510 comments

[ 1.5 ms ] story [ 309 ms ] thread
It's convenient that Digital Ocean has a scapegoat for 2020 but his video doesn't explain the previous years of spammy pull requests.
Absolutely. That guy's video may have caused a lot of spammy PRs, but I'm pretty sure they're far from the majority.
As a mailserver owner, spam is the first thing that comes to my mind when someone says digitalocean.

Malicious bots would be 2nd.

I've never learned why DO is a malicious traffic leader. Maybe they're competing with OVH to be the next MCColo.

Or the next bulletproof hosting
> Maybe they're competing with OVH to be the next MCColo.

That's my guess. That was the original value prop, right? MCColo with SSDs on every instance.

It’s because they made a rather cheap Linux VPS that is extremely easy to get up. It’s 4 clicks on DO (login with GitHub, click new droplet, click $5, click create), vs 15 clicks on Azure or AWS (where you have to create a bespoke account, go through the silly billing configuration, etc) where they expect you're running all of this past your procurement people and that they’ll want to configure stuff too.
Was it much of a problem before this year?

Looking back at all prior HN stories with "hacktoberfest" in the title or with "hacktoberfest" and "spam" in the comments, I can't find any that talk about it being a big problem before this year.

I found one maintainer who said they got a non-negligible number of garbage pull requests for it, but they still said Hacktoberfest was cool. There was also one post about a filter one project adopted a year ago that used heuristics to identify and automatically reject Hacktoberfest pull requests from new submitters that were too trivial.

I'd have expected more if it was a problem to the extent that it seems to be this year.

Same. I don’t think I got a single spammy PR I could attribute to Hacktoberfest before this year, I had thought it must be people staying inside for COVID or something. But I guess I know the actual cause now.
Agreed. We got two this year. Never received a spam PR before.
One of my repos got spam PRs for last two years. So I archived the repo this time before October as a proactive measure. I got spam PRs in other months too, but October was the worst.
(comment deleted)
If a single person can cause that much harm, it's not their fault, it's the fault of the process/system.
What I don’t get is... why do this for a t-shirt? Am I missing something?
T-shirts are worth significantly more (relatively) in poorer parts of the world. It might be worth 0.5hr of average wage in the us but be worth 5hr of average wage in India.
I thought of that, but if you’re wealthy enough to watch YouTube and submit PRs on GitHub, is that really that much of a reward?
You can be pretty damn poor and do both of those things.
My entire youth could be described as having all the time in the world but not a dime to my name.
This was much of my youth too and I grew up in an upper-middle class family in the Bay Area :/ I think this would apply to most children.
* coolness, to claim that you got a T-shirt from big company.

* An entry on resume.

You don't need to be wealthy to get an internet access. You can get it at a school, a public library, a friend's home...
I think you have this backward.

If you had to work for three months to afford your phone, would you be more likely to spend fifteen minutes to get a free shirt, or less?

Yeah I learned this lesson too. I run a coding education nonprofit and for years we have offered free shirts or stickers to people who bring someone totally new to coding (usually artists or musicians who want to work on a game) to one of our events in certain areas.

We tried it with an online event in August and it was immediately flooded with fake signups from people in poorer parts of the world.

(Honestly made me sad more than frustrated. But we're not equipped to give out that many shirts.)

How's the quality of the t-shirt that one gets after completing the challenge?
Couple minutes, free t-shirt, I'm sure folks say "why not?"

At the local sandwich shop folks will stand in line for an hour to get a free crappy sub $5 sandwich...

Otherwise some folks in other theads indicated that in some places, specifically india, participating in hacktoberfest and getting PRs was good for resumes and educational recognition.

Why not? If it takes 3 minutes of effort and you get to say you've been there (a developer) and you got the t-shirt.
A lot of newer developers do it for resume reasons. I know people who have gone around doing spelling fixes to claim they contributed to stuff.
There was a bunch of this on Drupal.org awhile back, you'd get patches in the issue queue where someone just ran phpcs on the whole module.
It's not just the t-shirt, the guys goes on to explain how developer "swag" is something you must have, you'll feel more confident and respected if you have a tech related t-shirt.

It's really sad that a guy who teaches coding asks people to spam FOSS projects to get that so called "swag".

(comment deleted)
Misaligned incentives always cause trouble, scapegoats not withstanding.
> Misaligned incentives always cause trouble, scapegoats not withstanding.

Yes. Exactly. Couldn't have said it better myself.

Stepping on a soapbox, I think a certain kind of economics thinking should be introduced to students at a reasonably young age, no later than secondary education, that thinking being "Incentive Analysis" where students are taught to think through where various people's and groups' incentives are, and why it matters. If nothing else, it should clear up fuzzy cliche-based thinking which can be misleading even though it has a kernel of truth: "If you aren't paying, you're the product" is wrong in some very important ways, starting with the fact that if you are paying, you might still be the product. For example: You pay for a service, in effect giving the company money for selling your information to other companies eager to have a line on a high-value paying customer.

Check your faulty logic there. The statement "if A, then B", does not imply "if not A, then not B".

There's nothing wrong with accuracy of "If you aren't paying, you're the product".

It isn't my faulty logic.
Any sufficient large number of people will behave idiotically (from lat. idiota, ignorant)
The Latin idiota is borrowed from Greek ἰδιώτης idiōtēs which is from ἴδιος idios meaning "private" or "peculiar".

Idiot has historically meant "retarded" so if you wanted to say "ignorantly" you could have just said that, or "idiotically" is fine but don't pretend it has such wholesome roots.

The shitoberfest Twitter account is hilarious. https://mobile.twitter.com/shitoberfest
You know, as one of the people who sat in a room with my colleagues, listening them talk about the hours and hour of thinking they had done around how to contribute meaningfully to OSS, revising and revising till they landed on hacktoberfest, I don't find this hilarious in the least. I talked to many maintainers in the first few years of it's existence who truly benefited from the contributions. Nothing we ever did at DigitalOcean was "just for marketing" - everything we did was because we genuinely cared about developers, that's why the company grew. Certainly it's a shame that a few bad actors are ruining the project, but I take real issue with all the vitriol. Maybe it's gone off the rails and needs to be revised or reconsidered, but creating "shitoberfest" twitter and putting things in blog posts like "Finally, and most importantly, we can remember that this is how DigitalOcean treats the open source maintainer community, and stay away from their products going forward." is certainly not constructive. (I haven't worked at DigitalOcean for 5+ years)
I think this may be a small example of the path to hell being paved with good intentions, or of unintended consequences.
> You know, as one of the people who sat in a room with my colleagues, listening them talk through the hours and hour of thinking they had done around how to contribute meaningfully to OSS, revising and revising till they landed on hacktoberfest

I find it weird that none of your suggestions involved allowing the maintainers of the software project to decide if the contributions were worthy of a reward? I also find it odd that people who had contributed meaningfully to OSS would suggest a numerical bound on PRs as a measure of meaningful contributions.

Perhaps I'm missing something here, but I honestly don't think this was particularly well designed to begin with. The "bad actors" are assholes, sure, but I think you also need to revise your concepts about meaningful OSS contributions.

(comment deleted)
Well I haven't worked for DigitalOcean in many many years. My reply was to calling hacktoberfest "shit". I do agree given the scale the initiative has reached, projects should reach out to DO, get on a list and be the "approved" project. As a point of interest on your "but I honestly don't think this was particularly well designed to begin with" - how would you have designed it?
Fix the broken process:

Do NOT auto-include closed PRs.

Let maintainers choose to add a hacktoberfest label to contributions they think are worth rewarding, if they want to opt-in and they like that particular contribution.

Don't emphasise t-shirts, emphasise fun and the rewards of helping OSS.

These are not difficult challenges, they could fix the process right now if they wanted to. Yes their numbers would go down, but they'd be rewarding genuine contributions, as originally intended.

> You know, as one of the people who sat in a room with my colleagues, listening them talk through the hours and hour of thinking they had done around how to contribute meaningfully to OSS, revising and revising till they landed on hacktoberfest, I don't find this hilarious in the least. I talked to many maintainers in the first few years of its existence who truly benefited from the contributions. Nothing we ever did at DigitalOcean was "just marketing" - everything we did was because we all genuinely cared about developers, that's why the company grew. Certainly it's a real shame that a few bad actors are ruining the project, but I take real issue with all this vitriol. Maybe it's gone off the rails and needs to be revised or reconsidered, but creating shitoberfest twitter and putting things in blog posts like "Finally, and most importantly, we can remember that this is how DigitalOcean treats the open source maintainer community, and stay away from their products going forward." is certainly not constructive.

I find it troublesome that a room full of people and no one raised a concern about how the whole thing would be misused, and wasted time of hundreds of maintainers who now have to clean up their repo. Did "the room" consider this, at all, and what if they did, what was the conclusion?

Edit: I added neom's original comment, still have it on my browser.

Yeah, this really makes me wonder what the room gets up to during threat modelling session at Digital Ocean. But perhaps they don’t do that sort of thing.
Exactly what I thought. I don't really care that digital ocean had "good intentions". The scheme is obviously abuseable and seems to have indeed wasted the time of a number of actual developers.
Why do you think hundreds of maintainers have to clean up their repos? What is your acceptable ratio of misuse to value add?
To be honest, we are well beyond hundreds of maintainers that will need to clean up their repos. I've been crawling the "Improve Docs" spam issues since they started appearing.

