If PR is good, maintainer refunds you ;)
I noticed the same thing in communication. Communication is now so frictionless, that almost all the communication I receive is low quality. If it cost more to communicate, the quality would increase.
But the value of low quality communication is not zero: it is actively harmful, because it eats your time.
In that world there's a process called "staking" where you lock some tokens with a default lock expiry action and a method to unlock based on the signature from both participants.
It would work like this: Repo has a public key. Submitted uses a smart contract to sign the commit with along with the submission of a crypto. If the repo merges it then the smart contract returns the token to the submitter. Otherwise it goes to the repo.
It's technically quite elegant, and the infrastructure is all there (with some UX issues).
But don't do this!!!!
I did some work in crypto. It's made me realize that the love of money corrupts, and because crypto brings money so close to engineering it corrupts good product design.
Would be happy to share the code, just lmk!
But a non-zero cost of communication can obviously also have negative effects. It's interesting to think about where the sweet spot would be. But it's probably very context specific. I'm okay with close people engaging in "low quality" communication with me. I'd love, on the other hand, if politicians would stop communicating via Twitter.
Moreover, I'm not interested in having my money get handed over to folks who aren't incentivized to refund my money. In fact, they're paying processing costs on the charge, so they are disincentivized to refund me! There could be an escrow service that handles this, but now there's another party involved: I just want to fix a damn bug, not deal with this shit.
This, but for an escrow so people can show their actual interest in GitHub Issues, instead of just demanding new features or fixes. So if it gets implemented, the devs get the bounty, if not then they're refunded. I sometimes think about how this could help fund open source at least a little bit.
No comment on making PRs paid, not everyone would react well to that, and some people might be in countries and circumstances where any amount would be problematic.
once notable policy SQL Server enterprise support used to have was you must be available 24/7 if you submit a critical issue. Microsoft was demanding as much of their time as our time.
not sure how that could be rolled out to repos but it worked
Paywalling without any regional pricing consideration it's just going to incentivize people from poor countries to not participate in your project. Maybe that's okay for you but it's something to consider.
We've seen it everywhere, in communication, in globalised manufacturing, now in code generation.
It takes nothing to throw something out there now; we're at a scale that there's no longer even a cost to personal reputation - everyone does it.
Let's say you're a one-of-a-kind kid that already is making useful contributions, but $1 is a lot of money for you, then suddenly your work becomes useless?
It feels weird to pay for providing work anyway. Even if its LLM gunk, you're paying to work (let alone pay for your LLM).
Now with AI-generated spam everywhere, maintainers have even more reason to be suspicious of unknown names. Vouch solves their problem, but think about what it means for someone trying to break in. You need someone to vouch for you before you can contribute, but how do you get someone to vouch for you if you can't contribute?
I get why maintainers need this. But we're formalizing a system that makes OSS even more of an insider's club. The cold start problem doesn't really get any warmer like this.
Ultimately, you need to choose: does your community prioritize its short-term health, or ease of access? If a community never lets anyone in, then it withers and dies eventually, but in the meantime the community can be extremely high-trust. That's what happened to fraternal orders like the Oddfellows and the Free Masons post-Vietnam. If the community has zero barrier to entry, you end up with Twitter: a teeming mass of low-trust members screaming into the void.
The happy medium is allowing in new members just as fast as you can build trust and community cohesion. University clubs are a good example of this: at a massive turnover rate of 25% per year, they need to form processes to not just recruit that many people, but integrate that big of a chunk of their community without destroying the high-trust environment. That's how you end up with the ritualized "rushing" process.
I _think_ this removes the motivation for low-quality PRs. Get on a major blocklist and the GitHub account is basically dead. People could make new GitHub accounts, but then you never get an "impressive" GitHub account.
I get that AI is creating a ton of toil to maintainers but this is not the solution.
FOSS has turned into an exercise in scammer hunting.
Alternatively they might keep some things open (issues, discussions) while requiring a vouch for PRs. Then, if folks want to get vouched, they can ask for that in discussions. Or maybe you need to ask via email. Or contact maintainers via Discord. It could be anything. Linux isn't developed on GitHub, so how do you submit changes there? Well you do so by following the norms and channels which the project makes visible. Same with Vouch.
