The project managers also get a cut of all merges, testers also must approve of the merge and that feature X is the one they want. So the project manager gets to work and improve/reject features, the user gets control over the features of the project they want and developers get to pick specific features they would like to work on (sort of). everybody gets what they want (sort of). All via attaching $ to the issues of the software, not the people.
So going back to the GP - pay for software where you're in the largest organized user class. That's how you get power. Paying alone doesn't suffice.
Free Software sure, that wasn't the point.
Open Source, that was exactly the point. Eric S Raymond, one of the original promoters of the concept of Open Source coined Linus' Law:
Given enough eyeballs, all bugs are shallow
They did have things like trolls and zealots that thought "Their one idea" was a gift from god and the maintainers were idiots for not adding it to the application. And eventually those people may have been banned from mailing lists. But in general the people posting code were typically well known and had some interest in fixing the application for some useful purpose.
Simply put, no idealism stands the test of time without change. Nature shows us that everything must evolve or it goes extinct. How 'free software' evolves is now up for debate.
It’s up to you to set boundaries (or prices) and communicate them, like an adult. If one is still rude and entitled then ban them from the repo, or let people fork, but not before looking in the mirror first and reflecting at your own behavior.
(I’m trying to imagine folks painting xfree86 maintainers as victims back in the day when xorg forked them for intransigence. The point is disagreements happen, deal with them.)
... Did they try anything as petty as the xorg maintainers are nowadays?
As always it depends on the circumstances, but should default to quietly closing with WONTFIX. Others have said Daniel is typically helpful and respectful so there we go.
has nothing to do with open source
long time ago
How long does something have to be done a certain way for it to be "to do with"?
I would say we're now two generations deep of software engineers who came up with open source software commonly being mediated through public issue trackers.
That isn't to say it needs to stay that way, just that I think a lot of people do in fact associate public project tracking with open source software.
I partially disagree. It does have to do with open source: Github (et al) are about creating a community around an open source project. It's hard to get adoption without a community; it gives you valid bug reports, use cases you didn't think of, and patches.
You can, if you want, turn off PRs, issues, and literally any feedback from the outside world. But most people don't want that.
> and is not sustainable
I 100% agree. People (including people at for profit companies) are taking advantage of the communities that open source maintainers are trying to build and manipulating guilt and a sense of duty to get their way.
The most insidious burnout I see is in disorganized volunteer communities. A volunteer is praised for jumping in with both feet, pushes themselves really hard, is rewarded vocally and often and with more authority, and is often the one applying the most pressure to themselves. There's no supervisor to tell them to pace themselves. And when their view switches from idealistic to realistic and then falls into pessimistic, they view the environment through a toxic lens.
Then they vanish.
Literally you cannot, you can turn off "Issues", but you cannot turn of pull requests, Microsoft/GitHub forces you to leave that open for others to submit PRs to your repositories no matter what you want.
Just a note, you actually can't turn off PR's on Github repos. At least not permanently.
What's stopping any open source maintainer from charging for their work?
I think there are many insane expectations out there, open source or not, so I don't personally see it that linked with the idea/ideal of open source.
> This is software support, it is a job, it should be paid.
Anything can be paid, nobody says otherwise. Some people prefer nobody pays for their source code (open source). Other people do support for free. And so on.
> The currently default model of having ... has nothing to do with open source and is not sustainable.
There were always arguments why open source will not be sustainable, many having some truth in them. But the current issue can be probably solved with some push-back on the speed of things or how attribution works. Something similar used to happen on some forums: you can't post a new thread for one month if you did not reply at least once without getting down-voted. For the current problem : if contributions are anonymous for the first 3 years of you contributing (if you are not banned) and your name becomes public only after, then all this "noise" for "advertisement" will die. Doubt this will discourage any well intentioned contributor.
But the project is still open for issues and PRs. Can only be disabled on paid accounts, right? Never had anyone try yet. I had feedback through other channels, just not on GitHub, so maybe explicitly keeping all development offline has had the intended effect? I get a trickle of issues and PRs for my other repos where development is out in the open with every commit pushed to GitHub.
But if it was discovered by drive-by LLM contributors I would still have annoying extra work, for no obvious benefit compared to just sharing archives. I do not think anyone (out of at least dozens) discovering any of my repos do that on GitHub, but from seeing my posts elsewhere.
It's not like no one can fork a source code archive, even if it is like 3-4 git-commands to run instead of just a button to click.