As far as I'm aware, there are already 4500+ repos which have had a low quality, single-line-change, "Improve Docs" PR opened in the past two days.

Just to pull out a few repos out for example purposes:

* 7 spam - https://github.com/seductivegeese/softi.es

* 8 spam - https://github.com/easydepot/websiteSwallower/pulls

* 8 spam - https://github.com/tokio-rs/website

* 13 spam - https://github.com/phpmyadmin/website

* 15+ spam - https://github.com/pyvec/elsa

* 15+ spam - https://github.com/justicedemocrats/candidate-website

* 15+ spam - https://github.com/Salamek/blacklist

* 20+ spam - https://github.com/openmaptiles/www.openmaptiles.org

* 25+ spam - https://github.com/blitz-js/blitzjs.com

* 60+ spam - https://github.com/EdmontonPy/edmontonpy

Heck, take look at the PRs and commit history of https://github.com/azmat21/UyghurWebsiteCrawler. It's been two days into October, and this repo has gotten 55 PRs. It hasn't ever gotten a single PR before this as far as I can tell.

Not to be pedantic but I think there is some conflation here between PR/repo and maintainer? How do you define "low quality" hacktoberfest was originally also focused on people learning to code who could help clean up docs/fix typos etc.
(comment deleted)
So it was a net positive thing, and the suffering of some maintainers are acceptable, just so DigitalOcean can slap its name and claim it helps opensource? Just donate money or something man. Jesus fucking christ.
Donate money to whom?
You have no idea what suffering is
I have seen some repos with 3 pages of spam PRs. It's drowning out legitimate PRs.
> I find it troublesome that a room full of people and no one raised a concern about how the whole thing would be misused

As someone completely unaffiliated with Hacktoberfest (only attendee over several years), my impression is that there really haven’t been much issues with it until this year.

I’m quite confident it was all done in good faith.

Unlike all those shit, SPAM PRs.

I can easily see how the original concept is a great idea (honestly, anything that can get more folks into contributing to FOSS is probably worth considering!), but the thing is, after the first few years of people suggesting that this was going to be a problem and that it should be opt-in by the affected maintainers, I think it's fair to say that DO gets the blame. If you do something with good intentions and something bad happens as a result, it's not necessarily on you (and indeed, I would hesitate to assign blame in all but the most extreme "what did you think was going to happen!?" cases). But if you do something with good intentions after being repeatedly told by multiple independent parties on multiple occasions that it's going to cause a problem, then you get to be responsible when that problem actually arises from the actions that you knowingly took while ignoring warnings.
(comment deleted)
(parent post tried to abolish blame and called out the grandparent post as the issue, hence why the lack of continuation)

I don't, you messed up!

The fact that you're actually incentivising contributors to make PRs of any quality and without standards, whilst forcing the burden on to maintainers (without reward) and you do very little (no tutorials about how to make quality PRs, no standards information on what comprises of a good PR, no quality guidance what so ever!).

This seems like a marketing stunt that has backfired and you're saying that you don't deserve some backlash?

(comment deleted)
This isn't highlighted high enough, and the lack of what makes a good PR that shows new contributors the best way forward isn't shown enough.

Yet I standby my statement, you're not blameless here.

Would you be willing to share what you'd recommend? I don't work at DigitalOcean but I know a few of the folks working on hacktoberfesst and I'm happy to forward our suggestions. je at h4x dot club.
Only count pull requests that are merged. Make this fact obvious on the hacktoberfest website so contributors know spamming PRs will not help them.

I know the standard answer to this is that it would exclude some repos (ex: node) that merge PRs manually via git. However:

1. You already are excluding every open source project not on GitHub, so this is a really weak point.

2. I am extremely confident trading off not including a very small subset of repos for removing the incentive to spam bad PRs is a worthwhile trade.

> I talked to many maintainers in the first few years of it's existence who truly benefited from the contributions.

For sure, but the Hacktoberfest promotional website treats this as a second order effect, instead of the primary goal it really should be.

The primary motivation for participants is the free t-shirt, because that's the incentive that's being pushed. What is not promoted - and should be promoted - is the impact of contributing: making a change for the better, the social good, taking a step towards connecting with new people, learning opportunities, making a mark in the world with your name on, etc.

The problem OSS faces is not just finding enough contributors. It's finding contributors who are intrinsically motivated to actively engage with a project.

And so, the current campaign inadvertently targets loads of people who don't really care for the code or the projects themselves: they just want the exclusive t-shirt as a trapping and not much more.

I'm sure the campaign still attracts contributors who genuinely want to submit a good PR (I sure am going to do an effort). But frankly, if the campaign ends up devolving into a frenzy for t-shirts, it's hard not to feel demoralized: that's not the spirit of the campaign, and that's quite likely not what DO originally intended, right?

Yes, you're absolutely correct.
>is certainly not constructive

Digital Ocean is not a student under our guidance that we owe a supportive feedback style. They don't even behave like a peer where things can be discussed eye to eye. They interact like a business: as if they're correct and infallible until sufficiently proven wrong that their face is covered in egg.

>posts like "Finally, and most importantly, we can remember that this is how DigitalOcean treats the open source maintainer community, and stay away from their products going forward." is certainly not constructive

That's entirely constructive advice... for the end consumer. It is smart to remember the results of a business' prior actions when you consider future dealings with them. Even if they're all well-intentioned and lovely people that wielded their one-to-many relationship poorly.

>I take real issue with all the vitriol.

The mirth of a "shitoberfest" twitter account and consumer advice in a blogpost aren't all that vitriolic, what they are is simply not friendly to DO.

> as one of the people who sat in a room with my colleagues, listening them talk about the hours and hour of thinking they had done around how to contribute meaningfully to OSS

Don't let your sunken cost and in-group bias distract you from seeing the unfortunate externalities of decisions here. You're separating intent from effect when that is the exact problem. DO created a program which incentivized spam that puts long-term strain on a community which it derives revenue from long-term, just for short term benefit.

If you or anyone else who designed that program doesn't understand that and take action until a /satirical twitter account/ has to pop up, that's really bad. I don't think you should try and make excuses for it. You should try to understand why the incentive broke and caused unintended side effects first before you go criticizing others.

Talking about how you get paid to pat yourself on the back isn't going to win the sympathy of people you mistreated. Now is the time for apologies and amends not tone-deaf whining about being held accountable by people who are actually giving freely of their time and IP.

Here's some constructive criticism: DO should send $20 to the donation box of every repo owner who got a spam PR.

And since you don't even work for DO but seem to like them: stop creating more bad PR for them by making embarassing comments in their name.

I don't understand why a person or persons create new repos and merge PRs into each others hello world empty repos. This would be be the optimal solution no?
This is still not fair to real participants. People that cheat the system like that should not get rewarded
GitHub actually released a full feature specifically in response to this spam?

That's pretty impressive given that we're still in the first day of this (or maybe great timing if it had already been in development).

It already existed but now it allows a full month instead of shorter timespans.
It has been asked for many times (extended duration) and was likely in development.
I feel like this is the ultimate tutorial syndrome. People doing exactly what the video said!
Fact is, we would have done the same after watching his video if we didn't know what PRs and FOSS contributions are. He doesn't explain what PRs are for, or what good PRs look like. He doesn't even teach how to use git for PR - all those spam are using Github's web editor. There is absolutely no clue given about the harm it would cause. For comparison, imagine a hardware DIY tutorial that never mentions any safety concerns.
A better idea would be for hacktoberfest to send everyone who has made a 1-line change to a README.md as their PRs to be given a dunces hat instead.
An entire honeypot conference would be fun.
Somehow I think that'd just add oil to the fire. I wouldn't mind a dunce hat from digital Ocean
Or maybe they should secretly ship the shirts with a large "spam PR" written on it for those who raised spammy PRs.
If everything that CodeWithHarry says is true, then I don't see how it's his fault.

Also, this doesn't seem like a big deal. Just ignore the spammy emails for a while and close the pull requests.

I speak hindi, and in fact he is actually encouraging spam and is BSing in the response. He has said to look for repos with low traffic and do a pull request changing the readme and to do it 20 times, so if most will be marked as invalid, at least 4 wont.
One preview image of his video literally said they are distributing free t-shirts, still them.

https://twitter.com/shitoberfest/status/1311843369077764097?...

This is literally how DigitalOcean is advertising their program, too. It’s just that they intended their audience to be people who fully understood the goal of what this was supposed to be, and the YouTube video was watched by many who didn’t.
Hindi is my native language. CodeWithHarry, in fact, is actually subliminally asking the users to create very low quality PRs. Or at least very heavily implying it.

In one part of the video he mentions that last year DO was not able to distribute all the t-shirts as they didn't have enough PRs. He goes on to mention that "this year, we don't want any T-shirts to remain".

If I get time, I'll point out more lines from the video where he is promoting PR for the sake of PR.

I do agree that it may not be totally his fault in the whole larger context of things.

I looked at the video and it seemed fine. Only problem is that complete rookies were watching it too.

