I learn by doing, and this was one of those times

In recent CHAOSS AI Alignment Working Group and in Open Future meetups, we've been talking about openness, and what it means for AI to be aligned with human intentions, specifically as it relates to honoring the work and intention of open source over the decades. Mulling this over is why I wrote about the 'Open Source AI and the two contracts'; I (like many) are concerned about the widening divide between serving humans and power/profit. I also wrote more recently about the need for open data in the AI definition, which makes so much sense on the surface as an open advocate, but I realized that having an opinion (and even deep experience with openness) isn't enough in this moment.

What seems most lacking is helping average users practically understand AI's output in the context of human values, and giving them the ability to change or challenge what they see. To be actually open. I also want to better understand the resistance to open source + open data in AI, and to clarify for myself which is grounded in safety, and which is in service of profit.

What I built

My use-case was focused on licence obligations, and I built a local app that takes a code snippet, searches open source AI training data for license information, and flags mismatches with the intended license of a project. It runs on only open source, open data, open models. This is the sort of functionality (in theory) that would help an open source maintainer - flag license, or AI generated code (in a PR for example).

What I learned..

It's easy enough to put together an open-source AI stack, but you must clearly define what you mean by 'open'

I got a working app running locally. In addition to my own research and skillset, I used Claude, a closed-source AI, to help me research the stack and write code. I'll share some prompting tips I learned along the way. For example, Claude will instantly reach for Llama and other "open" solutions if you are not specific. Open washing is in the training data, so AI assistants repeat it.

A prompting tip: When asking AI assistants to recommend an open source AI stack, be specific. A prompt like "recommend an open source LLM" will get you Llama (custom restrictive license), Mistral (Apache 2.0 weights but closed training data), and other models that aren't fully open. Try instead: "Recommend an LLM where the model weights, training code, training data, and training recipes are all published under permissive open source licenses (Apache 2.0, MIT, ODC-BY). I need to be able to inspect and search the training data. Do not recommend models where the training data is undisclosed or the license restricts commercial use.

I did spend a fair bit of time reviewing each technology selection however, before going with it - and iterated on a few models, and datasets before choosing :

• OLMo 2 1B Instruct (Allen AI): open model, open weights and code, Apache 2.0. Not their newest version, but that wasn't important for learning (Apache 2.0)
• Dolma: the training data the model learned from (3 trillion tokens), also open, searchable via the infini-gram API (ODC-BY)
• HuggingFace Transformers (Apache 2.0)
• infini-gram API: (MIT license) a search engine that indexes Dolma for exact phrase matching. This is what my app uses to search the training data. It powers Allen AI's OLMoTrace (Apache 2.0), a more advanced tool that traces model outputs back to training documents verbatim.

The UI was meant to help test 'view source' as a user experience without much effort.

• Gradio for the UI. I like it because it's easy to test on HuggingFace Spaces, though I didn't publish this time around. Gradio is open source. (Apache 2.0)
• An editable example bank (JSONL file) that guides licensing classification
• A "Contribute Upstream" tab for cases of mismatch or incorrect license

Working locally means tradeoffs: smaller model, slower inference. But it ran on my modest laptop with 16GB RAM, and it was more than enough to learn from.

An open dataset can be a curation of other open datasets; this makes tracing source harder

I assumed Dolma was a single dataset. Turns out it's assembled from Common Crawl, The Stack (permissively licensed code from GitHub, which I didn't know existed before this project), C4, Reddit, Wikipedia, peS2o (academic papers), and Project Gutenberg (public domain books). Each has its own licensing terms. "Open" has layers.

Allen AI's contribution is the cleaning pipeline: PII removal, deduplication, quality and toxicity filtering, license checks on code, language detection. They document the entire process openly. This reminded me of what we used to say about normalizing databases and indexing to make queries faster.

A prompting tip: When you find an open dataset, don't assume you understand what's in it. Ask: "What datasets were used to create [dataset name]? For each one, tell me who maintains it, what kind of content it contains, what license it uses, and link me to its documentation." Then follow up: "Which of these sub-datasets contain code? Which contain content scraped from the web? Are there any licensing conflicts between them?"

How I discovered this: I expected popular code like React to have thousands of hits in the training data, since it exists in so many repositories. But during data curation, deduplication collapses near-identical copies down to a handful (68). So the count is low, and the few surviving copies may not be the ones that had the license header attached. I discovered this trying to understand why my search results weren't matching my expectations.

Deduplication can separate code from its license, and that gap is hard to detect

Deduplication removed roughly 40% of code files in The Stack, keeping one copy out of many near-identical versions. License detection was only available for 12% of repositories; the rest relied on automated guessing which the BigCode team acknowledged had errors (source). A modified fork with different variable names or reordered functions won't match as an exact phrase, but might carry the same license obligations. And even when code is found, the LICENSE file or copyright header may not be in the same document. So a search might find the code but not the license.

For now, this kind of analysis is a forensic signal, not a verdict.

Deduplication removed roughly 40% of code files in The Stack, keeping one copy out of many near-identical versions. The surviving copy may not be the one with the license header. And license detection was only available for 12% of repositories; the rest relied on automated guessing, which the https://huggingface.co/datasets/bigcode/the-stack

An editable example bank lets you steer the model at runtime, no retraining needed

This was the part that felt most like "view source" to me. The app has a JSONL file, one labeled example per line, that gets injected into the model's prompt before each classification. I filled mine with known license patterns: MIT headers, Apache headers, GPL markers, signatures from popular libraries.

A prompting tip: When building an example bank for few-shot prompting, ask your AI assistant: "I want to create a JSONL example bank to guide an LLM doing [your task]. For each example, I need a text sample, a label, a source attribution, and a note explaining why this example teaches the model something useful. Give me 10 seed examples that cover the most common cases and the trickiest edge cases. Format as one JSON object per line." Then review every example yourself. The whole point of an example bank is that a human curated it. If you let the AI generate it unchecked, you've just automated your own blind spots.

