
Posted by microflash 7 hours ago

Malus – Clean Room as a Service (malus.sh)
https://fosdem.org/2026/schedule/event/SUVS7G-lets_end_open_...
747 points | 299 comments | page 2
glenstein 4 hours ago|
I first encountered the concept of "clean room" in the context of Sean Lahman's free baseball stats database. While technically baseball stats are free, their compiling and manner of presentation in any given format may be claimed as proprietary by any particular provider. And so there's an extensive volunteer effort from baseball fans to "clean room" source them from independent sources such that they are verifying the stats independently of their provenance as a legally permitted basis for building out the database.

I even recall Baseball Mogul relied on the Lahman DB for a period of time. It does make me wonder if we'll see more of that.

0xWTF 5 hours ago||
There are two teenagers who learned about Malus in the last hour and have started figuring out how to actually build it, right now. They will not cite their source in their IPO statements.
phpnode 3 hours ago||
it is straightforward to build this for real, here is my nearly one-shotted tldraw clone from a couple of weeks ago, https://x.com/c_pick/status/2028669568403578931 - the implementation side never saw the code, only the spec (in reality it did see the tldraw code in its training data, but you can't escape that anymore)
phyzome 47 minutes ago|||
Well, that's not what the page describes. You'd have to train an LLM on everything except tldraw, then use that LLM for code generation.
p0w3n3d 1 hour ago|||
I wonder about this training data. There's so much profit from open source code in training data, actually most of the code it was taught was open source, shouldn't it then be free? Or at least open weight?
etchalon 5 hours ago||
The Torment Nexus must be built, because someone wants a lambo.
0x500x79 4 hours ago||
> If any of our liberated code is found to infringe on the original license, we'll provide a full refund and relocate our corporate headquarters to international waters.*

I love it. Brilliant satire that foreshadows the future.

kypro 4 hours ago|
The satire is A-grade.

On a quick glance, or skim read, you could be excused for believing this is real, but they drop just enough nuggets throughout that by the end there is no ambiguity.

Really helps illustrate how realistic this could be.

ameliaquining 6 hours ago||
Note for people who just briefly skimmed the site: This is satire.
Habgdnv 5 hours ago||
At least you think that this is satire, until the author receives a DMCA from one of the big corps saying that he leaked the transcript of their last meeting
kifler 5 hours ago|||
Too late. Someone's senior executive management has probably already seen it and is spinning up a new project to implement it.
civvv 4 hours ago||
Luckily LLMs are nowhere near capable enough to pull this off for anything other than the likes of isEven()
chilipepperhott 6 hours ago|||
Yeah, thank you. I was starting to get a little heated.
embedding-shape 5 hours ago||
Same, I got as far as "Finally, liberation from open source license obligations." until I went back to the comments.
frizlab 5 hours ago||
haha did the same. that being said I’m convinced some people do think AI reimplementation actually means cleanroom…
andriy_koval 3 hours ago|||
It's partial satire. I kinda believe Claude/Codex spill lots of OSS code without license attribution for many millions of devs already.
tonyedgecombe 3 hours ago||
It wouldn't be funny if it wasn't close to the truth.
Lalabadie 5 hours ago|||
The situation is a bit too Torment Nexus-y for my comfort, thank you very much
TimTheTinker 5 hours ago|||
I don't know - if you upload a package.json with any dependencies that map to real npmjs.com packages, it does lead you to a Stripe payment page which appears to be real... and it appears you'd be sending real money.

Maybe that's part of the joke, though :)

scatbot 3 hours ago|||
I know this is satire, but I would wish to see something like this for liberating proprietary & closed-source hardware drivers.
schmeichel 6 hours ago|||
Thank you for pointing that out, I genuinely was scratching my head and questioning if this site was serious.
adampunk 6 hours ago|||
For now
dcchambers 5 hours ago|||
For now...
tgtweak 5 hours ago||
The best satire is that which becomes reality.
TehCorwiz 5 hours ago|||
I would posit that the best satire is that which holds a clear enough mirror to society that people choose for it to not come to pass.
intrasight 4 hours ago|||
Best comment here!
bananzamba 2 hours ago|||
Malus Corporation = EvilCorp
lo_zamoyski 5 hours ago|||
W.r.t. intent, yes. But w.r.t. content, we are long past a situation where it is unrealistic enough to function as satire.

While such tactics would render certain OSS software licenses absurd, the tactic itself, as a means to get around them, is entirely sound. It just reveals the flawed presupposition of such licenses. And I'm not sure there is really any way to patch them up now.

zozbot234 5 hours ago|||
It would also entirely obviate the need for those very same OSS licenses, if LLMs can simply do a clean-room reimplementation of any copyrighted software whatsoever.
kshacker 4 hours ago|||
It will be like Galaxy Quest - they saw the historical records, copied them and then ... still needed humans to help them :)
jajuuka 5 hours ago|||
I was wondering. I had heard the chardet story and wouldn't be surprised to see others moving into that same space.
Robdel12 5 hours ago||
It legit got me. An actual "whaaaaaatttt?" out loud and then I had to figure out why it was the top of HN haha.
Pannoniae 5 hours ago||
This is satire but this is where things are heading. The impact on the OSS ecosystem is probably not a net positive overall, but don't forget that this also applies to commercial software as well.

There will be many questions asked, like why buy some SaaS with way too many features when you can just reimplement the parts you need? Why buy some expensive software package when you can point the LLM into the binary with Ghidra or IDA or whatever then spend a few weeks to reverse it?

OkayPhysicist 5 hours ago||
This is going to bring back software patents.
piperswe 2 hours ago|||
Considering my name's on a software patent submitted just last year, I don't think software patents have gone anywhere...
intrasight 4 hours ago||||
I was discussing that very point yesterday with a colleague after telling him of recent events. I pointed out that leaning on copyright/copyleft for software has always been a risky move.
OJFord 4 hours ago|||
Where did they go?
egonschiele 1 hour ago||
Good idea, but as several comments here suggest, the time when this sort of thing could be taken as satire is gone. I promise you there are multiple people here thinking that this is a good idea. I predict that within a year we will see a service that does exactly this.
mushufasa 6 hours ago||
"Change all your core software library dependencies to be unmaintained ripoff copies of those libraries." Sounds wise.....¡¡
dullcrisp 14 minutes ago||
Guaranteed CVE-free at time of delivery!
roughly 5 hours ago|||
Sounds like my CTO. Overuse of LLMs in c-suites is like overuse of weed by teenagers - it may not cause delusions, but it sure seems to make them worse.
jakeydus 5 hours ago||
Don't worry, I'm positive that we're only a few years out from realizing just how damaging both were/are.
bigfishrunning 48 minutes ago||
I just hope we realize it before it's too late.
fabioborellini 2 hours ago||
Actually I have been told that replacements to (restricted subsets of) open source libraries, generated by LLMs, vendored next to our code using the dependency, cannot be vulnerable since they don’t have CVEs, and therefore they don’t ever have to be maintained.

That’s how deep we are in neoliberal single truth shit now

e12e 3 hours ago||
> Our proprietary AI systems have never seen the original source code.

For this to be plausible satire, they need to show how they've trained their models to code, without mit, apache, bsd or GPL/agpl code being in the training set...

pradn 1 hour ago||
Is AI-driven clean room implementation a wild west at the moment? I suppose there haven't yet been any cases to test this out in real life?
typeiierror 5 hours ago|
I know this is satire, but I have an adjacent problem I could use help with. In my company, we have some legacy apps that run, but we no longer have the source, and everyone that worked on them has probably left the planet.

We need to replatform them at some point, and ideally I'd like to let some agents "use" the apps as a means to copy them / rebuild. Most of these are desktop apps, but some have browser interfaces. Has anyone tried something like this or can recommend a service that's worked for them?

ekidd 4 hours ago||
I have actually very convincingly recreated a moderately complex 70s-era mainframe app by having an LLM reimplement it based on existing documentation and by accessing the textual user interface.

The biggest trick is that you need to spend 75% of your time designing and building very good verification tools (which you can do with help from the LLM), and having the LLM carefully trace as many paths as possible through the original application. This will be considerably harder for desktop apps unless you have access to something like an accessibility API that can faithfully capture and operate a GUI.

But in general, LLM performance is limited by how good your validation suite is, and whether you have scalable ways to convince yourself the software is correct.
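
A sketch of the kind of verification tool described in the comment above, as an added example that is not part of the thread or any commenter's code: scripted sessions are replayed against the original program and the reimplementation, and the first diverging response is reported. The two apps, their command set (`DEP`, `WDR`, `BAL`) and the sessions are constructed stand-ins.

```python
import subprocess
import sys

# Constructed stand-in for the original app: one response line per stdin command.
LEGACY = r'''
import sys
bal = 0
for line in sys.stdin:
    op, *arg = line.split()
    if op == "DEP":
        bal += int(arg[0]); print(f"OK {bal:>8}")
    elif op == "WDR" and int(arg[0]) > bal:
        print("ERR INSUFFICIENT")
    elif op == "WDR":
        bal -= int(arg[0]); print(f"OK {bal:>8}")
    else:
        print(f"BAL {bal:>8}" if op == "BAL" else "ERR UNKNOWN")
'''
# Constructed reimplementation with an off-by-one at the zero-balance boundary.
REWRITE = LEGACY.replace("> bal", ">= bal")

def transcript(app_src, session):
    """Replay one scripted session against an app; return its output lines."""
    proc = subprocess.run([sys.executable, "-c", app_src], capture_output=True,
                          text=True, timeout=30, input="\n".join(session) + "\n")
    return proc.stdout.splitlines()

def first_divergence(reference, candidate, session):
    """Return (step, command, expected, actual) at the first mismatch, else None."""
    exp = transcript(reference, session)
    act = transcript(candidate, session)
    for i, cmd in enumerate(session):
        e = exp[i] if i < len(exp) else "<no output>"
        a = act[i] if i < len(act) else "<no output>"
        if e != a:
            return (i, cmd, e, a)
    return None

# Constructed sessions; each one traces a different path through the app.
SESSIONS = [
    ["DEP 100", "BAL", "WDR 30", "BAL"],
    ["DEP 50", "WDR 50", "BAL"],  # boundary: withdraw the whole balance
    ["WDR 1", "FOO"],             # error paths
]

def run_suite(reference, candidate, sessions=SESSIONS):
    """Map session index -> first divergence for every session that differs."""
    found = ((i, first_divergence(reference, candidate, s)) for i, s in enumerate(sessions))
    return {i: d for i, d in found if d}
```

Only the boundary session exposes the regression, which is why the set of recorded paths matters more than the number of sessions.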

ensemblehq 5 hours ago|||
Interested to keep updated on this point. As a consultant, I've worked on transformation of legacy applications so this would help me greatly as well. We've worked on pretty archaic systems where no one knows how the system works even if we have the source code.
nivethan 5 hours ago|||
I've done a little bit of this and Claude is pretty great. Take the app and let Claude run wild with it. It does require you to be relatively familiar with the app as you may need to guide it in the right direction.

I was able to get it to rebuild and hack together a .NET application that we don't have source for. This was done in a Linux VM and it gave me a version that I could build and run on Windows.

We're past the point of legacy blackbox apps being a mystery. Happy to talk more, my e-mail is available on my profile.

Traubenfuchs 5 hours ago||
Well, what kind of desktop apps?

Unless obfuscated, C# desktop apps are pretty friendly to decompile.
