What I see instead, really, is that most projects no longer, or very rarely look at any contribution, and e.g. any issue + PR/MR combo I make, has a much higher chance of never being looked at and some bot just closes it. Even though the rest of the project might be actually quite active.
It takes some getting used to, apparently being filed together with the "noise", when I try to go out of my way to be as much "signal" as possible. But well, if I really wanted to, I can just run my own changes locally, that's the beauty of OSS, but I hope we can get to some more balanced place over time (being forever the optimist).
I can see maintainers are being overwhelmed by AI driven PRs but if we filter out new features and concentrate just on bug fixes, does it really matter where a PR comes from if it fixes a bug?
I do work on a very complicated agent based simulation. The data shaping and loading is all open source Python. There are dozens of long standing bugs that prevent the simulation from loading some of the data correctly. I used to send PRs but they were always ignored so I gave up. Now, when there is a new release I need to spend a day reviewing the new code to see what patches I need to re-apply.
Few changes are as cut and dried as fixing a bug with zero side effects or change in behaviour or need to consider future support or architectural plans.
As a maintainer, I'm always happy to quickly merge something that's like "I hit this corner case, here's a tightly-scoped change that catches and fixes it" but in reality not a lot of changes actually looked like that.
When OSS first got big in the 90s, I thought that it was a free-for-all where anyone could contribute (no maintainers/PRs/MRs) and people would use the most popular branch. That way it would evolve freely at lightspeed to go around 500 pound gorillas like Microsoft.
Imagine my disappointment when we ended up with the same old gatekeeping, now we just police ourselves.
I can agree though that the network effect of "everyone else uses X" is pretty unfortunate and has led to a lot of other issues too, so yes very disappointing
For PRs/issues this is not applicable.
Presumably you would still allow individual contributions but with restrictions unless someone has vouched for them or some other gating factor.
Where does the frog stop getting boiled?
Big corp accounts are pre-vouched. And it will be mostly their responsibility to vouch for other accounts.
I find it ironic that the people who originate the idea of AI-code-spam are being negatively impacted by this.
But all they will do is build an AI agent to review the code written by an AI agent, that probably never needed to be written to begin with.
They're also happy to leave it to "open source" to navigate the fall out.
I can't see those pull request limits working very well. It's like trying to filter email spam by just rate limiting people. It's going to be annoying for the people you actually want to talk to, and you're still going to get at least 1 spam message from every spammer out there.
Unless I totally missed that people are also making new accounts for each PR.
Disappointing, it seems that those also need limits too, although the limit could be higher.
I could easily see the limit for PRs be at 1 for untrusted contributors, and drafts at 3-5.
As long as it's taken as an indicator for WIP, it works. It just doesn't work when acting illiterate of this distinction; and I have often had PRs switched to "ready", reviewed + merged in a couple of hours.
But when the change list grows, and the PR ages, while still being intentionally maintained, the Draft signal is strong and helpful IMO. Switching an old Draft PR to "ready" after reviving it with changes seems like a useful signal to me.
> Or using it correctly...
Note that people using AI to make spam pull requests are not using the system correctly.
Twitter thread about it below but happy to do an AMA here.
You could speak to them as a peer when it came to technical issues or system architecture AND they were experts in technology law. Especially impressive given that anti-spam was still in its infancy and rapidly evolving.
It's a self-perpetuating monster that breeds attitudes and behaviours that maximise antisocial and exploitative behaviour by the system's design.
Just look at what was done to copyright, designed to protect inventors from corporates and related abuse, now unwieldy for individuals and largely serves corporate interest more than the individuals it was supposed to protect. Same with patent system.
One reason: automating the construction of a "trustworthy" profile lowers the bar for attackers who want to plant xz-style backdoors. Not to mention polluting the various signals people use to evaluate candidates for jobs.
It's sad that it has come to this and to me it just means OSS is dead.
Yes it sucks, but it's better than not regulating whatsoever, and at least this way I could be more certain my contributions didn't get drowned out.
If the maintainers are that tired of it, they should update OpenClaw to prevent it from submitting PRs to their repo.
I much prefer a blanket ban on PRs and issues created by AI agents (which is what I personally do for my repos; so far I have closed one[1]). In fact I would love a github alternative which considers AI contributions to be a breach of their terms of use and ban any people who let AI agents loose on their platform.
