• [30.05.2026 10:05] andrewtridgell
    I reviewed it. The rsync project has been essentially a single developer project for about 20 years now
    
    
    [30.05.2026 10:06] andrewtridgell
    Wayne did it all himself for a long time, now I'm back doing it
    
    
    [30.05.2026 10:06] realketas
    why is it one man job, it seems like too complex for that
    
    
    [30.05.2026 10:06] realketas
    i can't even imagine
    
    
    [30.05.2026 10:06] andrewtridgell
    nobody else volunteers. It's the same story with thousands of open source tools
    
    
    [30.05.2026 10:07] realketas
    it runs entire planet, just one man does it eh
    
    
    [30.05.2026 10:07] realketas
    sad too
    
    
    [30.05.2026 10:07] andrewtridgell
    the linux kernel has thousands of paid full time devs. rsync has zero.
    
    
    [30.05.2026 10:15] andrewtridgell
    the most insane part is that security releases can't be community tested. Those security releases are going to be a huge part of lots and lots of open source projects for a while to come yet, just look at the rate of CVEs over the last couple of months, it's gone nuts. You can't do a beta release of a security fix as it's embargoed. So for the most critical fixes you *can't* have anyone else look at it. The people reporting the flaws mostly don't have the skills as they used AI to find the bugs. So the maintainer is the sole person to review the most critical security changes, and that is how the madhouse called the internet and IT security is designed. The only defence I have is to build the most comprehensive and accurate test suite I can, so when I need to deal with yet another security report I can at least quickly identify what else the fix breaks. Luckily I can do that work (the dev of the test suite) in public.
    
    
    [30.05.2026 10:22] andrewtridgell
    bottom line is if you want to be useful then pick holes in the test suite, find things it doesn't cover, find interactions between options it doesn't pin down, report those and offer fixes for that.
     
    

    Basically, it’s a solo dev being swamped by LLM security reports, and since those are embargoed only maintainers can review them… and since nobody else has volunteered, he has to do it himself.

    He primarily used several AIs to rewrite the test suite from shell (slow, lacking coverage) to python (parallelised, improved coverage). He says he’s extensively reviewed everything, but I guess the suite doesn’t cover everything. And the test suite changes can be community reviewed.

    The dev has been actively inviting people to join as a maintainer and poke holes in the test suite, but it seems nobody has stepped up. I can’t really blame the dev here, he just seems unable to keep up without others helping him out. He’s tried to use AIs as sensibly as he could, and I’m not entirely sure if it’s slop fixes that cause the issues (or if an “unassisted” fix would have caught it).

    • Cataphract@lemmy.ml (+17 / -2) · 4 days ago

      A very important question is being hypothesized here and I hope we all come to a conclusion sooner rather than later.

      Is it better for a FOSS project to be abandoned because a single maintainer is overwhelmed? Or should a single maintainer use LLM tools to continue a project they are no longer able to handle?

      I personally see abandoned projects easier to pick up when left “as is” for someone to eventually come in. Doing massive amounts of ai code that eventually breaks the functionality (or presumably does), and then expecting people to come in to a larger shit storm seems daunting.

      • wewbull@feddit.uk (+12 / -1) · 4 days ago

        Fact is there's a bunch of 50+ engineers that have been looking after these fundamental components for a long time, and people aren't coming through to hand things off to. It won't be long before they'll have come to the end of their working lives and things will be abandoned.

        I would prefer they walked away rather than resort to LLM agentic coding.

        • eestileib@lemmy.blahaj.zone (+5 / -2) · 4 days ago

          I don’t want to put my trans ass out there to get brigaded by assholes so open source is not my thing. Massive respect to the people who put up with fossbros.

      • WolfLink@sh.itjust.works (+8) · 4 days ago

        If you want to pick up this project you can take the last pre-llm version.

        Or go work with the dev who is actively begging for volunteers instead of trying to make a whole new project.