Think denying access to production. But allowing changes to staging. Prove yourself in the lower environments (other repos, unlocked code paths) in order to get access to higher envs.
Hell, we already do this in the ops world.
This should be easier with AI. Most LLMs are pretty good at integrating existing code.
This is similar to real life: if you vouch for someone (in business for example), and they scam them, your own reputation suffers. So vouching carries risk. Similarly, if you going around someone is unreliable, but people find out they actually aren't, your reputation also suffers. If vouching or denouncing become free, it will become too easy to weaponize.
Then again, if this is the case, why would you risk your own reputation to vouch for anyone anyway.
Good reason to be careful. Maybe there's a bit of an upside to: if you vouch for someone who does good work, then you get a little boost too. It's how personal relationships work anyway.
----------
I'm pretty skeptical of all things cryptocurrency, but I've wondered if something like this would be an actually good use case of blockchain tech…
The same as when you vouch for your company to hire someone - because you will benefit from their help.
I think your suggestion is a good one.
Maybe your own vouch score goes up when someone you vouched for contributes to a project?
Then you have introverts that can be good but have no connections and won’t be able to get in.
So you’re kind of selecting for connected and good people.
This is a graph search. If the person you’re evaluating vouches for people those you vouch for denounce, then even if they aren’t denounced per se, you have gained information about how trustworthy you would find that person. (Same in reverse. If they vouch for people who your vouchers vouch for, that indirectly suggests trust even if they aren’t directly vouched for.)
One of my (admittedly half baked) ideas was a vouching similar with real world or physical incentives. Basically signing up requires someone vouching, similar to this one where there is actual physical interaction between the two. But I want to take it even further -- when you signup your real life details are "escrowed" in the system (somehow), and when you do something bad enough for a permaban+, you will get doxxed.
Not sure about the trust part. Ideally, you can evaluate the change on its own.
In my experience, I immediately know whether I want to close or merge a PR within a few seconds, and the hard part is writing the response to close it such that they don't come back again with the same stuff.
(I review a lot of PRs for openpilot - https://github.com/commaai/openpilot)
If you zoom out to a few years you can see the same pattern over and over at different scales — big exodus event from Twitter followed by flattening out at level that is lower than the spike but higher than the steady state before the spike. At this point it would make sense to say this is just how Bluesky grows.
Besides that, the entire point of this project is to increase the barrier to entry for potential contributors (while ideally giving good new people a way in). So I really don’t think they’re worried about this problem.
Perhaps that is the plan?
Ah, the giant enemy crab shows its weakpoint. This is where the mask cracks.
I don't really see the issue, 'bubble', is a buzzword for what we used to call a community. You want to shrink viral online platforms to health, which is to say to a sustainable size of trusted and high quality contributors. Unqualified growth is the logic of both cancer and for-profit social media platforms, not of a functioning community of human beings.
Bluesky and Mastodon are a significantly more pleasant experience than Twitter or the Youtube comment section exactly because they turn most people away. If I were to manage a programming project, give me ten reliably contributors rather than a horde of slop programmers.
I get the spirit of this project is to increase safety, but if the above social contract actually becomes prevalent this seems like a net loss. It establishes an exploitable path for supply-chain attacks: attacker "proves" themselves trustworthy on any project by behaving in an entirely helpful and innocuous manner, then leverages that to gain trust in target project (possibly through multiple intermediary projects). If this sort of cross project trust ever becomes automated then any account that was ever trusted anywhere suddenly becomes an attractive target for account takeover attacks. I think a pure distrust list would be a much safer place to start.
Its just a layer to minimize noise.
Think of this like a spam filter, not a "I met this person live and we signed each other's PGP keys" -level of trust.
It's not there to prevent long-con supply chain attacks by state level actors, it's there to keep Mr Slopinator 9000 from creating thousands of overly verbose useless pull requests on projects.