No weights change. It's transparent, auditable, version-controllable, and instantly reversible. I could see exactly what was guiding the model's decisions, and change it. Coming up with the use case of licenses helped me think more deeply about what I actually want to know about data behind interactions with AI.

(Some) safety, security fears associated with open source AI are valid

Last year at a Linux Foundation Members Summit, someone angrily declared "view source for AI" a dangerous statement - which felt drastic at the time, stuck in my head as something to understand. He had probably read something like this:

"I think the open-source movement has an important role in AI. With a technology that brings so many new capabilities, it's important that no single entity acts as a gatekeeper to the technology's use. However, as things stand today, unsecured AI poses an enormous risk that we are not yet able to contain." - Open-Source AI Is Uniquely Dangerous 2025

Training data may contain real code from real repositories, and sometimes that includes API keys, credentials, or proprietary code that slipped through filtering. Especially as AI starts writing code, that chance may get higher. A tool that makes training data searchable makes all of that more findable too. And the example bank that lets me teach the model about license patterns? The same mechanism could teach it to misidentify them, calling GPL code "MIT," or flagging permissive code as restricted. The barrier to doing this is almost zero.

Last week, Anthropic was blacklisted after refusing to remove safeguards against mass surveillance and autonomous weapons. The principle is the same as my little example bank: whoever controls what shapes the model's behavior controls what it considers acceptable. At my scale, that's a text file on my laptop. At national scale - well, you know...

“We need to ensure America has leading open models founded on American values.” (White House AI action plan)

I don't just want to view source. I want to view the prompt that shaped it

Searching training data for exact matches was the easy part. The hard part was understanding what I was looking at. A code snippet in a PR (as a possible use case) might be assembled from multiple training examples: a function signature from one source, error handling from another, variable names from a third. I heard the term "melted code" recently to describe AI output that blends sources until you can't trace any single origin.

My tool can tell you whether a phrase exists in the training data. Whether the model actually used that specific example to generate the code is a much harder question, and still unsolved.

This is the gap between "view source" and data provenance. I can see ingredients. I can't yet see the recipe. The Cyber Resilience Act (CRA) may eventually force investment in tools that close this gap, but right now, we're early.

Contributing upstream is encouraged but hard to do meaningfully, yet

My app has a tab that links to Allen AI's repos for filing issues. The idea: if you find a license mismatch or missing attribution, contribute that finding back. Something like: "I searched a PR snippet, found it in Dolma, and here are the specific phrases and documents that matched, but the license context is missing."

Disclaimer : this is just a test project, I am not recommending using my app to generate meaningful information to send these reports, but rather pro typing what contribution may look like for non-developers.

In practice, I didn't find a path where my individual findings could clearly improve either the model or the dataset. The contribution mechanisms exist (GitHub issues, open training recipes) but meaningful data improvement requires coordinated effort, not one-off reports. That's an ecosystem problem. Still, it's worth thinking about the value exchange to the open projects we use. We would also want to avoid our contributions sounding like AI slop, which is something like what this project might help solve.

A prompting tip: Ask: "For [model name], where can I report issues with the training data? Give me the specific GitHub repositories for the model, the training data, the data pipeline, and the post-training/instruction tuning. For each one, tell me what kind of issues are appropriate to file there, and link me to any CONTRIBUTING.md or issue templates." Then follow up: "What format should a good training data issue take? What information would the maintainers need from me to act on it?"

The cognitive load means agents, and agents mean thinking about people first

"AI-assisted development inverts this relationship. A junior engineer can now generate code faster than a senior engineer can critically audit it." - Cognitive Debt, When Velocity Exceeds Comprehension

Everything I did in this project was manual: paste a snippet, read the results, decide whether to flag it. That's fine for learning, but it doesn't scale, my brain while good at multi-tasking - cannot scale. My next experiment is building an agent that does this continuously: watches incoming code, checks it against open training data, flags license issues, and drafts upstream contributions, with a human governing the process.

But agents raise their own questions. Who reviews the agent's decisions? Who edits its example bank,? What permissions do we allow? We need to think about people in systems design like this. Automation without governance just moves the trust problem somewhere harder to see.

View source but faster.

Governance is the real infrastructure we need

Creative Commons published a piece this week called "AI's Infrastructure Era" that captures the work ahead. They argue that governance needs to move from principles to infrastructure, and that openness and guardrails aren't opposites. Responsible governance is what makes open systems sustainable.

We believe that the path forward is not enclosure. It is stewardship. Governance mechanisms, interoperability standards, and access frameworks will determine who participates in the AI ecosystem and who does not. If we want AI systems that reflect diverse knowledge and lived realities, we must build the infrastructure that makes responsible openness durable. - Creative Commons, AI's Infrastructure Era

Last word...

More people need a seat at the table. There is no shortage of organizations stating bold and inspiring claims and work-to-be-done around open source AI, but community influence on AI governance remains very hard to discover; everyone is focused on developer-eyes, but we need to invite educators, scientists, librarians, students - USERS.

The early web's transparency came from millions of people right-clicking "View Source" and learning how things worked. AI needs that same democratization of understanding before we can have meaningful democratic governance. Building this project was my attempt at right-clicking. My early sense, and it is early, is that the absence of open data in AI is less about deliberate privacy (although certainly true in some) and more about unknown risks, convenience, and cognitive load.

Hopefully sharing this is valuable to folks thinking about how to invite participation and teach openness in this new era.

I am underemployed since my layoff at Microsoft last year, and open to contracts exploring these and other topics. Please reach if you think we should work together!

One of the motivations behind Open Source Wishlist was promote the knowledge that: We know how to fix MOST sustainability issues in open source. There's not a lot of mystery, communities like CHAOSS, Kubernetes, Rust, Drupal, CNCF, Porter have built a ton of stuff - all openly available.

The challenge is, that we want maintainers and other volunteers to achieve those goals. Paying the maintainer will help, but extended that to additionally pay other, skilled people to deliver on these levers of sustainability is key. That could be funding a core contributor's time - or contracting specialized consultant like those in our Practitioner Community. "Think OSPO for the rest of us."

The knowledge exists, the experts exist but people must be paid; maintainers must be given support and not just more tasks to fix.

