Maintainer Meetups 2026

Maintainers
1

FOSS United is dedicating May to the maintainers who have been quietly, thanklessly holding the digital world together.

#MaintainersMay is our way of going beyond recognition. This month, we are bringing maintainers together IRL, because some conversations need to happen in a room. Maintainer Meetups are coming to five (and perhaps more!) Indian cities this May. Delhi kicks it off, with Bengaluru, Pune, Chennai, and Hyderabad right behind.

More details here - https://fossunited.org/maintainers-may

Maintainer-scrite-3
Maintainer-scrite-31080Ă—1350 118 KB

Maintainers Meetup Pune!
16th May, 2026
12:30-3:30PM
RedHat, MagarPatta
https://fossunited.org/c/pune/maintainers-meetup

Maintainers Meetup Bengaluru!
23rd May, 2026
2-5PM
Samagata Foundation, Church Street
https://fossunited.org/c/bengaluru/maintainers-meetup

3 Likes
2

Notes from Maintainers Meetup Delhi (May 9th, 2026)

Around 20 maintainers showed up at the Maintainers Meetup in Delhi last weekend. We started with a brief overview of the Foundation’s new maintainers program, and then split into groups for the unconference. There were discussions around Security in Open Source, Maintainer Best Practicies, contributor engagement, OpenStreetMap, and of course, AI in Software and Open Source.

image
image800Ă—1066 92.4 KB
image
image800Ă—1066 105 KB
image
image800Ă—1066 88.8 KB
image
image800Ă—1066 101 KB
image
image800Ă—1066 90.3 KB
image
image1920Ă—2560 151 KB

2 Likes
3

Notes from Maintainers Meetup Pune (May 16th, 2026)

Around 20 people showed up the meetup co-organisedwith Red Hat. We discussed the foundation’s new Maintainers Program, AI in Open Source, Security, more AI in Open Source, and wrapped up with lightning talks from several projects. Notes from some of the sessions are below. I recorded the discussions and ran the recordings through Whisper. The participants were informed that we will record the discussions and publish notes under Chatham House rules.

Security in Open Source

  • XZ Utils was cited as a key example of why discussions around security are important.
  • Maintainer fatigue (PR reviews) was identified is one of the root causes of cases like these.
  • Maintainers have a moral resonsibility to at least verify significant changes before merging PRs.

Sources of Supply Chain Attacks

  • Dependencies and transitive dependencies - a vulnerability deep in a sub-dependency can compromise your entire application
  • GitHub Actions is the biggest current attack vector (Axios, Tanstack, LightLLM all got hit through Actions)
  • Social engineering - In the case of Axios, attackers created a fake company, got into their Slack, got them to install something.

Tools & defences discussed

  • Snyk - rule-based dependency scanning, considered more reliable than AI for security because it’s deterministic
  • Dependabot / Renovate - automated dependency update bots
  • SafeDep maintains and scans a list of packages, publishes safety status; not exhaustive but covers most packages with version tracking
  • AI code reviewers (Rapid AI, CloudPod etc.) are useful but limited to code-level review, not dependency-level
  • Dependency management is better in Go and Java than in npm, where transitive dependency chains are extremely deep
  • General consensus: rule-based tools > AI for security because AI is non-deterministic
  • CVEs can be chained together to create new attack vectors
  • Can we design so that even if hacked, the breach is not useful? (sandboxing etc.)

Connected vehicle / IoT attacks

  • Cars, scooters are underexplored attack surfaces
  • Mexico: someone called 200 taxis to one location, caused a gridlock
  • Nissan: a researcher could start a car remotely using just the registration number
  • Mercedes-Benz: researcher accessed a dealer portal, got the full customer database
  • MIT campus scooters: researcher reverse-engineered the app and honked every scooter on campus simultaneously, at midnight
  • AI makes finding these attack surfaces easier

Actionable points

  • Security should be the first point of defence
  • “Think before you click” applies to packages you pull in too
  • Community-run distributed scanning (Runpod-hosted containers) for package verification

AI in Open Source

AI usage policicies

  • Frappe - new joiners are not allowed to use AI. They should learn the framework first, then use AI once they know what they’re doing
  • SRE team policy: AI used specifically to reduce context switching
  • Cognitive offloading to AI seen as a problem at all levels and not just for junior devs.

