The Changelog: Software Development, Open Source - Vouch for an open source web of trust (News)
Episode Date: February 9, 2026
Mitchell Hashimoto's trust management system for open source, Nicholas Carlini has a team of Claudes build a C compiler, Stephan Schwab recounts the history of attempted developer replacement, NanoClaw is an alternative to OpenClaw, and Sophie Koonin can't wrap her head around so many people going so hard on LLM-generated code.
Transcript
What up, nerds? I'm Jared, and this is Changelog News for the week of Monday, February 9th, 2026.
So the folks at AI.com apparently spent 70 million on the domain, then another 15 million on a Super Bowl ad, then failed to prepare for the resulting flood. The end result? One of the most expensive self-inflicted DDoS attacks in tech history, and free advertising for Cloudflare's standard gateway timeout page. Yikes.
Okay, let's get into this week's news.
Vouch for an open source web of trust.
Here's Ghostty creator Mitchell Hashimoto. Quote, AI eliminated the natural barrier to entry that let OSS projects trust by default. People told me to do something rather than just complain, so I did. Introducing Vouch: trust management for open source. Trusted people vouch for others. End quote.
The idea is simple and it mimics real-life social constructs, so I think it has a chance of succeeding. Quote, unvouched users can't contribute to your projects. Very bad users can be explicitly denounced, effectively blocked. Users are vouched or denounced by contributors via GitHub issue or discussion comments, or via the CLI. End quote.
Mitchell is rolling out this vouching process in Ghostty immediately.
Claudes build a C compiler.
Alongside the launch of Opus 4.6, the Anthropic team published the results of Nicholas Carlini's experiment with agent teams. Quote, I tasked 16 agents with writing a Rust-based C compiler from scratch capable of compiling a Linux kernel. Over nearly 2,000 Claude Code sessions and $20,000 in API costs, the agent team produced a 100,000 line compiler that can build Linux 6.9 on x86, ARM, and RISC-V. End quote.
It was a fascinating journey which produced some new techniques in designing harnesses for long-running autonomous agent teams. The resulting compiler can build Linux 6.9, but isn't a fully functional C compiler. In fact, it fails to compile the most basic Hello World program, which gave the general public all it needed to torch the entire effort.
We've tried to replace devs every decade since 1969.
Stephan Schwab recounts the history of the sentiment that this time will finally make software development simple enough that we won't need so many developers. According to Stephan, quote, understanding why this cycle persists for 50 years reveals what both sides need to know about the nature of software work, end quote.
In brief, the history looks like this. 1969: the dream was born during the Apollo program. 1970s: COBOL, business people will write their own programs. 1980s: CASE tools will generate everything. 1990s: Visual Basic and Delphi, drag, drop, done. 2000s: web frameworks, low code, and no code. And today: AI, the latest chapter in a long story.
So far, every advancement has not reduced the need for developers, but increased it. Stephan says AI will do the same. Quote, the pattern continues because the dream reflects a legitimate need. We genuinely require faster, more efficient ways to create software. We just keep discovering that the constraint isn't the tool. It's the complexity of the problems we're trying to solve. Understanding this doesn't mean rejecting new tools. It means using them with clear expectations about what they can provide and what will always require human judgment.
It's now time for sponsored news.
Did your AI just recommend a vulnerable package? Here's a fun experiment. Ask your coding agent to recommend a logging library for your next project. Now check when that recommendation was last updated. You feel unlucky? AI coding agents are trained on data with a knowledge cutoff. That package they just confidently suggested could have three CVEs disclosed since the model learned about it. Your code runs, but your security audit does not.
That's why Sonatype built Guide. No sign up, no credit card, just go to guide.com and start querying. Sonatype Guide is an MCP server that plugs directly into Claude, Cursor, and other AI assistants. Instead of your agent pulling from stale training data, it pulls from Sonatype's live component intelligence. These are the folks behind Maven Central, trusted by over 15 million devs. They know which packages are safe and which ones you should avoid.
Here's a challenge. Go to guide.sonatype.com. Search for a dependency your AI recently recommended and see what Sonatype knows that your model doesn't. Learn all about it at sonatype.com or follow the link in the newsletter. Check it out today. And thanks to Sonatype for sponsoring Changelog News.
A lightweight containerized alternative to OpenClaw.
Quote,
OpenClaw is an impressive project with a great vision, but I can't sleep well running software I don't understand with access to my life. OpenClaw has 52 plus modules, eight config management files, 45 plus dependencies, and abstractions for 15 channel providers. Security is application level, with allow lists and pairing codes rather than OS isolation. Everything runs in one Node process with shared memory. NanoClaw gives you the same core functionality in a code base you can understand in eight minutes. One process, a handful of files, agents run in actual Linux containers with file system isolation, not behind permission checks. End quote.
OpenClaw's success is undeniable, but that doesn't mean it fits everyone perfectly. NanoClaw looks like a great alternative for the security and/or simplicity conscious. It also has an interesting approach to feature additions and configuration: no. Fork the code base and add skills to adapt it to your needs instead.
Stop generating, start thinking.
Sophie Koonin explains why she's unsettled by so many people going so hard on LLM-generated code in a way that she can't wrap her head around.
Quote, I find it hard to justify the value of investing so much of my time perfecting the art of asking a machine to write what I could do perfectly well in less time than it takes to hone the prompt. You've got to give it enough context, but not too much, or it gets overloaded. You're supposed to craft lengthy prompts that massage the AI assistant's apparently fragile ego by telling it, you are an expert in distributed systems, as if it were an insecure, mediocre software developer. Or I could just write the damn code in less time than all of this takes to get working, end quote.
I shared this position with her until recently, but I don't do any of the fancy prompting or massaging that other devs talk about, and I've been getting excellent results the last few months.
Back to Sophie. Quote, my worry is more around people thinking they can vibe code their way to production-ready software, or hand off the actual thinking behind the coding, end quote.
I'm 100% with her on this last bit. We cannot hand off the actual thinking and produce anything of lasting value. And I would love to say that we won't do that, but I repeatedly underestimate the extent to which humans are, above all else, lazy.
That's the news for now. But go and subscribe to the Changelog newsletter for the full scoop of links worth clicking on, such as the Anthropic Hive Mind, saying no in an age of abundance, and why Elixir is the best language for AI. Get in on the newsletter at changelog.news.
Have yourself a great week. Like, subscribe, and five-star review us if you like the show, and I'll talk to you again real soon.
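The Vouch segment at the top of this episode describes a contribution gate built from three rules: trusted people vouch for others, unvouched accounts cannot contribute, and a denouncement from a contributor blocks an account outright. The Python below is an added illustration of that web-of-trust idea, not Vouch's own code or data model. Everything specific in it is an assumption made for the example: the `/vouch NAME` and `/denounce NAME` comment syntax, the use of project maintainers as the trust roots, transitive propagation of trust along vouch chains (the "web" part, which the episode names but does not spell out), and the rule that a denouncement only counts when its author is trusted and, when it does count, also removes everyone whose only path to trust ran through the denounced account. The sample comments are constructed.

```python
# Added example modelled on the Vouch segment; NOT Vouch's own code.
# Command syntax, data model and propagation rules are assumptions.
from __future__ import annotations

import re
from collections import deque
from dataclasses import dataclass, field

# Assumed comment syntax: "/vouch alice" or "/denounce @mallory".
COMMAND_RE = re.compile(r"^/(vouch|denounce)\s+@?([A-Za-z0-9-]+)\s*$")


@dataclass
class TrustRegistry:
    """Web of trust rooted at the project's maintainers (assumed model)."""

    maintainers: frozenset[str]
    vouches: dict[str, set[str]] = field(default_factory=dict)        # user -> vouchers
    denouncements: dict[str, set[str]] = field(default_factory=dict)  # user -> denouncers

    def vouch(self, voucher: str, user: str) -> None:
        if voucher != user:  # self-vouching is ignored
            self.vouches.setdefault(user, set()).add(voucher)

    def denounce(self, denouncer: str, user: str) -> None:
        # Maintainers are trust roots and cannot be denounced in this model.
        if denouncer != user and user not in self.maintainers:
            self.denouncements.setdefault(user, set()).add(denouncer)

    def apply_comment(self, author: str, body: str) -> bool:
        """Record a vouch/denounce command from an issue or discussion comment.
        Returns False for comments that are not commands."""
        m = COMMAND_RE.match(body.strip())
        if not m:
            return False
        verb, target = m.groups()
        (self.vouch if verb == "vouch" else self.denounce)(author, target)
        return True

    def _reachable(self, blocked: set[str]) -> set[str]:
        """Breadth-first walk from the maintainers along vouch edges.
        A vouch counts only if the voucher is already trusted; blocked
        accounts are neither admitted nor used as stepping stones."""
        trusted = set(self.maintainers)
        queue = deque(self.maintainers)
        while queue:
            voucher = queue.popleft()
            for user, vouchers in self.vouches.items():
                if user in trusted or user in blocked or voucher not in vouchers:
                    continue
                trusted.add(user)
                queue.append(user)
        return trusted

    def trusted_set(self) -> set[str]:
        """Fixpoint: repeatedly drop anyone denounced by a trusted account.
        The blocked set only grows, so the loop always terminates."""
        blocked: set[str] = set()
        while True:
            trusted = self._reachable(blocked)
            newly = {u for u in trusted if self.denouncements.get(u, set()) & trusted}
            if not newly:
                return trusted
            blocked |= newly

    def status(self, user: str) -> str:
        """'vouched' may contribute; 'denounced' is blocked; 'unvouched' may not."""
        trusted = self.trusted_set()
        if user in trusted:
            return "vouched"
        if self.denouncements.get(user, set()) & trusted:
            return "denounced"
        return "unvouched"


def demo() -> dict[str, str]:
    """Replay constructed sample comments and report each account's status."""
    reg = TrustRegistry(maintainers=frozenset({"maintainer"}))
    comments = [  # constructed sample data: (comment author, comment body)
        ("maintainer", "/vouch alice"),
        ("alice", "/vouch bob"),        # counts: alice is vouched by a maintainer
        ("mallory", "/vouch eve"),      # inert: mallory is unvouched
        ("bob", "/denounce carol"),     # bob is trusted, so carol is blocked
        ("carol", "/vouch dave"),       # inert: carol is denounced
        ("alice", "/vouch carol"),      # a vouch does not override a denouncement
        ("bob", "thanks for the patch"),
    ]
    for author, body in comments:
        reg.apply_comment(author, body)
    return {u: reg.status(u) for u in ["alice", "bob", "eve", "carol", "dave", "mallory"]}


if __name__ == "__main__":
    for user, state in demo().items():
        print(f"{user:10s} {state}")
```

The fixpoint in `trusted_set` is the part worth reading: a single pass would let a denouncement depend on the order accounts happened to be visited, whereas growing a blocked set and re-walking the graph gives one deterministic answer and guarantees that nobody keeps trust that was only ever derived through a denounced account.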