Thing is, this system isn't supposed to be perfect. It is supposed to be better, while worth the hassle.
I doubt I'll get vouched anywhere (tho IMO it depends on context), but I firmly believe humanity (including me) will benefit from this system. And if you aren't a bad actor with bad intentions, I believe you will, too.
Only side effect is genuine contributors who aren't popular / in the know need to put in a little bit more effort. But again, that is part of worth the hassle. I'll take it for granted.
Well, yea, I guess? That's pretty much how the whole system already works: if you're an attacker who's willing to spend a long time doing helpful beneficial work for projects, you're building a reputation that you can then abuse later until people notice you've gone bad.
This feels a bit https://xkcd.com/810/
...or spam "RBL" lists which were often shared. https://en.wikipedia.org/wiki/Domain_Name_System_blocklist
Community level enforcement is unfortunately a game of cat and mouse. except the mouse commands an army and you can only catch one mouse per repo. The most effective solution is obviously to ban the commander, but you'll never reach it as a user.
I even see people hopping on chat servers begging to 'contribute' just to get github clout. It's really annoying.
Sounds like a slightly different goal but certainly an interesting system to look at
Look here: https://github.com/mitchellh/vouch/blob/main/CONTRIBUTING.md
It explains how to get vouched. You need to have a person vouch for you after you open an issue with your proposed change. After you are vouched, you may raise a PR.
if someone fresh wants to contribute, now they will have to network before they can write code
honestly i don't see my self networking just so that i can push my code
I think there are valid ways to increase the outcome, like open source projects codifying the focus areas during each month, or verifying the PRs, or making PRs show proof of working etc,... many ways to deter folks who don't want to meaningfully contribute and simply ai generate and push the effort down the real contributors
Once an account is already vouched, it will likely face far less scrutiny on future contributions — which could actually make it easier for bad actors to slip in malware or low-quality patches under the guise of trust.
It's not a perfect solution, but it is a solution that evolves towards a high-trust network because there is a traceable mechanism that excludes abusers.
A few things come to mind (it's late here, so apologies in advance if they're trivial and not thought through):
- Threat Actors compromising an account and use it to Vouch for another account. I have a "hunch" it could fly under the radar, though admittedly I can't see how it would be different from another rogue commit by the compromised account (hence the hunch).
- Threat actors creating fake chains of trust, working the human factor by creating fake personas and inflating stats on Github to create (fake) credibility (like how number of likes on a video can cause other people to like or not, I've noticed I may not like a video if it has a low count which I would've if it had millions - could this be applied here somehow with the threat actor's inflated repo stats?)
- Can I use this to perform a Contribution-DDOS against a specific person?
The reason input should require a text field at least 5 lines long and 80 chars wide. This will influence the user to try to fill the box and provide more reason content, which results in higher quality signals.
Trust is a core security mechanism that the entire world depends on. It must be taken seriously and treated carefully.
[1]: https://blog.discourse.org/2018/06/understanding-discourse-t...
The real problem are reputation-farmers. They open hundreds of low-effort PRs on GitHub in the hope that some of them get merged. This will increase the reputation of their accounts, which they hope will help them stand out when applying for a job. So the solution would be for GitHub to implement a system to punish bad PRs. Here is my idea:
- The owner of a repo can close a PR either neutrally (e.g. an earnest but misguided effort was made), positively (a valuable contribution was made) or negatively (worthless slop)
- Depending on how the PR was closed the reputation rises or drops
- Reputation can only be raised or lowered when interacting with another repo
The last point should prevent brigading, I have to make contact with someone before he can judge me, and he can only judge me once per interaction. People could still farm reputation by making lots of quality PRs, but that's actually a good thing. The only bad way I can see this being gamed is if a bunch of buddies get together and merge each other's garbage PRs, but people can already do that sort of thing. Maybe the reputation should not be a total sum, but per project? Anyway, the idea is for there to be some negative consequences for people opening junk PRs.
GitHub customers really are willing to do anything besides coming to terms with the reality confronting them: that it might be GitHub (and the GitHub community/userbase) that's the problem.