These playbooks include outcomes for sustainability, focused on known levers and based on formal-requests by maintainers for help. They provide resources, and most importantly a rubric to rate outcomes. These are Open Educational Resources (OER) that anyone can take, work with and contribute to.

• Succession Planning : Solve the solo-maintainer problem by setting up for inclusive leadership, making visible the opportunity to lead, and grow through leadership contribution.
• Funding Strategy: Setup for success through research, documentation and provided means for funding
• AI Consent Framework: Make consent part of community engagement, healthy communities require this now.
• Moderation Strategy: Many burnout situations begin and end with effective moderation strategies.
• Project and Community Governance: Governance sets projects up for many aspects of success, including trusted distribution of funds to contributors.
• CRA Compliance: Based on the most recent checklist of responsiblities.
• Developer Relations Strategy: Many maintainers need help, but lack the time to do setup for success with those they most need to join and contribute. Help them.

....Or how do we stop the impending 'finger pointing shit show'

This is truly a 'note' of Emma's notes', maybe I'll rephrase this later (by the way I use dashes in my writing, not em-dashes, but dashes, its me not AI)

I have attended a lot of sessions on WHY the OSI AI 1.0 definition allows data to be described instead of open; I deeply respect a lot of people who have been involved in that decision - and understand some of the tension (health care data etc), and the proposal to think of it as a stack, rather than one thing - but in a world where AI is literally taking over - having no true accountability for sources it's already becoming a shit show.

Just this morning, I opened my computer to two different examples - both in the open source world (canary in coal mine?). First, the challenge about the origins of a GitHub process chart (shared in CHAOSS #wg-ai-alignment WG)

Microsoft uses plagiarized AI slop flowchart to explain how Github works, removes it after original creator calls it out: ‘Careless, blatantly amateuristic, and lacking any ambition, to put it gently’

The official Introduction to Github page included an AI-generated graphic with the phrase “continvoucly morged” on it, among other mistakes.

PC GamerWes Fenlon

Second (and sadly I had to download Threads to see this), finger pointing about origins of a marketing phrases.

A lot of very smart people have been vocal about open data needing to be part of Open Source AI definition , and I am late to the push there - but I cannot see how this will get better without people (being influenced to) starting to build, share and use systems that have transparent data and attribute sources.

It doesn't even seem (correct me if I am wrong) that people are embracing open source AI as an opportunity to do better by humans; its hard to find a lot of research on that (although there is some), just a hunch and observing the marketing push primarily in service of profit.

We spent so MUCH TIME in open source/open access/open science/open education teaching and advocating for attribution and licensing, because it matters - not because it was a nice thing to do, its because given the opportunity, people will appropriate, misattribute and feel rushed (especially with the push to be fast right now) to hide sources as a defense to accountability.

Or maybe I am missing something.

The language of openness is everywhere in AI right now. As someone who has spent a long time in open source, open education, open government, and open data, it is increasingly noticeable that the words, and the technology output, are in service of profit and power - losing the origins of human intention and value. Business and community values have always co-existed, but I observe that division getting much, much wider.

I have been paying close attention.

I listen with a lens of someone deeply experienced in context-switching to bring businesses together with community. For example, when I am speaking to community, to humans - I speak about the mechanisms for empowerment that allow their success in open communities (career, justice, safety, control, privacy ); this is also where I am most comfortable.

When I speak to businesses, groups of funders, or others (AKA humans with OKRs) I switch to speak about innovation, cost reduction, risk mitigation, hiring pipelines, brand-value etc. I am less comfortable in this space, but I know that the outcomes can still help humans and thus I have gotten quite good at it.

You might say, that it goes beyond context - that there have always been two different 'contracts' required to sustain and grow open source - one being for humans, and the other business.

While complimentary in some ways, there's always been friction between business contracts, and human contracts - we saw the Ethical Source license rise as part of that tension. Its also not uncommon to hear 'FOSS purists' as a dismissal of attempts to align technology as a contract with humans, and not profit.

I observe that the gap between these two contracts is widening to a point that we are witnessing a rupture. Recent moments brought this into focus for me.

“Doubtless some of you are affronted by my modest use of an LLM. You think that LLMs are “fruits of the poisoned tree” and must be eschewed because they are saturated with the sin of their origins. I think this is a very bad take, the kind of rathole that purity culture always ends up in.”

- Corey Doctorow on his usage of an LLM for his writing (6 years of Pluralistic)

He uses a so-called “open source LLM” and that’s very much how he presents his values but open-source LLMs do not really exist. You can download some weights but cannot understand what went into them or really change or reproduce them. Open source AI is just marketing and openwashing. Acting Ethically in an Imperfect Word, tante who later posted an Olive-branch update.

Corey, has built his esteemed career as a critic of technology, and yet - when criticism applies to his own business contract, he seed to find it a little harder. That's because , for him, context has switched - it's about his livelihood and reputation. There's nothing inherently wrong with caring about your livelihood, - but human need for openness and transparency is a feature not a flaw.

Prof. Emily M. Bender described more clearly how Corey could have averted both is own reaction (and those of others) by describing what LLM he was using (and thereby teaching others) how to use Data Statements to pivot back to the human contract.

There's a lot of great work like this 'out there' but still very difficult to pull together in the moment, I get that too. It also need to be easier.

Another example (though not specifically about openness + AI, includes anything open that Open AI builds), was this statement from CEO Sam Altman, who is clearly not focused on the human contract (environment):

"People talk about how much energy it takes to train an AI model, relative to how much it costs a human to do one inference query. But it also takes a lot of energy to train a human," he said during a Q&A session hosted by The Indian Express. "It takes like 20 years of life and all of the food you eat during that time before you get smart."

More subtle, is the article from Mozilla's CTO Raffi Krikorian making the case for open source AI as the path to national sovereignty. A serious argument, genuinely important to the human contract on some level. I got stuck on this statement however:

Mozilla is building a program that "leverages the open-source community to build at real scale and speed - AI sovereignty won’t come from renting Big Tech’s models, Raffi Krikorian, CTO, Mozilla

The means by which scale gets achieved ]is by 'leveraging' the community; described as a monolith available - with open source AI we know that the community is not a given; there has to be a contract and it must have equal mention .

