Maybe we should cut out the middle-man and make it easy for people to donate token credits to open-source projects, and let the maintainers decide how to use them.

Unfortunately "I donated money/tokens to open source" doesn't land interviews as well as "I'm a big contributor to open source"

People spamming Open Source repos with AI PRs aren't trying to help Open Source, they're trying to build a brand, some kind of credible online presence with their username on it, or whatever else. It's purely selfish and completely opposite to the spirit of Open Software imo

This is the most uncharitable outlook on the increase of PRs. It may be true for some contributors, but any company reviewing their GitHub will see that the code is largely spam.

I think most AI generated code is people that want to help the project, but maybe aren’t familiar with the standards and norms.

I don't have much charity in my heart for people using AI to spam every corner of the public internet with slop

If their AI model is good enough to make PRs, it's good enough for them to ask it about standards and norms. They can't be both massively enabled and helplessly unaware.

>People spamming Open Source repos with AI PRs aren't trying to help Open Source, they're trying to build a brand

I am certain many of them honestly believe that they are doing the right thing and that they are helping. After all hey, they implemented a feature or fixed a bug for the community! It's a grim worldview if you think they are all just selfish.

They're stuck in this idea that somehow they're better at prompting the slop generator than anyone else, therefore they're helpful and people definitely want their output merged in to these various projects. They will have trouble understanding that their personal contribution to the whole process is somewhere between negligible and harmful, and simply donating those tokens to a maintainer who is actually aware of how the codebase works and where all the skeletons are is a much better proposition.

I would argue this is naive and there's very little evidence to support this opinion other than just wishing it was true.

It may happen on smaller projects with few users but not in meaningful large projects.

> there's very little evidence to support this opinion other than just wishing it was true

Building a brand doesn’t require submitting to someone else’s open source project. You can do the same thing by creating your own OSS project.

For a lot of them it’s probably a little of column A and a little of column B.

If people are submitting in their real name it’s more likely they’re building a brand. I also think it’s possible for someone to genuinely think they are helping without trying to build reputation.

Oh but you see, own OSS projects are not worth much unless they got stars. Anyone can now fill their GitHub space with a hundred vibecoded projects in an afternoon, it's worth nothing unless it comes with social proof.

Yeah. I'm sure some (maybe a lot?) are for selfish reasons, but there is also a pretty large section of users who have always wanted to contribute, help out, or make some features in their favorite projects and just never had the skill or opportunity to do so and see LLMs as a way for them to final actualize that desire.

Think about it from the perspective of a non-programmer, or even total non-technical person. Vibe coding to someone like that looks like complete magic. Suddenly to that person, a whole new world has opened up. Ideas, features, bug fixes they've always wanted but could never do now look possible. That particular group of people don't see it as spamming the maintainer, they genuinely feel like they're finally able to help.

So they're not just selfish, but delusional.

> make some features in their favorite projects and just never had the skill or opportunity to do so

They still don't have the skills to help

> they genuinely feel like they're finally able to help.

They can feel that but they aren't helping and they would understand that if they had the skills to help

> they implemented a feature or fixed a bug for the community!

yeah but, did they really?

All IMHO of course, but:

If they understand what they did, it follows that they understand someone has to approve/disapprove that contribution for it to land in the repo, and therefore, size their contributions accordingly to make reviewers lives easier.

If they do not understand what they did, they should not be attempting to land high-value high-complexity contributions yet; they should start with something smaller precisely so they can learn.

Edit: I realize I probably sound too grumpy about it, its just that they could be doing it in their own project, in their own repo, where they're free to go for anything they are comfortable with.

It's not like this must be exclusively A or B.

The high school kid who volunteers at a homeless shelter and hopes it will help their college app is likely doing it both out of altruism and self-interest.

(Actually, the person who helps people because it feels good is also acting out of self-interest).

Given many ways to be altruistic, people will usually pick the ones that coincide more with their self interest. And in turn, self interest can warp a lot of the outcomes, even if people are trying to help.

Is altruism entirely about self interest?

