The Changelog: Software Development, Open Source - Astral has been acquired by OpenAI (News)
Episode Date: March 27, 2026Astral is joining OpenAI, which says a lot about where the center of gravity is moving for developer tools, LiteLLM got hit by a nasty supply-chain attack, and OpenCode blew up as the latest serious o...pen source swing at the coding-agent stack. We've also got Rust doing a very public reality check on its own pain points, WorkOS pushing AuthKit into CLI auth, Ryan Lizza using AI to build an open source TurboTax alternative, and a fresh httpx fork that turns open source maintenance drama into a real dependency story. If nothing else, this week was a good reminder that tools, trust, and control all move together.
Transcript
Discussion (0)
What's up, friends, Adam here.
This is Change on News for the week of March 23rd, 2026.
Friends, I'm hot off an epic spring break.
You know, I've never taken a true spring break vacation.
Sure, I've done some things, but never an epic trip to South Florida that we did this year.
It was much needed time away with family, friends, and good sleep.
Sadly while away, Chuck Norris passed away.
he was a high achieving person in life and someone worth emulating.
He has 10 principles to live by.
Here are two of my favorites.
Number one, I will forget the mistakes of the past and press on to greater achievements.
And number two, I will always remain loyal to my God, my family and friends, and my country.
Okay, let's get into the news.
Astro has been acquired by OpenAI.
This is a big one, y'all.
Astro, the company behind UV, Ruff, and.
NTIY says it has entered into an agreement to join OpenEI as part of the Codex team.
And I think the reason why this hits so hard for me is that Astrol is not some random AISO
startup getting aqua hired.
These are already some of the most important tools in modern Python development.
So the obvious first question is, what happens to the tools?
Astral says the open source work continues after the deal closes, and that matters a lot
because UV and Ruff in particular are not side projects anymore.
These are foundational pieces of a lot of Python workflows right now.
If we zoom out, the bigger revelation is the center of gravity for developer tools
keeps moving toward the coding agent stack.
Astral started out making Python development dramatically faster,
and now the same team is heading into Codex.
That tells you where they think the highest leverage work is next.
And if you're a Python developer, or honestly any developer paying attention to tools,
this is one of those moments worth clocking because it suggests the future
is not just better linteres, better package managers,
better type checkers, and separate things.
The future is those tools getting pulled closer and closer into the agent itself.
Light LLM compromised by a supply chain attack.
LightLM1.8 was reported to include a malicious.PtH file
that could execute on Python startup and potentially steal secrets for machines that installed it.
attackers published a fake lightlm 1.8.8.
Release directly to Pi Pi, outside LightLLM's normal GitHub release flow.
The current explanation for how it got there is the real story.
Light LLM says a publishing token was exposed through an unpinned trivy security scan in CI.
This was not just one bad package upload.
It was a supply chain chain reaction.
Compromised security tooling, stolen published credentials, then poisoned releases,
pushed straight to Pi-Py.
LightLM is not some random edge dependency, though.
For a lot of teams, it sits right in the middle of their AI stack,
writing model calls, living right next to API keys, cloud credentials,
and internal config.
And the dot PTH file is a nasty delivery mechanism
because it can execute when Python starts before anybody even imports the library.
So if you're out there and you install the affected versions,
treat this as an incident, not an upgrade.
bug check where it ran rotate anything exposed and look at CI and developer machines
first the takeaway is the AI middleware layer now belongs inside your real supply
chain threat model open code tops hacker news open code blew up this week as the
highest traction new coding agent launched on hacker news open code is an open source
attempt to build the full coding agent surface area terminal IDE desktop multi-session
workflows, LSP support, with bring your own model flexibility.
The uncomfortable signal is in the timing.
Right before open code hit number one on Hacker News, the project had to strip anthropic
oath and anthropic references after legal pressure.
And if you've been on X lately, you've likely heard about the Claude OpenCode drama.
This should tell us the open agent race is real, but it's still happening inside ecosystems
controlled by model vendors.
So my read on this is that open code matters less because it's definitively the best
agent today and more because it shows where this market is going next.
The next fight is not just over model quality.
It is over who owns the interface, the workflow, and the default home for coding with agents.
Rust has challenges, but here's how we can address them.
The Rust Project published a reality check.
This is not a Rust is doomed post.
It is not a victory lap either.
More like, we talk to a bunch of people, and yes, the problems you already think Rust has
are in fact the problems people keep running into.
The interesting part is the shape of those problems.
Compiled times are still a thing,
but they're not really blockers for most people.