I hang out in some rookie forums and it seems like every other day someone posts a snippet and I find that they have used foo/bar somewhere in the code without realizing it was supposed to be a placeholder. CWH made a tutorial on how to get some text from your computer into an open source repository and that is commendable, but his viewers have forgotten to do the bit where they actually produce content worth merging and that is not his fault.

This is not only kind of spam going on here.

A twitter user mentioned that some youtubers are themselves creating assignment aggregation type repos, and encouraging their viewers to contribute some copy paste code to those repos and they approve the pull request. That's insane.

I feel ashamed to say I am an Indian.

These type of repositories have existed since the first Hacktoberfest. They might even be useful for beginners to learn how to prepare their first pull request. But the idea of Hacktoberfest is clearly not to submit all your pull requests to such a repository.

It even seems as though DigitalOcean is blocking these type of repositories. From the FAQ:

My pull request is marked as being on an excluded repository. What does this mean?

Unfortunately, your pull request was made on a repository that doesn’t align with the core values of Hacktoberfest. We’ve decided that pull requests made to this repository will not count toward completing the challenge.

Right there with you. It’s a little disheartening that I hesitate to tell people where I’m based because of the precedent these people have set.
I would not be too harsh. This way it does not spam normal repos.
(comment deleted)
> I feel ashamed to say I am an Indian.

I disagree with you.

It's a common thing that online polls/contests/games generate this kind of behaviour. Online polls a trolled, games are hacked and online contests that rely on making others work create a mess.

Reading a lot of these comments ... the number of indians making a point of calling out this bullshit on the part of their countrymen is honestly kind of awesome and I'm kinda proud of y'all.

Too many countries' populations would be more likely to be reflexively defensive instead.

Though I'm in england and grew up considering british indians' self deprecatory sense of humour something to aspire to, so ... I'm not going to tell you not to feel ashamed, but I -am- going to tell you that your comment mostly reminds me why I like the culture that leads you to say that :)

You raise a fascinating point, which is of how different Anglo-Indian and just generally how different anglo south asian culture is from the norm. The subthread author (or a commentator) mentioned that one thing you'll see a lot is when folks don't know the answer to your question, they'll answer a different unrelated question and hope for the best because not knowing something is seen as weakness. Of course, that is generally not the case with any of the anglicized south asian diasporas.
Yeah pointing out what's wrong with a society which is focused on wrong metrics and gaming the system is wrong. And I have also pointed out it makes life harder for genuinely talented people.

You and your godamn pride.

... I said I was proud of the pointing out what was wrong.

I think you may have entirely misunderstood my comment.

Why? They accept pull requests to your own repo. I was merging some stuff to a fork to create a PR and later logged into hacktoberfest to check my progress, when I realized that I already had four pull requests because two of them I had approved myself for myself.
I have a couple of vaguely popular repos on github (~100,000 downloads a month)

Generally speaking, (T-shirt farming aside), if you find a genuine typo, or small way to improve documentation, then that PR will be very much appreciated. README-typos are quite visible, yet easy for maintainers to overlook.

If you are new to GitHub, please do not be discouraged, and as with editing Wikipedia- be bold.

(In the large scheme of things, its really positive that so many people worked out how to make a PR, and were then motivated to do so- lets not shame them too hard. Although occasionally neccessary, we must be mindful about gatekeeping, especially with the young and inexperienced)

I have done one letter typo fixes to doc repos as a 3rd party and felt great about them. One of them was actually a typo in a command line that I found by going through their instructions step by step copying and pasting each line. I was seriously confused when it didn't work!
Yes. Fixing up documentation is always helpful, even if it’s a one letter change!

Now, updating “copyright 2018-2019” to “2020” isn’t.

The point of the date it to tell people when the material was created. In some jurisdictions / situations, copyright expires N years after it was created, so that date tells people when copyright has expired.

Unfortunately, in many cases now, copyright is based on the year the author died, rather than the year the work was created, which means it is much harder to work out if something has entered the public domain.

Changing the date without changing the code significantly is arguably fraudulent.

> Changing the date without changing the code significantly is arguably fraudulent.

In some countries the publishing date is what counts, and they define publishing for websites as when the site was viewed.

Presumably, even if publishing date is relevant, it's only first publication that's relevant. No work should stay copyrighted forever just because it's constantly being republished.
> it's only first publication that's relevant.

No, the publishing date is relevant (not the first publishing date).

doesn't moving the creation date forward in time make you vulnerable?

if you create some content in 2018 and I rip it off in 2019 and then you update your copyright to 2020, what's to stop me from saying I came up with it first?

I want to like that idea. Unfortunately, I can counter with: When you (as an outsider) see two very similar projects, one claiming to be from 2018 the other from 2020, what will you look into/try out first?
Depends on the selling point. A 2 year old library sounds to me like it's just getting mature.
Obviously the one from 2018. It should still be quite modern but with big issues already ironed out.
That's partly why you have a span like "Copyright 2018-2020" - you are saying some of this material is older, some isn't. You need to keep copies of the older version with the older copyright to be clear which parts were invented when.
It's useful in showing the project is maintained and how old it is.

I regularly have to shop around for libraries. Seeing a copyright 2017 doesn't bode well for the documentation or the project being maintained.

(comment deleted)
The pull request I have seen were changing "how to install" into "how to easily install" and such. They were not fixing typos or even making sentences better. They were just meaningless changes.
Not sure why the downvotes... the takeaway is it’s extremely easy for maintainers to tell a well intentioned docs change from the crap referenced in this article
Yes. It is easy to tell them apart. But some people are getting over 50 of these in a day, so even if it is easy to tell, it gets annoying and requires you to deal with spam.

That is the thing with spam in general - you can tell it from legitimate mail easily, but is it still annoying and requires you to deal with it.

That is why I still prefer old-style patch submissions via mailing lists - the bar is higher, so it usually weeds out exactly this kind of trash.

Of course, if a company started offering free t-shirts for mailing list submissions and some foolish (but well-meaning) youtuber would publish a tutorial on how to subscribe and post to a mailing list, I have no doubts that there would be a deluge regardless of this higher bar. :)

As a drive-by contributor to plenty of projects it raises the bar uncomfortably high though. A PR I can rebase and rework based on feedback that can be given right there on the line of code it pertains to. Easy as pie with GitLab or GitHub. Really bothersome with mailing-lists, and excruciatingly painful if they don't even use a modern DVCS like git.
A code mirror and mailing list is a perfectly fine DVCS for the purposes of contributing code to an open-source project, and it doesn't lock a whole ecosystem into a monoculture walled garden.

> feedback that can be given right there on the line of code it pertains to

Done easily with a mailing list, and you can be sure that the comment won't just magically disappear because GitHub decided it was fixed even when it wasn't.

> excruciatingly painful if they don't even use a modern DVCS like git.

As far as local development is concerned, there's no reason you can't use all the git tools to manage your changes.

I don't want the walled garden — I don't care if its GitLab or GitHub or some other tool — as long as I can do stuff like rebase and squash easily and discuss the patch without having to subscribe to a mailing-list, set up inbox filters, prepare the patch for emailing, participate until the patch is in, then not forget to unsubscribe.

Comments about a patch are fleeting and should be gone after the patch lands — and should be treated as such. Any relevant comments will be in the source code.

GitLab (and several others) can be self-hosted for free; and the walled garden (GitHub?) is tolerable enough. And as long as you keep your software development practices sensible (centred around git, not GitHub), there hardly is a wall really.

> As far as local development is concerned, there's no reason you can't use all the git tools to manage your changes.

Certainly possible, but I didn't manage to get git-svn working the last time I wanted to contribute to a SVN repo. In the end I just created a local git repo in-place and generated the patch with git format-patch.

(EDIT: I didn't mean to say that mailing lists are much better in every respect than GitHub/GitLab/etc, just that they don't deserve the hate they seem to get in every discussion about tools for collaborative development.)

As someone who has been contributing to Linux for a few years now, which uses mailing lists exclusively for all development (and not only do they use Git, they wrote it) I've found that mail-based workflows are in some ways better to GitHub/GitLab/etc:

1. You can review individual patches, you cannot do this in GitHub at all (commenting at the bottom of a commit doesn't count because it's not tied to the PR and the comment is lost to ether on force-push). GitHub also defaults to you reviewing the full diff and make reviewing individual commits kind of frustrating (you're just dropped into the commit history view rather than a proper review view).

2. All code reviews end up being line-based because the patch is the main body of the email. Design discussion happens as replies to the cover letter of the patch set, meaning you can easily tell which kind of discussion is happening. You can also directly comment on the git commit message, which the kernel community values a lot more than most projects.

3. You can far more easily be notified on patches sent to sections of the tree (though this is slightly tied to Linux's development workflow with subsystem maintainers). GitHub only lets you watch a repository and get the firehouse of events -- which is about as useful as subscribing to the main LKML and trying to keep up with the notifications.

As for difficulty, honestly the bar to entry to send a patch to a mailing list if you're using Git is just:

  $ git send-email --to ... --cc ... origin/master
I would suggest doing "git format-patch" with --cover-letter and then checking the patch contents first, but you can do it one command for simple patches. Git was designed to make this mailing list approach work, so it shouldn't be surprising that it's actually pretty simple to use.
(comment deleted)
One of the PR I made for hacktoberfest was fixing typo in a command in a doc. In the current case however, it seems people are not even trying to do something trivially useful.
Typo fixes are useful. Adding '- an Amazing Project' to a title is not.