Other more alarming definitions like this from the White House, is arguably not a human contract. Without the structures of trust we'e built over the years - with bots maintaining projects - like, yikes how easy will this actually be?

“We need to ensure America has leading open models founded on American values.” (White House AI action plan)

If we want to know whether open source AI is actually operating under the human contract 1) that reflects intention, honors labor, respects the environment, and can be trusted 2) we can't wait for it to emerge on its own. Trust in open source is built deliberately, through inclusive leadership, codes of conduct, governance, contribution guidelines, licenses - trust. That infrastructure didn't happen because people hoped for the best. It happened because communities decided to be intentional about what their contracts required.

We need that same intentionality now, before the business contract becomes the only one anyone is building for.

Want to talk about this? Join the March 13th, Open Source Practitioners Community Call : "How do we keep the human contract in open source?"

We are also working on this problem space with the AI Alignment in OSS, CHAOSS Working Group.

...and why I am moving Open Source Wishlist under this focus.

Open Source Wishlist is something I wish existed when I led Microsoft's FOSS Fund. It has been a creative opportunity to demonstrate to the ecosystem how we can solve multiple sustainability problems at once through standardization, visibility, communication, paid labor and recognition. Building it has been an amazing, cathartic experience, but it's time to transition it underneath a bigger picture of advocating for an "open future."

I am transitioning it under a bigger focus of Open Future, where I will continue to build community infrastructure to advance conversations. Shining light on efforts that might not otherwise be happening inside for-profit product and corporate spaces; to connect on efforts and outcomes that matter for people.

Why this shift?

Building an end-to-end program for sustainability is incredibly hard without funding, or a salary, even with the most optimism I can put forward.

That said OSS Wishlist was never intended to be an income supplement for me or a product, but rather as proof of concept that: it's not actually that difficult to solve many open source sustainability problems (we know how to fix most challenges), but the need must be visible, people must be paid and that includes the maintainer AND their core contributors.

I stand by this solution, but realize there's a lot more at play - AI is causing a type of paralysis of investment for open source matters that are not strictly AI or security related AND solving broad issues of sustainability appears to be something increasingly expected of foundations and government (this is another blog post).

Sustaining OSS at its current scale under widespread vibe coding requires major changes in how maintainers are paid. - Vibe Coding Kills Open Source

Looking to the future: people and communities

People are looking and asking about their futures, the futures of their careers, education systems, countries, justice, safety, all with the lens of openness. Many of us are frustrated and feel powerless with the open-washing and outright extraction of labor happening, growing weary of trying to change systems from within existing structures, and interested in inventing new ones.

Under the umbrella of Open Future, I will continue to invest in convening and supporting people and communities on topics that require reinvention of ourselves, our governments, our education systems, and push back on corporate-led influences, including exploring what it means for "Open Source AI" to be aligned with community intentions (including, and especially non-developers).

Next Open Future Calls

Our next Open Source Practitioner Call is today (February 17th) and we have 26 people signed up so far to talk about the future of open source careers. After that, another focused on Digital Sovereignty in Canada, where openness features centrally in that future. We will have two different share-outs from folks actively engaging with government on these subjects, including myself!

I also co-chair the Alignment for AI in Open Source, CHAOSS WG, which meets every two weeks - the next one is February 18th.

Invitation

If you want to propose a popup topic, lead a session, or come share your work, the door is open.

You can still create and fulfill wishes, and you should!

And if you want to scale or lead the OSS Wishlist effort, it's all there to run and I would support your onboarding if need be. Connect on the #leadership-contribution channel.

Come find us.

I want to thank every practitioner who has signed up (so far) to contribute to wishes: Sayak Sarkar, Shauna Gordon-McKeon, Coraline Ada Ehmke, Ruth Suehle, Ruth Ikegah, Christos Bacharakis, and Dawn Foster. And every project that trusted us with a wishlist. Having the trust of people I look up to has meant the world to me.

Also sincere gratitude to Open Collective and Ecosyste.ms for their generous time and support.

Note: oss-wishlist.com will soon redirect to open-future.org, when I have a chance to do that.

The open source world is changing quickly. The maintainers, OSPOs, advocates, community builders - the people who have poured time and energy into open source for years are now watching AI reshape the landscape.

Its easy to feel discouraged, but a lot of people in our community are already adapting, redefining their skillets, and figuring out where they fit as the ground moves beneath them. This call is to help open source practitioners connected around this shared experience (and learn from each other!).

Open Source Practitioner Get-together · Zoom · Luma

Our topic for this call: What now? Open Source careers. ----------- Open Source Practitioner Get-together - a space to connect outside of product and…

Emma

On our next call, we'll talk about:

• Where open source practitioners fit in an age where AI
• How people are repositioning themselves, whether that's leaning into AI tooling, governance, supply chain security, or something else entirely
• What skills translate, what new ones matter, and where the opportunities actually are
• Experiences so far (applying for roles, getting ghosted? finding something great, still unsure?)
• How we support each other through this transition as a community

I'm on my way home now from CHAOSScon and FOSDEM, where I ran two complimentary sessions called 'AI Alignment for Open Source' .

AI alignment is the effort to design Artificial Intelligence systems so their goals, behaviors, and decisions are consistent with human values and intentions, making them safe, helpful, and reliable. In the context of open source, this BoF will explore what it means for AI to be aligned with open source (what we have built, know, value, expect).

One thing I wanted to accomplish was to move the conversation past specific symptoms like "AI slop" and instead ask: at what layer of open source does this misalignment show up, and whose interests are being served or ignored? Those two questions are the basis of the framework I have created for my sessions (and which may help you with yours).

You can see that, at the center is the values of the project/community. They might not be the right layers, but I proposed them as a start.

Below some examples of how I have seen alignment/misalignment turning up, organized by layer. See the link at the bottom of this post, for the HTML version of these (which includes links to examples).