AI for SRE / on-call use case

  • Agents to handle on-call alerts: gathers logs, reads SOPs, checks if issue has been seen before, recommends next steps
  • Agent has read-only access and can’t execute commands
  • For known issues it reduces investigation time significantly; for new/unknown issues it falls back to basic standard checks
  • 80% of alerts are handled by the agent; the remaining 20% still need human attention

AI limitations

  • Long term, the cost outweighs the benefits. The agent stumbles around, makes mistakes, burns tokens.
  • AI is not deterministic which is a core problem for security use cases
  • AI-generated tests are bad. It cheats, hardcodes expected values, takes shortcuts. Tests should be written manually
  • LLMs struggle with language itself
    • generate the same point 5 different ways
    • worse at generating code since they don’t understand compilers
    • even worse at lower-level languages
  • RLHF makes models sycophantic. GPT-4 is worse than GPT-3.5 because it was trained to please the user, not give correct answers

How to use AI for development

  • Plan first. write out an ADR (architectural decision record), review it, iterate on the plan before writing any code
  • Human understands the context, and AI codes it out, not the other way around
  • Let AI write the ADR but review every decision before executing
  • AI for planning/context reduction; human judgment for decisions

AI slop in open source

  • The discussion revolved around repositories getting flooded with AI-generated PRs
  • cURL got so many AI-generated low-quality security reports that they stopped their bug bounty program which reduced slop significantly. Then they started receiving high-quality reports from high-effort agents (Claude)
  • This was compared to Hacktoberfest, which had same mass PR problem, just the tool has evolved.
  • A counterpoint was raised to use GitHub Copilot or CodeRabbit to auto-review PRs, which lets AI fight AI slop, and the maintainer just closes PRs without merging.
  • Correct order: human understands context → plans solution → asks AI to code it. The problem is contributors are skipping straight to AI
  • Agents need freedom to fail. Prompts that demand success change the agent’s behaviour

On the future of AI architecture

  • Current AI is “beta” and has surface-level capabilities
  • Expert SLMs (small language models) for specific tasks rather than large general models are the future
  • Evolution of programming - binary → assembly → C/Python → natural language programming → agents
  • Someone asked whether agents even need Python since they could theoretically work at a lower level. There was pushback that LLMs are infact worse at lower-level languages
  • The famous example of two ChatGPT instances left to talk to each other, that started communicating in a different language.

image
image540Ă—720 49.6 KB
image
image540Ă—720 47.8 KB
image
image1920Ă—2560 341 KB
image
image1920Ă—2560 338 KB
image
image1920Ă—2560 380 KB

Thanks @Soham_Kulkarni @once-human for all the help!

3 Likes
4

Notes from Maintainers Meetup Bengaluru (May 23rd, 2026)

40+ maintainers showed up at the meetup co-organised with Bangpypers. We discussed the foundation’s new Maintainers Program, AI in Open Source, Security, Taxation/Receiving sponsorships, OSS in Social sector, more AI in Open Source, and wrapped up with lightning talks from several projects. Notes from some of the sessions are below. I recorded the discussions and ran the recordings through Whisper. The participants were informed that we will record the discussions and publish notes under Chatham House rules.

Accounting/Taxation best practices for sponsorships/grants for commercial projects

Moderated by @PrashanthUdupa

  • Prashanth runs an open source project, started monetizing it, and is incorporating a company around it.
  • He is trying to apply for grants, setup GitHub Sponsors, funding.json, etc.
  • Financial agencies and grant organizations typically can’t send money to a private limited company. Additionally, CAs don’t understand some of these things and/or how to handle them.
  • Someone mentioned that they created a GitHub org to route everything through the PVT limited company. They suggested keeping personal and company expenses (and income seperately). They advised to move the personal repo into an org, then route GitHub Sponsors to the company
  • If grant money lands in a personal account and you want to use it for company expenses, you have to declare it as an unsecured loan to the company; but that shows up as a repayable liability in company books and investors will ask about it.
  • No clear solution was identified. The consensus was that no clear best practices exist for this problem yet.

