April 6, 2026

Issue #3: foundation handoffs, office-suite drama, and AI review pressure

This week: several projects moved into new foundation homes, office-suite fights spilled into public, security support looked shaky, and AI kept adding review work for maintainers.

This week in Open Source Funded, open source kept getting more formal structure at exactly the moment its human support systems looked shakier.

Several projects moved into foundation homes or foundation-run structures. But the rest of the week was rougher: office-suite communities fell into public licensing and governance fights, security funding paused in visible ways, maintainer succession remained fragile, and AI kept pushing more cost into review queues instead of removing it.

Projects joining a foundation

Per this issue’s editorial rules, this section also includes projects entering a foundation’s formal project structure.

That is a substantial foundation section for one issue. These moves are not all direct grants, but they still matter: foundation placement remains one of the clearest signals that projects are trying to solve for neutral governance, trademark control, and long-term stewardship.

Funding is arriving, but in many forms

The direct-money stories were easy to spot. Kestra raised $25 million. Coder raised $90 million. The Human Rights Foundation’s Bitcoin Development Fund announced support for 26 projects. Modular launched a grant program for community work on MAX and Mojo. And Anthropic’s Claude for Open Source program offered high-end tool credits to maintainers instead of cash.

Sources: Kestra raises $25M Series A to build the enterprise orchestration standard, Coder secures $90M investment to optimize development environments, HRF’s Bitcoin Development Fund Announces Support for 26 Projects Worldwide, Introducing the Modular Community Grant Program, Anthropic Offers Free Claude Max Access To Open Source Developers

The other support stories mattered because they were not plain venture funding. The Rust Foundation’s Innovation Lab gave rustls a fully funded stewardship vehicle. Bloomberg, CNCF, and OpenTelemetry are testing a contributor pipeline through a mentorship cohort. RISE is subsidizing RISC-V CI by offering free GitHub runners on real hardware. And at the policy level, talk of a European sovereign tech fund plus Germany’s move toward open standards and open source in government both point toward public institutions treating open infrastructure as something worth paying for.

Smaller institutional signals kept landing too: HeroDevs joined the .NET Foundation, SEARCH became a NIEMOpen sponsor, Framework became a KDE Patron, Collate joined the Linux Foundation to support OpenMetadata, and Monado kept gaining backing as shared XR infrastructure.

Sources: What’s Next for the Rust Innovation Lab?, Sustaining OpenTelemetry: Moving from dependency management to stewardship, RISE Launches RISC-V GitHub Runners, Providing CI and Build Services Free to Open Source Projects, Europe could get a sovereign tech fund, Germany embraces open source as government standard, HeroDevs Joins The .NET Foundation to Secure and Grow the Open Source Ecosystem, SEARCH becomes a NIEMOpen sponsor, Framework becomes a KDE Patron helping to fund open source, Collate Joins the Linux Foundation to Advance OpenMetadata, XR Vendors Rally Around Open Source Monado Runtime

Governance and vendor neutrality still matter

A quieter but important theme across this issue is that being open source is not the same thing as being well-governed.

Eclipse SDV’s response to Google’s Android Automotive push made that point directly by asking whether the effort will actually behave like shared infrastructure or remain effectively vendor-led. KubeVirt’s approach toward CNCF graduation is the more positive version of the same story: maturity ladders still matter because they are one of the few visible ways to signal durable, multi-party backing. FINOS tightening its lifecycle definitions fits the same pattern.

The deeper question is who controls critical infrastructure after the announcement cycle ends. RedMonk’s two-year look at Valkey is a useful reminder that relicensing stories do not end when the fork happens. PyTorch Foundation leadership is now making the case that neutral stewardship is what keeps hardware vendors interoperable. And Reuters’ reporting on Nvidia’s SchedMD acquisition shows why that governance question stays live long after software becomes industry-critical.

Sources: Google’s AAOS SDV: Open source and the open question of governance, Kubernetes virtualization approaches CNCF graduation, Updated FINOS Project Lifecycle: Providing clear guidance at every level of maturity, Two Years of Valkey, Every GPU has to work with PyTorch to reach the market - so who’s making sure it stays open?, Nvidia acquisition of SchedMD sparks worry among AI specialists about software access

Office suites made the week’s licensing drama impossible to ignore

The loudest licensing and governance story of the week was the Euro-Office / ONLYOFFICE blow-up. What began as Nextcloud and IONOS launching a European fork for sovereign deployments quickly turned into a broader dispute over branding, partnership boundaries, trust, and alleged licensing violations. That escalation matters because it shows, again, that “open source” does not remove conflict around control, distribution, or commercial positioning.

