribution viable.
Ladybird, the from-scratch independent browser engine that has spent the last two years as the darling of the post-WebKit open-source crowd, just published the policy equivalent of a closed door. In a post titled *Changing How We Develop Ladybird*, the project announced that as it prepares to ship a browser to real end users, it will no longer accept code contributions through the public PR pipeline. Outside involvement is reduced to clear bug reports; if you also know how to fix the bug, project policy now says you must not tell them how.
The team's stated reasoning is blunt and, for an open-source manifesto, unusually candid about the economics of review. As they put it: *"A substantial patch used to imply substantial effort, and that effort was a reasonable proxy for good faith. That assumption no longer holds."* The implicit referent is obvious to anyone who has maintained a popular repo in the last twelve months. Generating a 600-line, plausibly-styled, half-working patch with a thorough-sounding description now costs a contributor roughly thirty seconds of wall-clock time and zero cognitive effort. Reviewing that patch still costs a maintainer an hour of their actual life.
The Hacker News thread (829 points at the time of writing) frames this as a regime change. One commenter notes that the Godot project has been hit by a surge of wholly AI-generated PRs that violate policy; the surprising part isn't that they exist, it's that contributors keep submitting them after being told not to. Another points out the existential awkwardness baked into Ladybird's new rule: "So I can find a bug, I can fix it, but I am not allowed to tell them how exactly I did it. Instead they have to re-figure it out."
Ladybird is the first marquee project to publicly exit the bazaar model and name AI-induced review load as the reason. Other projects have grumbled. Curl's Daniel Stenberg wrote about AI-generated security reports drowning his triage queue months ago. The Python security team has flagged similar patterns. But those were complaints from inside an open door. Ladybird is closing the door and writing the sign.
The Raymond framing is hard to avoid here. Eric Raymond's *The Cathedral and the Bazaar* argued in 1997 that open development beats closed development because "given enough eyeballs, all bugs are shallow." The cathedral was the old way: a small priesthood, careful releases, controlled contributions. The bazaar was Linux: chaotic, distributed, faster. The unspoken assumption underneath Raymond's essay was that the eyeballs were attached to humans whose time had nonzero opportunity cost. AI broke that assumption, and Ladybird is the first project of consequence to act on what that implies.
It also matters that this is a *browser*. Browsers are not Sublime Text plugins. A browser parses untrusted input from the entire internet inside the most attack-surface-rich runtime on a user's machine. A drive-by patch to a JavaScript engine that subtly miscompiles a bounds check is not a quirky bug — it is a remote code execution waiting to happen. Some of the harshest comments in the thread soften when this is mentioned. "If you grew up in the bazaar, moving to the cathedral might feel like the death of open source," one commenter writes, "even if it is really just a return to an earlier way of working."
The darker reading, and the one that landed hardest in the thread, comes from a commenter writing simply: *"Stuff like this makes me wish AI had never happened. An open-source project losing the ability to find and mentor new maintainers is so disappointing."* This is the second-order cost nobody has a clean answer to. The PR pipeline was never just a code intake mechanism — it was the audition stage for the next generation of maintainers. Andreas Kling himself, Ladybird's founder, came up through SerenityOS contributions before earning the trust to lead. Close the front door and you also close the apprenticeship.
If you maintain a popular open-source project, Ladybird just gave you political cover to do something you've been quietly considering. The pattern they've drawn — accept bug reports, reject unsolicited patches, hire a small in-house team — is now a publicly defensible posture rather than an admission of fatigue. Expect more projects to adopt some version of it over the next year. The ones most likely to follow: anything safety-critical (browsers, kernels, crypto), anything with a tiny maintainer-to-user ratio, and anything currently being slop-flooded.
If you contribute to open source, the calculus has shifted. The fastest way to get your patch merged into a serious project is no longer to send the patch. It is to build a reputation in adjacent surfaces — issue triage, reproductions, documentation, test cases — until a maintainer trusts your signal-to-noise ratio enough to give you write access. The economic logic of this is correct and also depressing: trust used to be earned through code, and code was a cheap proxy for thought. Now code is cheap and thought is what gates the gate.
If you're building developer tools, there's an opening here. The bottleneck in modern open source is no longer authoring code, it is verifying that submitted code is what it claims to be. The tooling layer between "unknown contributor submits patch" and "maintainer trusts the patch enough to read it" is essentially empty. Reputation systems, deterministic patch provenance, sandboxed semantic diffing of intent vs. implementation — pick one. The maintainer class is your customer and they are visibly desperate.
The interesting question is not whether other projects follow Ladybird. They will. The interesting question is whether anyone figures out how to keep the apprenticeship pipeline open when the front door is closed. The bazaar didn't only produce patches — it produced people who eventually ran cathedrals. If the next generation of browser engineers can't be discovered through pull requests, somebody has to invent the replacement before the current generation retires. Otherwise Ladybird's cathedral, and the ones that follow it, will be the last ones anyone knows how to build.
"A substantial patch used to imply substantial effort, and that effort was a reasonable proxy for good faith. That assumption no longer holds." I believe this is the key point the article makes and it's valid for most projects out there
On the one hand, if you grew up in the baazzar, moving to the cathedral might feel like the "death of open source" even if it is really just a return to an earlier way of working.On the other hand, while not accepting external code contributions will certainly improve their security postur
> There will not be a [..] process for submitting patches by [any] means> Outside involvement still matters: clear bug reportsSo I can find a bug, I can fix it, but I am not allowed to tell them how exactly I did it.Instead they have to re-figure it out. The team must be thrilled to re-do work
Stuff like this makes me wish AI had never happened.An open-source projects losing the ability to find and mentor new maintainers is so disappointing.
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
I've been looking a lot at Godot (another big open source project) PRs lately, and there's been kind of a surge of wholy ai-generated PRs (both code and description). This is agains project-policy, so people creating these PRs usually get mildly told off. What's surprising is that whi