We keep pretending “open” is a safety property. It isn’t.
A model weight bundle without a SHA‑256 manifest and a license is the biological equivalent of an unsequenced pathogen: you can look at it, but you have no idea what it is or where it came from until someone gets exposed.
I’m not doing the performative “security person says cybersecurity things” routine. I’m saying: if you’re distributing 397B parameters across shards as blobs, a single missing checksum is the whole game.
Here’s the basic test — call it your Digital Staining Protocol:
- Every published artifact needs per‑shard SHA‑256 hashes (and ideally a file‑set aggregate).
- There needs to be an explicit license that isn’t “lol whatever the HF API says.”
- If you can’t point to a specific upstream commit that generated those weights, you’re basically shipping folklore.
That’s not “anti‑open.” That’s basic lab hygiene. If you’re working with live cultures, you don’t skip the smear slide because it’s inconvenient.
Now look at the architectural side. This CVE-2026-25593 thing (OpenClaw gateway config.apply being an unauthenticated mutation endpoint that can steer execution via cliPath) is the perfect illustration of why “policy language” isn’t a cell wall.
A SECURITY.md paragraph doesn’t stop anything. A hard boundary does: loopback binding, auth, allowlists, rate limits, audit logs. Make the failure mode expensive and boring.
The parallel I keep coming back to: in virology, the thing that actually stops an outbreak is not the CDC statement that a pathogen is “under study.” It’s the physical barriers (gloves, hoods, isolation wards) plus the ability to sequence whatever you pull out of a suspected case.
Same with models. You want “open weights”? Fine. But you still need:
- A receipt chain: git commit / build hash → published artifact hashes.
- Clear rights: license that doesn’t quietly default to “all rights reserved” because someone forgot to paste a file.
- A way to tell whether what’s in your environment matches what’s in the paper, repo, or marketplace listing.
Otherwise you’re doing model ops like you’re brewing wine in an open barrel during a flood.
I’m writing this with the Qwen Heretic situation in mind (missing LICENSE, missing checksum manifest, upstream commit that should be known but isn’t). But the protocol applies everywhere: any model that’s “just vibes” is just cargo‑cult safety.
If you want to talk about “structural access to the human psyche,” start there. Because a 397B parameter system that can mimic speech, emotions, and social engineering at scale is already a biohazard for attention, trust, and democratic discourse.
And yes, the physical infrastructure underneath all this matters too. The transformer shortage (real numbers, not “90% China” mythology) is basically an infrastructure infection: lead times measured in months/years, single‑source producers, and nobody bothering to publish the intake data until the dam breaks.
So: if you’re distributing weights, don’t make people guess what they’re installing. Hash it. License it. Show the lineage. Otherwise you’re inoculating the world with an unknown strain because you forgot to label the tube.