At the same time, LibreOffice and The Document Foundation had their own public turbulence. LWN covered the governance conflict, The Document Foundation published a response, and OSNews framed the LibreOffice and Euro-Office disputes together as a broader office-suite governance crisis.

Smaller licensing notes reinforced the same point. Final Fight MD is going open source after criticism over how the fan project was being funded. Facepunch’s new Valve license lets s&box creators ship standalone Steam releases. And one widely shared explainer reminded readers that Microsoft’s official VS Code binaries are not the same thing as the MIT-licensed source tree.

Sources: Nextcloud And Ionos Launch Open Source Euro-Office To Challenge Microsoft, ONLYOFFICE Gets Forked as “Made in Europe”, Sparks Licensing and Trust Debate, ONLYOFFICE suspends Nextcloud partnership for forking its project without permission, OnlyOffice Pulls 8-Year Partnership with Nextcloud Over Euro-Office Licensing Violations, Turbulence at the Documentation Foundation, LibreOffice – Let’s put an end to the speculation, Open source office suites erupt in forking and licensing drama, “My Way Of Giving Back” - Final Fight MD Is Going Open-Source, Facepunch signed a license with Valve to allow standalone releases from s&box, VS Code’s open source claim is misleading — here’s the truly open source version

Security funding looked shakier just as maintainer risk kept rising

The most concrete sustainability warning in this week’s set is the Node.js security bug bounty pause. Node.js said the program is stopping because external funding from the Internet Bug Bounty program ended. Then the Internet Bug Bounty program itself paused submissions and payouts, saying AI-assisted research is expanding discovery faster than remediation can keep up. That is a bad combination: more reported issues, more automation, and less money to absorb the work.

The rest of the week made the pressure feel immediate. Attackers reportedly used AI deepfakes in a campaign that briefly compromised axios, and later reporting suggested the social-engineering campaign had been underway for weeks. Ruby Central’s report on the earlier RubyGems repository takeover also reopened the governance question around who controls critical package infrastructure when trust breaks down.

The human-side commentary got blunter too. Martin Wimpress said it is time to hand Ubuntu MATE to new maintainers. Booklore became another single-maintainer cautionary tale. And several essays converged on the same complaint: maintainers want cash more than they want additional AI tooling, sustainable growth is still hard, and underfunding keeps turning into both security risk and business opportunity for firms selling support.

Sources: Node.js Security Bug Bounty Program Paused Due to Loss of Funding, Node.js Drops Bug Bounty Rewards After Funding Dries Up, Internet Bug Bounty Pauses Payouts, Citing ‘Expanding Discovery’ From AI-Assisted Research, Internet Bug Bounty Program Pauses Payouts, Top NPM Maintainers Targeted with AI Deepfakes in Massive Supply-Chain Attack, Axios Briefly Compromised, North Korea’s hijack of one of the web’s most used open source projects was likely weeks in the making, Ruby Central report reopens wounds over RubyGems repo takeover, Martin Wimpress Wants Out at Ubuntu MATE, Single-maintainer open source is a ticking time bomb, and Booklore just detonated, Why Sustainable Growth Is One of the Hardest Challenges for Open-Source Platforms, The Million Dollar Question: What Do Open Source Maintainers Actually Want?, Open-Source Funding Strains Highlight Potential Market for HeroDevs, The Supply Chain Attack Playbook: Why Package Ecosystems Keep Getting Compromised

AI kept moving from policy debate into workflow friction

The Copilot pull-request ads episode is still the cleanest example of how AI controversy in open source has become operational rather than theoretical. Reports said Copilot-generated pull request text was injecting promotional copy into PR workflows. Then GitHub backed down after backlash. Microsoft later said the behavior was a bug rather than an ad campaign. Whatever the intent, the practical effect was the same: maintainers got another example of AI product behavior spilling into ordinary collaboration surfaces.

