Ladybird Closes Public Pull Requests
Ladybird, the open-source browser project, announced today that it will no longer accept public pull requests. Code changes will only be introduced by project maintainers. The decision is driven by the need for a tighter development process and clearer security model as the project works toward its first alpha release.
According to the announcement, "AI tools have changed the economics of this very quickly." The team noted that a substantial patch no longer implies substantial effort or good faith, as AI can produce work that looks like a serious contribution at a fraction of the cost. For a browser that "runs untrusted input from the entire internet on the user's machine," a single well-disguised vulnerability is enough for an attacker.
Open Source Trust Model Broken by AI
The traditional open-source model relies on trust earned through contributions. People show up, do the work, take responsibility, and stick around. But the Ladybird team argues that AI has eroded this proxy. "We have already seen patient, well-resourced campaigns in open source to earn maintainer trust and abuse it," the announcement states. The difference now is how much faster and cheaper it has become to produce contributions that look genuine.
"What matters is who is responsible for it once it enters the browser," the team wrote. "Ladybird is becoming a browser for real users. The people introducing changes to it must be the people who decide those changes belong in the project, and who will answer for the consequences."
All Open PRs Closed, No Shadow Contribution System
As part of the change, all currently open public pull requests will be closed. The team acknowledges the work put into them but says keeping the queue open would "keep that contribution path open in practice." There will be no separate process for submitting patches via email, issues, or forks. "We do not want to create a shadow contribution system," they wrote.
Ladybird remains open source. The source code will continue to be publicly available under an open-source license. Outside involvement still matters through bug reports, reductions, website testing, standards discussion, design discussion, security reports, and technical feedback.
Implications for the Browser Development Community
This move is unprecedented for a major open-source browser project. It signals that AI-generated code is forcing maintainers to reconsider contribution models. Other projects may follow suit, especially those with high security requirements.
Developers who contributed to Ladybird in the past can no longer submit code directly. However, they can still participate in non-code ways. The project is preparing to ship a browser to real users, and the development process must match that responsibility.
The decision is final. "There is no perfect time to make this change, so we are making it now," the team concluded.
What This Means for Open Source
Ladybird's move challenges the fundamental assumption that open-source projects benefit from broad contribution pipelines. The team explicitly states that external code can exist under the license, but they will not treat forks or patch dumps as a review queue. This could lead to a bifurcation where security-critical projects become more closed, while others remain open.
The announcement has already sparked discussion on Hacker News (19 points, 5 comments). The community is divided. Some agree that AI-generated contributions require new trust models. Others worry about the loss of community involvement.
Conclusion
Ladybird is closing its public pull request system immediately. If you want to contribute, focus on bug reports, testing, and standards discussions. Code contributions are now restricted to maintainers. The project's alpha release is the priority, and security is the reason.
Check the project's GitHub for updated contribution guidelines. The open-source license remains in effect, but the development process has changed permanently.