I suggested following what Ghostty does where everything starts as discussions - only maintainers create issues, and PRs can only come from issues. It seems like this would deter these sorts of lazy efforts.
People gamified it and then it sucked, but the idea wasn't so bad. One would expect people would not stoop this low for a free T-Shirt.
Had my first experience with an "AI guardian" when I submitted a PR to fix a niche issue with a library. It ended up suggesting that I do things a different way which would have to involve setting a field on a struct before the struct existed (which is why I didn't do that in the first place!)
Definitely soured me on the library itself and also submitting PRs on github.
If I ever need to start using an AI to summarize text that someone else has generated with AI from a short summary, I'm gonna be so fucking done.
What are you going to do now?
Spam, for decades, has been a matter of just shoveling truckloads of emails out the door and hoping that one or two get a gullible match.
Blocking spam, for decades, has been a matter of heuristic pattern-matching.
I don't see how that is the same as "fighting LLMs with LLMs", or how it could be said to be the same as how spam is made and used.
How do you know this?
Someone creates a garbage issue. Someone else asks to be assigned. Someone from the project may say "we don't assign issues" (this step has zero effect over later steps). Someone else submits a PR. Maybe someone else will submit another PR. Maintainers then agonise how they can close issues and PR(s) without being rude or discouraging to genuine efforts.
Resume glorification and LinkedIn / GitHub profile attention do that.
I am seeing a lot of people coming up with perceived knowledge that's just LLM echo chambers. Code they contribute comes straight out of LLMs. This is generally fine as long as they know what it does. But when you ask them to make some changes, some are as lost as ever.
Torvalds was right, code maintenance is going to be a headache thanks to LLMs.
I’m actually of the mind it will be easier IF you follow a few rules.
Code maintenance is already a hassle. The solution is to maintain the intent or the original requirements in the code or documentation. With LLMs, that means carrying through any prompts and to ensure there are tests generated which prove that the generated code matches the intent of the tests.
Yes, I get that a million monkeys on typewriters won’t write maintainable code. But the tool they are using makes it remarkably easy to do, if only they learn to use it.
I wondered why people would video themselves going around slapping strangers in public then shouting "its just a prank bro" - turns out it works.
Thanks to their LLM reliance they'd soon not know what it does, and forget even the little they know about coding.
Is this cultural? I ran a small business some years ago (later failed) and was paying for contract work to various people. At the time I perceived the pattern that Indian contractors would never ever ask for clarifications, would never say they didn't know something, would never say they didn't understand something, etc. Instead they just ran with whatever they happened to have in their mind, until I called them out. And if they did something poorly and I didn't call them out they'd never go back, as far as I can tell, and wonder "did I get it right? Could I have done better?". I don't get this attitude - at my day job I sometimes "run with it" but I periodically check with my manager to make sure "hey this is what you wanted right?". There's little downside to this.
Your comment reminded me of my experience, in the sense that they're both a sort of "fake it till you make it".
Add in time zones, language friction, and fear of losing work, and "just run with it" becomes a rational strategy. Meanwhile, many Western workplaces treat clarification and check-ins as professionalism, so the behavior reads as strange or careless.
The key point is that this usually isn’t lack of curiosity or reflection, but risk management under different norms. The pattern often disappears once expectations are explicit: ask questions, check back, iteration is expected.
I would be ashamed to submit an AI slop PR or vulnerability report.
An Indian might just say "I have 25 merged PRs in open source projects"
That’s ego, assuming doing is the value, not doing RIGHT.
Doing alone has almost zero value.
No. That's lack of labor protection laws and the effect that this causes on how companies are run.
Back-and-forth iteration and consultation is a genuinely hard problem. Certain kinds of feedback cycles have a minimum latency of "overnight". Which means we need to invest heavily in good communication.
But also, it means more people need to have the "big picture", and they need to be able to make good decisions (not just arbitrary ones). So the ideal goal is to prevent people from going off in random nonsensical directions based on miscommunication, and equip them to actually think strategically about the overall plan. Continent X might make different decisions than continent Y, but they're all talking, and enough people see the goal.
A lot of the international teams I've seen pull this off are ones where an Eastern European or Indian team is just another permanent part of the company, with broad-based professional expertise. Contractors on any continent are a whole different story.
So I think what a lot of people try to blame on Indian management culture (or whatever) really is just a case of "we hired contractors in a different time zone." I mean, there are always cultural issues—Linus Torvalds came from a famously direct management culture, and many US managers tend to present criticism as a not-so-subtle "hint" in between two compliments—but professionals of intelligence and goodwill will figure all that out eventually.
100% agree, especially when there is minimal overlap during normal office hours. I was managing a dev team in India from the US and it was a real challenge. The company ended up moving the team to the US, relocating most of my team. Despite all the people being the same, management became much easier.
Since then I've done US and EU, and EU and IN, and those have all worked fine because we had sufficient overlap during business hours.
Very common pattern you see in literature about military strategy, actually. The answer is delegation, heavy use of NCOs, and in general explaining the plan all the way down to the individual soldier. Under the western school it all falls under "initiative".
Notably, a lot of non-western militaries are terrible at it, and a number of military failings in Africa, the Middle East, and the Soviet Union (*cough*Russia*cough*) are viewed as failures in flexibility with very low initiative, as well as lacking/unskilled NCO corps.
Dunno how you apply that to an organization, but maybe sending skilled workers as a kind of non-commissioned officer could work. Who knows.
Whereas other cultures have at least some (if not a lot of) resistance to it - e.g. publicly ridiculing when people step flagrantly out of line. This is good. My impression is that British culture is like this - "taking the piss", or worse, out of people whose egos start to get too large.
Edit: what about this comment could possibly be worth a downvote...? Not that I care about points, but it just seems to be an objective assessment of human nature and cultures, without even singling out any cultures that need improvement.
For students, often there is no pathway to actually become good due to lack of resources. So, the only way is to fake it into a job and then become good.
I can't remember all the techniques but a simple trick is to ask them to repeat their understanding back to you before they start working on a thing.
But I don't think it's connected to sending "malicious" reports. That seems rather to be to pad their resume and online presence while studying to get an edge in hiring.
It would be typical to do the first thing that comes to mind, then see what happens. No negative feedback? Done, move on. Negative feedback? Try the next best thing that makes the negative feed back go away.
People will not wonder whether they might bother you. Just start talking. Maybe try to sell you something. That's often annoying. But also just be curious, or offer tea. You react annoyed and tell them to go away? They most likely will and not think anything bad of it. You engage them? They will continue. Most likely won't take "hints" or whatever subtle non-verbal communication a Westerner uses.
I found it quite exhausting in the beginning, it feels like constantly having to defend myself when I want to be left alone. But after I started understanding this mode and becoming more firm in my boundaries, I started to find it quite nice for everyday interactions. Much less guessing involved, just be direct.
Professionally I haven't worked much with Indians, but my expectation would be that it's necessary to be more active in ensuring that things are in track. Ask them to reflect back to you what the stated goal is. Ask them for what you think are obvious implications from the stated goal to ensure they're not just repeating the words. Check work in progress more often.
Based on my own experience, here are a few reasons (could be a lot more):
1. Unlike most developed countries, in India (and many other developing countries), people in authority are expected to be respected unconditionally (almost). Questioning a manager, teacher, or senior is often seen as disrespect or incompetence. So, instead of asking for clarification, many people just "do something" and hope it is acceptable. You can think of this as a lighter version of Japanese office culture, but not limited to office... it's kind of everywhere in society.
2. Our education system mainly rewards results, not how good or well-thought-out the results are. Sure, better answers get more marks, but the gap between "okay" and "excellent" is usually not emphasized much. This comes from scale problems (huge number of students), very low median income (~$2400/year), and poorly trained teachers, especially outside big cities. Many teachers themselves memorize answers and expect matching output from students. This is slowly improving, but the damage is already there.
3. Pay in India is still severely (seriously low, with 12-14+ hour work days, even more than the 996 culture of China) low for most people, and the job market is extremely competitive. For many students and juniors, having a long list of "projects", PRs, or known names on their resume is most often the only way to stand out. Quantity often wins over quality. With LLMs, this problem just got amplified.
Advice: If you want better results from Indian engineers (or designers or anyone else really), especially juniors (speaking as of now, things might change in the near future), try to reduce the "authority" gap early on. Make it clear you are approachable and that asking questions is expected. For the first few weeks, work closely with them in the style you want them to follow... they usually adapt very fast once they feel safe to do so.
My employer outsources some work to Indian contractors. I know how much we are paying the contracting firm, which is low. Knowing the firm takes a cut before the contractors are paid, I feel terrible for how little they are compensated. I frequently wonder if we’d get better output if we paid more.
India is filled with small one-room service-based companies (the middlemen's) that hire interns, for ZERO pay, make them work 12-14 hour days under extremely "humiliating" conditions and then when it comes to giving them an internship completion certificate, they demand huge sums of money just to release them... think about it.
As for how you are gonna do without the middlemen, I don't have the answer yet... ideas are welcome.
Thanks a lot!
So for every good developer in India there are probably 20 bad ones who have no idea what they are doing.
I had more of those interactions, and we also exchanged some of the Indian devs (they were sold to the client by a big consulting group, and immediately replaced by someone else if we wished). I later found out, people that I have had replaced in my squad for not being qualified, ended up in different teams in the same corporation; they were basically just moving around in-house.
After a few months in the project I swore to myself never to work with offshores again. And as a side note, the bank I did the project with does not exist anymore :)
The people having a terrible time with Indian contractors always deal with folks making 3k-10k USD/year. Of course the quality is bad.
The volume of low quality content, dsa/leetcode, etc. is so high that good people/content get left out. Networking, connections, nepotism count for so much. Getting a job based on actual talent is very rare.
MNCs which are good outside are so much sh8t here; well capitalism doesn't give a f8ck anyways.
It doesn't until suddenly it does. A glut of junk can eventually trigger a flight to quality.
Sadly, possibly not on a timeline which works for a given individual.
My suspicion is somehow the perception became that if you’re brand new and land a PR in a major open source repo (even as simple as rewording a phrase in a doc that doesn’t need to be reworded), that would help them get a job (they’re always Open to Work on their GitHub about me page).
It’s so much noise that it’s hard to find the real issues.
Article about it here: https://socket.dev/blog/express-js-spam-prs-commoditization-...
Fair play to them.
Students would often abuse it since there’s no adult in the room to teach them how to behave. I guess this is one hard way to f around and find out. But this is by no means condoning this sort of behavior.
Point is, LLMs made the situation more dire: it’s cheap to generate code, whereas reviewing still scales sublinearly. The only way to prevent this is by being rude to people who are rude to you.
He repeatedly complains that at the beginning of some semester, he sees a huge spike of false/unprovable security weakness reports / GitHub issues in the project. He thinks that there is a Chinese university which encourages their students to find and report software vulns as part of their coursework. They don’t seem to verify what they describe is an actual security vuln or that the issue exists in his GitHub repo. He is very diligent and patient and tries to verify the issue is not reproducible, but this costs him valuable time and very scarce attention.
He also struggles because the upstream branch has diverged from what the major Linux distribution systems have forked/pulled. Sometimes the security vulns are the Linux distro package default configurations of his app, not the upstream default configurations.
And also, I’m part of the Kryptos K4 SubReddit. In the past ~6 months, the majority of posts saying “I SOLVED IT!!!1!” are LLM copypasta (using an LLM to try to solve it soup-to-nuts, not to do research, ideate, etc). It got so bad that the SubReddit will ban users on the first LLM slop post.
I worry that the fears teachers had of students using AI to submit homework has bled over into all aspects of work.
As one does in academia, so too the market, because now we have a financial incentive. It ain't going to stop.
While crypto-style AI hype men can claim Claude is the best thing since sliced bread, the output of such systems is brittle and confidently wrong.
We may have to ride out the storm, to continue investing in self learning as big tech cannot truly spend 1.5 trillion on the AI investment in 2025 without a world changing return on revenue, a one billion revenue last year from OpenAI is nothing.
I'm not sure it helped in the end, afaik they did it since like 2003 until some years after the raid, but it still seemed like they didn't get the message and kept trying anyways, which from their perspective makes sense but still.
If shame worked, then slop reports would've stopped being made already. Public ridicule only creates a toxic environment where good faith actors are caught up in unnecessary drama because a maintainer felt their time was being wasted. Ban them, close your bug bounty program, whatever, but don't start attacking people when you feel slighted because that never ends well for anyone (including curl maintainers)
Shaming does not work, you look like an idiot, people will start to despise you and then you end up ostracizing yourself from the rest of the community and the only ones left within your bubble, are circle jerk assholes.
It's one of those cases where you end up causing more harm than the ones you were complaining about.
Just pathetic behaviour.
Besides, I've seen plenty of profiles here on HN who advertise their real name and espouse (in my view) awful takes that would most likely not fly in real life. I'd recommend reading this article[0] for an example of when people, with their real names exposed, can still cause a shitstorm of misunderstanding.
And then maybe they will give you money.
(from https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-s...)
"As contributors and maintainers of this project, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities"
Why have a code of conduct while being hostile to contributors?
I think they should handle this differently.
I understand that people hate to waste time. They should just be polite about it.
Or you know .. update or delete the CoC.
"You can't be a contributor if you're an Indian using AI".
I don't think this is the way ..
I guess people would complain if it was tied to Github.
But not the motivation. GitHub incentivises this type of behaviour; they push you to use their LLMs.
GitHub is under Microsoft’s AI division.
https://www.geekwire.com/2025/github-will-join-microsofts-co...
Finally an explanation for why GitHub suddenly has way more bugs than usual for the last months (year even?), and seemingly whole UX flows that no longer work.
I don't understand how it happens, do developers not at least load the pages their changes presumably affect? Or are the developers doing 100% vibe-coding for production code? Don't get me wrong, I use LLMs for development too, but not so I can sacrifice quality, that wouldn't make much sense.
I understand where it's coming from, and I too think the current situation sucks, but making Microsoft responsible for something like that is bound to create bad times for everyone involved.
This was entirely predictable. When you give everyone the ability to be good at something with no effort, everyone is going to do it (and think they are the first).
My partner recently bought a book from Amazon, and when it arrived, I looked at the cover, flicked through it, and said it was AI slop. She complained to Amazon, and they just refunded her, no questions asked, and the book went in the fire.
- For example, there is this +1 comment pasted like 500 times that I have seen a lot over issues
- Can't we have a github regex bot of sorts ^(\W+)?\+(\W+)?1(\W+)?$ that removes all such comments? or let the author of the repo control what kind of regex based stuff to remove?
- I know regex kind of sounds old fashioned in the age of LLMs but it is kinda simple to manage and doesn't require crazy infra to run
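As an added example (not part of the thread, and not any existing GitHub bot), the regex from the comment above run over a handful of constructed issue comments with Python's `re` module, so it is clear which comments such a filter would drop and which it would leave alone. The `is_plus_one` and `filter_comments` names and the sample comments are assumptions for this illustration.

```python
import re

# The pattern exactly as proposed in the comment above. In Python, \W on str
# matches any non-word character, which includes whitespace, punctuation and
# emoji, so "👍 +1!" is still caught, while any letter or digit outside the
# lone "1" makes the comment survive.
PLUS_ONE = re.compile(r"^(\W+)?\+(\W+)?1(\W+)?$")


def is_plus_one(comment: str) -> bool:
    """True when the comment carries nothing but a '+1' (plus decoration)."""
    return PLUS_ONE.match(comment) is not None


def filter_comments(comments: list[str]) -> tuple[list[str], list[str]]:
    """Split comments into (kept, removed) according to the +1 rule."""
    kept, removed = [], []
    for c in comments:
        (removed if is_plus_one(c) else kept).append(c)
    return kept, removed


# Constructed sample comments for the demonstration (not real issue data).
SAMPLE_COMMENTS = [
    "+1",                                  # removed
    "  +1  ",                              # removed: surrounding spaces are \W
    "👍 +1!",                              # removed: emoji and '!' are \W
    "+ 1",                                 # removed: the middle (\W+)? allows the gap
    "+10",                                 # kept: '0' is a word character
    "+1 this breaks on Windows too",       # kept: real content after the +1
    "-1",                                  # kept: no '+'
    "Repro: run `curl -V` on the 8.x tag", # kept
]

if __name__ == "__main__":
    kept, removed = filter_comments(SAMPLE_COMMENTS)
    print("removed:", removed)
    print("kept:   ", kept)
```

The last two "kept" cases are the ones worth checking before wiring a rule like this to a bot: a "+1" that is followed by an actual reproduction note is a real contribution, and the anchors plus the single literal `1` are what stop the pattern from eating it.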
has nothing to do with open source
long time ago
Sourceforge is almost 30 years old. GitHub almost 20. How long does something have to be done a certain way for it to be "to do with"?
I would say we're now two generations deep of software engineers who came up with open source software commonly being mediated through public issue trackers.
That isn't to say it needs to stay that way, just that I think a lot of people do in fact associate public project tracking with open source software.
But from what I hear it affects other projects too. It affected curl more because with the bug bounty they actually need to invest work and look at those.
[1] https://daniel.haxx.se/blog/2024/01/02/the-i-in-llm-stands-f...
[2] https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-s...
There are much better ways to communicate the intended message. This comes off as childish to me and makes me think that I'd rather not contribute to the project.
jraph•1h ago
> Open source code library cURL is removing the possibility to earn money by reporting bugs, hoping that this will reduce the volume of AI slop reports.
> cURL has been flooded with AI-generated error reports. Now one of the incentives to create them will go away.
[1] https://news.ycombinator.com/item?id=46701733
[2] https://etn.se/index.php/nyheter/72808-curl-removes-bug-boun...
That sounds wonderfully meritocratic, but in the real world, a machine generating it is a very strong signal that it's bullshit, and the people are flooding maintainers using the machines. Maintainers don't have infinite time.
jraph•1h ago
If I find a security issue, I'm willing to responsibly disclose it, but if you make me pay, I don't think I will bother.
Punishing bad behavior to disincentivize it seems more sensible.
jraph•36m ago
Hence the threat to shame publicly I suppose.
Actually, Daniel Stenberg responds to this proposal the same way as me [1]. Coincidentally, I was reading your answer at about the same time as this part of the talk.
[1] https://www.youtube.com/watch?v=6n2eDcRjSsk&t=1823s (via https://news.ycombinator.com/item?id=46717556#46717822)
josefx•54m ago
Why? If it is a purely machine generated report there is no need to have dozens of third parties that throw them around blindly. A project could run it internally without having to deal with the kind of complications third parties introduce, like duplicates, copy paste errors or nonsensical assertions that they deserve money for unrelated bugfixes.
A purely machine generated report without any meaningful contribution by the submitter seems to be the first thing you would want to exclude from a bug bounty program.