FOSS in times of war, scarcity, and AI
Michiel Leenaars, director of strategy at the NLnet Foundation, used his keynote at FOSDEM to sound warnings for the free and open-source software (FOSS) community; in particular, he talked about the threats posed by geopolitics, dangerous allies, and large language models (LLMs). His talk was a mix of observations and suggestions that pertain to FOSS in general and to Europe in particular as geopolitical tensions have mounted in recent months.
Leenaars began by saying that there is a lot of good open source out there, but it is not being used for good. The irony is that in trying to empower people to take control of their own computing destiny, the FOSS community has empowered the wrong people—those who would like to use software to control others. The ideals of global cooperation and reuse have enabled abuse as well.
So how did we get here? Leenaars referred back to the birth of the World Wide Web at CERN in Switzerland. The thinking was, "we should do things for the world, we should not have boundaries; let's see if we can share". Economies were booming, technology was advancing, money was being made, and parliamentary democracies were taking over. Everybody was in a positive, constructive mood. It was the "end of history", a political philosophy put forward by Francis Fukuyama in his book The End of History and the Last Man. The thesis of the book was that, with liberal democracy, humanity had reached its final form of government.
Leenaars's talk description had been shared on Hacker News well before FOSDEM; he noted that one of the comments said that it sounded like "the official obituary for the 90s techno-optimism many of us grew up on". He said that it is, in a sense.
As FOSS evolved, the community chose "dangerous allies" in the tech companies and future public cloud "hyperscalers". "We thought we could control that; it was not a realistic assumption." There was a darker narrative going on instead, he said; the US National Security Agency (NSA) was carrying out mass surveillance and spying on politicians in other countries, which came to light when Edward Snowden leaked documents that revealed the existence of those programs.
SCRAPS
Despite "this dark layer underneath", though, people, organizations, and governments in Europe were not upset enough to stop working with and trusting businesses in the US. Instead, Europe continued to depend on US tech companies, and to host its data in the public clouds anchored there. He said that Europeans felt like equals with the US, and that it was safe to trust "our friends and long-time allies" in building public clouds that it could rely on. "We can focus on our core business, and look at the total cost of ownership" instead of infrastructure.
That dependence, he said, "makes you incompetent, a victim of potential abuse". It's fine in the short term, but the pain comes afterward. If the entire European Union depends on external providers, and it does, it draws the short straw. "We don't have capacity. We are literally incompetent". CTOs were proud of "cloud-first" strategies; he proposed a different term, "strategic computer rental and anchoring to proprietary services" (SCRAPS).
Even SCRAPS are not guaranteed. Providers of cloud services can refuse to do business with an organization, or be compelled to do so. He referred to sanctions against the International Criminal Court that caused Microsoft to block the email account of the court's chief prosecutor. "We're now at the mercy of the same people who profit off of us, and they still hold the kill switch."
European people, Leenaars said, are now in panic mode and looking for government to keep society afloat. "We shouldn't have become so dependent, but that's about three decades too late". Still, many people inside governments are running toward the fire instead of away from it. He mentioned the Netherlands Ministry of Finance that has been working on a migration to Microsoft 365. The ministry has seen the whole situation, but it's put so much effort into it and has been "locked in to the same company for 50 years". A sort of Stockholm Syndrome has evolved, he said. But he agreed it has a problem with its current tools. "I filed a freedom of information request with them three months ago, and they have not been able to produce a single document". He thought it would be nice if the ministry had gained some situational awareness and would stop putting people in danger.
History did not end
The government's answer is, "let's get more European startups, lots of competitors", he said, but that is the wrong approach. "We don't need to breed more predators; we need mission-driven organizations, we need companies that are public stewards." He called for a pipeline from academia to engineering, to nonprofits and service companies that do not seek to be captive platforms. Simply having a public cloud that is owned by European businesses is not the answer if those businesses follow the same models as the US ones.
The world, Leenaars said, is in the worst shape that it's been in for decades. It turned out that history did not end after all. He talked about social media and described it as "95% FOSS and the rest is cognitive warfare". He had complaints not only about disinformation being spread online, but the short-form content that is popular today as well. Kids, he worried, were becoming dependent on short content that did not deal with complexity. "I don't fear World War III as much as I fear de-enlightenment and a subsequent second dark ages."
His next worry for FOSS was as a target for state actors in warfare. Countries are now targeting the enemy's software and devices as well as waging traditional warfare. He referenced the Lebanon electronic device attacks (dubbed "Operation Grim Beeper") carried out by Israel in September 2024; those attacks made use of pagers and two-way radios carried by Hezbollah members that had been compromised at some point in the supply chain. That had enabled Israel to eavesdrop on its targets' communications until it then detonated the devices on September 17 and 18.
He also discussed the backdooring of XZ in 2024: an attack that was conducted by "Jia Tan" after gaining trust with the original XZ maintainer over a long period of time. The average company has 25,000 software dependencies, he said, and any of them could be used to break in. There are millions of packages, and millions of people maintaining them; all of those maintainers and packages are potential weak spots. But if the new people coming in to help cannot be trusted, or if maintainers are too paranoid and chase contributors away, "we're also screwed".
Cavalry or Trojan Horse?
At this point, Leenaars said, we see horses on the horizon in the form of LLMs; is that the cavalry coming to the aid of FOSS or an army of next-generation Trojan Horses galloping through the gates of the village? The promise of LLMs is that they can take responsibility off of developers' hands, and allow organizations to focus on the core business. "That's a thing we've heard before. The product framing is super-good. Sounds so legit." He reminded the audience of the saying that there is no cloud, only other people's computers. In this context, though, he suggested: "there is no Claude, only other people's code."
Leenaars said that LLMs do a good job of some things, but claimed it was fundamentally impossible for them to do all the things they are expected to do. It is possible, he allowed, that LLM tools could do "a lot of the janitoring we can do that humans are really weary of doing". There are, after all, many boring tasks in software development humans might like to offload. He recommended that the audience be cautious about what machines are allowed to do. Keep security in mind, and keep LLMs contained; but even then, he said he was not convinced that there was a problem that needed solving by LLMs.
Instead, if FOSS has such a large attack surface in the form of so many libraries and dependencies, trying to reduce the attack surface makes more sense than adding LLMs into the mix. It also makes sense to try to reduce maintainer burnout. He called on "people in the military who are seeing huge budgets" to spend some of that money on talented programmers who could improve FOSS and reduce its attack surface. There are billions and billions of Euros that will be invested in Europe's defenses; some of that money should be spent on FOSS. "The FOSS ecosystem should not build stuff for weapons, but should get money from people who need to defend us. We are their defense, we are their infrastructure." Europeans should be telling politicians that they do not just need to support FOSS to enable digital sovereignty, but also for defense. With that, Leenaars wrapped up the talk, without any time for questions.
Overall the talk was a bit disjointed, and Leenaars presented few concrete suggestions for the audience. But the talk seemed to resonate with the packed main room, and he touched on topics that were prevalent at FOSDEM all weekend: wariness of the changing political picture in the US, distrust of AI/LLMs, as well as a desire to reduce dependence on US companies and services.
[Thanks to the Linux Foundation, LWN's travel sponsor, for funding my travel to Brussels to attend FOSDEM.]
| Index entries for this article | |
|---|---|
| Conference | FOSDEM/2026 |