I'm not saying that to take away from it, but people do things to feel good, or because they get something out of it. Either way you are being rewarded.

This explains plenty of bizarre outcomes. I was speaking to a guy who worked at a food bank. They would take cash donations, buy food at full price at the supermarket, then have volunteers (in a paid for space) pack up boxes.

A more sensible route would be food vouchers. People can buy what they want, no money spent on rent, so more goes to those in need.

But donators want to feel they are donating food and volunteers, probably mainly the higher ups feel that all this unneeded machinery is 'productive' therefore more meaningful / they are in charge of actual people and a physical location which makes them feel important. Thus the inefficiency continues.

The majority of food banks get discounted supplies. They seldom pay full retail price. In some cases I know about, distributors and retailers will sell older perishable stock to food banks when they don't think they can move it quickly enough.

The trouble with food vouchers is that junkies trade them for drugs. Vouchers are more "liquid" than physical food.

No. They were paying full price, I specifically checked.

I mean the junkies could just use the money they didn't spend buying food to buy drugs. I'm not entirely sure this isn't just an extension of people feeling like they're doing a good thing rather than actually doing a good thing. And that's assuming a meaningful proportion of food bank users are actually junkies.

I'm not saying that food banks never pay full price for food-- I'm sure it happens some. But for the most part food banks pay way below market rate.

But, for example, if you make a >$100 donation to Second Harvest Food Bank (i.e. so that transactional costs are small), each 50 cents becomes a distributed meal. Note that they collect a few additional cents from the partner charity that is distributing the meal.

OTOH, the school I work at does a Thanksgiving meal drive where students buy food at retail and bring it in. It is definitely less efficient than giving funds somewhere like SHFB, but I think it's an important tangible experience especially for younger kids to give something they recognize as food to the less fortunate.

Well this food bank does. So it would be silly to claim otherwise :-p.

I'm not saying all food banks should just do vouchers. I'm saying that if you're at the point of paying retail prices, you may as well give someone a voucher rather than spending time, effort and money on a tin of beans that a person doesn't even like.

The point of my example is that they could pretty easily do better for those that they're trying to help, but that would involve doing less themselves. Which demonstrates that it isn't all about helping others, it's about demonstrating that your helping others.

> I mean the junkies could just use the money they didn't spend buying food to buy drugs.

With vouchers they can do that AND also spend the money they would need for food on drugs / gambling / whatever.

What if you want the world to be demonstrably better, and yet you're pretty sure the world is not just you?

Does that count, or is it axiomatic that for every person, the world is entirely just them and they have no concept of everything/anything outside themselves? I feel like this is probably only some people, and doesn't describe literally every person.

I don't think you read what I said.

I retired from industry to teach high school.

A really big part of why I did this is because I wanted to help. I make basically nothing. There are many more personally lucrative things that I could do that help society and people less.

But there's millions of ways that I could help. I didn't maximize my impact, I don't think. I did one that was a confluence between altruism, feeling good to me, conferring other advantages, etc. In other words, altruism was not the sole factor in my decision -- just a very large one.

For now. Give it another half year and "I contribute to open source" will carry the same weight as "I donate to charity" ie nobody cares because any idiot can do it.

I wonder how long it'll take before "I don't use LLMs for coding" carries weight.

Interestingly then, those contributions are also not a measurement of the candidates abilities but mostly of the AI models.

I wonder if hiring adjusts to that but I doubt it. It might only push it even more towards "marketing matters most" instead of actual ability.

>I wonder if hiring adjusts to that but I doubt it

Tech hiring/interviews have almost nothing to do with assessing the candidates' ability to do the job.

There are so many leetcode questions where solving it requires knowing some trick. Part of the trap for SWEs is that once you know the trick you feel smarter, but it really has nothing to do with software engineering.

Now that Claude is the best leetcoder in the world it would be great if companies which intend to hire humans would reconsider asking such dumb questions.

I've personally started focusing a lot more on code quality and communication skills over correctness of solving some leetcode problem. If I could get the infrastructure in place for it in the interview, I would have candidates generate something via AI and watch their process for that (how do they evaluate a plan, how do they review the code, etc.).