1: https://github.com/runarberg/markdown-it-math/pull/48#issuec...
Personally I just stopped accepting public contributions entirely. File issues, sure, but no PRs apart from accounts I added who have contributed before the slopageddon started.
Maybe the whole web-of-trust idea will make a comeback for code contributions, it seems like a clean solution.
LuaJIT has operated this way since 2012, though with a thanks and mention in the commit message. It seems like a good way to filter out people who prioritize leveling up their github profiles.
Something a little bit similar, when I was hosting a social game server we had mods. And players always beg for mod status. At first I tried naming the admin group something weird like sandals, but eventually people would ask if they could be sandals too.
What worked best in the end was just hiding it completely making regular players see mods as other regular players. (mods would see who is a mod though)
I would also personally never make someone who asks a mod as it's almost always a sign of wanting power for the sake of it. I would instead just passively observe behavior until I trusted the player and make them a mod. I would then tell them that I don't expect them to exercise their power, but would demote if I see abuse of power.
I think the comparison to email spam is apt. The answer to that problem was automated spam filters.
Imagine the difficulty you might find interacting with the world if your inbox was set up such that all emails not literally written by a human were auto-deleted. No account recovery, no receipts, etc. Individuals might choose to do that for themselves but it's not the general case answer.
For example, a github cicd automerge pipeline is still good.
Some can fix real issues, with a well targeted fix (not rewriting the world), well defined test and write up. If you accepted PRs before for other issues, you should be able to review and accept those too.
If even a preponderance of AI driven contributions were good, there wouldn't be blog posts and announcements making HN's front page daily about how various OSS projects and/or prominent figures were figuring out how to filter them/exclude them entirely.
If AI code was good, there wouldn't be such a thrust among so many varying communities to remove it, or ignore it.
There is, because it isn't, and because maintainers are getting fed up with it. There are good PRs just like there are emails that aren't spam that get caught in spam filtering, but spam filtering is still the default position because to allow it all is onerous to the people involved.
I think the biggest issue is simply that these tools, like any labor-saving tool, are being marketed most heavily to people who do not know how to create software. "Write code even if you know nothing about writing code." "This will let people who aren't software engineers make software." "Democratize development." On and on.
This isn't even new, we've been dealing with this since I was a little one, back then we called them script kiddies. Now they're vibe coders and their existence continues to be a boil on the ass of proper software engineers. Instead of claude, you copied code off of Stack Overflow without understanding what it did, and often foot-bulleted yourself in the process.
The other part of the litmus test is "does the person submitting actually understand what they're submitting and why" - which is arguably not required for PRs that you'd otherwise accept, but since you have to put time and effort into determining whether a given contribution is ok to merge, it's common decency for the submitter to have done a self review first (AI or no AI)
Okay, who is going to wade through the noise to find the signal? You?
I mean, sure, I have to make the final determination. But you should not be sending me uncurated slop.
People spamming Open Source repos with AI PRs aren't trying to help Open Source, they're trying to build a brand, some kind of credible online presence with their username on it, or whatever else. It's purely selfish and completely opposite to the spirit of Open Software imo
Measuring open source contributions as a way to judge prospective employees used to be a good measurement.
Of course, prospective employees started to not only contribute to OS projects because it was good, but to make sure their contributions were high and noticeable — contributing not for the good of the project but for their own good, and now with amplification of AI 'contributions'.
So, measuring contributions to open source projects is now approximately worthless for evaluating prospective employees.
And the PR is considered "spam" because the maintainer doesn't see xyz as part of his needs or his vision for the project.
I wonder if hiring adjusts to that but I doubt it. It might only push it even more towards "marketing matters most" instead of actual ability.
Tech hiring/interviews have almost nothing to do with assessing the candidates' ability to do the job.
Now that Claude is the best leetcoder in the world it would be great if companies which intend to hire humans would reconsider asking such dumb questions.
I am certain many of them honestly believe that they are doing the right thing and that they are helping. After all hey, they implemented a feature or fixed a bug for the community! It's a grim worldview if you think they are all just selfish.
The high school kid who volunteers at a homeless shelter and hopes it will help their college app is likely doing it both out of altruism and self-interest.
(Actually, the person who helps people because it feels good is also acting out of self-interest).
Given many ways to be altruistic, people will usually pick the ones that coincide more with their self interest. And in turn, self interest can warp a lot of the outcomes, even if people are trying to help.
