31 comments

[ 4.1 ms ] story [ 58.0 ms ] thread
Maybe we should cut out the middle-man and make it easy for people to donate token credits to open-source projects, and let the maintainers decide how to use them.
Ah yes, the for-profit companies that trained their commercial models off of all our open source code from the last 50 years need more money from us.
AI agents who review the slop created by other AI agents is not the answer here.

I much prefer a blanket ban on PRs and issues created by AI agents (which is what I personally do for my repos; so far I have closed one[1]). In fact I would love a github alternative which considers AI contributions to be a breach of their terms of use and ban any people who let AI agents loose on their platform.

1: https://github.com/runarberg/markdown-it-math/pull/48#issuec...

In my main project we added a new requirement that all new contributors meet a maintainer in a non-textual format before their first PR is merged. Seems to work well for a small project.
I contribute to OSS substantially and my GitHub project has 150000 active users (users, not stars). Yet, I would not call you up just to send a PR to your project.

It's sad that it has come to this and to me it just means OSS is dead.

i do a lighter version on a small repo. first-time contributors get a "what problem were you hitting?" question before i look at the diff. genuine ones answer in two sentences. the spam PRs either go silent or paste back something that doesn't match their own changes and too long. even those with em dash terminator are still easy to spot. it costs 30 seconds and filters almost everything. a proper profile is also a must. i mean, we can all spot fake facebook pages. i believe we can spot auto generated github profiles. and if their bot is actually good? why not? fix
Can I ask what the motive is to create agents to do this? Where is the profit?
Does github not have rulesets for who can even try to do a PR? I would lockdown my repositories if I didn't want any PR slop.
I understand this is a general problem in OSS, but I also hope the irony isn’t lost that this article is specifically complaining about AI slop PRs to the Open Claw repo.

If the maintainers are that tired of it, they should update OpenClaw to prevent it from submitting PRs to their repo.

What are the best solutions to this issue?
I see one big difference: with email it was always about sender reputation based on email servers (IPs), maybe about domains. But never about individual users. It's the organizations running the email server, who make sure users behave. So they don't get blacklisted and lose sending privileges for hundreds or thousands of users.

For PRs/issues this is not applicable.

(comment deleted)
Wait. So to combat AI spam there's AI agents to prevent it?

Why can the anti spam agents not just do the work directly???

If anyone is interested in what it was like fighting spam in the early 2000s, I worked for a company that captured spam, analyzed it and then passed the analysis s on to the law firms of the big email providers for targeting under CAN-SPAM.

Twitter thread about it below but happy to do a AMA here.

https://x.com/alexpotato/status/1208948480867127296?s=20

I remember that on the not so early days of the internet around 1993, I managed to exchange emails with pretty much important people, known professionals and even got responses to my questions. It looked like a very very small world. Then, came the spam.

I really hate the marketing people mindset. It fucks everything that is nice.

Fun fact: it is spam filtering application that makes Paul Graham famous (and rich)
It's not at all like e-mail spam. Vast majority of contributors made a change useful for themselves that they wish to share with others. It's better to think of this as an influx of new programmers or existing programmers picking up new domains. They can be taught to use coding agents better and are likely to stick with projects that facilitate this rather than shutting them out. Maybe it's best for everyone. Let Linux kernel be super locked down to l33t contributors only and let alternative OSes that nobody paid attention to before gain new developers.
I didnt think about it this way, but it would be helpful to have infra around reputation in the same way email has them.

And, it would be nice to have unsubscribe lists in the uBlock Origin style.

Why though? Is everyone karma farming? What's the motivator here?
When the title said PR spam my first thought was the massive amount of scam posts released by Antrophic, OpenAI and a gazillion AI tools that solve all your problems (supposedly). Much to my surprise this was also an ad for an AI tool. Lowkey disappointing
I value Open Source very highly, and enjoy contributing. Fix a bug here, add a small feature there, most OSS projects have low hanging opportunities. And these days, to "switch off" from my at-work code, try to do more OSS contribution as well.

What I see instead, really, is that most projects no longer, or very rarely look at any contribution, and e.g. any issue + PR/MR combo I make, has a much higher chance of never being looked at and some bot just closes it. Even though the rest of the project might be actually quite active.

It takes some getting used to, apparently being filed together with the "noise", when I try to go out of my way to be as much "signal" as possible. But well, if I really wanted to, I can just run my own changes locally, that's the beauty of OSS, but I hope we can get to some more balanced place over time (being forever the optimist).

I have the same pattern and same observation. No one wants a PR any more as far as I can see. In some sense, this has always been the case. People are happy to do their own thing but not so keen on integration with other people's code. Now though it is on a different level.

I can see maintainers are being overwhelmed by AI driven PRs but if we filter our new features and concentrate just on bug fixes, does it really matter where a PR comes from if it fixes a bug?

I do work on a very complicated agent based simulation. The data shaping and loading is all open source python. There are dozens of long standing bugs that prevent the simulation from loading some of the data correctly. I used to send PRs but they were always ignored so I gave up. Now, when there is a new release I need to spend a day reviewing the new code to see what patches I need to re-apply.

I wish we had a license like "this project merely extends the project it's based on to add features and fix bugs". So that we could justify immediately switching to the fork that solves our immediate problem.

When OSS first got big in the 90s, I thought that it was a free-for-all where anyone could contribute (no maintainers/PRs/MRs) and people would use the most popular branch. That way it would evolve freely at lightspeed to go around 500 pound gorillas like Microsoft.

Imagine my disappointment when we ended up with the same old gatekeeping, now we just police ourselves.

"I can go use whatever fork already exists that solves my problem" is great right up until you have two problems.
It’s amazing how even programmers can’t resist defecating on their own lawn.
tangled has a new web of trust system where you can denounce or vouch for a user and all your friends see it. it decays over time and the whole thing is based on atproto so its easy to set up automated community lists on top.