The Geomys Standard of Care

Open Source Goes Pro: Geomys’ Care Standard ignites a bot war

TLDR: Geomys published a professional “Standard of Care” to keep open‑source projects stable and secure, including saying no to auto‑update bots. The community split: security folks cheer the human-first approach, while others argue skipping bots risks stale, vulnerable code—sparking a lively “humans vs bots” debate.

Security celeb Filippo Valsorda just dropped the Geomys “Standard of Care”—a grown‑up rulebook for maintaining popular open‑source crypto tools—and the comments turned into reality TV. Supporters love the move toward professional maintenance: strict compatibility, real code review (even for AI‑generated submissions), and a firm “no” to feature bloat. But the spicy part? Geomys swears off auto‑update bots like Dependabot, arguing they create churn and supply chain risks. Cue the split: one camp cheers “humans over bots,” the other screams “update or die.”

Non‑tech summary: they want maintainers to act like pros, lock down accounts, keep things stable, and avoid risky automatic upgrades. They’ll beef up CI (continuous integration—think robot assistants that check your code) and peek at OAuth apps (permissions you grant to other sites). The email survey even got flagged as phishing, which the crowd turned into a meme: “Security so strong it scares email filters.” Fans call this a blueprint for safer software; critics call it gatekeeping and fear projects will lag behind fixes. The jokes landed fast: “No‑Bot November,” “Dominikh is the hall monitor,” and “The package repo now has a bouncer.” Whether you’re pro‑bot or pro‑human, the drama is delicious, and the stakes—your software’s safety—are real. Read the draft at geomys.org/standard-of-care and the backstory at words.filippo.io/geomys.

Key Points

  • Geomys published a draft Standard of Care to professionalize open-source maintenance and improve security and reliability.
  • The standard was informed by a survey of recent supply-chain compromises and input from CI security experts and Geomys maintainers.
  • Scope covers specific Go-related projects (crypto/..., golang.org/x/crypto/..., filippo.io/{bigmod,nistec,mlkem768,hpke}); personal projects may be excluded.
  • Practices include thorough code review (including LLM-generated code), static analysis with staticcheck in CI, strict v1 compatibility, and responsive maintenance.
  • Geomys avoids automated dependency bump tools like Dependabot due to security risks, citing impersonation concerns reported by Synacktiv, and plans future audits and binary transparency efforts.

Hottest takes

“If your house keeps catching fire, maybe stop auto‑installing new matches” — patchQueen
“‘No Dependabot’ is how you end up shipping old bugs forever” — UpdateOrDie
“Professional open source? Great—just don’t turn maintainers into airport security” — gofer_real

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.