To the point that they'll wax openly about the whole reason to stay with GitHub over modern alternatives is because of the community, and then turn around and implement and/or ally themselves with stuff like Vouch: A Contributor Management System explicitly designed to keep the unwashed masses away.
Just set up a Bugzilla instance and a cgit frontend to a push-over-ssh server already, geez.
Ya, I'm just wondering how this system avoids a 51% attack. Simply put there are a fixed number of human contributers, but effectively an infinite number of bot contributers.
After that ships we'll continue doing a lot of rapid exploration given there's still a lot of ways to improve here. We also just shipped some issues related features here like comment pinning and +1 comment steering [1] to help cut through some noise.
Interested though to see what else emerges like this in the community, I expect we'll see continued experimentation and that's good for OSS.
[1] https://github.blog/changelog/2026-02-05-pinned-comments-on-...
With just those primitives, CI is a service that emits "ci/tested." Review emits "review/approved." A merge controller watches for sufficient attestations and requests a ref update. The forge kernel only evaluates whether claims satisfy policy.
Vouch shifts this even further left: attestations about people, not just code. "This person is trusted" is structurally the same kind of signed claim as "this commit passed CI." It gates participation itself, not just mergeability.
All this should ideally be part of a repo, not inside a closed platform like github. I like it and am curious to see where this stands in 5 years.
So is there value in a three state system, rather than a 2 state?
https://github.com/mitchellh/vouch?tab=readme-ov-file#local-...
Local Commands
Check a user's vouch status:
vouch check <username>
Exit codes: 0 = vouched, 1 = denounced, 2 = unknown.
Your solution advocates a
( ) technical (X) social ( ) policy-based ( ) forge-based
approach to solving AI-generated pull requests to open source projects. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws.)
( ) PR spammers can easily use AI to adapt to detection methods
( ) Legitimate non-native English speakers' contributions would be affected
( ) Legitimate users of AI coding assistants would be affected
( ) It is defenseless against determined bad actors
( ) It will stop AI slop for two weeks and then we'll be stuck with it
(X) Project maintainers don't have time to implement it
(X) Requires immediate total cooperation from maintainers at once
(X) False positives would drive away genuine new contributors
Specifically, your plan fails to account for
(X) Ease of creating new GitHub accounts
(X) Script kiddies and reputation farmers
( ) Armies of LLM-assisted coding tools in legitimate use
(X) Eternal arms race involved in all detection approaches
( ) Extreme pressure on developers to use AI tools
(X) Maintainer burnout that is unaffected by automated filtering
( ) Graduate students trying to pad their CVs
( ) The fact that AI will only get better at mimicking humans
and the following philosophical objections may also apply:
(X) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
(X) Allowlists exclude new contributors
(X) Blocklists are circumvented in minutes
( ) We should be able to use AI tools without being censored
(X) Countermeasures must work if phased in gradually across projects
( ) Contributing to open source should be free and open
(X) Feel-good measures do nothing to solve the problem
(X) This will just make maintainer burnout worse
Furthermore, this is what I think about you:
(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out what project you maintain and
send you 50 AI-generated PRs!Your strongest point is that allowlists exclude new contributors. (You're right about blocklists, but this seems to me like a primarily allowlist-based approach.) Thing is, new contributors are already being excluded by a flood of slop PRs within which they are indistinguishable. Whatever strategy they would currently use to distinguish themselves (reaching out through social channels, volunteering in the issue for an important problem, etc) should still work with vouch. But when it does work and they are vouched for, they will get a reputational shortcut to contribute again in this repo and to contribute in other repos sharing the same vouchlist.
Like any good social solution, `vouch` is trying to codify & extend the existing ad-hoc practices that have arisen to cope with slop PRs (i.e. largely ignoring PRs submitted by strangers). Obviously it's not a full solution, but I'm suspicious of solutions that claim to fully solve a difficult problem. It's a step forward.
The problem is at the social level. People will not want to maintain their own vouch/denounce lists because they're lazy. Which means if this takes off, there will be centrally maintained vouchlists. Which, if you've been on the internet for any amount of time, you can instantly imagine will lead to the formation of cliques and vouchlist drama.