I will write more about the themes that came out of these sessions in the near future. However, I will say that misalignment exists on both very difficult topics like the environment, and data ('described data' feeling like a brick wall ) and those that were maybe easier to solve like adding rules to governance about AI usage and/or improving contribution ladders to encourage learning and growing in knowledge of a project (before submitting a PR). I also think Red Hat is showing some early leadership in proactively designing for alignment .

The CHAOSS AI Alignment Working Group, is surveying our community to learn more about their perspectives and encounters with AI - before proposing solutions. In the meantime I hope this discussion framework can help you/your community navigate this bumpy time in OSS/.

You can find the HTML deck in our ai-alignment repository.

I'll be at CHAOSScon (January 29), the Open Source Policy Summit (January 30 although still on the waitlist), and FOSDEM (February 1-2). If you're around, I'd love to connect over coffee ~ learn from and share with you!

Digital Sovereignty in Canada

There's growing momentum around digital sovereignty - the Open Source Policy Summit reflects that energy. Europe's Sovereign Tech Fund is a concrete example: direct investment in the open source infrastructure that governments depend on. Germany recognized that democratic societies must invest in digital foundations the same way they invest in physical infrastructure. Canada has nothing like this. We have open source directives, and the Open Data Multi-Stakeholder Forum, but no equivalent investment in the underlying open source infrastructure that runs our country (that I know of!)

What I want to learn: How do you activate these conversations with government? How do you build momentum toward something like a Sovereign Tech Fund? Are there efforts underway in Canada I haven't found? I'd love to connect with anyone who's navigated this.

Thanks to fellow-Canadian Greg Wilson for inspiring this section.

AI Alignment for Open Source

I co-lead the AI in Open Source Alignment Working Group at CHAOSS. We're exploring what it even means for AI to be aligned with open source - with what we've built, what we know, what we value, what we expect, and in ways that honor the labor and intention of communities. Some early tide lines of misalignment are visible: moderation challenges from AI-generated contributions, knowledge enclosure as questions move from public forums to private LLMs. We're launching the CHAOSS AI in OSS Alignment survey to expand collective understanding for innovation, advocacy and resistance.

What I want to learn: What does AI alignment mean to you? What is open source AI anyway - what does it enable (whats missing)?

I'm hosting BoFs at CHAOSScon (January 29 evening, remote participation available) and FOSDEM (Sunday, 14:00, H.3242) - I hope you'll join us.

Grassroots Community Organizing

I've been running Open Source Practitioner calls to fill a gap I feel around grassroots organizing. So much of what happens in open source right now is in service of product, dollars(for billionaires), seeking developer perspective only. I want to understand how we get back to - or make visible - organizing that combats the injustice, extraction and exploitation in and through technology; all while protecting safety, privacy of organizers.

What I want to learn: What's already happening? Where can I plug in? How do we build out the practitioner community to fill gaps? How do we bring in educators, librarians and others who drove the early democratization of technology? How do we keep people safe, what decentralized, sovereign and privacy-respecting technology should we e using. Are there grants to support this kind of organizing that aren't centered in the US?

Funding Open Source

Corporate direct sponsorship of open source projects feels like it's declining, even as supply chain criticality increases. I've built Open Source Wishlist as community infrastructure to connect maintainer needs with practitioners and funding (based on my experience as both a funder and a maintainer). I have hypotheses about what's working and what isn't, but I want to validate them.

What I want to learn: How do maintainers actually want to ask for support? What if any supplementary support helps? Is sponsorship on the decline? Why? How might digital sovereignty efforts drive new policy for investment.

Attribution

Attribution is one of my focus areas for this year, and with that focus - I have a hyper awareness of the different contexts in which that is showing up (acknowledged or not by the industry) I'm trying to understand how they connect:

• Policy attestation - compliance requirements like the EU's Cyber Resilience Act
• Contribution attestation - something I've written about before - tracking who actually did the work in open source
• AI attestation - the missing gap of attribution for creators whose work trains models - this isn't going away

What I want to learn: Beyond licensing, how does attribution actually happen? What role does policy play?

I'll be in Brussels from January 29 through February 2, then spending a few days in London as a tourist.

Available for all the coffees ☕️

The question of 'how to moderate AI contributions' is a hot topic:

My OSS project is over two years old and leverages AI if the user chooses to use it. However, this also seems to attract vibe coders who submit pull requests that absolutely do not follow coding standards. They're sloppy, include random changes, Add complexity and contain plainly useless code that isn’t even used. - recent /r/opensource Reddit post

The AI in Open Source Alignment Working Group (special thanks to @MoralCode / Adrian Edwards) is compiling this list of challenges, discussions, resources, and emerging policies to help the community navigate the growing problem of low-quality AI-generated contributions.

Contributors and maintainers are approaching this issue from multiple angles - automated detection, policy frameworks, and in some cases, outright bans. We'll continue tracking progress and resources as they develop.

Attribution as Accountability

The problem of AI slop may also benefit from improved contribution attribution (something I have been chatting with a lot of people about this month). While my attribution proposal focuses on positive impact, there's significant potential in tracking negative impact as well - wasted maintainer time, useless code, and review burden. This approach could help enforce accountability.

Get Involved

The AI in Open Source Alignment Working Group meets bi-weekly. We'll also be hosting an evening Birds of a Feather (BoF) session at CHAOSScon, just before FOSDEM.

Join us!

I started this post intending to 'look back' (a year in review), but found my spirit lowering as I described loss of power and fear - what has felt like an extraction of open culture, value and effort in service of the already very powerful; the role of tech in the decline of democracies and human rights...

I don't do well, however, lingering in this space of loss and dread. I am an optimist by nature and thus focusing on a vision of the world I want to see is so much more motivating and empowering.

Inspired by the principles of the Folk Tech community and the 'Return to Light' Open Source Practitioner call held late last month, I've decided channel energy into positivity - on a vision for I want to see happen and ultimately work on in 2026:

This builds on my personal and paid work of the last year, and gives me a sense of purpose, camaraderie and hope for 2026. I have listed specific goals below. Interested in collaborating? Please get in touch or see links to join in specific efforts.

