I was hoping it wouldn't hit my repos, but the trickle is turning into a wave of AI-generated PRs that... all they do is suck up what little time I have available for PR review trying to see if there's anything of value in the AI-generated code. There usually isn't.

@geerlingguy who are the PR authors? Real people with repositories?

@geerlingguy ahh weird. I just saw a bunch of PRs to the #qemu #github mirror but they get auto-closed as we are hosted on #gitlab. I did look at one and it seemed to be twenty-odd commits messing around with README.rst. I shall investigate more later once I can actually log in to GitHub - but currently I keep getting unicorns.

@geerlingguy Hey Jeff, I switched to @Codeberg and host my own Forgejo instance. I use https://iocaine.madhouse-project.org/ to feel a bit better about incoming bot traffic. I really like the documentation style and had fun reading it and setting it up.
iocaine - the deadliest poison known to AI

@geerlingguy what do you think the intent is? My only guess is that it's an attack vector similar to what hit xz that time; submit a bunch of innocuous PRs to build reputation and then submit one with malicious code and hope your clout prevents detailed review. Is this widely accepted as the purpose for AI slop submissions?

@ldpm @geerlingguy I’ve come across a few web dev candidates who have clearly had their GitHub profiles juiced up by spamming PRs. If someone isn’t looking closely they might seem like an outstanding dev from a quick look.

Also yeah probably a really good attack vector too.

@geerlingguy I'm about 2 seconds away from figuring out how to use PGP as an allow-list for submitting PRs.

Like, PR must be signed by somebody I agree can send me PRs or it's auto-rejected. Which is of course the opposite of how open source is *supposed* to work, but people sure are trying hard to ruin it for everyone.
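
Added example (not part of the thread, and not any poster's code): one way the signed-PR allow-list idea above could be checked, by parsing the GnuPG status lines that `git verify-commit --raw <sha>` prints to stderr. The fingerprints, the sample status output and all function names are constructed for illustration.

```python
# Added example: allow-list gate over GnuPG status lines, as printed to stderr
# by `git verify-commit --raw <sha>`. All fingerprints and samples are constructed.
ALICE = "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"    # constructed, on the list
MALLORY = "9999FFFF8888EEEE7777DDDD6666CCCC5555BBBB"  # constructed, not on it
ALLOWED_SIGNERS = {ALICE}

# Any of these means the signature must not be trusted, whatever else is printed.
BAD_STATUS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def sample_status(fpr, verdict="GOODSIG"):
    """Build constructed status output for a commit signed by key `fpr`."""
    return (f"[GNUPG:] NEWSIG\n"
            f"[GNUPG:] {verdict} {fpr[-16:]} Constructed User <user@example.org>\n"
            f"[GNUPG:] VALIDSIG {fpr} 2024-01-01 1704067200 0 4 0 1 8 00 {fpr}\n")

def check_signer(raw_status, allowed):
    """Return (accepted, reason) for one commit's raw GnuPG status output."""
    good, fpr = False, None
    for line in raw_status.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword, args = parts[1], parts[2:]
        if keyword in BAD_STATUS:
            return False, f"rejected: {keyword}"
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # Field 10 is the primary-key fingerprint; fall back to the signing key.
            fpr = (args[9] if len(args) >= 10 else args[0]).upper()
    if not (good and fpr):
        return False, "rejected: unsigned or unverifiable"  # fail closed
    if fpr not in allowed:
        return False, f"rejected: {fpr} is not on the allow-list"
    return True, f"accepted: signed by {fpr}"

def check_pr(commit_statuses, allowed):
    """A PR passes only if it has commits and every one of them passes."""
    results = [check_signer(s, allowed) for s in commit_statuses]
    return bool(results) and all(ok for ok, _ in results), results

if __name__ == "__main__":
    for name, raw in [("allowed", sample_status(ALICE)), ("stranger", sample_status(MALLORY)),
                      ("expired key", sample_status(ALICE, "EXPKEYSIG")), ("unsigned", "")]:
        print(name, "->", check_signer(raw, ALLOWED_SIGNERS)[1])
```

Matching on the full primary-key fingerprint rather than the short key ID or the user name in `GOODSIG` matters here, since both of those can be chosen by whoever generates the key.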

@geerlingguy Sounds similar to what was happening with the curl project and their torrent of AI bug reports. @bagder's talk at FOSDEM had an interesting point - it wasn’t the AI that was the problem, it was the abuse. Spending no time on your “contribution” but expecting someone else to spend the time to review it.

@geerlingguy just read about @mitchellh's new project https://github.com/mitchellh/vouch that might be helpful.
GitHub - mitchellh/vouch: A community trust management system based on explicit vouches to participate.