Open-Source AI Is Not Safe. Llama.cpp Just Proved It.

Imagine loading your favorite open-source AI tool, only to be asked for permission to use it. That’s not a bug. It’s a feature.

Late last week, a single commit—b9927—landed in the llama.cpp repository. It was quiet. No fanfare. But if you’re one of the thousands of developers, researchers, or privacy-conscious users who rely on this tool to run LLMs locally, without surveillance, you should be furious.

Open-source is not a promise; it’s a temporary wrapper. The moment a project gains enough traction, the enshittification cycle begins. First, you build a community. Then you add telemetry. Then you add access controls. Then you call it a ‘managed service’ and charge for the privilege.

Let’s be clear: llama.cpp was the last bastion. It was the tool you could run on a laptop, offline, with no one watching. It was the antidote to the API-fication of AI. But now, the CLI is asking for access to load a model. A comment on the discussion thread says it plainly: “We are heading towards a closed and monitored system, better said a proprietary one soon. Get the last genuine llama.cpp build before too late. b9925.”

You’ve probably noticed the pattern. It happened with Docker. It happened with Redis. It happened with every open-source darling that became a unicorn. The community builds the castle, then the company locks the gates. Neutrality is death in open-source; you’re either fighting for freedom or preparing to monetize it.

But here’s the twist: llama.cpp wasn’t a company. It was a community project. There was no VC pressure, no board meeting. And yet, the drift toward closed, monitored access is happening anyway. Why? Because the same people who build the tools are the same people who get tired of giving them away. They want control. They want metrics. They want—eventually—a paycheck.

I saw this firsthand when I tried to run the latest build. The model refused to load until I ‘authenticated.’ My first thought was that I’d misconfigured something. Then I checked the commit history. Access controls are the canary in the coal mine. Once they’re in, the rest follows.

So what do you do? You freeze your build. You pin yourself to b9925 and never upgrade. Or you fork the project and strip out the rot. But the real lesson is bigger: Don’t trust any open-source AI project to stay open forever. The only safe build is the one you control.

This isn’t about one commit. It’s about the creeping normalization of surveillance in the one space that was supposed to be free. If you rely on llama.cpp for privacy, for local execution, for the simple joy of running AI without permission—you need to act now. Because the next commit might not be reversible.

FAQ

Q: Is llama.cpp actually becoming proprietary?

A: Not yet. The access control is a step toward a closed system, but the current code is still open source. However, the precedent is set: once you require authentication to load a model, the door is open for telemetry, rate limiting, and eventually paid tiers.

Q: What should I do if I use llama.cpp for privacy?

A: Freeze your build at b9925 or earlier. Do not upgrade beyond that commit. Consider forking the repository and removing the access control code. If you need a guarantee, switch to a truly decentralized alternative like llama.cpp forks that explicitly reject monitoring.

Q: Isn't this just a minor change for security?

A: That's the classic slippery slope argument—and it's correct. Security is the Trojan horse for control. If the project wanted to add security, they could have done it without blocking local model loading. The fact that they chose to gate access means they're preparing for something bigger: monetization.

📎 Source: View Source