(Safe)

Contributing to policy and efforts that ensure safe, inclusive digital spaces

I have long worked on inclusion and safety in digital in digital spaces, through code of conduct policy work, building incident response teams, and through metrics work and AI Alignment at CHAOSS (inclusive of AI safety).

In 2026 creating safe places for collaboration matters more than ever, and I am already working with communities evolving and updating their policy and response processes (will report back on that later in the year).

(Paid)

Make open source project sustainability need discoverable, clear, actionable and paid

The average user of open source, has zero visibility into the needs and risks associated with projects they depend on. Every new exploit gains attention for that particular project, and that particular problem - creating a hyper focus for a time. But this isn't true visibility. It's like waiting for a fire before you check the wiring in your house.

Open Source Wishlist is my effort - drawing on years as a funder, community builder, and maintainer, to make need and risk visible in dependencies through maintainer curation (who better knows what is needed). Using SBOM analysis to surface wishlists, industry-validated metrics to define need, and aligned rubrics to measure impact.

It's my hypothesis and experience that without clarity of need and impact, the funding piece very very difficult for the average user to advocate for. With 200 wishes in hand, and what is already an incredible group of OSS practitioners, I am dedicated to working with big and small funders interested in demonstrating their impact through action. I plan to collaborate on touch-points with the CycloneDX (SBOM) standard, and Open Source Economy doing parallel work.

(Attributed)

Make it clear who is moving the ecosystem forward (and who is missing)

Without attribution, it's guesswork as to who's really holding up the ecosystem and harder to recognize, reward and call out those who are missing. I have pitched this for many years and recently wrote this blog post - the topic has always been well received, but we actually need to do something now.

Building on Drupal's credit system and aligning with the Eclipse Foundation's CRA attestation effort, I plan to co-create attribution stand as a way to track ecosystem investment and recognize contributions that would otherwise go unseen.

For my work, this start as a pilot within Open Source Wishlist specifically as the fourth milestone:

(Community-driven)

Create a community-driven space for open source AI

When I was laid off at Microsoft, I immediately looked for a community to join to help shape open source AI, but found absolutely nothing. Yes there are (a billion) product communities, and foundation-led initiatives, but all seemed to be in service, or comprised solely of members who also happen to represent companies; with strategy purely on developers.

I yearned for something that focused on advocacy, independent of company OKRs or financial goals.

My ongoing response to this, is to-create create a space for open source AI that's actually open shaped by everyone - not just developers but educators, librarians, students, scientists, OSS practitioners, environmentalists (and more) - as it was the origins the open web.

• Continue to co-chair the CHAOSS AI alignment working group (which will have a BoF session at CHAOSScon right before FOSDEM).
• Continue to run Open Source Practitioner touch points to connect around challenges and the future we want to build. Next meetup January 21st (subscribe here for future events).
• As part of Open Source Wishlist obtain funding for at least one AI Consent Framework (service).

Collaboration methods & funding my work

I do not , and will not work in isolation, and all of these goals will continue in collaboration with Ecosyste.ms, FolOpen Source Collectfive, Folk Tech, Open Source Practitioners the Eclipse Foundation attestation efforts (Aeva Black), and through touch-points with the Open Source Practitioner community calls and events like FOSDEM.

Most (but not all) of my goals are on unpaid right now. I am building, as I said in the intro, a vision for what I want to see and work on. I do hope (as part of my put food on the table plan) that I can secure a grant, or other funding as the year unfolds, and the value becomes clearer.

Support in general is welcome through Open Collective or GitHub sponsors.

In closing

Safe. Paid. Attributed. Community-driven. That's the open I want to build with all of you in 2026.

We're in a strange moment for open source careers. Many people who built the infrastructure, shaped the standards, crafted the policies, and nurtured the communities that open source depends on are increasingly being hit by layoffs and a shifting grant landscape.

In parallel there's a rallying cry for open source sustainability - to do more, faster, with less; it can be bewildering to hold the two messages of urgency, and complacency in your mind and heart. Sustainability of open source infrastructure is critical, but increasingly difficult to find paid work doing. Unfortunately, unpaid labor won't fix the unpaid labor problem. This in part, inspired me to start Open Source Wishlist.

If this resonates for you and you're feeling the weight of this moment, or just want to connect with others who've dedicated themselves to this work, and are figuring things out in this moment of the AI rush, I'd love for you to join me as light returns (a day after Winter Solstice) on December 22nd. Just for an hour, no agenda in particular - just connection.

Whether you're navigating a transition, settled in a role, or somewhere in between: come share how you're experiencing things, connect with others who care deeply, and explore what's possible when we're in the room together.

Calendly Invite

NOTE: I know this is in the middle of holidays for many, if there's interest I will create more of these in the new year .

Or How we might build on Drupal Credits approach to standardize attribution

Evaluating open source contributions, especially at the organizational level,remains frustratingly opaque. Who's actually investing in the projects we all depend on? Right now, there's no reliable way to say definitively. That lack of transparency is a true barrier to sustainability efforts.

I've been proposing versions of "Drupal Credits, but for all of open source" for years. It hasn't gained the traction I'd hoped for, but I keep coming back to it because the need hasn't gone away. (Notably, GitLab seems to be advancing something similar with "Contribution Records", which is worth watching.)

What is the Drupal Credits program?

For those unfamiliar: Drupal's credit system lets contributions: code, documentation, event sponsorship, and more - be attributed to individuals, their employers, or the clients funding their time. Everyone benefits. Contributors build reputation, companies get recognized for their investment. The project gains visibility into who's actually sustaining it. Years ago, I contributed a module on behalf of a client funding my time, and they were genuinely delighted to be credited. That's the kind of alignment we should make easy everywhere.

Yes, there are complexities - multiple contributors, potential for gaming the system—but Drupal has iterated on this for years and their documentation reflects real lessons learned. (Drupalistas: please flag anything I'm missing here.)

Why should we have this capability more broadly?