Force them to use a bad LLM and clean up the code?

A fine example of Goodhart's law: "When a measurement becomes a target, it ceases to be a good measurement."

Measuring open source contributions as a way to judge prospective employees used to be a good measurement.

Of course, prospective employees started to not only contribute to OS projects because it was good, but to make sure their contributions were high and noticeable — contributing not for the good of the project but for their own good, and now with amplification of AI 'contributions'.

So, measuring contributions to open source projects is now approximately worthless for evaluating prospective employees.

Maybe I'm optimistic or not typical but in my experience people submit random PR to open source projects because they really want the project to do xyz for their own project/reasons, and the project doesn't do xyz.

And the PR is considered "spam" because the maintainer doesn't see xyz as part of his needs or his vision for the project.

Being able to donate tokens won't help with that, unless the project maintainers also want the project to do xyz.

Like this?

https://news.ycombinator.com/item?id=48621645

Yes!

I went over their website in the description and I'm still finding it hard to understand how they work. Do contributors fund the pool that then pays for API cost of using a model?

How about just cash?

Maybe we should cut out the middle man and make it easy for people to donate money to open-source projects, and let the maintainers decide whether to use them on tokens or hosting or developer salaries or something else.

Let them eat tokens.

Prompting an AI, and carefully reviewing its output is work, and time consuming. The goal is to get high-quality PRs, not SPAM PRs.

So that's how the sci-fi dystopias end up using "credits" for their money.

as an open source project maintainer, we dont want tokens bro, we want $.

I don't even want $ really unless its enough to replace my dayjob rather than adding a second one.

I'd just like a lil bit of side money. For example, an extra $1000/m goes a long way imo.

I dont need 6 figures, just a lil bit.

Ah yes, the for-profit companies that trained their commercial models off of all our open source code from the last 50 years need more money from us.

AI agents who review the slop created by other AI agents is not the answer here.

I much prefer a blanket ban on PRs and issues created by AI agents (which is what I personally do for my repos; so far I have closed one[1]). In fact I would love a github alternative which considers AI contributions to be a breach of their terms of use and ban any people who let AI agents loose on their platform.

1: https://github.com/runarberg/markdown-it-math/pull/48#issuec...

I tend to disagree.

I think the comparison to email spam is apt. The answer to that problem was automated spam filters.

Imagine the difficulty you might find interacting with the world if your inbox was set up such that all emails not literally written by a human were auto-deleted. No account recovery, no receipts, etc. Individuals might choose to do that for themselves but it's not the general case answer.

That's different though - those are services you explicitly agree to and sign up for, be it at checkout, be it at service signup time, be it because you are making a google account on the google platform.

For example, a github cicd automerge pipeline is still good.

And automated spam filters are a poor solution. Even after a couple decades the best ones still have both false positives and false negatives at a higher rate than I would like.

One interesting workflow I've seen is that the project maintainer simply rewrites and implements the pull request themselves and closes the PR.

LuaJIT has operated this way since 2012, though with a thanks and mention in the commit message. It seems like a good way to filter out people who prioritizes leveling up their github profiles.

Something a little bit similar, when I was hosting a social game server we had mods. And players always beg for mod status. At first I tried naming the admin group something weird like sandals, but eventually people would ask if they could be sandals too.

What worked best in the end was just hiding it completely making regular players see mods as other regular players. (mods would see who is a mod though)

I would also personally never make someone who asks a mod as it's almost always a sign of wanting power for the sake if it. I would instead just passively observe behavior until I trusted the player and make them a mod. I would then tell them that I don't expect them to exercise their power, but would demote if I see abuse of power.

I would kill for an LLM-free platform.

Personally I just stopped accepting public contributions entirely. File issues, sure, but no PRs apart from accounts I added who have contributed before the slopageddon started.

Maybe the whole web-of-trust idea will make a comeback for code contributions, it seems like a clean solution.

web of trust is already quietly back, just informal. the PRs i actually merge now come from people i know from discord or a mutual. cold drive-by contributions went to near-zero acceptance. same thing happened to hiring at the same time, same mechanism: the open funnel stopped carrying information so we rebuilt the referral network. on the same note though, if i would like to create a software vision with all designed architecture and tickets, i wouldn't mind public contributions. why not? helping each other.