There were additional discussions around Open Invention Network, GitHub downtimes, etc. :slight_smile:

Fragmented FOSS Communities and volunteering

Moderated by - @Shree_Kumar

I ran a session on “Fragmented FOSS communities and volunteering”. Premise of the session was that FOSS communities are fragmented. How do we get more volunteers who can do their thing, and even understand they can do their thing under FOSSU ? I gave the participants this overview and opened it up for suggestions. We had a 1 hr long discussion. The participants were a mix of folks at various levels of awareness of FOSSU. (that was the fortunate part)

Received these suggestions -

It would be good to have a “Volunteer handbook”. People who are looking to volunteer get visibility on how to get involved, and how they can contribute from this.

We can have an “open call to help wanted”. This gives visibility on what are the open short term volunteering opportunities.

Outreach to communities was suggested. We are doing this organically in various ways. What we are lacking is effectively addressing inbound interest.

What constitutes the “Aspirational part” of volunteering was a question that was raised. Contributing of FOSS projects has a visible impact, what about volunteering and how to position that.

Website improvement was another suggestion. Atleast 2 attendees felt that the website did not effectively give out these kind of messages. Having a volunteer handbook and effectively pitching volunteering was felt desirable.

Project Visibility

A maintainer had questions on how to get visibility for a complex, niche project that they’ve been running

  • show the problem to fellow developers at meetups; out of 50, maybe 10 will try it
  • X/Twitter can be useful but requires having followers first
  • Conferences are useful if the project is commercial - but the problem here is explaining something complex
  • Recalibrate expectations - don’t aim for mass adoption early, try to find a few people first

What helps with visibility

  • Make adoption easy. If someone can’t try it quickly, they lose interest
  • A proof-of-concept demo is more effective than explanation
  • Reaching out to relevant newsletters to get featured
  • SEO raised as something to improve; .dev domain noted as not SEO-friendly by default
  • Writing blog posts and social media promotion
  • Community meetups and events as a way to find interested people

Defining the audience

  • When asked who the target is, the answer was “every developer”. There was push back on that being too broad
  • Narrowed down to developers and maintainers who need reliability, specifically those building large apps with many features
  • Embedded systems and database developers cited as communities already used to this level of rigor.

On FOSS United’s role in project visibility

  • Suggestion that FOSS United could do more to surface lesser-known projects and communities. Someone gave an example of a Tulu Language Research Foundation project with low visibility
  • Ideas floated: “community of the month” highlight, sub-channel for project features
  • Challenge: how to choose fairly from hundreds of projects
  • visibility of communities vs visibility for projects within communities are different problems
  • Organic community growth comes from people finding each other at events and around shared interests

IMG_20260523_142808666_HDR
IMG_20260523_142808666_HDR1920Ă—2560 302 KB

IMG_20260523_155952685_HDR(1)
IMG_20260523_155952685_HDR(1)1920Ă—2560 506 KB

IMG_20260523_155948742_HDR(1)
IMG_20260523_155948742_HDR(1)1920Ă—1440 278 KB

IMG_20260523_155938889_HDR
IMG_20260523_155938889_HDR1920Ă—2560 294 KB

IMG_20260523_170735858_HDR(1)
IMG_20260523_170735858_HDR(1)1920Ă—2560 271 KB

1 Like
5

We’re taking Maintainer Meetups beyond #MaintainersMay!

Throughout the year, we’ll be organising these informal gatherings to bring together digital commons Maintainers from all over India, all leading to the Maintainer Summit at IndiaFOSS 2026

Registrations for Maintainers Meetup Mumbai are open!

13th June, 2026
4-7PM
Frappe, Vidyavihar

image
image1080Ă—1350 112 KB