The Claude Code leak took the same theme in a more alarming direction. The reporting trail now includes the original leak story, privacy concerns about what the tool can collect, overbroad DMCA takedowns hitting legitimate forks, claims that the leaked code exposed a mode for stealth AI contributions, and broader discussion of Anthropic’s cleanup effort. That is a dense cluster of problems: security, transparency, contribution policy, and platform power all at once.

The broader debate is now less about whether AI can generate code and more about what it does to review queues. Several pieces argued that AI can clone the behavior of open source software fast enough to weaken traditional copyright leverage. Others argued that projects need explicit AI-era contribution rules because the real costs show up as process shock, hidden review tax, low-quality patch volume, smarter-but-more-expensive security reports, and harder disclosure questions. Mesa responded by banning autonomous submissions and requiring disclosure of AI assistance. Heise’s analysis of the Node.js debate and ZDNET’s more optimistic take both land on the same point: the tooling is improving, which means governance has to get tighter rather than looser.

Not every AI-adjacent story was defensive. The Linux Foundation launched the Agentic AI Foundation, and Microsoft released an open-source Agent Governance Toolkit. Even there, though, the trend is the same: the ecosystem is trying to turn agent governance into shared infrastructure rather than one vendor’s private policy.

Sources: “Over 1.5 million GitHub PRs have had ads injected into them by Copilot”, Microsoft Copilot Is Now Injecting Ads Into Pull Requests On GitHub, GitHub backs down, kills Copilot pull-request ads after backlash, Microsoft says Copilot ad in GitHub pull request was a bug, not an advertisement, Claude’s code: Anthropic leaks source code for AI software engineering tool, Claude Code source leak reveals how much info Anthropic can hoover up about you and your system, Anthropic says its leak-focused DMCA effort unintentionally hit legit GitHub forks, Claude Code Leak Reveals a ‘Stealth’ Mode for GenAI Code Contributions, Anthropic’s Mess from Claude Code Source Leak, This AI open-source cloning software shows the gaping hole in code copyright, AI Can Clone Open-Source Software In Minutes, Can Agentic AI Coding Tools Finally End Copyright For Software While Re-Inventing Open Source?, How open source projects need to adapt to the AI coding era, When AI Breaks the Systems Meant to Hear Us, There’s a hidden tax on every AI-generated merge request, Enterprise hits and misses - agentic AI project failure versus success, open source versus AI, and the perils of disconnected CX, AI slop got better, so now maintainers have more work, Analysis: Should AI implement core features in critical software?, Mesa Developers Decide On Two Gen AI Policies For Development Moving Forward, How AI has suddenly become much more useful to open-source developers, Vulnerability Research Is Cooked (sockpuppet.org), Agentic AI Foundation Announces Global 2026 Events Program, Microsoft’s Newest Open-Source Project: Runtime Security For AI Agents

Three takeaways from issue #3

  1. Foundation placement is still one of the clearest governance signals in open source. SQLMesh, HPX, Velero, OSS-CRS, and x402 all fit that pattern.
  2. Support is arriving, but unevenly. This week had venture rounds, grants, tool credits, public-policy momentum, and free infrastructure offers — while security bounty money dried up in parallel.
  3. AI’s real cost keeps landing in human review systems. The core issues are no longer just models or licenses. They are pull requests, disclosure rules, takedown overreach, maintainer workload, and who gets to set the policy.

Jobs

We re-checked every URL in jobs.yaml before publishing. The listings below all still resolved to live job or application pages at publication time.