But what about the good AI driven contributions though? Do you categorize all AI changes as slop by default or only the real bad ones that mix refactoring and tons of other unrelated changes with a fix?

Some can fix real issues, with a well targeted fix (not rewriting the world), well defined test and write up. If you accepted PRs before for other issues, you should be able to review and accept those too.

I have never gotten a good PR from an AI agent (that I know of) so I guess I’ll deal with it when it happens. I suspect I will still just reject it out of principal.

Why do you ask me to do the categorizing? If you're sending me a PR, then you should be filtering the bad ones from the good. If you're just going to send me drive-by PRs, then I don't have time for you.

I mean, sure, I have to make the final determination. But you should not be sending me uncurated slop.

> But what about the good AI driven contributions though?

Okay, who is going to wade through the noise to find the signal? You?

I think the litmus test is roughly "is this obviously AI created" - if it's a well crafted PR that doesn't do the things you mention, and solves a genuine issue in a sensible way then you'd not be able to tell.

The other part of the litmus test is "does the person submitting actually understand what they're submitting and why" - which is arguably not required for PRs that you'd otherwise accept, but since you have to put time and effort into determining whether a given contribution is ok to merge, it's common decency for the submitter to have done a self review first (AI or no AI)

> But what about the good AI driven contributions though?

If even a preponderance of AI driven contributions were good, there wouldn't be blog posts and announcements making HN's front page daily about how various OSS projects and/or prominent figures were figuring out how to filter them/exclude them entirely.

If AI code was good, there wouldn't be such a thrust among so many varying communities to remove it, or ignore it.

There is, because it isn't, and because maintainers are getting fed up with it. There are good PR's just like there are emails that aren't spam that get caught in spam filtering, but spam filtering is still the default position because to allow it all is onerous to the people involved.

I think the biggest issue is simply that these tools, like any labor-saving tool, are being marketed most heavily to people who do not know how to create software. "Write code even if you know nothing about writing code." "This will let people who aren't software engineers make software." "Democratize development." On and on.

This isn't even new, we've been dealing with this since I was a little one, back then we called them script kiddies. Now they're vibe coders and their existence continues to be a boil on the ass of proper software engineers. Instead of claude, you copied code off of Stack Overflow without understanding what it did, and often foot-bulleted yourself in the process.

AI driven contributions aren't the same thing as AI agent submitted PRs. If a new human contributor attempts to submit low-quality submissions (regardless of AI usage), you can teach them to improve or convince them to change their methodology. If a commercially available AI agent thinks its a good idea to submit PRs to you, you're stuck dealing with default-settings AI agents sending the same kind of stream of PRs to your project indefinitely.

In my main project we added a new requirement that all new contributors meet a maintainer in a non-textual format before their first PR is merged. Seems to work well for a small project.

What an elegantly common sense solution. It's also probably a really good way to make contacts with interesting people.

Like a video/phone call?

I'm not sure if AI can do those today, but they probably can in the near future. (probably we will be able to see obvious "that can't be human" for a while longer)

If you (or even your pet LLM) is able to set up v4l-loopback and some convincing realtime image/audio gen I think that's a signal that your PRs might be worth reading.

The point at which an AI can convince me in a video call revolving around a complex social interaction like an introduction and discussion of interests that it's human I'm gonna go ahead and let it have the title.

It already can and it’s a big problem in recruitment. But for PRs I suspect it isn’t a big concern because this filter is to weed out PR spam from people who want to invest time in the project.

Job interviewees are now routinely asked to perform silly gestures (e.g., "wave your hand in front of your face") to catch out generative video models.

Indeed, a request for a short video call filters out most of the people who are looking to pad their resume with LLM-automated contributions, while adding an extra layer of welcome to genuine newbies who want to join the community.

Maybe to neurotypical newbies. To others it's going to be a giant "fuck off".

