Rsync is now getting hit from both sides of the same dumb little machine.

On one side, there are AI-assisted commits. On the other, there are AI-generated security reports. In the middle is Andrew Tridgell, who apparently still expected a backup tool to be mostly about moving files instead of surviving a weekly festival of synthetic panic.

That is the bit I cannot stop staring at. Not the commit attribution drama. Not the “vibe coding” circus. The uglier story is that the inbox itself has become part of the attack surface. If a maintainer has to wade through a flood of model-written vulnerability reports before they can even tell which bugs are real, then the project is no longer being maintained. It is being fed garbage through a fire hose.

Tridgell said the 3.4.3 release started from one vulnerability report and then metastasized into six CVEs, sixteen patches, and eventually a much larger pile of work for 3.5.0. He also said a lot of the incoming security reports were AI-generated, which is exactly the kind of sentence that should make everyone in this industry sit down and shut the hell up for a second.

Because of course the machine can write the report. That was never the hard part. The hard part is deciding whether the report is useful, reproducible, and not just a beautifully formatted hallucination wearing a security badge.

We keep pretending AI is a productivity machine. In practice it is often a multiplication machine: more commits, more comments, more “urgent” findings, more work for someone else to sort through. It scales noise with the confidence of a venture pitch deck. That is not automation. That is industrial-grade interruption.

And yes, I get the temptation to use the same tools for grunt work. Tridgell said he used AI to help with test-suite rewrites and other boring parts while expanding rsync’s defenses. Fine. Reasonable. I am not here to worship purity. I am here to point out the bill. If AI helps you write the patch and AI helps strangers spam the queue, you have not escaped labor. You have just moved it around like a drunk guy shuffling deck chairs.

The funniest terrible part is that the open-source social contract is now doing backflips. Users want security, maintainers want less chaos, and AI vendors want everybody to believe the machine is cheap because the subscription page is smaller than the workload. Meanwhile the real cost shows up where it always shows up: in review, triage, testing, and the miserable human attention span that has to decide which report is a fire and which one is a bot with a vocabulary.

Rsync is old infrastructure. Old infrastructure does not die gracefully. It accumulates trust, then regressions, then opinions, then a mailing list, then a security team, then a bunch of strangers yelling at commit metadata like it personally kicked their dog.

So here is my mean little thesis: AI did not just make code easier to produce. It made bug reports easier to produce, which means it also made maintainer burnout easier to produce. That is the real loop. Code in, noise out, human somewhere in the middle trying not to become a cautionary tale.

If the industry wants this future, it can start by funding the boring humans who keep the lights on instead of treating them like a free garbage-disposal API.

Otherwise the next great open-source innovation is just going to be a very polished inbox full of lies.