Foundations and core infrastructure

  • The Linux Foundation — Customer Support Specialist (link) — Remote (Philippines-based). Posted 2026-03-21.
  • Mozilla — Senior Data Engineer (link) — Remote US. Posted 2026-03-30.
  • The Linux Foundation — Associate Program Manager (link) — Remote (US). Posted 2026-02-19.
  • Eclipse Foundation — Software Developer (link) — Remote. Posted 2026-01-27. Deadline 2026-04-27.
  • Eclipse Foundation — Security Software Engineer (link) — Remote. Posted 2026-01-16. Deadline 2026-04-16.
  • Free Software Foundation — Engineering and Certification Manager (link) — Remote (US preferred). Posted 2026-03-10. Deadline 2026-04-17.
  • Wikimedia Foundation — Senior Site Reliability Engineer (link) — Remote. Posted 2026-03-18.
  • Wikimedia Foundation — Senior Software Engineer (Security & Privacy) (link) — Remote. Posted 2026-01-26.
  • The Linux Foundation — Marketing Communications Manager II (link) — Remote (US). Posted 2026-01-30.
  • Thunderbird / MZLA — Release Engineer (link) — Remote. Posted 2026-03-03.
  • Wikimedia Foundation — Engineering Manager, Wikidata Platform (link) — Remote. Posted 2026-01-21.
  • The Linux Foundation — Technical Trainer I (link) — Remote (US). Posted 2026-02-13.
  • Mozilla — Engineering Manager, Firefox Desktop OMC (link) — Remote. Posted 2026-03-27.
  • Eclipse Foundation — Performance Engineer / Performance Analyst (link) — Remote.
  • Thunderbird / MZLA — Senior Full-Stack Engineer, Email Systems (link) — Remote. Posted 2026-02-24.
  • Mozilla — Senior Software Engineer (Localization) (link) — Remote. Posted 2026-03-24.
  • Thunderbird / MZLA — Staff Mobile Engineer, iOS (link) — Remote. Posted 2026-02-10.
  • Mozilla — Staff Software Engineer, Add-on Operations (link) — Remote. Posted 2026-02-09.
  • Mozilla — Staff Security Engineer (link) — Remote. Posted 2026-03-04.
  • The Linux Foundation — Sales Development Representative I (link) — Remote (Philippines). Posted 2026-02-11.
  • Mozilla — Senior Localization Technical Program Manager (link) — Remote US. Posted 2026-04-06.
  • Wikimedia Foundation — Staff Software Engineer (link) — Remote (UTC-3 to UTC+3). Posted 2026-01-16.
  • Mozilla — Senior Product Manager, Media, Graphics & OS Integrations (link) — Remote Canada; Remote US. Posted 2026-04-06.
  • Tor Project — Senior Android Engineer / Mobile Team Lead (link) — Remote. Deadline 2026-04-10.
  • Thunderbird / MZLA — Staff Engineer, Front End (Desktop) (link) — Remote. Posted 2026-02-11.
  • Wikimedia Deutschland — Director of Engineering (all genders) (link) — Berlin (hybrid).

Community and developer relations

  • Astronomer — Senior Developer Advocate (link) — Remote. Posted 2026-03-27.
  • Mistral AI — AI Developer Advocate (link) — Remote (US/EU). Posted 2026-02-10.
  • LiveKit — Staff Developer Advocate – Community & Events (link) — Remote (Bay Area preferred). Posted 2026-03-28.
  • LiveKit — Developer Advocate (link) — Remote. Posted 2026-03-28.
  • Mozilla — Social Media & Content Strategist (Open-Source AI) (link) — Remote US. Posted 2026-03-25.
  • Mozilla — Community Manager (Open-Source AI) (link) — Remote US. Posted 2026-03-25.
  • Mozilla — 0to1 Engineer (link) — Remote US. Posted 2026-03-25.
  • Metabase — Global Community Events Manager (link) — Remote-US. Posted 2025-12-30.
  • ClickHouse — Developer/Community Advocate- AMER (Remote) (link) — United States. Posted 2026-03-03.
  • Dagster Labs — Video Content Marketer (link) — Remote (US). Posted 2026-03-18.
  • The Linux Foundation — Staff Technical Community Architect, FOCUS (link) — Remote (US). Posted 2026-03-31.
  • The Linux Foundation — Ecosystem Lead, P4 (Contractor) (link) — Remote. Posted 2026-02-02.
  • Grafana Labs — Staff Developer Advocacy Engineer | US | Remote (link) — United States (Remote). Posted 2026-03-13.
  • Wikimedia Foundation — Media Partnerships Lead (link) — Remote. Posted 2026-03-04.
  • ClickHouse — Senior Developer Relations Advocate - EMEA (link) — London / Berlin / Amsterdam. Posted 2026-01-21.
  • Grafana Labs — Senior Developer Advocacy Engineer | UK | Remote (link) — United Kingdom (Remote). Posted 2026-04-06.