There's a lot that the guy could have done differently to demonstrate what a legitimate pull request looks like. Because this wasn't it.

I love it if people send me PR fixing typos or improving documentation.

The problem a lot of the hacktober fest PR don't do any of that.

E.g. on the rust repo some one added a bunch of PRs which add "### The best" to some readmes.

On the other hand, I was told by boost project that my one line fix for a typo was "waste of maintainer time", so it seems to vary on per-project basis :)
Yeah, some maintainers are friendlier then others, and some seem to care more about their precious time then about encouraging people to make (legitimate) contributions unfortunately...
It's so trivial to cherry-pick or rebase and merge such a commit if you understand enough of git to use it properly with branches and stuff. If the commit message is suitably worded it saves time too.

There are software projects out there, even highly used ones, that only use Github to mirror their SVN repository (or some other yesteryear source code system). For those maintainers these PRs do take up more time than they contribute though.

If they don't want GitHub PRs, they can just disable them.
GitHub doesn't allow you to disable pull requests, despite many project (including notable ones like Linux) asking them to add this feature.
They offer 3 options for doing so, in fact, in direct response to this controversy.

I can limit interactions to non-new users.

I can limit interactions to users that have contributed before.

I can limit interactions to users that I have manually whitelisted in my repo.

Unfortunately, only one of these can be active at a time, but the options do exist now.

Go to your repo -> Settings -> Moderation Settings -> Interaction Limits

Limiting interactions is not the same as disabling pull requests wholesale (you can disable issues completely), they are temporary in nature (you can only disable them for 6 months at a time), and in addition I believe my comment was posted before they announced the new feature -- and this is a feature people have been requesting for a decade now.
Thankfully, they've gone and made it opt-in from now on.
Sure, but those types of PRs aren't what's happening here.

Check out this PR: https://github.com/OscarZhou/CSharpTraining/pull/1/commits/8...

How would you like to receive dozens of PRs like that? You would absolutely consider that blatant spam.

I think they're referring to one example on Twitter (unfortunately, I can't find it again now) which was calling out a legitimate single-character typo fix. As someone who occasionally likes to report typos, I appreciate someone telling us they're appreciated :)
This is the outcome that would really suck - if people making their first contribution a legitimate doc improvement get their PRs caught up and marked as spam by maintainers who understandably mistake it as part of the spam.

I'm sure my first ever PR was adding an example to the docs for something, and if that had been closed with no response and labelled spam I doubt I'd have stayed around to contribute again.

I have literally gotten 4 PRs in previous hacktoberfests with typo fix.

I am internally debating if I should participate in this hacktoberfests given the spams going on

Or be bolder: write an up to date "Getting Started" Guide! Or the actual (for the current version) build instructions for the platform you are on!

A lot of projects have simply no easy guide to get from a git pull to a working build for someone not familiar with the language or build system used.

I'd much rather spend a minimum of $20 for the t-shirt and have the proceeds go to an open-source project of my choosing (or a pre-selected list of projects).
Yeah instead of a t-shirt they should give you github sponsor "credits".
Glad I saw this article! I got two pull requests on one of my otherwise inactive repos last night. The first one just tweaked one thing in the README pointlessly. Seemed odd, but benign. Then a second one came later; another small silly tweak. Good to know the reason now.

Luckily that repo isn't terribly important and was only two pieces of "spam". But I can't imagine the shitstorm real open source projects are going to experience. Either they have to weather the storm or, what, disable PRs for a month? Yikes.

I think this should definitely be opt-in.

DO should make a list of participating repos and only PRs to those make you eligible.

Wouldn't that put too much burden on those repos as all participants would race to submit a PR there?
This shows the utility of being able to throttle buggy clients.
I agree that the spam is problematic, but I feel the need to call out his "data collection".

As evidence that CodeWithHarry is the cause, he says

> A search for "Amazing Project" is now showing 21,177 issues.

and

> A search for "improve docs" shows 319,251 issues.

???

Improve docs has been a common beginner level PR since the beginning of time. Do you really think that 319k spam issues have been filed in the last day?

Amazing Project is more relevant, but if you take a look at those issues (sorted by newest), you see that most of the PRs that show aren't spam at all: https://github.com/search?o=desc&q=amazing+project&s=created...

If you want to count how many spam PRs were directly inspired by the video, you can try searching "an amazing project" (with quotes), and filtering by newest. It looks like there have only been about 50 PRs directly inspired by it.

https://github.com/search?o=desc&q=%22an+amazing+project%22&...

I was wondering about all of that. Appreciate the clarification.
A lot of those accounts also seem to be created just a few hours before October 1st. Can GitHub time gate new accounts before that can make public PRs?
I feel like that would be counterproductive given that GitHub is a tool, not a social network you need to gather account age or fake internet points on to use. Don't really see anything wrong with somebody signing up and immediately creating a PR.

I realize GitHub is one of the most popular choices out there but the activity stream is already social mediaesque enough for my taste. There's other ways to tackle this, DO could make their marketing stunt opt-in and GH could respond to the people wanting to add friction to their repo's workflows in a way that provides value, without crippling the general user experience.

(comment deleted)
I think this would be a bad direction. I bet that most people create an account on GitHub to report an issue or create a pull request directly. I think this should be encouraged.
Love this one — somebody is trying to rename "package.json" into "package":

https://github.com/dinosaurjs/website/pull/28

No, he renamed it to "package: An Amazing Project.json"
OMG even better :-))

My mind did not parse anything after ":"

Windows doesn't even let you have a colon in a filename!
Had a hell of a time downloading a torrent with a colon in the name.
You mean it was a pain in the colon? :)
Wonder if NTFS 'lets' you. I know the API does not let it. But I wonder if you could get it in a different way. I know you can sneak case sensitivity in here and there.

Think I shall go ruin a VM tonight... :)

This is my favourite trash PR
Not even that, the file is actually renamed "package: An Amazing Project.json". Amazing indeed!
My favorite one I saw renamed "README.md" to "My Reading".
What’s this bitboxx? Somebody decided the spam PRs weren’t enough spam so they created a bot to amplify it?
"An amazing project!" is going to part of dev culture for years, at least some circles.
Github allows you to search by dates (newer than, date ranges, etc), so for example, you can add the query "created:>=2020-09-30" (the date the youtube video was uploaded) to get a more accurate list.

From this search, it looks like it's definitely on the order of hundreds:

https://github.com/search?p=5&q=amazing+project+created%3A%3...

I opened a few at random to spot-check, and they all seemed like garbage to me. Like this one, ugh https://github.com/mongodb/docs/pull/4402/files

Sorting by relevance doesn't get you a representative sample - that bubbles PRs who say "amazing project" in the title to the top(which are indeed mostly spam).

If you restrict it to "in:title", you see that there's only 44: https://github.com/search?q=in%3Atitle+amazing+project+creat...

And if you sort by "newest" or "oldest", which provide a more representative sample, you can see that most of them are not spam: https://github.com/search?o=desc&q=amazing+project+created%3...

Why restrict in title though? From parent reply it is obvious that the phrase isn't in title yet it is undeniably spam.
I'm trying to get a lower bound on spam PRs filed. If you sort by oldest (instead of by "relevance" as the parent commenter did) and do a spot check, you'll see that a lot of the PR's are legitimate: https://github.com/search?o=asc&q=amazing+project+created%3A...

Certainly, restricting to the title misses plenty of PRs. But his search provides 252 PRs, and I'd estimate that easily <100 of them are spam.

Typically the PRs are titled something like "Improve docs" and the change is to add "an amazing project" somewhere in the README.md.

Here's a search that finds a lot: https://github.com/search?q=in%3Atitle+improve+created%3A%3E...

This search makes the same mistake I mentioned above - you think it finds a lot because you're sorting by "relevant" and sampling.

Sort by newest and you'll see that the vast majority of these PR's are legitimate: https://github.com/search?o=desc&q=in%3Atitle+improve+create...

The results I got show 4 spam PRs out of 10 on the first page. Same on the second and third pages. 60% is not a vast majority legitimate and 40% spam is not inconsequential when it's 86k PRs.
That doesn't match my experience. I looked at the first and 5th page from my link. No spam PRs.

https://i.imgur.com/VgOteKy.png

https://i.imgur.com/aAZ8xbo.jpg

Presumably the spam onslaught is slowing down with time from the video being posted so looking at the most recent results will give an ever fewer percentage of spam. If you look at page 100 of the results (for example, currently 18 hours old) there's a lot more spam.

For example: https://imgur.com/a/vxCHvcO

It is so indiscriminate that repos that could be considered dead (7+ years without activity) by the maintainer seems to get massive attention from new accounts just to get that T-Shirt. O_O
[edit: Possibly I'm being too hasty in recommending swearing off Open Source contributions. Go forth and contribute, I suppose :) Leaving my original comment below for completeness.]

For other South Asian/Indian people like me, a pessimistic but practical counterpoint to this -- if you happen to be Indian and have a username that marks you as such, just lie low for a bit and don't contribute anything; especially during Hacktoberfest. I promise you that this will actually be a net positive for your career.