Does that count, or is it axiomatic that for every person, the world is entirely just them and they have no concept of everything/anything outside themselves? I feel like this is probably only some people, and doesn't describe literally every person.
I retired from industry to teach high school.
A really big part of why I did this is because I wanted to help. I make basically nothing. There are many more personally lucrative things that I could do that help society and people less.
But there's millions of ways that I could help. I didn't maximize my impact, I don't think. I did one that was a confluence between altruism, feeling good to me, conferring other advantages, etc. In other words, altruism was not the sole factor in my decision -- just a very large one.
I'm not saying that to take away from it, but people do things to feel good, or because they get something out of it. Either way you are being rewarded.
This explains plenty of bizarre outcomes. I was speaking to a guy who worked at a food bank. They would take cash donations, buy food at full price at the supermarket, then have volunteers (in a paid for space) pack up boxes.
A more sensible route would be food vouchers. People can buy what they want, no money spent on rent, so more goes to those in need.
But donators want to feel they are donating food and volunteers, probably mainly the higher ups feel that all this unneeded machinery is 'productive' therefore more meaningful / they are in charge of actual people and a physical location which makes them feel important. Thus the inefficiency continues.
The trouble with food vouchers is that junkies trade them for drugs. Vouchers are more "liquid" than physical food.
I mean the junkies could just use the money they didn't spend buying food to buy drugs. I'm not entirely sure this isn't just an extension of people feeling like they're doing a good thing rather than actually doing a good thing. And that's assuming a meaningful proportion of food bank users are actually junkies.
But, for example, if you make a >$100 donation to Second Harvest Food Bank (i.e. so that transactional costs are small), each 50 cents becomes a distributed meal. Note that they collect a few additional cents from the partner charity that is distributing the meal.
OTOH, the school I work at does a Thanksgiving meal drive where students buy food at retail and bring it in. It is definitely less efficient than giving funds somewhere like SHFB, but I think it's an important tangible experience especially for younger kids to give something they recognize as food to the less fortunate.
I'm not saying all food banks should just do vouchers. I'm saying that if you're at the point of paying retail prices, you may as well give someone a voucher rather than spending time, effort and money on a tin of beans that a person doesn't even like.
The point of my example is that they could pretty easily do better for those that they're trying to help, but that would involve doing less themselves. Which demonstrates that it isn't all about helping others, it's about demonstrating that you're helping others.
With vouchers they can do that AND also spend the money they would need for food on drugs / gambling / whatever.
It may happen on smaller projects with few users but not in meaningful large projects.
Building a brand doesn’t require submitting to someone else’s open source project. You can do the same thing by creating your own OSS project.
For a lot of them it’s probably a little of column A and a little of column B.
If people are submitting in their real name it’s more likely they’re building a brand. I also think it’s possible for someone to genuinely think they are helping without trying to build reputation.
Think about it from the perspective of a non-programmer, or even total non-technical person. Vibe coding to someone like that looks like complete magic. Suddenly to that person, a whole new world has opened up. Ideas, features, bug fixes they've always wanted but could never do now look possible. That particular group of people don't see it as spamming the maintainer, they genuinely feel like they're finally able to help.
They still don't have the skills to help
> they genuinely feel like they're finally able to help.
They can feel that but they aren't helping and they would understand that if they had the skills to help
yeah but, did they really?
All IMHO of course, but:
If they understand what they did, it follows that they understand someone has to approve/disapprove that contribution for it to land in the repo, and therefore, size their contributions accordingly to make reviewers' lives easier.
If they do not understand what they did, they should not be attempting to land high-value high-complexity contributions yet; they should start with something smaller precisely so they can learn.
Edit: I realize I probably sound too grumpy about it, it's just that they could be doing it in their own project, in their own repo, where they're free to go for anything they are comfortable with.
I wonder how long it'll take before "I don't use LLMs for coding" carries weight.
I think most AI generated code is people that want to help the project, but maybe aren’t familiar with the standards and norms.
I don't need 6 figures, just a lil bit.
I really hate the marketing people mindset. It fucks everything that is nice.
And, it would be nice to have unsubscribe lists in the uBlock Origin style.
Could be used as a teaching experience that many maintainers would be happy to participate in, instead of feeling attacked with random low quality PRs.
Why can the anti spam agents not just do the work directly???