84 comments

[ 2.8 ms ] story [ 75.1 ms ] thread
I've been helping a bit with OWASP documentation lately and there's been a surge of Indian students eagerly opening nonsensical issues and PRs and all of the communication and code is clearly 100% LLMs. They'll even talk back and forth with each other. It's a huge headache for the maintainers.

I suggested following what Ghostty does where everything starts as discussions - only maintainers create issues, and PRs can only come from issues. It seems like this would deter these sorts of lazy efforts.

I was going to comment something similar.

I was reading some GitHub comments earlier and the AI tone and structure in the comments posted by some users made me feel really uneasy for some reason.

I know a Brazilian who puts lots of emails through ChatGPT because they aren't confident in their English, but this seemed to be AI generating the majority of the content of the message too.

> everything starts as discussions - only maintainers create issues, and PRs can only come from issues.

would be so awesome if github supported all that. probably kills their business model though

Little bit offtopic; is anyone getting more reports of site vulnerabilities I wonder? There are how many AI tools claiming to find those automatically and we get a lot of reports, some even have the tool name on. Thing is, most, well, all so far in the past months, are not true. They seem hallucinations or false positives. We have closed source SaaS products, so these are external scans making these reports.
(comment deleted)
This is great actually. I can feel the sentiment of the slop they've had to deal with.

Fair play to them.

Creating crap vuln reports or PRs on popular OSS projects has been an issue long before LLMs. Remember Hacktoberfest?

Students would often abuse it since there’s no adult in the room to teach them how to behave. I guess this is one hard way to f around and find out. But this is by no means condoning this sort of behavior.

Point is, LLMs made the situation more dire: it’s cheap to generate code, whereas reviewing still scales sublinearly. The only way to prevent this is by being rude to people who are rude to you.

Problem is that the LLM operators don't care if you're rude. They copy and paste your response to the LLM and probably don't read it themselves. If they do read it they don't suffer any ego hit from it because if there was any error it was the LLM's not theirs and their LLM is busy telling them how brilliant and unparalleled they are and how wrong the haters are in any case.

CURL is free to try it, but I'm doubtful being rude will meaningfully improve things. I'm confident it won't improve the ratio of good to bad reports because non-chatbot powered submitters are sensitive to rudeness or even the threat of potential rudeness, and so this approach could easily reduce total volume some but mostly in the reduction of good submissions.

I am friends with a solo maintainer of a major open source project.

He repeatedly complains that at the beginning of some semester, he sees a huge spike of false/unproveable security weakness reports / GutHub issues in the project. He thinks that there is a Chinese university which encourages their students to find and report software vulns as part of their coursework. They don’t seem to verify what they describe is an actual security vuln or that the issue exists in his GitHub repo. He is very diligent and patient and tries to verify the issue is not reproducible, but this costs him valuable time and very scarce attention.

He also struggles because the upstream branch has diverged from what the major Linux distribution systems have forked/pulled. Sometimes the security vulns are the Linux distro package default configurations of his app, not the upstream default configurations.

And also, I’m part of the Kryptos K4 SubReddit. In the past ~6 months, the majority of posts saying “I SOLVED IT!!!1!” Are LLM copypasta (using LLM to try to solve it soup-to-nuts, not to do research, ideate, etc). It got so bad that the SubReddit will ban users on first LLM slop post.

I worry that the fears teachers had of students using AI to submit homework has bled over into all aspects of work.

Ah, brings back memories when TPB did something similar to when MPAA and their "associates" emailed them. I think this is probably the best page where one could still see them: https://web.archive.org/web/20111223101839/http://thepirateb...

I'm not sure it helped in the end, afaik they did it since like 2003 until some years after the raid, but it still seemed like they didn't get the message and kept trying anyways, which from their perspective makes sense but still.

> We will ban you and ridicule you in public if you waste our time on crap

If shame worked, then slop reports would've stopped being made already. Public ridicule only creates a toxic environment where good faith actors are caught up in unnecessary drama because a maintainer felt their time was being wasted. Ban them, close your bug bounty program, whatever, but don't start attacking people when you feel slighted because that never ends well for anyone (including curl maintainers)

One way this can backfire: if you have no reputation and are nobody, and get banned and publically ridiculed, this is now a badge of honor you can take to wealthy and deluded people convinced of the AI future, to say 'look, I have been shot at! I'm a true believer!'

And then maybe they will give you money.

I like the idea of refundable submission fee for bug bounties. No refunds for slop and poorly researched submissions.
From https://curl.se/docs/code-of-conduct.html:

"As contributors and maintainers of this project, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities"

Why have a code of conduct while being hostile to contributors?

I think they should handle this differently.

I think this is probably less effective than if there was some sort of "credit" or reputational score for reporting that seems like something GitHub would have the information to implement.
(comment deleted)
Somehow, I knew this would be curl before finishing reading the headline. Good on them!
Dog whistle to AI. Love it.
AI doesn't mind you'll be ridiculing it in public
There's going to be avalanches of code everywhere. You can no longer expect some human to know what some code does or maintain it.
Which is exactly what the AI companies want. An unmaintainable mountain of code that you need their cloud-based, paywalled LLMs to handle for you.
Can anyone tell me in 2025 how much big tech made in revenue from AI..
(comment deleted)
(comment deleted)