FOSS in Times of War, Scarcity, and Adversarial AI

• by Petabite
open-sourcesecurityaipolitics

FOSS in Times of War, Scarcity, and Adversarial AI

Open source software was born from idealism: information wants to be free, collaboration over competition, standing on the shoulders of giants. In 2026, FOSS has become something more: infrastructure for resilience.

The Context

Three simultaneous pressures on software:

1. Geopolitical Fragmentation

Software supply chains are now battlegrounds:

  • U.S. restricts exports of AI chips to China
  • China mandates domestic alternatives to Western software
  • Russia develops parallel internet infrastructure
  • EU demands data sovereignty

Result: The global internet is Balkanizing.

2. Supply Chain Attacks

Security incidents in 2024-2025:

  • xz backdoor (almost compromised SSH on millions of servers)
  • SolarWinds (Russian APT, affected thousands of companies)
  • Log4Shell (still finding vulnerable instances)
  • NPM package typosquatting (constant problem)

Result: Trusting dependencies is risky.

3. AI-Powered Threats

New attack vectors:

  • AI-generated phishing (impossible to detect)
  • Automated vulnerability discovery
  • Deepfake social engineering
  • Code generation with hidden backdoors

Result: The threat model changed.

Why FOSS Matters Now

1. Auditability

When tensions are high, you need to know what your software does:

Closed source:

"Trust us, there's no backdoor"

Open source:

$ rg "send.*data.*to.*server" src/
# Verify for yourself

During the Kaspersky ban (2024), U.S. government needed alternatives for antivirus. They could only trust auditable code.

2. Independence from Vendors

What happens when:

  • Your software vendor gets sanctioned?
  • They go out of business?
  • They change pricing 10x overnight?
  • They’re forced to comply with a hostile government?

Closed source: You’re stuck.

Open source: Fork it, maintain it yourself.

3. Resilience to Disruption

Real scenario (Ukraine, 2022-2024):

  • Russian attacks on infrastructure
  • Need for offline-capable software
  • Can’t rely on cloud services
  • Need to self-host everything

Open source meant:

  • Deploy your own servers
  • No dependency on external vendors
  • No kill-switch held by others

4. Community Verification

The xz backdoor was caught by:

  • An open source maintainer (Andres Freund)
  • Noticing weird behavior during benchmarking
  • Digging into the source code

This ONLY works when source is available.

The Challenges

FOSS isn’t a panacea. New problems:

1. Maintainer Burnout

Most FOSS is maintained by individuals, for free:

  • curl: Daniel Stenberg (one person)
  • OpenSSL: ~3 full-time developers
  • xz: Lasse Collin (one person, targeted by attackers)

When a critical library is maintained by one person with no funding, that’s a single point of failure.

2. Supply Chain Complexity

Modern app dependencies:

$ npm list | wc -l
1,237 packages

$ cargo tree | wc -l
843 packages

You can audit YOUR code. Can you audit 1,237 packages?

3. Adversarial Contributions

The xz attack playbook:

  1. Become a trusted contributor
  2. Earn commit access over months/years
  3. Insert backdoor disguised as performance optimization
  4. Pressure maintainer to merge it

This is happening RIGHT NOW in other projects.

4. AI-Generated Code

// Copilot suggestion
function hashPassword(password) {
  // Looks innocent...
  const hash = crypto.createHash('md5').update(password).digest('hex');
  // But MD5 is broken!
  return hash;
}

AI doesn’t know security best practices. It generates plausible-looking but vulnerable code.

What We Need

1. Funding for Maintainers

Critical infrastructure should be funded:

  • Linux kernel: funded by Linux Foundation
  • OpenSSL: funded after Heartbleed
  • curl, xz, many others: still unfunded

Proposal: Tax on software companies funds FOSS they depend on.

2. Better Supply Chain Security

Tools that are emerging:

  • Sigstore: Cryptographic signing for OSS artifacts
  • SBOM: Software Bill of Materials (know your dependencies)
  • Scorecard: Automated security metrics for projects
  • Semgrep: Static analysis for vulnerabilities

But adoption is slow.

3. Community Resilience

We need:

  • More maintainers (not fewer)
  • Code review culture (especially for key projects)
  • Mentorship programs (to onboard new maintainers)
  • Incident response plans (for when attacks happen)

4. Forks and Redundancy

Critical projects should have active forks:

  • If main repo gets compromised, fork continues
  • If maintainer burns out, fork takes over
  • If project gets acquired, fork stays independent

Examples:

  • MariaDB (MySQL fork)
  • LibreOffice (OpenOffice fork)
  • Gitea (Gogs fork)

Practical Steps

What can you do?

As a User

# Verify signatures
gpg --verify package.sig package.tar.gz

# Use lock files
npm install --package-lock
cargo update --locked

# Audit dependencies
npm audit
cargo audit

# Pin versions
# Don't use `*` or `latest`

As a Developer

# Sign your commits
git config --global commit.gpgsign true

# Enable 2FA on package registries
npm profile enable-2fa

# Use SBOM generation
syft scan .

# Review dependencies regularly
dependabot, renovate, etc.

As a Company

  • Fund FOSS you depend on (GitHub Sponsors, Open Collective)
  • Hire maintainers (pay them to work on FOSS)
  • Contribute back (patches, docs, testing)
  • Run your own security audits (and share findings)

The Philosophical Question

Is FOSS inherently more secure?

Linus’s Law: “Given enough eyeballs, all bugs are shallow.”

Reality check: Heartbleed was in OpenSSL for 2 years. xz backdoor almost made it to production.

The truth: FOSS enables security, but doesn’t guarantee it.

You need:

  • Eyeballs (people reviewing code)
  • Expertise (knowing what to look for)
  • Time (security review is slow)
  • Funding (to pay for the above)

The Geopolitical Angle

In a fragmented world, FOSS becomes neutral ground:

  • Not controlled by any one government
  • Not subject to sanctions (code is speech)
  • Can be forked if politics interfere

Examples:

  • Linux Foundation: members from US, China, Russia, EU
  • Tor Project: Used by dissidents worldwide
  • Signal: Deployed in hostile regimes

FOSS is infrastructure that transcends borders.

The Adversarial AI Problem

AI changes the game:

Old threat model:

  • Human attacker finds vulnerability
  • Writes exploit
  • Limited scale

New threat model:

  • AI finds 1000 vulnerabilities
  • Generates 1000 exploits
  • Fully automated

Defense needs to scale similarly:

  • AI-powered code review
  • Automated security testing
  • Continuous monitoring

The Path Forward

FOSS in 2026 needs:

  1. Funding: Maintainers can’t work for free forever
  2. Security tooling: SBOM, signing, auditing
  3. Community resilience: More maintainers, better processes
  4. Independence: From vendors, platforms, governments

The alternative? Closed-source monocultures controlled by a handful of companies.

When things get bad—and they will—you want:

  • Code you can audit
  • Software you can fork
  • Infrastructure you control

My Conclusion

I run:

  • Linux (not Windows or macOS)
  • Firefox (not Chrome)
  • Signal (not WhatsApp)
  • Self-hosted services (not cloud when possible)

Not out of ideology. Out of pragmatism.

In uncertain times, FOSS is the bedrock.

Open source isn’t just an idealistic choice anymore. It’s a strategic one.