On May 11th Daniel Stenberg, lead developer of cURL wrote in his blog about his encounter with Linux Foundation people offering Claude Mythos access. This is the person who had complained last year about the sharp increase of "slop" generated bug reports exhausting maintainers.
Mythos finds a curl vulnerability by Daniel Stenberg https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-vulnerability/ The section after the introduction is titled "My (non-)access". As I wrote in a previous message, Linux Foundation faces a dilemma: I believe Jim Zemlin's plan to make Claude available to a large number of "open source" developers is at odds with the desires of Project Glasswing member firms. Glasswing is promoted as a small and tight group while Zemlin calls for throwing the gates wide open. Apparently the Linux Foundation made a compromise. They decided that they could not give "open source" developers direct access to Claude Mythos. They let someone else conduct the actual examination and sent Daniel Stenberg the results. Five issues were reported. Stenberg identifies two bugs. One affects security, but he does not consider it severe. We don't know what would have happened had the inspection turned up no defects. Would they have sent a report explicitly stating that the slate was clean, or not? Will the Linux Foundation produce a summary of its findings at some point? Death by a Thousand Slops https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-slops/ Alpha Omega (Linux Foundation project, handles security issues) https://openssf.org/community/alpha-omega/ --- Nowadays Anthropic's Claude Mythos is discussed quite frequently in the mainstream media. Politicians and finance heads see it as a genuine threat and are ordering strengthening of defenses. Responding to a request by by the Japanese government, Anthropic will allow the three largest Japanese banks access to Mythos. Developers who actually deal with security issues generally see the media attention overblown. Daniel Stenberg takes this position. However I would like to point out that it may well be that Mythos found few problems in cURL because few existed. cURL is well maintained. On the other end of the spectrum there likely exist programs with scores or even hundreds of problems. They may be owned and maintained by for-profit firms which are reluctant to disclose information about shortcomings fearing damage to reputation. So it may be true that Claude Mythos discovered thousands of serious vulnerabilities. _______________________________________________ libreplanet-discuss mailing list [email protected] https://lists.libreplanet.org/mailman/listinfo/libreplanet-discuss
