zlacker

How does a potential positive contributor pierce through? If they are not contributing to something already and are not in the network with other contributors? They might be a SME on the subject and legit have something to bring to the table but only operated on private source.

I get that AI is creating a ton of toil to maintainers but this is not the solution.

>>Halan+(OP)
Looking at this, it looks like it's intended to handle that by only denying certain code paths.

Think denying access to production. But allowing changes to staging. Prove yourself in the lower environments (other repos, unlocked code paths) in order to get access to higher envs.

Hell, we already do this in the ops world.

>>qmarch+N1
So basically we are back at tagging stuff as good for first contributors like we have been doing since the dawn of GitHub

>>Halan+(OP)
In my OSS projects I appreciate if someone opens an issue or discussion with their idea first rather than starting with a PR. PRs often put me in an awkward position of saying "this code works, but doesn't align with other directions I'm taking this project" (e.g. API design, or a change making it harder to reach longer term goals)

>>Halan+(OP)
One solution is to have a screensharing call with the contributor and have them explain their patch. We have already caught a couple of scammers who were applying for a FOSS internship this way. If they have not yet submitted anything non-trivial, they could showcase personal projects in the same way.

FOSS has turned into an exercise in scammer hunting.

>>buovja+Fa
I'm not sure if I follow, are the PRs legitimate and they are just being made to buff their resume, or are PRs malicious?

>>Halan+(OP)
It seems like it depends on how the authors have configured Vouch. They might completely close the project except to those on the vouch list (other than viewing the repo, which seems always implied).

Alternatively they might keep some things open (issues, discussions) while requiring a vouch for PRs. Then, if folks want to get vouched, they can ask for that in discussions. Or maybe you need to ask via email. Or contact maintainers via Discord. It could be anything. Linux isn't developed on GitHub, so how do you submit changes there? Well you do so by following the norms and channels which the project makes visible. Same with Vouch.

>>swords+si
They are becoming AI slop more and more likely in an attempt to buff their resumes by making it look like they contribute to a bunch of open source. Basically low effort low quality submissions for silly things that just waste maintainers time.

>>Halan+(OP)
Honestly, the entire process of open-source contribution is broken. People should just fork and compete on the free 'market'. If you have a good idea / PR, just keep patchsets. People should mix and match the patch sets as they like. Maintainers who want to keep their version active will be forced to merge proper patch sets. The key argument against this is the difficulty integrating patch sets.

This should be easier with AI. Most LLMs are pretty good at integrating existing code.

>>swords+si
The patches are not malicious, but the submitters are unable to explain them. We require submitting a non-trivial patch in order for someone to be considered for a FOSS internship. As there is money involved, this attracts scammers now more than ever.

>>Halan+(OP)
He answered it in the thread: Basically, the system has no opinion on that, but in his projects he will vouch anyone who introduces themselves like a normal human being when opening a PR.