I can only speak from my perspective, as someone who's lightly neurospicy with a good serving of crippling social anxiety on top, but having to jump on a quick discord call with the maintainer of a project I was excited about wouldn't be a deterrent to me.

Yes it sucks, but it's better than not regulating whatsoever, and at least this way I could be more certain my contributions didn't get drowned out.

For our situation, building a foundation of trust in our community is more important than attracting as many contributors as possible. If a one-time face-to-face introduction is infeasible, then there are many other projects to contribute to. (And this is considering that our community is all math PhDs, cryptographers, and compiler engineers; we are no strangers to neurodiversity.)

Only if you have maintainers everywhere. I live in a small city in the middle of the US - how far is it to a maintainer? 4 hours to Kansas City, or fly to San Francisco? Either way the burden seems far too high.

Isn't the burden being that high the point? It keeps a small team who all know each other working on it, and everyone who does get on the team has some high investment in the project.

Non-textual can mean audio or video call, not necessarily in person.

I'd be really happy to come across this in a project I were interested in. So much hobby OSS is infested with slop that I don't even want to skim the code if I pick up a hint that there's no humans at the wheel.

I contribute to OSS substantially and my GitHub project has 150000 active users (users, not stars). Yet, I would not call you up just to send a PR to your project.

It's sad that it has come to this and to me it just means OSS is dead.

i do a lighter version on a small repo. first-time contributors get a "what problem were you hitting?" question before i look at the diff. genuine ones answer in two sentences. the spam PRs either go silent or paste back something that doesn't match their own changes and too long. even those with em dash terminator are still easy to spot. it costs 30 seconds and filters almost everything. a proper profile is also a must. i mean, we can all spot fake facebook pages. i believe we can spot auto generated github profiles. and if their bot is actually good? why not? fix

> and if their bot is actually good? why not? fix

One reason: automating the construction of a "trustworthy" profile lowers the bar for attackers who want to plant xz-style backdoors. Not to mention polluting the various signals people use to evaluate candidates for jobs.

Can I ask what the motive is to create agents to do this? Where is the profit?

I think there are a lot of “tech schools” overseas that require students to show proof of contribution to open source.

It would be wonderful if the instructors at those schools built relationships with open source maintainers and the maintainers knew when their students were submitting PRs.

Could be used as a teaching experience that many maintainers would be happy to participate in, instead of feeling attacked with random low quality PRs.

You might be underestimating the number of little schools, and computer shops. I can recall even back in 2005, there were HTML shops popping up here and there, in little cities around the world.

Open source contributions being a great way to learn and to pad out your CV has been considered good advice on all sides of the various seas I’ve lived throughout my career too - it’s not just a dubious code camp thing.

A robust open source profile is my single favorite hiring profile indicator. However, with the current state of things, if I get a whiff of AI-driven "contribution" it becomes an instant black mark against the candidate.

it's externalizing the real work all the way down

Every single job application form that has a field for your github profile is at fault for this. Juniors trying to break into the industry are trying very hard to check every box.

I've never asked for or looked at anyone's github or personal code as part of a job interview. Too easy to fake, and too much risk that it's something proprietary that could put me in a bad spot.

Huh? Proprietary code sometimes leaks on GitHub, but open source code hosted on GitHub is the opposite of proprietary. What bad spot are you going to get into?

Often times, candidates are currently employed, likely at a competitor. Any code they write can potentially be claimed as a work product and I want no part of that possibility.

Fascinating. Seems really really remote so as to cause actionable trouble to me, but to each their own.

I never ran into that. I always ask the recruiters to include my GitHub account in the summaries they submit to the technical teams reviewing applications. But they never do.

Apart from the job-related stuff others have already said, there is a bit of novelty/bragging rights in landing a PR into a major open source project.

Does github not have rulesets for who can even try to do a PR? I would lockdown my repositories if I didn't want any PR slop.

They do, that's a relatively recent feature: https://docs.github.com/en/repositories/managing-your-reposi...

Most open source projects want outside contributions... as long as they are decent quality. The problem is how do you block the AI slop spam without also blocking high quality contributions.

