Self-Hosted Weekly: Week 9, 2026. MinIO Is Dead, the Open Source Endowment Launches, and AI Slop Hits Maintainers

It's been a big week in the self-hosted world. MinIO, one of the most relied-upon S3-compatible storage solutions, got officially archived. A new nonprofit wants to throw $100M at open source funding. And AI-generated contributions are pushing maintainers to the breaking point. Here are the 8 stories you need to know.

1. MinIO Officially Archived: The End of an Open Source Storage Giant

On February 12, MinIO updated its GitHub README with six words: THIS REPOSITORY IS NO LONGER MAINTAINED. The repository is now archived and read-only.

This didn't happen overnight. In May 2025, MinIO stripped the console GUI from the community edition. By December, the project entered "maintenance mode." Now it's fully dead, with the company steering everyone toward AIStor, their paid commercial replacement.

Hot take: MinIO's trajectory is a textbook example of the open-core trap. Build community adoption with a generous free tier, then progressively strip features until the open-source version is unusable. If you're running MinIO in production, start evaluating alternatives now. Garage and SeaweedFS are worth exploring. And if you're on a managed platform like Elestio, keep an eye on which alternatives get added to the catalog.

2. The Open Source Endowment Wants to Raise $100M

A new nonprofit called the Open Source Endowment launched this week with some serious backers: Mitchell Hashimoto (HashiCorp founder), Paul Copplestone (Supabase CEO), an NGINX co-founder, and the creators of Vue.js and cURL. They've raised $750K so far, with a target of $100M within seven years.

The model is interesting: donations get invested, and only the investment returns fund grants. The principal stays untouched. Projects get selected based on user count, how many other projects depend on them, and whether they're already well-funded elsewhere.

Hot take: This is the most structurally sound approach to open source funding we've seen. The endowment model means funding doesn't dry up when a single corporate sponsor loses interest. Compare that to the Linux Foundation's Alpha-Omega, which distributed $5.8M across 14 projects last year. If the Endowment hits even a fraction of its $100M goal, it could meaningfully change the economics of maintaining critical infrastructure.

3. AI Slop Is Breaking Open Source Maintainers

The "Eternal September" of open source is officially here. Daniel Stenberg shut down cURL's bug bounty after 20% of submissions turned out to be AI-generated nonsense. Mitchell Hashimoto banned all AI-generated code from Ghostty. Steve Ruiz closed all external pull requests to tldraw entirely.

Meanwhile, an Ars Technica article was retracted because the AI tool used by a writer hallucinated quotes from an open source maintainer. You can't make this up.

Hot take: This is going to get worse before it gets better. The incentive structure is broken: AI makes it trivially easy to generate plausible-looking contributions, but the cost of reviewing them still falls entirely on maintainers. Expect more projects to implement contribution gates, verification systems, or simply close their doors to external PRs.

4. Open Source Vulnerabilities Doubled in Commercial Software

Black Duck's 2026 OSSRA report dropped some alarming numbers: open source vulnerabilities per codebase surged 107%. 87% of all audited codebases contained at least one vulnerability, and 78% had high-risk issues.

The driver? AI-accelerated code generation is creating more code, more dependencies, and more complexity. The average number of files per codebase grew 74% year-over-year, while open source components increased 30%.

Hot take: Speed without security is just technical debt with a fuse. AI-generated code is often "correct enough" to pass reviews but introduces subtle dependency chains that nobody audits. The EU Cyber Resilience Act enforcement starting this year will force organizations to actually track their open source supply chain. If you're self-hosting critical infrastructure, automated dependency scanning isn't optional anymore.

5. Vaultwarden Patches Auth Bypass (CVE-2026-26012)

Vaultwarden, the popular self-hosted Bitwarden-compatible password manager, patched CVE-2026-26012, an authentication bypass that let any organization member access all ciphers regardless of collection permissions. The fix landed in version 1.35.3.

Hot take: Medium severity on paper, but devastating in practice for teams using Vaultwarden with granular permissions. If you're running Vaultwarden with multiple users and collections, update immediately. On Elestio, managed instances get automatic security patches, so this is already handled.

6. Docker Compose v5.1.0 Ships with New Go SDK

Docker Compose v5.1.0 dropped on February 24, bringing bug fixes and the continued rollout of the official Go SDK introduced in v5.0. The SDK lets you integrate Compose functionality directly into applications, loading, validating, and managing multi-container environments programmatically without the CLI.

Hot take: The Go SDK is the real story here. It opens the door for platforms and tools to embed Docker Compose as a library rather than shelling out to a CLI binary. Expect infrastructure-as-code tools and deployment platforms to start integrating this. For self-hosters running complex stacks, this means better tooling is coming.

7. Kubernetes 1.32 Hits End of Life Tomorrow

Kubernetes 1.32 officially reaches end of life on February 28, 2026. If you're still running it, you're about to be on unsupported infrastructure. The current supported versions are 1.33 through 1.35, with v1.36 in active development.

Hot take: K8s version management remains one of the most annoying parts of running Kubernetes. If you're on 1.32, you're not just one version behind, you're three. Prioritize the upgrade. Or better yet, consider whether you actually need Kubernetes at all. For many self-hosted workloads, Docker Compose on a managed platform like Elestio handles 90% of what teams use K8s for, with a fraction of the operational overhead.

8. Nuxt Studio Goes Fully Open Source and Self-Hosted

Nuxt Studio, previously a paid hosted CMS for Nuxt Content websites, has been completely rebuilt as a free, self-hosted module. The shift happened after NuxtLabs joined Vercel and committed to open-sourcing their premium products. Features include Notion-like editing, TipTap rich text, MDC component support, and direct Git publishing.

Hot take: This is how it should work. A SaaS product gets acquired, and instead of being sunset or locked behind a paywall, it goes open source. The 2026 roadmap includes AI-powered content generation, which could make this a genuinely compelling self-hosted alternative to tools like Contentful or Sanity.

What We're Watching Next Week

• Kubernetes 1.36 enhancements freeze passed on February 11. Expect early previews of what's coming in the next release.
• EU Cyber Resilience Act reporting requirements are now active. Watch for the first enforcement actions and compliance tooling releases.
• Open Source Endowment first grant recipients could be announced as the initiative gains momentum.
• MinIO fork activity on GitHub. The community is already discussing forks and alternatives.

Bottom Line

The self-hosted ecosystem is going through a correction. Projects that took community trust for granted (MinIO) are paying the price. AI is simultaneously creating more code and more problems. And new funding models (the Open Source Endowment) are emerging to support the infrastructure we all depend on. If there's one takeaway this week, it's this: the tools you self-host are only as reliable as the communities maintaining them. Choose projects with sustainable governance, not just impressive feature lists.

Thanks for reading. If you're looking for a hassle-free way to self-host any of the tools mentioned above, check out Elestio. See you next Friday.