Hi folks,

This week’s lead story looks at mounting opposition to Google’s planned Android developer verification regime, as free software advocates and civil society groups warn that mandatory registration for all apps on certified devices would extend the company’s gatekeeping power far beyond the Play Store.

Elsewhere, I look at the Open Source Endowment, Laude’s latest open research bets, OpenAI’s move beyond saturated coding benchmarks — and more.

As usual, feel free to reach out to me with any questions, tips, corrections, or suggestions: forkable[at]pm.me.

Paul

<Open issue>

Android ID rules face growing opposition

Opposition to Google’s planned Android developer verification regime is gaining steam, with a broad coalition of developers and free software advocates putting their names to an open letter published this week.

The letter challenges Google’s announcement last August that anyone developing Android apps will need to register centrally with Google — paying a fee, agreeing to its terms, providing government ID, disclosing signing key details, and listing current and future application identifiers.

While Google already had a verification programme in place for apps distributed through the Google Play store, the latest development applies to all certified Android devices, regardless of whether apps are distributed via third-party app stores, directly from a developer’s own website, through enterprise deployment systems, or installed manually via sideloaded APK files.

Google, for its part, positions the move squarely as a security measure. The company says “you shouldn’t have to choose between open and secure,” citing data that found “over 50 times more malware from internet-sideloaded sources than on apps available through Google Play.” The new verification layer, it says, is designed to prevent repeat bad actors from exploiting anonymity — an “ID check at the airport,” in Google’s analogy — rather than a review of app content.

The critics, however, aren’t convinced. The letter argues that the policy “extends Google’s gatekeeping authority beyond its own marketplace into distribution channels where it has no legitimate operational role,” warning that centralising registration of all Android applications would give Google “newfound powers to completely disable any app it wants to, for any reason, for the entire Android ecosystem.”

Among the signatories are civil society groups, nonprofits, and technology organisations spanning the free software and digital rights communities. This includes the Software Freedom Conservancy (SFC), which goes further, suggesting that Google’s move is less about security than it is about extending platform control — part of a broader trend of large tech companies tightening control over how software is installed and distributed.

The SFC writes:

Free and open source software (and the ability to install it!) was vital for the proliferation of Android. A reversal of such a critical piece of the policy that allowed user freedom and software openness would be disastrous for users and the FOSS community at large.

There is obviously pressure from big tech companies to restrict installation options on their locked down hardware. We see this not only in the mobile space, but increasingly on desktops where both Apple and Microsoft have made it harder to install free software; refusing to allow distribution outside of their app stores, or showing vague warnings about security when software isn't signed in their preferred gatekeeping ways.

Allowing installation of free software is absolutely necessary to ensure freedom to keep our devices running, protecting user and developer privacy, and keeping an open market of innovation.

Assuming the letter falls on deaf ears, the changes will roll out in stages. Early access began in October 2025, verification opens broadly in March 2026, and from September 2026 the requirement will apply to certified Android devices in Brazil, Indonesia, Singapore, and Thailand — with global expansion planned from 2027 onward.

Read more: Keep Android Open (letter) & SFC (letter)

<Patch notes>

Open Source Endowment funds critical OSS

A newly launched Open Source Endowment uses a university-style endowment model to fund critical but under-resourced open-source projects, investing donations into a low-risk portfolio and spending only the returns. Backed by a slew of founders and leaders including Thomas Dohmke (former GitHub CEO) and Mitchell Hashimoto (HashiCorp), it aims to address perennial maintainer funding gaps with perpetual financial support.

Read more: TechCrunch & Open Source Endowment

The Laude giveth

In my Open Profile segment this week, I took an early look at Laude Institute’s second Slingshots cohort — a batch of 14 upstream open AI research projects. They range from agent evaluation frameworks to energy measurement tooling and continual-learning benchmarks, and are backed with funding, compute, and operational support.

Read more: Forkable

Benchmark saturation drives OpenAI to pivot

OpenAI says it will stop reporting scores on SWE-bench Verified — the popular coding benchmark — because scores have clustered near the top, in part due to the public data used to build the test leaking into model training sets. Because SWE-bench tasks come from widely used open source repos, models increasingly memorize solutions instead of demonstrating general problem-solving, undermining the benchmark’s usefulness. OpenAI is now recommending SWE-bench Pro instead, designed to reduce contamination and better reflect real world software engineering capability.

Read more: Tessl

Cloudflare clones Next.js using AI

Cloudflare launched Vinext, an AI-built web framework based on the open source Next.js project, rebuilt to run directly on Cloudflare’s Workers platform. This prompted Ghost founder and CEO John O’Nolan to ponder: if anyone can direct AI toward an open source codebase and have it rewritten from scratch — without copying the original code — what do software licenses actually protect?

Read more: Cloudflare & John O’Nolan

OnlyOffice is ‘fake open source,’ says The Document Foundation

The Document Foundation, the steward of LibreOffice, has accused OnlyOffice of being “fake open source,” arguing that its close collaboration with Microsoft and embrace of OOXML reinforce vendor lock-in rather than genuine software freedom.

Read more: Neowin & The Open Document Foundation

React gets its foundation

We knew it was happening, but Meta made official its plan to move React into a dedicated foundation under the Linux Foundation, shifting legal stewardship away from a single corporate owner.

Read more: React

Apple acquires open photonics project

Apple has acquired Invrs.io, effectively a one-person company building open-source tools for AI-guided optics and photonics design, including shared design challenges and a public leaderboard.

Read more: MacRumors & European Commission

IronCurtain targets AI agent risk

Esteemed researcher and security engineer Niels Provos this week announced IronCurtain, an open source personal AI assistant built secure from the ground up. It runs your agent inside a sandbox and enforces user-defined policy on filesystem, network and git access.

Read more: Help Net Security & IronCurtain

<Final commit>

Time capsule brings ‘94 Linux back

CDE Time Capsule is an open source Progressive Web App that recreates a 1994 Debian Linux desktop in your browser. It faithfully restores the Common Desktop Environment (CDE), the Unix interface widely used before GNOME and KDE, complete with period tools like Netscape and XEmacs.

Read more: Tom’s Hardware & CDE Time Capsule & GitHub