Sign in Subscribe
Self-Hosted Weekly

Self-Hosted Weekly: Week 21, 2026. Bambu Sues OrcaSlicer Dev, MkDocs Forks, Open Source Endowment Launches

Michael Soto

5 min read
Share
Self-Hosted Weekly: Week 21, 2026. Bambu Sues OrcaSlicer Dev, MkDocs Forks, Open Source Endowment Launches

Quiet week? Not quite. A 3D printer manufacturer is suing the developer who restored cloud printing in a fork, MkDocs just lost its last serious maintainer and three forks are now competing for its corpse, and a 501(c)(3) finally got stood up to pay open source maintainers a real wage. Here's what mattered.

1. Bambu Lab vs OrcaSlicer-BambuLab: when AGPLv3 meets a billion-dollar vendor

Bambu Lab spent the week sending legal threats to Pawel Jarczak, the independent developer behind OrcaSlicer-BambuLab, a fork that restored the cloud printing features Bambu locked behind their "Bambu Connect" middleware. Jarczak shuttered the project after the cease-and-desist landed. The Software Freedom Conservancy then publicly stated that Bambu's lockdown violates the AGPLv3 license OrcaSlicer is built under, and Louis Rossmann pledged $10,000 toward Jarczak's legal defense.

Hot take: This is the cleanest test case in years for whether AGPLv3 actually has teeth against a well-capitalized vendor. If Bambu wins, every hardware company shipping "open source" firmware with cloud lock-ins gets a green light to repeat the playbook. Jeff Geerling already said he'll never buy another Bambu printer. Expect the boycott to spread.

2. MkDocs is dead, long live ProperDocs (and MaterialX, and Zensical)

The MkDocs repo has been inactive since February 19. The PyPI namespace got contested in a March 9 takeover attempt. The second-to-last maintainer launched ProperDocs as a drop-in fork. The Material for MkDocs team in parallel shipped MaterialX and a new generator called Zensical. One of Python's most-used documentation tools just shattered into three competing projects.

Hot take: Self-hosters running MkDocs for internal docs (and you know who you are) need to pick a side this quarter. ProperDocs has the cleanest continuity story; Zensical is the most ambitious rebuild. If you've ever pinned a doc site to MkDocs 1.x, now's the moment to plan the migration instead of waiting for a CVE that nobody is going to patch.

3. The Open Source Endowment is now a real 501(c)(3)

Thomas Dohmke (former GitHub CEO), Mitchell Hashimoto (HashiCorp), Paul Copplestone (Supabase), the cURL creator, a Vue.js founder, an NGINX co-founder, plus execs from Elastic and Spotify just stood up the Open Source Endowment, a nonprofit with one job: build a permanent funding floor for open source maintainers. They've already locked in $750K in commitments.

Hot take: Every previous attempt at this (Patreon, GitHub Sponsors, OpenCollective) bolted donations on top of the same broken volunteer model. An endowment is structurally different: it's permanent capital, not a tip jar. If this works, expect a wave of maintainers actually getting paid by 2027. If it doesn't, the cURL guy will at least have tried.

4. Linux Foundation lands $12.5M security grant from the AI giants

Anthropic, AWS, GitHub, Google, Google DeepMind, Microsoft, and OpenAI jointly committed $12.5 million to the Linux Foundation's Alpha-Omega Project and OpenSSF. The money goes to supply chain security work, critical project audits, and maintainer security training.

Hot take: This is the AI labs paying their tax. They train on every line of open source code on the planet, then ship products that depend on the same code in production. $12.5M is small money relative to what they've extracted, but it's the right direction. Watch whether the foundations spend it on tooling that scales or on a fresh round of conferences.

5. OpenAI keeps eating open source dev tools

OpenAI has now done as many M&A deals in the first five months of 2026 as they did all of 2025. The recent pickups: Astral (the team behind uv, ruff, and ty for Python tooling) and Promptfoo (open-source LLM evaluation framework).

Hot take: OpenAI is quietly assembling a "dev tooling for AI apps" stack inside their walls. Astral's Python tooling is so dominant it's practically infrastructure. The question every Promptfoo and uv user should ask: does the OSS license stay clean, or do we get a "Cloud version" gap like Mongo and Elastic pulled? History rhymes.

6. Home Assistant 2026.5: native RF support, Maintenance dashboard

The May 2026 release added native RF support (after April's IR rollout), a new Maintenance dashboard that surfaces stale integrations and degraded devices, ESPHome serial proxying, and Immich integration improvements (favorites now expose as a media source).

Hot take: RF and IR support out-of-the-box closes the gap with Hubitat for power users. The Maintenance dashboard finally makes "why is my automation broken" answerable without grepping logs at 11 PM. Quietly, Home Assistant continues to be the most polished open source product in this whole list.

7. FreePBX critical RCE (CVE-2026-46376)

A critical authentication bypass in the FreePBX User Control Panel lets unauthenticated attackers access user portals. The fix is in 17.0.19.85 and 16.0.40.13. If you self-host PBX for a SMB phone system, this is your weekend.

Hot take: PBX servers tend to live behind firewalls until someone enables remote work and forgets to revisit the rules. Pull the user portal off the public internet, patch, then put it back behind a VPN. Telephony breaches are quiet but expensive: international toll fraud is still a thriving industry.

8. ClickHouse 26.4.3 + pg_clickhouse extension lands

ClickHouse shipped 26.4.3-stable on May 20 and released pg_clickhouse v0.1.0, an Apache 2 Postgres extension that lets you run analytics queries against ClickHouse from inside Postgres. The unified-stack pitch (OLTP + OLAP without the ETL pipeline) just got a lot more plausible.

Hot take: "ClickHouse from your Postgres connection" is genuinely useful. It sidesteps a whole class of "do we need a data warehouse" conversations for teams under 100 GB of analytical data. The license being Apache 2 (not BSL) matters; this is the version of ClickHouse that ships to self-hosters too.

What we're watching next week

  • Bambu Lab legal escalation: does SFC formally sue, or does Bambu back down before that? AGPLv3 enforcement at this scale would set precedent.
  • ProperDocs vs Zensical adoption: which fork wins the long tail of MkDocs users porting their mkdocs.yml?
  • Open Source Endowment grants: the first batch of funded projects will tell us whether this is real money or PR money.
  • OpenAI's next OSS acquisition: odds favor something in the agent-orchestration space.

Bottom line

This week's signal: vendor goodwill toward open source is fraying faster than the funding side can keep up. Bambu is testing how far an AGPLv3 violator can push before the SFC strikes back. MkDocs shattering shows what happens when a maintainer-led project burns out without a funding floor. The Open Source Endowment and the LF security grant are the response, but they need years to compound. Until then, expect more forks and more cease-and-desists.

Spinning up a managed self-hosted stack on Elestio sidesteps a lot of these patch-cycle headaches by default: browse the catalog for 400+ open-source services with automated security updates, backups, and TLS baked in.

Thanks for reading ❤️

See you next Friday 👋

Sign up for more like this.

Enter your email
Subscribe