Right now, its very hard if not impossible for a company/org/individual to speak to their impact on a project without doing a lot of their own data curation. I recently tried to write a script to pull all [organization_name] members who contributed to the top 5 critical packages as defined by Ecosyste.ms API, but rate limits are a thing that exists. Even with a project to ingest data over time for analysis, it's just a whole lot of work on all sides.

GitHub, GitLab and Codeberg contribution graphs are helpful as a snapshot, but you cannot tell if a customer paid for that work; if it relates to employed or personal time - it also doesn't capture non-coding contribution, like event sponsorship, board membership, code of conduct committee membership and more - that really make up the big picture.

Where should it live?

I no longer think this belongs in a single product's workflow. Instead, I believe we need a standard something communities can adopt and adapt to their own values, implemented through CI/CD workflows.

Not unlike a Code of Conduct, really: a template that defines what contributions count, how value is measured, and how attribution flows. Each community decides what matters to them. And as communities learn, they contribute back to the evolution of that standard.

How can it help?

It gives organizations and individuals visible, meaningful credit for their efforts - not just marketing fluff, but something with real weight in the project they support. It also reveals who's missing.

What does it miss?

As Dries pointed out in this recent blog post, there are remaining questions about behavior changes:

"How do we distinguish between companies that can't contribute and those that won't? What actually changes corporate behavior: shame, self-interest, punitive action, exclusive benefits, or regulation?"

Credit and visibility are necessary foundation to then address these motivational challenges.

Who should build it?

Any ecosystem standards organization can do this and be an example for others. Drupal has put in the groundwork, and learning over years its just a matter of intention. This is work that requires humans.

I am sure you have ideas too! These are mine, on my own time: observed and written since being layed off at Microsoft. I appreciate sponsorship, and opportunities to work on efforts like this for your organization or project. Get in touch!

Also check out:

• Open Source Wishlist, which is just getting going!
• AI alignment in open source (working group)

The open source origin story describes a time when transparency, collaboration, and inclusion helped us build software that shifted power and value over the tools and infrastructure we depend on away from corporations and toward people and communities. It worked. Not without its own inequities and blind spots, but it worked. And like any democratization, it requires continual vigilance and collective action to sustain.

In this AI moment, it feels alarmingly like we're losing that power - watching it shift back toward corporations, away from the open communities who built the foundation AI runs on.

"Many people so desperately want to believe that they have a relationship with technology that is, at the very least, symbiotic. 'Bicycle for the mind' cliches galore. But computing technologies, built by the most powerful companies in the world, run by the richest men in the world (the richest the world has ever seen) are all fundamentally committed to something else altogether: not to symbiosis but to extraction, exploitation, and domination." — The Right to Say No, 2ndBreakfast, Audrey Watters

Open communities are feeling this loss of power in (at least) three ways:

• AI being added to products, services and interactions open source communities use without consent
• AI being added to products and services that open source communities co-build - without consent
• Misalignment between communities and corporations about what "open source AI" actually means (independent of the OSI definition), obfuscating

These are, each, deep topics on their own, but at the core they're about the same question: where does value and power flow, and how might communities require their consent to define the parameters, including the right to say 'no'.

Note: Consent related to AI is not a new concept, I couldn't find one specific to open communities (please correct me if I missed it), but happy to be wrong.

For open source communities using platforms and products shipped by companies

As open source became central to engineering workflows, so too have maintainers, developers and communities have become the 'user' that products have been designed for. It's increasingly critical that communities define their 'terms of being a user' (for want of a better term); and to think in terms of collective action not a long list of +'s in an issue, but actions that require attention.

Example goals:

• (proactive) As a community of creators and users, define your AI terms: What AI integration is acceptable to you as a user building in the open? Opt-in only? What does it change? Model, data and weight openness? What crosses the line?
• Establish response process: What AI changes (addition/location/purpose) trigger action? Who decides? What timeline do you give platforms to respond?
• What if consent is denied?: Alternatives identified, migration guides ready, sponsors informed, communication channels outside the platform
• (last resort) Exit together: Move as a unit, redirect funding, archive the old, document for others facing the same choice. Zig showed what this might look like:

"We look forward to fewer violations of our strict no LLM / no AI policy" — Zig, on their community standards around AI and migration from GitHub to Codeberg

We may discover at some point that products accept losing communities on their product paths, which is also very useful information — as we think about new areas for innovation and building this becomes a gap needing solved; new openness.

For open communities building platforms and products governed by corporations

A lot of us contribute to, and build with communities governed by companies - this is not inherently negative. In fact many maintainers are hired from the community, and care deeply about this relationship. However with the AI race, and (honestly) people fearing for their jobs right now, it's not a given. It feels increasingly important that the consent of communities be a milestone for building and shipping products:

"The response from the Firefox community has not just been overwhelmingly negative, it is universally negative as far as I can tell. At least among users willing to post on Mozilla's forums about the issue... Mozilla's core audience hates this move. At the very least, they would want all the AI components of Firefox to be opt-in, a choice that Firefox has been unwilling to make so far, instead enabling these new features by default." — The Mozilla Cycle, Part III, Taggart Tech

"It was a remarkable event – the first time in my 15+ years as an education writer (and 25+ years working in and adjacent to ed-tech) that I've been to a technology event where 'No' was presented as a viable (indeed, perhaps even the moral) response to computing." — The Right to Say No, Audrey Watters

Examples goals for product teams:

• Create a community consent milestone for each product release. This could be as easy as adding one more step to the open collaboration model.
• Define AI contribution standards with your community: Be explicit about what AI-generated (or AI-anything) contributions will be accepted, disclosure expectations, and quality thresholds.
• Be transparent: When proposing AI integration, explain what, why, what data, what's default. If you ship over objection, document it publicly and own the decision. Include the openness of models, weights and data in your product roadmap and how to contribute to the evolution.
• Support exit paths: Business decisions sometimes go against community consensus. When that happens, be honest about those decisions, make space and dignity for disagreement and exit.