Work on proprietary (aka closed source software) and earn money. Open Source was never particularly welcoming to us in the first place, and the tradeoff of marketing freebies versus being viewed negatively as a group is and a society is not worth it.

(comment deleted)
> the tradeoff of marketing freebies versus being viewed negatively as a group is and a society is not worth it.

The reputation comes from mediocre youtube tutorials, sweatshops like TCS and infosys, bullshit sites like geeksforgeeks, and incidents like this.

I am an Indian, and I think I have no right to complain about that reputation.

> I am an Indian, and I think I have no right to complain about that reputation.

I think that we are in agreement regarding that? I have no right to complain about it either.

I can offer advice to bypass Open Source contributions altogether, which would have the side effect of stopping incidents like this. And it's not like projects are starved for README contributions either, coding bootcamps or someone else will pick up the slack.

Then, should we stop writing good code because some shitheads set a bad example?

Let me be clear, when you write open source code there are incentives like creating / improving tool for our own use, experimenting, or having a legitimate contribution, even if it is for sake of resume. The software we want to write as OSS is often not the software we can write as proprietary, sell and make money.

Should we give up all the advantages of open source for our side projects? Aren't other people contributing to open source and that's making world better? Should we do a disservice to ourselves and open source community because some people among us have created a bad reputation?

It's not like anyone says "He is Indian, his contribution is probably worthless" about Sanjay Ghemawat or Vikram Adve, right?

> Then, should we stop writing good code because some shitheads set a bad example?

No, I'm saying that we should write great code, and not open source any of it. I don't understand why the concept is so unpopular?

> It's not like anyone says "He is Indian, his contribution is probably worthless" about Sanjay Ghemawat or Vikram Adve, right?

Absolutely not. But I think that today, if Ghemawat made a typo fix contribution to 10 random projects for Hacktoberfest, at least one of those project maintainers who didn't know about him would be yelling about "spam". I'm not sure how to prove this; maybe someone who knows him can ask him to try? :) This is HN after all.

Also, since you bring it up, I'm guessing that the vast majority of Sanjay's code at Google is proprietary and not available to the world.

Which of the article examples (or in-the-wild hacktoberfest PR) is a case of a "typo fix contribution" that you think was unfairly rejected?
I’d really like epithet to reserve that for people who are actively malicious. There are no signs to the contrary for the people submitting spam PRs being enthusiastic developers looking to get into open source and score some swag while they’re at it but lacking the guidance to really understand that they’re being annoying to other people.
> The reputation comes from mediocre youtube tutorials, sweatshops like TCS and infosys, bullshit sites like geeksforgeeks, and incidents like this.

I'm not Indian, and I think the reputation comes largely from the proportion of educated people not behind the Great Firewall of China that are Indian, and people mistaking “the proportion of people who do I see do X thar are from Y background” with “the proportion of people from Y background who do X”.

The above may be the result of large population (with better contact to outside world than china) too..

But the bullshit is real, and its frustrating.

No reason to lie low, just continue making good, earnest PRs which look nothing like this Hacktoberfest spam.

It's not the username in these examples that's the problem.

> It's not the username in these examples that's the problem.

It totally is. Make a profile with a Western-sounding, preferably female name, and submit a similar typo-fix PR. I can guarantee you that it will be accepted, or at the very least, not featured on a Twitter account called "Shitoberfest".

Minor typo fixes and such have been an established way to make a first bite-sized contribution to OSS projects. What changed this year that people are suddenly yelling at the top of their voices about the 30 (yes, thirty!) emails that they got this week?

Have you not seen the PR spam examples people are reacting to in TFA? You can't pick an {avatar, username, nationality, gender} combo that's going to get this diff accepted into React:

    - # React
    + # React an amazing project
These aren't minor "typo fixes".
These aren't typo-fix PRs. Thousands of them simply added "an amazing project" to the title of the readme, as was suggested in the video.
>> It totally is. Make a profile with a Western-sounding, preferably female name, and submit a similar typo-fix PR. I can guarantee you that it will be accepted, or at the very least, not featured on a Twitter account called "Shitoberfest".

I have made a genuine typo fixing PR and it was accepted by the repo. And yes, I don't belong to the group you refer to in your comment. I don't know what's happened with you or why you feel that way. It would be better to support your point with an example or an incident.

That’s not what’s happening here. Have you actually looked at the examples of the PRs linked? They’re not fixing minor typos, they’re introducing nonsensical copy pasted changes. These are not low effort commits that you could argue don’t hurt the project — these are quite literally spam.
>...not featured on a Twitter account called "Shitoberfest".

Do it 20k+ times and it very well may be. You appear uninformed about what is actually happening.

The heck are you talking about? I’ve worked on a good number of open source projects big and small, and spent significant time working with at least one Indian in the process. While a certain subset of people like to force identity politics down everyone else’s throat (mostly by claiming nonexistent discrimination), the vast majority of people don’t give a rat’s ass about whether you’re Indian, or black, or female, or gay, or whatever, and only judge your contributions by what you’re actually contributing. You’re not welcome if you spam, that’s for sure, but even then you’re just a spammer, not an Indian spammer.
No. Just look at my username; you don’t get more Indian-sounding than that. The way forward is to submit high-quality pull requests, not spam them to get a free T-shirt, and certainly not to give up and let people ruin it for you. I personally guarantee you that it’ll work out.
> Just look at my username; you don’t get more Indian-sounding than that.

I know, right! Incidentally, a past draft of my advice was going to refer to you and 'manishearth on the Rust core team as "good" examples to emulate. All this talk about "Shitoberfest" and such is driving me up the wall though.

I don't know, maybe I'm wrong. I feel like we are not welcome, but I guess a lot of people in this thread are saying otherwise, so I should consider that perspective.

> "Shitoberfest" and such is driving me up the wall though.

People are complaining about actual spam that in no way improves their repo, and are angry at DO and GitHub for not being prepared for that. This has nothing to do with actual contributions and the people making them.

People don’t want to be racist. Nobody here (at least, I hope) is getting pleasure from saying that a bunch of Indian people are spamming them with low-quality pull requests. But the fact is that this is happening, and it’s better to try to figure out what is actually happening rather than throwing up your hands and saying “these people have tarnished my ability to ever file a pull request”, it’s much more useful to try to identify what’s really happening and then see if we can fix it.

The fact is that DigitalOcean basically ran a lazy but well-meaning program that was promoted with a poorly-thought-out (but also well-meaning) video on YouTube to a majority Indian audience who largely had no experience with open source etiquette and thus we have the logical result. It’s not that they’re bad people or stupid or whatever, but they were just in the perfect storm of things that told them to do what they’re doing right now because they literally got no guidance at all. This is just “I accidentally sent my feature request email to the development mailing list because I’m unfamiliar with how this process works” but magnified by several orders of magnitude and also slanted towards participation by a certain group of people. The frustration is of course towards the circumstances that led to this happening but it’s often hard to express that and much easier to tweet angrily about “Indian dudes spamming me with PRs”.

> Open Source was never particularly welcoming to us (Indians) in the first place ...

Do you have any evidence to support this? I am an Indian and my own experience has been totally opposite. The open source community welcomed me, guided me, and appreciated my work when I began contributing to open source. See https://issues.apache.org/jira/browse/NUTCH-559 for an example. This was my first significant open source contribution to an Apache project. I was young, naive, and had very little prior software development experience. The change I submitted added new features but it also removed a lot of code that I incorrectly assumed to be not serving any purpose. The Apache committers helped me to refine the change, make it better, and even appreciated it with a "Wow" with this comment: "Sorry for the late review... I have finally reviewed your patch and I have to say: Wow!"

I think this was very welcoming. It filled me with confidence to tackle more complex problems both at work as well as in open source. Thanks to that good experience, I still contribute to open source whenever I can and I write and maintain a few open source projects of my own.

This is crazy that anyone should feel defined by 1 dude who just happens to have the same skin color as them.
I'm an Indian and I beg to disagree. I have made small contributions to open source projects, including fixing typos, and have never felt unwelcome.

I'm a teacher of economics and open source software including Python, Julia, LaTeX, R and Linux are essential to my work. I would find it hard to pay for proprietary equivalents of all the open source software I use. I consider it my duty to contribute back in whatever way I can.

My national pride is not hurt just because another Indian who did something wrong was criticised on the Internet.

I don’t get what the big deal of this is. 1-50 PRs with insignificant changes.

Simple fix, simple scripting of

prs.all().forEach( if pr.MinorChanges, then close w/ comment).

Minor changes are just taking the number of diff files, and checking if it’s less than > 1. That’s just one way to do it.

Feels like enough venting has been done, but why bring up the problem when you can come forth with a solution. Or at least propose one?

Furthermore, does this deserve Twitter attention? How about ours? [hn commubity]

A lot of minor changes are important though and blanket closing all diffs with minor changes will take out legitimate changes with it. Also, it's so easy to get around this by just making diffs with two files changed. Or making a diff that copy pastes the same line 100 times.
Some people are giving him the benefit of doubt because you don't understand hindi. Please don't.