The web badly under-uses reputation and cryptographic content signing. A simple web of trust, where people vouch for others and for content using their private keys, would create a durable public record of what you stand behind. We’ve had the tools for decades but so far people decline to use them properly. They don't see the urgency. AI slop creates the urgency and yet everybody is now wringing their hands on what to do. In my view the answer to that has been kind of obvious for a while: we need a reputation based web of trust.
In an era of AI slop and profit-driven bots, the anonymous web is just broken. Speech without reputational risk is essentially noise. If you have no reputation, the only way to build one is by getting others to stake theirs on you. That's actually nothing new. That's historically how you build reputation with family, friends, neighbors, colleagues, etc. If you misbehave, they turn their backs on you. Why should that work differently on the web?
GitHub actually shows how this might work but it's an incomplete solution. It has many of the necessary building blocks though. Public profiles, track records, signed commits, and real artifacts create credibility that is hard to fake except by generating high quality content over a long time. New accounts deserve caution, and old accounts with lots of low-quality (unvouched for) activity deserve skepticism. This is very tough to game.
Stackoverflow is a case study in what not to do here. It got so flooded by reputation hungry people without one that it got super annoying to use. But that might just be a bad implementation of what otherwise wasn't a bad idea.
Other places that could benefit from this are websites. New domains should have rock bottom reputation. And the link graphs of older websites should tell you all you need to know. Social networks can add the social bias: people you trust vouching for stuff. Mastodon would be perfect for this as an open federated network. Unfortunately they seem to be pushing back on the notion that content should be signed for reasons I never understood.
I've theorized what a solution would look like, though it'd have a different end goal to ignore bots so true discourse could be achieved. The theorized solution would be less communal though - instead, institutions would be "vouchers" and be provided the ability to confirm individuals as a real person. This could be colleges, workplaces, unions, banks, etc. There'd be no "denouncing", only "vouching" the individual as a real person. The individual's identity would never exposed - social media platforms would use a key, such as an e-mail, to verify the individual's existence as a real person, not their identity. Platforms could identify what rules would qualify an individual's recognized "existence", such as what institutions they allow, minimum number of institutions, etc. In theory, the individual "existence" could be built before they ever register for a platform. This could go way beyond social media platforms too - some examples could be vetting job applications, accepting contributors on OSS projects.
This would create a digital fingerprint of a real individual using their unique identifiers (email, phone number, etc) which may be undesirable, but individuals would absolutely have the ability to revoke their unique identifiers from participating in the program if they desire.
For a single organisation, a list of vouched users sounds great. GitHub permissions already support this.
My concern is with the "web" part. Once you have orgs trusting the vouch lists of other orgs, you end up with the classic problems of decentralised trust:
1. The level of trust is only as high as the lax-est person in your network 2. Nobody is particularly interested in vetting new users 3. Updating trust rarely happens
There _is_ a problem with AI Slop overrunning public repositories. But WoT has failed once, we don't need to try it again.
It didn't work for links as reputation for search once "SEO" people started creating link farms. It's worse now. With LLMs, you can create fake identities with plausible backstories.
This idea won't work with anonymity. It's been tried.
There's likely no perfect solution, only layers and data points. Even if one of the layers only provides a level of trust as high as the most lax person in the network, it's still a signal of something. The internet will continue to evolve and fracture into segments with different requirements IMHO.
You're always free to create a fork.
2. Being able to denounce people with noxious political views is a feature, not a bug. If someone shows up in your issues complaining about how your CoC is "woke," they're a bad actor stirring up pointless drama. At best, this is just a waste of everyone's time, and at worst they're haranguing your actual contributors who happen to be trans or something. Respectful contributors naturally will not fall afoul of this, regardless of their beliefs or party affiliation or what-have-you.
Have they shared the lists of developers they want prophylactically blackballed from the community yet?
If you get denounced on a popular repo and everyone "inherits" that repo as a source of trust (e.g. think email providers - Google decides you are bad, good luck).