Example goals for communities:

• Set terms proactively: Define your AI standards before there's a conflict. As one example, Drupal's agents.md is proposed to show AI agents interact with their project, authored by the community.
• Participate in governance: Show up to roadmap discussions, RFCs, community calls. Consent requires presence if you're not in the room, you can't shape direction.
• Propose, don't just oppose: When AI features are proposed, offer alternatives. Opt-in instead of opt-out. Different defaults. Clearer disclosure. Give product teams something to say yes to.
• Celebrate alignment: When products get consent right, amplify it. Positive examples create pressure on those who don't.

When consent breaks down:

• Document the objection: Make it visible that community opposed a decision. Unify voices in a single location.
• Withdraw legitimacy: Stop advocating, stop contributing, stop lending your name. (reverse DevRel)
• Exit together: Move as a unit, redirect funding, document for others. Collective action is the ultimate feedback.

Unlike the open source origin story, it's not just one Goliath but many. There's no stalled innovation to rally against: Innovation is rapid, too rapid for communities to consent to what's being built. Everyone says "open" without meaning the same thing. The language we built is being used to describe, build and ship things open communities, users and advocates didn't agree to.

AI is the asbestos in the walls of our technological society, stuffed there with wild abandon by a finance sector and tech monopolists run amok. We will be excavating it for a generation or more." - Cory Doctorow, The Reverse-Centaurian Guide to critisizing AI

This is why consent must be central to the new open source user and community strategy. Adding consent milestones to product and community pathways feels like the minimum to ensure that power and value isn't just a feeder for the already very powerful.

I am sure you have ideas too! These are mine, on my own time: observed and written since being layed off at Microsoft. I appreciate sponsorship, and opportunities to create frameworks like this for your organization or project. Get in touch!

Also check out:

• Open Source Wishlist, which is just getting going!
• AI alignment in open source (working group)

Despite countless calls for open source sustainability, there's still no clear pathway for maintainers to express needs and receive help.

In my personal time, I've built a working proposal for how this problem might be solved using a community-based approach. It's called Open Source Wishlist and is essentially infrastructure for open source sustainability contribution .

• A centralized definition of categories of 'sustainability contribution', grounded in existing knowledge and best practices for each (metrics, resources, best practices).
• A standardized, discoverable way for maintainers to request help using shared terminology.
• A standardized way for helpers to discover, fund, contribute and unleash resources with community-defined rubrics to track impact.
• A mechanism to engage (and pay) the countless community members and open source practitioners with skills, time and ambition to resolve sustainability risks.
• A way to drive AI alignment around open source sustainability based on what we already know to be true, important and inclusive.

In the coming days I will be reaching out to maintainers, and practitioners to create profiles (including those I have spoken with so far). I will be at FOSDEM and the State of Open to chat in person.

Note: As mentioned, created this on my personal time (after layoffs), so please direct feedback kindly and through issues and PRs if possible. There will be bugs. I also welcome sponsorship as is the theme. Thank you!

Below is a quick demo if you don't want to click around yourself.

Other notes

• Playbooks are all, open for contribution and live in their own repository.
• GitHub is the primary authentication for the moment, and only because its easiest as a first step (to get repos etc), however plans do include adding other authentication methods including GitLab.
• The GitHub Action to discover wishlist's in your dependencies will likely be available closer to January once we have more wishes, and Ecosyste.ms has time to add this to their datasets. For now, if you want, you can use this JSON feed of public and approved wishlists.
• The sustainability contribution model does focus on paying practitioners for their time (although they can accept pro bono), more unpaid labour will not solve the unpaid labour problem. The focus is on set-rates, to avoid upwork-style under-bidding. Those set-rates will evolve as we learn.
  

Launching next week: Open Source Wishlist

Every open source security incident teaches us something new; but more often than not we are reminded of past lessons. Projects and maintainers need help, succession plans, modern security practices, trusted governance as well as moderation and funding strategies. Minimally.

Despite years of experiments and well-intentioned initiatives, most maintainers of critical projects still receive little or no sustained support, leaving them to shoulder enormous responsibility in their personal time. Open Infrastructure is not Free - a Joint Statement on Open Source Sustainability

Although projects and funders would both nod their heads in agreement - that solving these problems for sustainability are worthy and achievable goals, that's where the conversation hits a wall. There is no standard and discoverable way for projects to ask for support, and even then, there's no standard way to evaluate the success of such interventions making funders uncertain (educated guesses).

It sometimes feels like projects and funders are on opposite sides of a canyon filled with hungry (bad actor) monsters, each side unsure how to bridge the distance, each desperately wanting to. Monsters ready to eat us all.

Enter the Open Source Wishlist

I mentioned that there is no standard way to ask for and measure impact of sustainability support, but there are a lot of established best practices, metrics, resources and people who can bridge that canyon. There is a way to operationalize sustainability support in a way that's highly visible, built on those standards, NOT dependent on any one foundation or company; one which provides not only funds to maintainers, but actual human help from established open source practitioners

Really!

Catalogue of services and resources (Open Source Wishlist catalogue!)

1. Project maintainers choose from set of known 'sustainability' levers as 'wishes'. These are 'services' like Governance and moderation strategy but also resources like Infrastructure.
2. Those wishes are discoverable by 'Wishlist Sponsors' in a few different ways including a analysis of their SBOM and through the dependency FUNDING.yml.
3. Wishlist sponsors can fund one or more of those wishes.
4. Open source practitioners (paid or pro-bono) are dispatched to help maintainers implement the wish according to a rubric for success.
5. Sponsor reports are generated based on the rubric score, and crossed off the wishlist
6. Sponsors can report back on 'impact' (that wish will no longer in their dependencies).

Launching as a pilot next week!

This project has been a creative outlet for me as I recovered from layoffs, and find new inspiration. It is entirely open source, open content and volunteer - run. Contributions to format, content, playbooks will all be warmly welcomed. We will have up to 10 practitioners for the first pilot and as many maintainer wishes as we can muster.

Thanks to everyone, especially Christos Bacharakis who has taken time to give to contribute their ideas, insights and support. If you are interested in being part of the pilot either as a maintainer, sponsor or practitioner please get in touch at info at oss-wishlist.com .