This person really did encourage his 600k+ subscribers to spam the PRs in no uncertain words. He explained how developers with swag clothing and brand stickers look cool and get respect. He told people "it won't improve you much as a developer. But hey, free t-shirt swag, and there's a well defined path to get it. I request every one of my followers to make 20 spam PRs so at least 4 sit for more than a week".

I guess this was bound to happen since hacktoberfest and similar programs have become so popular. Part of me is sad that some influencer is so careless and rallied 20 something enthusiastic kids to do this and adding another bad incident Indians will be remembered for.

Edit: I'm college student (graduating in about 8 months) and I'll highlight that there's a very massive guidance problem here. Enthusiastic students have no one to mentored and direct them and it makes them act on lot of bad advice. In my college, sophomores teach freshmen about Google's Summer of Code, open source and events like hacktoberfest. These endeavours are headed by the one or two guys among the students who happen to get into GSoC/ICPC or (in majority of the cases) have a good competitive coding profile. When everyone involved is a beginner, you get unintended outcomes. It's just so much of a convoluted mess, that even the capable students distance themselves from it (convoluted, as in these capable folks are outnumbered by the enthusiastic kids, who, despite their best intentions shouldn't be guiding others right now. And the one club head is a former part of these guys who really hasn't improved in the 2 years after that). Much of this bad guidance contributes to that statistics you see on how "90% of Indian coders are unqualified"

Edit 2: (just dropping my reply down the thread from) Someone mentioned that I shouldn't drag other Indians into this. I guess that was bad judgement on my part as it doesn't really matter here, I apologise it I came off as disrespectful to fellow South Asian demographic, that wasn't my intention, I just wanted to bring attention to an underlying issue. We have a lot of bad rep for filling sites like Quora and Medium with loads of low effort content, sending unsolicited messages on LinkedIn and AngelList, and in general bad etiquette in messaging others over the internet. Much of this can be attributed to us having 1/6 of world's population (more if you just count English speaking populace), but that doesn't excuse people's bad behaviour. I personally believe that there's a need to teach people on how to conduct written communication and how to behave in casual to semi-formal settings in the internet.

I don’t know why the protagonist being Indian is something that would be strongly remembered. I’d guess anyone whose audience has more time than money could’ve hatched a scheme like this, regardless of nationality.
I mentioned this because I've seen people bash Indians for ruining sites like Quora and Medium with lot of bad quality content. Spam job offers, freelancing sites with bloated profiles, sending unsolicited messages and resume to people in LinkedIn and AngelList. Much of this comes from us having 1/6 of world's population, but that doesn't excuse a big group from their misdeeds. I personally believe that there's a need to teach people about etiquette in written communication and how to behave in semi-formal to casual internet settings
I'm almost afraid to ask this, so please assume good intent and bear with me - I promise this is a genuine question :)

Different cultures definitely consider different things to be acceptable / polite / etc in the same situation (e.g., do you take your shoes off when entering another person's house?). I've heard that there's groups of Indians (possibly the descendants of certain castes?) that place a high value on entrepreneurship and that "go get'em" attitude you often see in motivated sales / business people.

I wonder if that's a factor the behavior you observed - if there's a cultural pressure to assertively put themselves out there and actively look for jobs in these ways.

So with that said - I'm interested in other people's takes and happy to accept constructive criticism :)

Certainly there are cultures where this holds to some extent. However, the spammy PR, the low-effort oncoming nature that is being discussed is not associated with folks from this culture, as much as it is by some commonly prevalent sentiment in CS colleges, which generally move you to be proactive, get your name known, have a colorful (green) github commit frequency chart (?), and other faux markers of excellence which (are believed to ) increase the chance of getting hired for good positions.
> if there's a cultural pressure to assertively put themselves out there and actively look for jobs in these ways.

I am a student so my world-view is highly myopic. That said, in my personal experience, there is a pressure among engineers to stand out, else they won't get a good job. Also there's a rat race mentality inculcated by our parents to excel and always one-up others, rather than to co-operate and collaborate. It was okay when we were school-students and had to contest for entrance into a renowned college. But, the "I was the topper in high school, I gotta excel in adult life, be it through hook or by crook" mentality still runs in college and (hearing from seniors and relatives) in jobs. People are eager to do the 4 hour course on Tensorflow and mention "Tensorflow expert" in their resume to get an edge, people will and do write "Hacktoberfest 2018 and 2019" in their resume, a guy who can fire up an EC2 instance will call himself "moderately proficient in AWS". I'm not joking about these, job-hunting season is starting and I've seen resume of other students mention all this. People see videos of conferences where engineers wear swag t-shirts, and associate swag with good developers, that was further intensified by this guy's video and people wanted this swag for all these reasons.

I guess I've gone slightly OT here, so I'll summarise: Herd mentality due to poor guidance, peer pressure among engineers and the societal pressure to stand out (for securing jobs) is a big culprit here

> I'm not joking about these, job-hunting season is starting and I've seen resume of other students mention all this.

Be very careful with this. At a company I used to work for, the hiring managers started to have a negative view of Indians as they became known for their inflated resumes.

A year ago I was required to hire two developers from TCS. One pattern I noticed is that a lot of developers from TCS, when they don't know the answer to a question, just answer a different question. Another Indian that I did hire, explained that this is a product from Indian culture where not knowing something is seen as a weakness, so people don't want to admit they don't know something, and hide it by answering something else and hoping for the best. I really strongly prefer developers who know and are honest about their limitations. Nobody knows everything, so it's fine if you say you don't know. That makes it a learning opportunity. That opportunity gets closed off when you pretend to know something you don't.

This makes it really hard to hire people from TCS. I did eventually find two good ones, fortunately.

> Different cultures definitely consider different things to be acceptable / polite / etc in the same situation (e.g., do you take your shoes off when entering another person's house?). I've heard that there's groups of Indians (possibly the descendants of certain castes?) that place a high value on entrepreneurship and that "go get'em" attitude you often see in motivated sales / business people.

I have been told something to this effect. That some families, for example, are "business oriented" and raise their children to view everything as negotiable and for the taking. While other families may be focused on engineering or something else. It fits with strong parental involvement there, and the expectation that the children must support the prior generation. Easiest to push children in a direction you know. Basically multi-generational career goals.

Nope. As the parent comment said, there is lack of guidance and mentorship. Many people are unaware of the spam they are creating and genuinely believe what they are doing is acceptable.

Culturally, India is not really homogenous so I can't say anything for the 1.34 billion people but at least in the region I live in, cheating is normalized since first grade. Be it contests, exams or any other status games. Shortcuts are encouraged. There is little incentive for anyone to play fair. Schools want to look good on paper and competitive so they help students cheat, pay for false advertisements and enrollment. Parents do the same and well, kids will learn it if you incentivise that.

For the job seeking, it's pretty much desperation and high unemployment rate.

Unfortunately the largest demographic always gets demonized even if spam is not just limited to a particular group.

Through sheer scale, spammers of Indian origin may be more noticeable than others and thus reinforcing the stereotype.

Eh, I would the say the ratio itself looks bad here. I am always surprised by how normalized and acceptable spamming is in the form of whatsapp forwarding. It's truly frightening watching my family use facebook and whatsapp groups. The spam to content ratio is like 10:1 or heck 20:1. Maybe even worse. .
I am guessing you havent been on the internet 20 years ago when Indians were barely on the internet and email spam and forwarding was a huge thing.

The issue was solved by Google (and others) stepping up their spam detection game. The spam problem can and should be stopped with the technology, but I am not sure if Facebook has the motivations to do this.

I literally came here to say this. The first thought I had by looking at the screenshot of the PR(without watching the video) and reading the highlighted comment was that "This guy must be an Indian". I wanted to give him the benefit of the doubt but after watching the video, I was appalled by what I was hearing. And the worst part is, that he says you will learn how to make a PR. Sorry, but no, you will not learn how to make a genuine PR by watching the video. Another thought that I had was, how many kids are getting into software development because of the "swag" and how many of them are genuinely interested in understanding the intricacies involved in building good software.

Disclaimer: I am an Indian

If you go through some of his other videos, it seems he gains viewers by making clickbait-ish videos. One of videos says "Learn python in 1 video". The video is about 2 hours long.
> When everyone involved is a beginner, you get unintended outcomes.

This is on DigitalOcean for coming up with a half-baked scheme, not those folks themselves.

Edit: it’s amusing to see Indians taking swipes on fellow Indians. It’s a systemic problem, and the fact that you’ve somehow “risen above it” is not a reason to virtue signal.

> It’s a systemic problem, and the fact that you’ve somehow “risen above it” is not a reason to virtue signal.

(As an Indian) As much as I agree with you, I feel like this is different. I'm worried spam on this scale will damage the reputation of Indian OSS contributors.

Blame DigitalOcean for not making this opt-in. Blame a bad implementation. Blame anything.

But are you seriously gonna blame people looking for free swag? How many of us haven’t done something for swag before?

I completely agree with you, but at the end of the day, it doesn't matter who shoulders the blame if OSS maintainers start to get wary of README/docs PRs from github users with Indian-sounding names.
It’s fairly trivial to tell a spammy PR from a legitimate one by just looking at the content of it. Even if a docs change by an Indian account who joined yesterday, if it fixes a real typo or something then it is legitimate is it not?
I've gotten very tired of the term "virtue signal" being thrown around as a means to discredit someone's argument. It's both not persuasive, and it attacks the other person's intentions and not their arguments, which is not a good thing.
>I'm college student (graduating in about 8 months) and I'll highlight that there's a very massive guidance problem here. Enthusiastic students have no one to mentored and direct them and it makes them act on lot of bad advice.