OSPO and public-sector open source

  • United Nations Development Programme — Project Manager - Open-Source Programme Office (OSPO) (link) — Port of Spain, Trinidad and Tobago. Posted 2026-03-26. Deadline 2026-04-08.
  • Datadog — Open Source Program Developer (link) — Remote (US). Posted 2026-03-20. Deadline 2026-04-19.
  • Workday — Senior Principal Open Source Architect (link) — Pleasanton, CA. Posted 2026-03-28. Deadline 2026-05-14.
  • United Nations Development Programme — Technical Analyst (OSPO) [Open to internal and external applicants] (link) — Port of Spain, Trinidad and Tobago. Posted 2026-04-06. Deadline 2026-04-21.

Sustainability and commercial open source

  • Sovereign Tech Agency — Executive Assistant (link) — Berlin (hybrid). Posted 2026-03-31.
  • Dagster Labs — Software Engineer - Enterprise Readiness (link) — Remote (US). Posted 2026-01-27.
  • Dagster Labs — Customer Success Manager (link) — Remote (US). Posted 2026-03-23.
  • Sovereign Tech Agency — HR Generalist (link) — Berlin (hybrid). Posted 2026-04-01.
  • Sovereign Tech Agency — Program Manager - Sovereign Tech Fund (link) — Berlin / remote-friendly. Posted 2024-02-18. Deadline 2026-04-19.
  • Eclipse Foundation — Product Manager - Growth (link) — Remote. Posted 2026-01-20. Deadline 2026-04-20.
  • Wikimedia Foundation — Software Engineer III, Fundraising Tech (link) — Remote. Posted 2026-03-19.
  • Dagster Labs — Software Engineer - Full-Stack Product Development (link) — Remote (US). Posted 2026-03-26.
  • Freexian — Senior Sales & Business Development Manager (link) — Remote. Posted 2026-02-27.
  • Wikimedia Foundation — Lead Recurring Giving Specialist (link) — Remote. Posted 2026-03-25.
  • Wikimedia Foundation — Senior Analyst, Fundraising Data & Analytics (Contract) (link) — Remote. Posted 2026-03-19.
  • Eclipse Foundation — Sales Manager, Commercial Offerings (link) — Remote (Europe or Canada preferred).
  • ClickHouse — Frontend Engineer - HyperDX (link) — United States (remote). Posted 2026-03-25.
  • Grafana Labs — Senior Software Engineer - Observability Knowledge Graph Backend (link) — United States (Remote). Posted 2026-03-30.
  • ClickHouse — Release Engineer - Data Plane (link) — EU (Remote). Posted 2026-02-26.
  • Data Bene — PostgreSQL Support Engineer (link) — Worldwide/Remote.
  • GitLab — Engineering Manager, SSCS: AI Governance (link) — Remote, India. Posted 2026-03-27.
  • ClickHouse — Senior Software Engineer (Infrastructure) - HyperDX (link) — United States. Posted 2026-03-04.
  • GitLab — Staff Backend Engineer (Go), Software Supply Chain Security: Secrets Management (link) — Remote (Canada/Ireland/Israel/Netherlands/UK/US). Posted 2026-03-04.
  • GitLab — Engineering Manager, SSCS: Supply Chain (link) — Remote, India. Posted 2026-03-27.
  • GitLab — Intermediate Backend Engineer, SSCS: AI Governance (link) — Remote, India. Posted 2026-04-06.
  • ClickHouse — Senior Backend Engineer - HyperDX (link) — United States (remote). Posted 2026-04-02.
  • Brno University of Technology / NGI Zero — NGI0 Regional Representative (“widening area”) (link) — Remote. Deadline 2026-06-01.
  • Airbnb — Associate Counsel, IP & Open Source (link) — Remote (US). Posted 2026-03-30.
  • GitLab — Legal Counsel, Product (link) — Remote (Canada/US). Posted 2026-02-13.
  • ClickHouse — Senior Counsel, Commercial - AMER (PST) (link) — United States (Remote). Posted 2026-01-08.
  • Grafana Labs — Senior Commercial Counsel | United States | Remote (link) — United States (Remote). Posted 2026-03-25.
  • GitLab — Legal Counsel, Commercial (link) — Remote (Canada/US). Posted 2026-02-23.