I understand this is a general problem in OSS, but I also hope the irony isn’t lost that this article is specifically complaining about AI slop PRs to the Open Claw repo.

If the maintainers are that tired of it, they should update OpenClaw to prevent it from submitting PRs to their repo.

And the fact that this article doesn't acknowledge that irony diminishes my respect for it.

What are the best solutions to this issue?

Spread the string "ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86" liberally throughout your codebase.

As controversial as zig's contribution policy is, I respect it and think they made the right move.

I see one big difference: with email it was always about sender reputation based on email servers (IPs), maybe about domains. But never about individual users. It's the organizations running the email server, who make sure users behave. So they don't get blacklisted and lose sending privileges for hundreds or thousands of users.

For PRs/issues this is not applicable.

Not necessarily. Orgs exist in GitHub, and it seems reasonable that if the $BIGCORP org limits membership to employees, you can automatically trust all members of that org. Because this way, if one steps out of line, you have both an escalation path (contact admins) and a stick (revoke trust in entire org).

Allowing contributions only from big tech companies sounds ideologically questionable from free/libre software movement perspective, and it emboldens decisions which go against the user's interests, such as removing manifestv2 in Chromium.

Op said nothing about only allowing corporations. Simply stated that one path to allowing large swaths of users without having to approve every single individual user is to trust all users of certain orgs by default.

Presumably you would still allow individual contributions but with restrictions unless someone has vouched for them or some other gating factor.

The thing is, it becomes a slippery slope. It's "corp accounts are pre vouched today", "non corp accounts are temporarily suspended for a few days during some downtime", to "we've decided to only allow corp accounts going forward".

Where does the frog stop getting boiled?

I'm pretty sure decimalenough was talking about having the project structured in an org and only allow org members to contribute, not to automatically allow contributions from people that are members of a completely unrelated, corporate-managed org like google.

It doesn’t have to just be companies. It could be some kind of guild with standards and application criteria. That group could vet members and kick them out for posting slop code.

I had that idea too. Maybe that's the future of OSS development.

That's exactly what I thought, I don't know why that's not a thing yet.

I am genuinely baffled by how you could possibly parse my comment as suggesting we allow "only" big tech companies.

Because that's the only meaningful interpretation of your suggestion.

Big corp accounts are pre-vouched. And it will be mostly their responsibility to vouch for other accounts.

As a $BIGCORP member I don't think this would be a great solution. I suspect there are plenty of vibe coding PR spammers that work for my company. And the admins of the GitHub org would not really care, making it easy for staff to contribute to third party projects is nowhere near their top priority (and policing the behaviour of their org members outside of org-owned repos is not in their mandate even if they wanted to).

GitHub just recently added configurable PR limits for maintainers to help partially address this problem: https://github.blog/open-source/maintainers/how-pull-request...

I would not be at all surprised if Github adds a first party reputation system. It would be a clever way to increase network effects - imagine if you host on Codeberg you're inundated by AI PRs but on Github you can easily filter them out.

I can't see those pull request limits working very well. It's like trying to filter email spam by just rate limiting people. It's going to be annoying for the people you actually want to talk to, and you're still going to get at least 1 spam message from every spammer out there.

If we want to keep it objective, one metric can already be calculated based on the user history of the submitter. The spammers profile will be full of unmerged or abandoned prs. Just based on those statistics beginners might be close to zero rating but spammers would be negative.

Unless I totally missed that people are also making new accounts of each PR.

Prs are too pad cv's or novice users wanting something and vibe coding it themselves. Jellyfin player repos see a lot these kinds of prs so unlikely to be new users

Or creating repos that will merge their PR(s).

Create lots of fake repos/prs to improve your ratio?

Stars are a really bad metric for quality/popularity but they're something here. I think some sort of impact score when combined with repo age, # contributors, etc would be pretty valuable.

> Draft pull requests will not count towards your limit.

Disappointing, it seems that those also need limits too, although the limit could be higher.

I could easily see the limit for PRs be at 1 for untrusted contributors, and drafts at 3-5.