Hey, I'd like to help if possible. I'd probably not have the time to mentor, but I can help with learning resources. All my books are free to read online (https://github.com/learnbyexample/scripting_course#ebooks) and I have lots of bookmarks collected over the years. For example, Python(https://learnbyexample.github.io/py_resources/) and CS(https://github.com/learnbyexample/curated_resources/blob/mas...)

If you are interested, connect with me on twitter (https://twitter.com/learn_byexample) or mail me on gmail (use HN username)

PS: I'm Indian too, but I don't think that'll necessarily help here.

This is exactly the kind of spam we’re talking about. And I saw the repositories.
Man, they're awful :(

I looked into Python and regex

I can understand Hindi well enough to skim the video, which I just did. The impression I got was that this person was an enthusiastic YouTuber with somewhat good intentions: “get free swag”, “learn how to open a pull request which you’ll need to know how to do”, “if your pull request is garbage it’ll get rejected and you won’t get credit”. The issue was that he picked some random repository and made a useless change for sake of demonstration-I assume to make it fit in the video, but this basically set the example for everyone watching it. So unintentionally he’s taught a bunch of people who are really motivated in getting this free shirt and also maybe learning how to get into open source (not necessarily the wrong audience, but maybe a bit wet behind the ears) to spam projects. And there is nobody to guide these people but this video. I think the outcome is obvious in retrospect, but I forgive this dude for making this video although I would very much like him to make a follow up where he shows how it’s really done.

There is a general problem (everywhere, but particularly in India where there are a lot of people but very little guidance) of eager people who are willing to participate in programs that get them interested in software development and open source and coding. And I think that’s really great. The issue is that providing people with free swag and walking away is really just pretending to help, rather than actually doing work to help.

I am curious, when you say there is very little guidance what do you mean? To me in some european states there is zero guidance in IT, or what exactly do you mean.
Well, I’m not saying that Indians are the only people without guidance in this area; it’s just that India in general has it relatively bad. This video was in Hindi-the amount of material actually telling you how to file a good pull request in that language (as opposed to English) is comparatively much lower. In the United States I mostly figured this out by looking at other pull requests, and schools are beginning to teach it as well, but for many in India this video is the best they know of.
As far as I can tell his video only did damage: it taught people to spam open source projects, created a lot of bad blood, probably made open source maintainers more suspicious of new contributors, and gave a large number of potential contributors a bad experience.

It could have been so much better if he'd actually put in the effort to create a real, meaningful pull request. Show how to clone the project, run it, fix a bug, write a test for the fix, and then submit the pull request. That would have put a lot of people on the right path.

But it's much easier and quicker to just do a quick, meaningless change, and as a result give a really bad example.

I entirely understand why this change was picked and will maintain it was a bad choice. However, I don’t think I can fault them for doing that when the alternative would take significantly more time and effort and detract from the point they were trying to make, which is the steps necessary to make a pull request and not the expected content of one. Given the results, however, I would very much appreciate it if the author of the first video made another one which filled in the gaps of their first one.
He still could have prepared a legitimate pull request in advance. It was a terrible example, and the more I read about it, the more I think it was intentional and never had the intention to help Open Source projects in any way.
He could (and should) have, but I do not think that he intentionally tried to hurt open source projects.
I don’t think I can fault them for doing that when the alternative would take significantly more time and effort

Isn't that basically the definition of spam: "but making something useful would take significantly more time and effort"?

Well, I'm considering it in the context of a YouTube video, where there's a length limit and such. Usually you get around this by actually doing the work beforehand and swapping it out, or doing something simple and then saying that this isn't actually representative which is easier and doesn't require a cut but can lead to the issue we see here. Again, I can't fault them for choosing to do this, but I can still say it ended up being a poor choice.
Even worse, since he's speaking Hindi, his campaign rallied Indians into a massive cloud of bad behavior and made thousands of GitHub community members a little more prejudices against Indians in the future. Even if he meant well and didn't profit at all, he hurt the people he tried to help
Yep. Most spam PRs were on website repositories, which is exactly what he used as an example in the video.

I don't know Hindi, but since it's a "free swag" video I assume some people with limited or none technical knowledge also saw it. There's a big chance people are just following it without knowing the consequences of their actions.

> capable folks are outnumbered by the enthusiastic kids, who, despite their best intentions shouldn't be guiding others right now.

I am also an Indian student and can confirm this is very true.

There are so many people posting 20 line tensorflow 'projects', often copied code, for the "swag" of it.

Even competitive coding is gamed a lot. You can't judge people on competitive coding profiles.

> Much of this can be attributed to us having 1/6 of world's population (more if you just count English speaking populance), but that doesn't excuse people's bad behaviour.

This is mostly better attributed to the rat race mentality that is so common among Indians. Everything wrong with education in India stems from this. The rote learning based education, high competition for entering CS degrees despite lack of interest, low quality work in indian outsourcing firms, and company politics to become manager ASAP.

> CodeWithHarry is not a bad guy, I don't want to cancel or shame him

I say, cancel him. And all his fans. CC's think they're hot shit because they can produce a video and upload it to youtube, forgetting entirely that it is the content of the video that gives it any worth. We hate on moronic Medium posts idiotic PR releases, and other low-effort media, why should this be any different? If he deputizes his audience to be assholes he should pay for it.

Stop letting ignorance be an excuse with these folks.

Disagree. It is a problem with hype and code being more centralized. Yes, an annoying for many, but to say this ruined anything is probably exaggerated.
I mean, you could fairly objectively make the judgement that this one video had a net-negative impact on the productivity of humanity.
> I request every one of my followers to make 20 spam PRs so at least 4 sit for more than a week

Is this true? I don’t speak Hindi but this is exactly opposite to what the pull quotes on the original article say that he said.

He did, his statements (translated to English) were:

-"Don't send PR to popular repos, they'll mark it as spam"

-"Send PR to repo with little activity, it'll increase the chances that it'll sit for 7 days. The lesser known a repo is the better, 4 out of 20 is doable"

-"Hacktoberfest has had seasons when they didn't get enough participants and had leftover merch. I request every single one of you to go grab one"

The thumbnail can be translated to "Big Co. distributing free t-shirts, go grab 'em"

Also, his previous pinned comment asked people to tell him about swag-grabbing tactics from other events so he can make another video on it (There was a comment where he was enquiring a guy on how to get Azure merch). His entire video was appalling to go through.

Is "I request every one of my followers to make 20 spam PRs so at least 4 sit for more than a week"

The same translation of:

"Send PR to repo with little activity, it'll increase the chances that it'll sit for 7 days. The lesser known a repo is the better, 4 out 20 is doable"

It is times like this that a third translation would be nice, preferable with a bit more context around the "4 out 20" quote.

"4 out of 20" was directly mentioned by him, stating that a it's unlikely that you open 20 PR to random repos and every one of them is marked spam in next 7 days.

> I request every one of my followers to make 20 spam PRs

This is the translation of his long winded explanation rationalizing on how "Improved docs" PR which adds "Awesome project" to docs is actually an improvement, and the PR is just asking the owner to incorporate these "improvements" to his codebase. Spam wasn't directly worded (I don't remember there being a hindi word for that), but he explicitly mentioned to write random crap in the docs and post it to repos they find on page 100 of repo search, so I guess that's a plausible enough to be translated as "spam".

Is there any translated transcription of the video? It seems established that "I request every one of my followers to make 20 spam PRs" is not an translated quote but rather an interpretation of the underlying meaning. That is good and all but I would prefer seeing the original source myself, and since it is in a different language, an translation that is as close to the original as possible.

The translation I am most interested in is the 1 minute before and after the "4 out of 20".

Languages aren't mathematics, you can't losslessly translate between them. All translations are at least to some degree "an interpretation of the underlying meaning".

As someone who was raised bilingual, I always struggle when asked to translate a specific phrase between languages because literal translations are often less useful or accurate than the "interpreted" translation. I would be very suspicious of anyone who claims they have translated something someone else said without changing its meaning at all.

I have huge respect for the difficult job of translators and there is a definitive distinction between a paraphrase and a quote. I personal know professional translators and a key aspect of that role that they like to talk about is how they are proud to avoid making personal interpretation of the underlying meaning and instead relay as exact as possible what has been said and how it was said so that the client can interpret the meaning.

As an example of that, translators sometimes get jobs to translate at parties like weddings, and sometimes a drunk person comes up to the client and try to hit on them. If the person is muttering then the translator translate the muttering. If they are rambling they translate the rambling. They don't interpret and tell the client that the person is hitting on them, and they don't hide the drunk speech by making it sounds more coherent. Their job is to relay what is being said as exact as the two languages allows it. Naturally as languages has different concepts and ways to express things you do not get a lossless translation, but you do get the nearest translation based on the skill of the translator.