Couple with the fact that usually new contributors take some time to find their feet.
I've only been at this game (SWE) for ~10 years so not a long time. But I can tell you my first few contributions were clumsy and perhaps would have earned my a denouncement.
I'm not sure if I would have contributed to the AWS SDK, Sendgrid, Nunit, New Relic (easily my best experience) and my attempted contribution to Npgsql (easily my worst experience) would have definitely earned me a denouncement.
Concept is good, but I would omit the concept of denouncement entirely.
I'd hesitate to create the denounce function without speaking to an attorney; when someone's reputation and career are torpedoed by the chain reaction you created - with the intent of torpedoing reputations - they may name you in the lawsuit for damages and/or to compel you to undo the 'denounce'.
Not vouching for someone seems safe. No reason to get negative.
Feels like making a messaging app but "how messages are delivered and to whom is left to the user to implement".
I think "who and how someone is vouched" is like 99.99% of the problem and they haven't tried to solve it so it's hard to see how much value there is here. (And tbh I doubt you really can solve this problem in a way that doesn't suck.)
Probably the idea is to eventually have these as some sort of public repo where you can merge files from arbitrary projects together? Or inherit from some well known project’s config?
How many important emails have been lost due to spam filters, how many important packets have been dropped by firewalls? Or, how much important email or important packets weren't sent because "it wasn't worth the hassle"? I'm sure all of that happened, but to which proportions? If it wasn't worth it, the measures would have been dropped. Same here: I regard it as a test, and if it isn't worth it, it'll be stopped. Personally, I run with a 'no spam' sticker on my physical postbox, as well as a 'no spam' for salesmen the former of which is enforced by national law.
FWIW, it is very funny to me, the people who ignore it: 1) very small businesses 2) shady businesses (possibly don't understanding the language?) 3) some charities who believe they're important (usually a nice response: 'oh, woops') 4) alt-right spammers who complain about the usual shit they find important (e.g. foreigners) 5) After 10 years I can report Jehova's have figured out the meaning of the texts (or remember to not bother here)!
It is my time, it is my door, my postbox. I'm the one who decide about it, not you.
Same here. It is their time, it is their project. They decide if you get to play along, and how. Their rules.
I think that’ll also happen to most open source projects that adopt a policy of silent auto-rejection of contributions without review.
You might think this is science fiction, but the companies that brought you LLMs had the goal to pursue AGI and all its consequences. They failed today, but that has always been the end game.
(EDIT: Thanks sparky_z for the correction of my spelling!)
Major congratulations to the creator, you're doing god's work. And even if this particular project struggles or outright fails, I hope that it provides valuable insight for any follow-up web-of-trust projects on how to establish trust online.
Assuming the list is under source control, the commit history can answer this question but it's manual work whereas a tree/graph system shows you directly who is making the bad judgement calls (may be intentional or not, so this person can keep contributing so long as those contribs are good, but not invite further people). I don't understand the added value of a bunch of software around what is essentially an allowlist where the commit history already shows why someone was added or removed
¹ https://github.com/mitchellh/vouch?tab=readme-ov-file#vouche...
Key differences: - Based on commit history, with nuance around relatedness of projects, types of projects, age, etc. - Requires no ongoing work. Just add it to your GH Actions CI. - Agent ready with an MCP interface, Python lib, and CLI
Discussion on HN here: https://news.ycombinator.com/item?id=46960412
Feedback and PRs welcome.
“After we left Samble I began trying to obtain access to certain reticules,” Sammann explained. “Normally these would have been closed to me, but I thought I might be able to get in if I explained what I was doing. It took a little while for my request to be considered. The people who control these were probably searching the Reticulum to obtain corroboration for my story.”
“How would that work?” I asked.
Sammann was not happy that I’d inquired. Maybe he was tired of explaining such things to me; or maybe he still wished to preserve a little bit of respect for the Discipline that we had so flagrantly been violating. “Let’s suppose there’s a speelycaptor at the mess hall in that hellhole town where we bought snow tires.”
“Norslof,” I said.
