Open source web browser Ladybird, backed by Shopify and Cloudflare, has shut its GitHub doors to public pull requests – saying open source is being massively disrupted by the ease and scale of AI-generated contributions. 

Ladybird is an open source web browser for Linux written largely in C++ that markets itself as being completely free from the Google advertising empire. 

GitHub founder Chris Wanstrath started the Ladybird Browser Initiative to finance the project in 2024 alongside its creator Andreas Kling, because “every major browser engine is… funded by Google’s advertising empire”, Wanstrath said at the time.

Wanstrath donated $1 million of his own funds to build a new engine that’s “free from advertising’s influence”. 

The project was spun out of the experimental, Unix-like SerenityOS by the project’s founder Kling in June 2024, and has attracted over 1,200 contributors. But two years later, Ladybird is battening down the hatches.

“Going forward, pull requests will only be available to project maintainers. There will not be a separate process for submitting patches by other means. We do not want to create a shadow contribution system through issues, comments, email, or forks.” - Andreas Kling

The project (still being built) will no longer accept public pull requests to its GitHub repository – which has 62.3k stars and over 3,000 forks. 

Only a group of pre-vetted project maintainers will be able to touch the source code ahead of its alpha release scheduled for later this year. 

The project said AI has eroded the trust in public contributions and it needs to prioritise “a tighter development process, a clearer security model, and a smaller set of people responsible for the code” as it gets ready to “ship a browser to real users.”

AI killed the open community?

Kling said AI has changed the economics of open source, eroding the good faith bargain between time spent and code produced. 

“A substantial patch used to imply substantial effort, and that effort was a reasonable proxy for good faith. That assumption no longer holds.” 

He continued in an X post, “I don't believe "patches welcome" style development survives this for security-sensitive projects. (...) 

“This is really sad. It kills something that made open source magical for so many of us, myself included.”

Kling told the Tech for Tea podcast in March the project was moving over to Rust and creating a dual-language code base in part to stop unknown contributors dumping thousands of lines of C++ on the project’s maintainers.

He described AI as a code gun spraying indiscriminate bug-filled code. 

“It really feels like a safe language like Rust is something that helps alleviate some of the concerns that I have with the new world where everybody has the code gun.”

Protect the code

It’s not just lazy commits filled with bugs that project maintainers have to worry about: threat actors have been targeting the open source supply chain to harvest cloud secrets and inject backdoors into downstream systems.

In May, over 5,000 GitHub commits with malicious code were pushed in six hours using fake accounts and identities to inject GitHub Actions with a payload that siphoned cloud secrets and credentials from the CI environment. 

Kling’s official blog post explains this fear in more detail: “We have already seen patient, well-resourced campaigns in open source to earn maintainer trust and abuse it. What has changed is how much faster and cheaper it has become to produce work that looks like a serious contribution.”

For a browser running untrusted input on a user’s machine, the risk is now too high to continue to accept public commits, Kling writes in the blog.