The borrow checker is still brutal for beginners,
but it bothers experts a lot less,
which tells you some of that pain is onboarding pain,
not necessarily evidence the language is broken.
A-Sync is still messy,
and though Rust A-Sync has been messy for a while,
except in this post they are pretty explicit.
There are actual next steps they think can help.
And then you get to the ecosystem story, which is maybe the most important one.
A healthy crate ecosystem is Rust's largest strength.
But people do not always know which crates to trust, which ones are effectively standard,
or whether the thing that they need exists yet in their domain.
In worlds like embedded, gooey, and safety critical work, that maturity gap gets a lot more obvious.
I applaud this post because the intent behind it is awesome.
I use Rust daily.
I feel this pain every single day.
Sure, Russ can be improved, but they just.
It shows the project is listening and it shows they have clear pain points to smooth out where there's friction.
And now time for so sponsor news.
Well, friends, I'm here with Michael Greenwich, founder and CEO of Work OS.
Michael, if you didn't know, CILIs are back.
They're all the rage.
And a major problem I personally have with my CILIs is authorization, authentication.
What do you say about Work OS and Off for CLI?
Long live the CLI.
We've had a resurgence of it, which I,
I am so thrilled about.
We actually have supported CLIOth for many years at WorkOS.
This is something called the device grant flow.
It lets you have that really smooth experience where from your CLI app you're building,
you can link out to the browser and have the user authenticate through whatever system
they have in your app and then bounce back into the browser.
So nobody is pasting their credentials or their secrets into the shell itself.
Kind of zero knowledge, zero trust way of building Oath authorization.
It works great for existing CILIs.
It also works super great if you're building a CLEs.
CLI specifically for agents, which is kind of all the rage now as people are expanding upon that.
So WorkOS that we think is the fastest way to do it.
And you can actually do it without migrating your entire user base.
You can just layer on the CLI off because WorkOS is so modular.
You can just add that in front.
We have people doing this for MCP as well where they just use WorkOS for the MCP authentication gateway
and not for the primary identity stack.
So it's totally possible today.
And I think WorkOS is the fastest way to ship off in your CLI app you're building.
Well, friends, go to workOS.com. Try it today. Again, workOS.com.
Learning to code by building turbotax.
Ryan Leasy got annoyed enough with TurboTax and the larger tax filing mess that he used AI coding tools to build a free open source alternative and then put it in the public so tax professionals and quote, actual programmers, end quote, can inspect it.
The question is not whether AI can spit out code anymore. We are past that. The better question, the better question,
is whether these tools are good enough
to help somebody take a real run
at expensive, boring,
incumbent software that normal people
actually depend on. Tax software is a
great test because it is high stakes
full of edge cases
and usually not something you could fake
your way through with a polished
demo. Ryan is not asking
for your trust. He's doing the exact opposite.
He's saying, hey, here's the
app I made. It is open source.
Vet it. If you're a pro,
if you're a programmer, vet it please.
This isn't about a journalist suddenly becoming a 10x software tax engineer.
It is whether or not AI lowers the cost enough for we the people to build credible public interest software in markets that used to belong entirely to incumbents.
Why I Forked HTTPX.
This is one of those open source stories that sounds niche until you realize how much code quietly depends on it.
HTTPX is a very popular HTTP client and Michael Bayesian has now for example.
it into H TTPXYZ.
And the reason is, there hasn't been a release of HDPX since November 2024, fixes were
sitting around unreleased and upstream trust has been eroding.
Now, the real story is not just that somebody got frustrated and made a fork.
The issue is project maintenance risk eventually turns into dependency risk.
In this case, the fork author points to hidden issues, discussions being turned off, years of
talk about a future 1.0
and a growing sense that a widely used
package did not have a stable
maintenance path anymore. HGTPX
is not some obscure utility.
It sits underneath a lot
of Python software and even
high profile packages like OpenEIs
and Anthropics Python SDKs.
They've already begun guarding
against a future 1.0 release.
The fork's pitch is the interesting
part. It is not a rewrite. It is
not a revolution. Just a stable
fork with the motto, quote,
move a little faster and not break things.
End quote.
That is a pretty good summary
of what a lot of developers
actually want from infrastructure dependencies,
not novelty,
just a maintainer story they can trust.
All right, that's it for the news this week.
Thank you for tuning in.
We'll see you back here next week, of course.
ChangeLaw. Dot News.
If you haven't subscribed, do so now.
And tell a friend.
I've got some amazing shows recorded
in the canned being produced.
It is amazing.
Can we release them?
Things are getting stacked up over here.
And it's so exciting.
All right.
That's it for this week's news.
We'll see you next week.