April 20, 2026
Issue #5: foundation moves, private turns, and sharper AI rules
This week: O-RAN moved under LF Networking, ClearlyDefined got a three-year sustainability roadmap, Cal.com went private, the OnlyOffice AGPL dispute escalated, and Linux plus SDL drew firmer lines around AI-assisted code.
This week in Open Source Funded, the pattern was consolidation under pressure.
One project moved into a new foundation home. Another got a more explicit operating plan for long-term survival. A high-profile startup decided openness had become too risky and took its core product private. And on the AI side, projects kept tightening the line between tool use and human responsibility, with some communities allowing assisted work and others banning machine-generated contributions outright.
Projects joining a foundation
- O-RAN Software Community became a formal project under LF Networking — LF Networking Welcomes O-RAN Software Community as Formal Project, Deepening Open RAN Ecosystem Collaboration
It was the only clear project-to-foundation move in this week’s links, but it fits a familiar pattern: when shared infrastructure becomes important enough, projects often look for a more formal governance home.
Sustainability still looks like stewardship and monetization discipline
The week’s clearest sustainability story was ClearlyDefined. The Open Source Initiative said AboutCode will take on day-to-day operations under a three-year roadmap focused on reducing infrastructure costs, paying down technical debt, and building sponsor support.
That is the unglamorous side of sustainability, but it is often the decisive one. Many ecosystem projects do not fail because they are unimportant. They fail because nobody has a durable operating arrangement for the boring work.
A separate essay made the same point more bluntly, arguing that maintainers should stop assuming adoption or goodwill will turn into income on its own. Not every project should become a company, but the piece is a useful reminder that open source value and open source revenue are still very different things.
Sources: ClearlyDefined: A Three-Year Roadmap for Sustainability and Growth, Nobody Wants Your Open Source Project. Build Something People Pay For.
Foundation structures kept attracting institutional support
Not every governance signal is a project migration. TD Bank Group joined FINOS as a Platinum Member, which gives the bank a stronger role inside one of the most visible finance-focused open source foundations.
That is a membership story rather than a project-hosting story, but it still matters. Large institutions continue to treat foundation structures as places to coordinate shared tooling, policy, and industry alignment.
Cal.com made the week’s biggest proprietary turn
The sharpest commercialization story was Cal.com’s decision to take its core scheduling codebase private.
The company’s argument was not the usual one about cloud capture or copycat competition alone. Instead, it said AI-assisted attack capability had changed the security tradeoffs around publishing its source code openly. That makes the move especially notable: the justification was framed as a security response, but the result was still a retreat from open source.
Whether other companies follow that logic is still unclear. But if AI-driven offensive tooling keeps becoming a standard explanation for closing code, this will not be the last such story.
Sources: Cal.com goes private: A security reckoning for open source, ‘Like handing out the blueprint to a bank vault’: Why AI led one company to abandon open source
The OnlyOffice dispute turned into a sharper AGPL fight
The week’s clearest licensing conflict centered on OnlyOffice, Nextcloud, and the reach of AGPLv3 additional terms.
First, LWN reported that the FSF considers the extra restrictions at issue to be incompatible with the AGPL. Then the Software Freedom Conservancy pushed the point further, arguing that recipients can strip those incompatible terms rather than carry them forward.
That matters beyond this one dispute. It is a reminder that companies cannot simply layer extra controls on top of copyleft software and assume the result will hold. When monetization pressure runs into license boundaries, the argument quickly stops being theoretical.
Sources: FSF clarifies its stance on AGPLv3 additional terms, AGPLv3§7¶4 Empowers Users to Thwart Badgeware
AI contribution policy kept getting stricter
The Linux kernel and SDL landed on different operational policies, but both stories pointed in the same direction: AI tooling does not remove maintainer burden.
Kernel guidance kept the rule straightforward. AI-assisted contributions may be allowed, but humans remain responsible for review, attribution, licensing, and the final patch. SDL took the harder line and adopted a policy forbidding LLM-generated code contributions altogether.
Those are different choices, but they come from the same pressure. Projects are trying to manage provenance risk, review cost, and the possibility that machine-generated patches look plausible while still pushing hidden work onto maintainers.
Sources: New Linux Kernel Rules Put The Onus On Humans For AI Tool Usage, SDL Adds Policy To Forbid LLM/AI Generated Code Contributions
Security pressure around open source kept rising
Two more links captured the wider operating environment around open source software.
Sonatype’s latest malware index said attackers are getting better at abusing trusted packages, workflows, and dependencies. Meanwhile, Open Source For You argued that newer AI capabilities are increasing the pressure on public codebases and widely used libraries by making vulnerability discovery and chaining easier.
The exact claims will vary by source, but the broad direction is familiar: open source projects are carrying more security load, and that load is becoming more expensive to manage.
Sources: Q1 2026 Open Source Malware Index: Adaptive Attacks, Familiar Weaknesses, Anthropic’s Silent AI Shift Deepens Open Source Security Fears
Three takeaways from issue #5
- Foundation homes still matter. O-RAN’s move under LF Networking shows that formal governance structures remain a standard way to signal durability.
- Sustainability pressure is still splitting projects in different directions. ClearlyDefined got a longer operating runway, while Cal.com decided the answer was to close up.
- AI keeps increasing policy work rather than eliminating it. Linux kept humans accountable, SDL banned generated code, and security pressure continued to rise around public software ecosystems.
Jobs
Foundations and core infrastructure
- Mozilla Foundation — Product Director, Common Voice (12 month Fixed-Term) — Remote Canada; Remote Germany; Remote UK; Remote US. Posted 2026-04-13.
Sustainability and commercial open source
- GitLab — Staff Backend Engineer, AST: Composition Analysis — Remote (Australia/Canada/India/Ireland/Israel/Japan/Netherlands/New Zealand/UK/US). Posted 2026-04-15.
- Mozilla — Staff Product Manager, Search & Monetization — Remote US. Posted 2026-04-13.
Legal and licensing
- The Hartford — Senior Analyst, Open Source Software (OSS) Compliance — Remote US. Posted 2026-04-14.
References
- Nobody Wants Your Open Source Project. Build Something People Pay For.
- ClearlyDefined: A Three-Year Roadmap for Sustainability and Growth
- TD Joins FINOS as Platinum Member to Accelerate Open Orchestration and AI Governance in Financial Services
- New Linux Kernel Rules Put The Onus On Humans For AI Tool Usage
- Anthropic’s Silent AI Shift Deepens Open Source Security Fears
- Q1 2026 Open Source Malware Index: Adaptive Attacks, Familiar Weaknesses
- FSF clarifies its stance on AGPLv3 additional terms
- Cal.com goes private: A security reckoning for open source
- ‘Like handing out the blueprint to a bank vault’: Why AI led one company to abandon open source
- AGPLv3§7¶4 Empowers Users to Thwart Badgeware
- SDL Adds Policy To Forbid LLM/AI Generated Code Contributions
- LF Networking Welcomes O-RAN Software Community as Formal Project, Deepening Open RAN Ecosystem Collaboration