“Whatever. This speelycaptor is there as a security measure. It sees us walking to the till to pay for our terrible food. That information goes on some reticule or other. Someone who studies the images can see that I was there on such-and-such a date with three other people. Then they can use other such techniques to figure out who those people are. One turns out to be Fraa Erasmas from Saunt Edhar. Thus the story I’m telling is corroborated.”
“Okay, but how—”
“Never mind.” Then, as if he’d grown weary of using that phrase, he caught himself short, closed his eyes for a moment, and tried again. “If you must know, they probably ran an asamocra on me.”
“Asamocra?”
“Asynchronous, symmetrically anonymized, moderated open-cry repute auction. Don’t even bother trying to parse that. The acronym is pre-Reconstitution. There hasn’t been a true asamocra for 3600 years. Instead we do other things that serve the same purpose and we call them by the old name. In most cases, it takes a few days for a provably irreversible phase transition to occur in the reputon glass—never mind—and another day after that to make sure you aren’t just being spoofed by ephemeral stochastic nucleation. The point being, I was not granted the access I wanted until recently.” He smiled and a hunk of ice fell off his whiskers and landed on the control panel of his jeejah. “I was going to say ‘until today’ but this damned day never ends.”
“Fine. I don’t really understand anything you said but maybe we can save that for later.”
“That would be good. The point is that I was trying to get information about that rocket launch you glimpsed on the speely.”*
The contributions I’ve seen from such people in the open source projects I’ve worked on ranged from zero to negative value, and involved unusually large amounts of drama.
I can imagine things are different for some projects. Like maybe debian is trying to upstream a fix?
Even then, can’t they start the PR with a verifiable intro like “I maintain this package for debian.”?
For the other 99% of welcome contributions, intros typically are of the form: “I was hired to work on this by one of the industrial teams that maintain it”
I understand that projects will probably get floods of PRs and such given how easy it is to do stuff with AI now... And maybe it's AI that is to blame for it all. That's fair.
But no good will come of this strategy. I think it's even possible that we will see a massive stall in innovation now.
Another thing that is amusing is that Sam Altman invented this whole human validation device (Worldcoin) but it can't actually serve a useful purpose here because it's not enough to say you are who you are. You need someone to say you're a worthwhile person to listen to.
But using this to vouch for others as a way to indicate trust is going to be dangerous. Accounts can be compromised, people make mistakes, and different people have different levels of trust.
I'd like to see more attention placed in verifying released content. That verification should be a combination of code scans for vulnerabilities, detection of a change in capabilities, are reproducible builds of the generated artifacts. That would not only detect bad contributions, but also bad maintainers.
If upstream can’t be bothered to fix such stuff (we’re talking major functionality gaps that a $10-100/month LLM can one-shot), isn’t my extremely well tested fix (typically a few dozen or maybe hundred lines) something they should accept?
The alternative is getting hard forked by an LLM, and having the fork evolve faster / better than upstream.
Telling people like me to f—— off is just going to accelerate irrelevance in situations like this.
I'm pretty doubtful a handful of one-shot AI patches is a viable fork. Bug fixes are only one part of the workload.
You have your fork and the fixes, the PR is just kindness on your part. If they don’t want it then just move on with your fork.
I once submitted a PR to some Salesforce helper SDK and the maintainer went on and on about approaches and refactoring etc. I just told him to take it or leave it, I don’t really care. I have my fork and fix already. They eventually merged it but I mean I didn’t care either way, I was just doing something nice for them.
https://weblog.masukomi.org/2018/03/25/zed-shaws-utu-saving-...
https://savingtheinternetwithhate.com/
DEFCON presentation: https://www.youtube.com/watch?v=ziTMh8ApMY4
This project though tries to solve a platform policy problem by throwing unnecessary barriers in front of casual but potentially/actually useful contributors.
Furthermore, it creates an "elite-takes-all", self-amplifying hierarchy of domination and rejection of new participants because they don't have enough inside friends and/or social credit points.
Fail. Stop using GH and find a platform that penalizes AI properly at its source.