Yes, skilled professional translators who are native-level in both languages are possibly the closest to a perfect translation you can find and arguably they are one of the reasons that international diplomacy is at all workable (though they are still imperfect, purely because languages represent concepts with different nuances, and translating the nuance of any given phrase could require distilling an entire lifetime of cultural experience into a few sentences). That being said, I doubt you'll find one on HN who is going to bother to translate a Hindi video about how to create spam PRs, so you'll have to make do with a native speaker (who isn't a professional translator) has said -- hence my comment.

And my follow-up comment about being suspicious was about the vast majority of people who do translations (especially online), and I would go so far as to argue that some degree of suspicion should also be applied when newspapers use translations as though they are direct quotations. But I wasn't (generally speaking) talking about professional translators.

I don't think that I will get a professional translation but sometimes HN do surprise me, and I generally consider it worth a shot to ask for it when I see two people making quotes with quotations marks about the same translation.

I fully agree that translation should make one suspicious, especially those involving politics. When news in my native language has translations from English (second language) that sounds just a bit too much on the nose it usually prompt me to go and read the original source. Almost every time i find that the original statements involve a lot of contextual nuances.

It's also bad from Hacktoberfest that they reward unmerged PRs. It would be better if they only rewarded PRs that are actually accepted or at least do something meaningful.
I worry the spammy set would then turn into a competition on how to harass maintainers to "merge my PR really quickly please please please!", but maybe.
I've already seen (and dismissed) almost exactly that wording.
If the DO team weren't completely self-serving anti-socials, they'd have set it up to spend 5 seconds eyeballing each PR before sending out a t-shirt, and warning people that only good PRs would count, and giving a few examples from past years.

Or just direct newbies to a bunch of volunteer/sample repos dedicated to helping newbies learn the system, and maybe offer a competitive higher tier of prizes for PRs nominated by repo owned and chosen by DO.

Ah that’s why my 10 year old dormant repository got multiple PRs yesterday
> Enthusiastic students have no one to mentored and direct them and it makes them act on lot of bad advice.

I think this gives the spammers too easy an out.

They're adults who live in a society. They know full well that spamming is not OK, either offline or online. They also know that what they're doing is spamming, not accidentally overly fervent contributions.

Don't cut them any slack. This is pure and simple vandalism with a profit motive.

The thing is they may not. For all we know, they're hearing about pull requests the first time and just seeing the presenter showing how easy it is to do, by altering/adding a few words, and get a free t-shirt. I think the blame is all on the channel. The least he could've made a proper pull request by fixing an issue. That said, the blame should also go on DO since they could've made hacktoberfest opt-in. Instead they encourage PRs on any public repo.
Plenty of blame for both. The channel is appealing to people to spam crap PRs to inactive projects for the sole purpose of winning some swag, and his followers go spam projects for the sole purpose of winning swag.

One guy encourages people to be assholes, and the people respond by acting like assholes. Both leader and followers are wrong in this case.

Very good point. I certainly did not want to give the guy who encouraged them a break.
They live in a society that is not your society. I think it is entirely possible, and anecdotally even likely, that they do not realize what they are doing.
You alone are not a spammer. You would need to anticipate the behavior of others. That there are 4 or 5 people on the internet is something that is slowly learned.
I would say he probably should have shown that many repos have a todo or even suggested starter issues that one could look at instead of just making some unnecessary change for no reason.
(comment deleted)
> Enthusiastic students have no one to mentored and direct them and it makes them act on lot of bad advice. In my college, sophomores teach freshmen about Google's Summer of Code, open source and events like hacktoberfest. These endeavours are headed by the one or two guys among the students who happen to get into GSoC/ICPC or (in majority of the cases) have a good competitive coding profile

In my mind the problem lies with the college, they should be teaching their students how to contribute meaningfully. Spamming behaviors will only hurt the reputations of everyone from that college.

I received two pull requests for two projects on GitHub last night. I am the author of one and the maintainer of the other.

At first, the pull requests did not make sense at all. One of them made minor changes to a README, e.g., changing "this book" to "the book". It was not fixing a typo or incorrect grammar. It was merely choosing a word different from the one I had chosen. In fact, I preferred "this book", so the pull request (PR) was inconsistent with my preference. There was no explanation whatsoever regarding why this change was warranted. Then I looked at the PR author's profile and found that the same person had submitted several such trivial PRs to other projects too, all of them changing "this" to "the" at some places in README files.

It all began to make sense when I looked at the calendar. It was Oct 01. This looked like PR spam due to Hacktoberfest. For now, I just labelled the PRs as "invalid" (as suggested by https://hacktoberfest.digitalocean.com/faq/), closed the PRs, and moved on.

Like all good things created with good intentions on the Internet, spam is hurting this event and bringing bad reputation to it. The possibility of large scale, endless spam should be worked into the design of any new Internet-based event or solution.

I also received one pull request that I thought was spam, where the author made several nonsensical changes like changing "#Features" into "#Features:" in the README. Now it makes sense.

I'll probably tell thank them for their contribution and point out a few ideas for things that would really help us, instead of merging this just for the sake of Hacktoberfest.

Yeah. Best approach I can think of would be something like:

  Cool, looks like you've getting the hang of creating Pull
  Requests on GitHub. :)

  The actual change here though isn't useful to us. :(

  Would you be ok spending some time improving [XYZ] instead? :)
eg combine encouragement for the bit they got right + info on what needs work, and point them in the right direction for fixing it

Some people will probably just not be bothered, but others might get involved in the suggested way. Hopefully. :)

The problem is that this takes time. On one PR, sure, okay. But if you have 50 of the spammy PRs, even with Copy and Paste, this will take several minutes (maybe up to an hour, depending) of a maintainers day (and really, per day, however long Hacktoberfest goes on). That's time that they're not spending coding or updating docs in a valid way or spending with family. It would probably be tenable if there were some heuristic that was 100% certain that this was a spammy PR, but I'm pretty sure that's not the case.
This assumes that the spammers can code/contribute in a meaningful way.
Don't waste your time. The people doing this don't know anything about programming.

There's no reason to ever look at or respond to PR from someone who doesn't at least have their own repo (or at least a fork of a repo) with non trivial commits (at least to a toy/learning project)

But this is not spam. It's based on morons trying to make it in the software world without any basis that they should be there.

They're doing this so that they can put "I have x amount of accepted pullrequests on github" and fool an employer to hire them. To become shit team members or outsourced to become shit offshore team members*.

I have seen these kinds in many a project. Real world experience. Real talk.

The major incentive here is a free tshirt
Good point. I guess that's even worse. Hillarious really. Like something out of a Rick and Morty episode. You couldn't make this up.
The episode name would be something like "haker man" And Ricky (drunk like always) would probably say: "Morty, gonna tell you something, everybody these days call themselves 'programmers/coders/hackers' all they do is watch a Javascript Course, barely, type some stupid shit like 'Hello World' and they feel like a great scientist Morty, you really understand how stupid is this, Morty?! They share that in all the 'social media' trendy moron stuffy like Twitter, a place even more cancerous than me Morty. In the end Morty, burrp, I'm actually the Genius who discovered Time Travel and invented the Portal Gun."
Why would you nedd dozens of PRs for this?
To get at least one through the spam filters.
...that you can wear to an interview?
It is for publicity purposes of digital ocean. Gray area, they do incentivize participation in open source but also are responsible for this hug of death.
These contributions are junk and spam. I don’t think any maintainer will be upset if they get 100 legitimate and well intentioned pull requests, but we’re talking about spam here.
> They're doing this so that they can put "I have x amount of accepted pullrequests on github" and fool an employer to hire them.

Yes, I have seen a bunch of those on popular repositories over the years. It is an annoyance, but usually so little, even on popular repos (I contributed much to PHP as example of project size) that it's easy to ignore (or even simply merge if it's somewhat useful, the fooling won't lead them far)

The difference with this marketing stunt is that there is way more active encouragement for that and way more of it at once ... multiple a day instead of one every few months

No kidding

There is a good amount of questions on SO or tutorial blog posts that are basic, really basic stuff. Things that if you had barely any idea of what you were doing you would figure out but you don't.

Oh and now guess what, this flood of PRs raises the bar and annoyances for everybody.

Spam is like weeds: it is anything excessive, unwanted, and relatively useless.
This has become a pet peeve of mine ever since a former co-worker told me his scheme of setting up a cronjob to add a single commit with a timestamp to a project on his Github profile on a daily basis, so future employers would think he was a 10xer or something to that effect
https://mobile.twitter.com/avestura/status/13117539940716666...

This guy is just straight up begging for a PR merge so that he can get his free T shirt -- I'd wager a good portion of these PR submitters have no idea what they're getting into, they just think they can get a free shirt if they do this according to what the youtube video said.

Most of them will because Hacktoberfest relies on project maintainers to flag the PR as `invalid` within a certain window and close it, AFAIK.

Though I imagine with all the outrage over this that will definitely be changing.

Wow, that's weird. IIRC the first year the PRs had to be merged for them to count.
They said that they didn’t want you to not get credit because you worked for hours on a PR only for it to be not accepted because the maintainers didn’t like it for some reason. Even if that reason was that it wasn’t any work at all. But I think they want people to mark real-bad PRs as spam so they can not count them.
Is there a reason why some repo get a lot of spam, but some don't? Is there a similarity between repos getting a lot of spam?