Spam filters exist. Why do we need to bring politics into it? Reminds me of the whole CoC mess a few years back.
Every time somebody talks about a new AI thing the lament here goes:
> BUT THINK OF THE JUNIORS!
How do you expect this system to treat juniors? How do your juniors ever gain experience committing to open source? who vouches for them?
This is a permanent social structure for a transient technical problem.
Surely you mean this the other way around?
Mitchell is trying to address a social problem with a technical solution.
I think the comparisons to dating apps are quite apt.
Edit: it also assumes contributors can't change opinions, which I suppose is also a dating issue
Doesn't require money, just computing power.
https://en.wikipedia.org/wiki/Hashcash
If HiveCoin were still around, we could donate the hashing power to some tech-related non-profit.
It spreads the effort for maintaining the list of trusted people, which is helpful. However I still see a potential firehose of randoms requesting to be vouched for. Various ways one might manage that, perhaps even some modest effort preceding step that would demonstrate understanding of the project / willingness to help, such as A/B triaging of several pairs of issues, kind of like a directed, project relevant CAPTCHA?
This is from the twitter post referenced above, and he says the same thing in the ghostty issue. Can anyone link to discussion on that or elaborate?
(I briefly looked at the pi repo, and have looked around in the past but don't see any references to this vouching system.)
However, it's not hard to envision a future where the exact opposite will be occur: a few key AI tools/models will become specialized and better at coding/testing in various platforms than humans and they will ignore or de-prioritize our input.
Maybe something like this could be useful for open source collaboration as well?
*with the notable exception of craigslist
Traditional karma scores, star counts, etc, are mostly just counters. I can see that a bunch of people upvoted, but these days it's very easy for most of those votes to come from bots or spam farms.
The important difference that I see with Vouch is not just that I'm incrementing a counter when I vouch for you, but that I am publicly telling the world "you can trust this person". And if you turn out to be untrustworthy, that will cost me something in a much more meaningful way than if some Github project that I starred turns out to be untrustworthy. If my reputation stands to suffer from being careless in what I vouch for, then I have a stronger incentive to verify your trustworthiness before I vouch for you, AND I have an ongoing incentive to discourage you from abusing the trust you've been given.
But then the actions implementation starts with "pull_request_target" :(
Problem 2 - getting banned by any single random project for any reason, like CoC disagreement, a heated Rust discussion, any world politics views etc. would lead to a system-wide ban in all involved project. Kinda like getting a ban for a bad YT comment and then your email and files are blocked forever too.
The idea is nice, like many other social improvement ideas. The reality will 99% depend on the actual implementation and actual usage.
But I like the idea and principle. OSS need this and it's traded very lightly.
Simple as. He who is without sin can cast the first stone.
Would people recommend it? I feel like I have such huge inertia for changing shells at this point that I've rarely seriously considered it.
Something to keep in mind if I'm ever looking to switch I guess.
zig is too low level.
It makes sense if you are collaborating over IRC, but I feel the need to face palm when people sitting next to each other do it.
What is your preferred way to talk to your team?
No English, only code
Slack
Zoom
In a meeting room
Over lunch
On a walk
One thing I’ve learned over time is that the highest bandwidth way of talking is face to face because you can read body language in addition to words. Video chat is okay, but an artificial and often overly formal setting. Phone is faster than text. Text drops the audio/visual/emotional signal completely. Code is precise but requires reverse engineering intent.
I personally like a walk, and then pair programming a shared screen.
There are obvious cases in Europe (well, were if you mean the EU) where there need not be criminal behaviour to maintain a list of people that no landlord in a town will allow into their pubs, for example.
This is perhaps good for massive projects like curl which are tired of AI slop.
It also addresses the issue in tolerating unchecked or seemingly plausible slop PRs from outside contributors from ever getting merged in easily. By default, they are all untrusted.
Now this social issue has been made worse by vibe-coded PRs; and untrusted outside contributors should instead earn their access to be 'vouched' by the core maintainers rather than them allowing a wild west of slop PRs.
A great deal.
The enshitification of GitHub continues