FOSS means that the code to be free and open-source, not the schedule or the direction of its developer(s).
It is paid, even if not in money. It seems like maybe you lack awareness of the other forms of capital and reward that exist, because your framing implicitly insists that financial capital is the only form of capital and that monetary reward is the only form of reward. But there are also a bunch of other forms of capital, like social, cultural, symbolic, etc. which you have missed, and there are non-capital (non-convertible) forms of reward, like feeling good about something. It's the entire reason why permissive licenses still preserve attribution.
To wit, people maintain things literally all the time either purely for prestige, or because being a contributing member of a community, even a small one, makes them feel good, or because knowing that maintaining things leads others to also maintain things. There are both intrinsic and extrinsic non-monetary gains here.
Stallman makes the same critical error in his foundational writings, so at least you're not alone in this.
(A foundational read on the subject of the different forms of capital is Pierre Bourdieu's The Forms of Capital: https://www.scribd.com/document/859144970/P-Bourdieu-the-For...)
(See also: https://en.wikipedia.org/wiki/Motivation#Intrinsic_and_extri...)
True, but the expectation means that taking on maintenance involves taking on and leveraging a large amount of reputational debt in a very risky way.
If you release something to the world and place yourself in a high-visibility maintainer position, burn out on it and then decide to drop it, it's very hard to ensure that your legacy and reputation in perpetuity will be "released something great and did the world a solid by maintaining it for a while" as opposed to "person who overcommits, bails, and leaves the world in a jam".
The existence of risk does not eliminate the existence of reward. It's called "expected value", and it's non-zero, and it's for the person to manage for themself like everything else in life. Working for equity also involves risk, and nobody says that it's not compensation.
> If you release something to the world and place yourself in a high-visibility maintainer position, burn out on it and then decide to drop it, it's very hard to ensure that your legacy and reputation in perpetuity will be "released something great and did the world a solid by maintaining it for a while" as opposed to "person who overcommits, bails, and leaves the world in a jam".
This is like saying you suffer reputational damage by retiring from a career. The claim is clearly absurd. It's not hard to step down from leading a project in a way that preserves reputation in the same way that it's not hard to leave a company without burning bridges. Some people are bad at being people and fail at both.
OP said "it should be paid" because "it is a job", and so the rejection of that claim is two-fold: 1) Uncertainty in the expected value of payment does not change the fact that it's payment, 2) Payment in units other than dollars is still payment. If I get paid in bitcoins, the bitcoin market could completely collapse before I cash out. It's not different than that.
OP's specific written framing, that because it's a job it needs to be paid, which is only additive commentary if OP believes that it isn't being paid, disagrees with your prediction about what OP really secretly bases their statement on.
We can look further back in OP's comment as well:
> The movement grew out of frustration that commercial software cannot be freely improved and fixed by the user
This is only fractionally true, and it is only true in an unpaid way for a desire to consume free software. It is not true in an unpaid way for the desires to produce or maintain free software. Those are done because the producers and maintainers experience some kind of reward from doing so.
I can't pay my rent or my server bills in "prestige". Entirely different.
Who cares? That was 30 years ago. How different were computers, programming, and the world back then?
Things change over time. The world is not immutable.
Untrue. Shopping source with _some_ OSI-approved licenses makes the work Free software. Shipping it with others merely makes it open source software.
I suggested following what Ghostty does where everything starts as discussions - only maintainers create issues, and PRs can only come from issues. It seems like this would deter these sorts of lazy efforts.
Is this cultural? I ran a small business some years ago (later failed) and was paying for contract work to various people. At the I perceived the pattern that Indian contractors would never ever ask for clarifications, would never say they didn't know something, would never say they didn't understand something, etc. Instead they just ran with whatever they happened to have in their mind, until I called them out. And if they did something poorly and I didn't call them out they'd never do back as far as I can tell and wonder "did I get it right? Could I have done better?". I don't get this attitude - at my day job I sometimes "run with it" but I periodically check with my manager to make sure "hey this is what you wanted right?". There's little downside to this.
Your comment reminded me of my experience, in the sense that they're both a sort of "fake it till you make it".
Based on my own experience, here are a few reasons (could be a lot more):
1. Unlike most developed countries, in India (and many other develping countries), people in authority are expected to be respected unconditinally(almost). Questioning a manager, teacher, or senior is often seen as disrespect or incompetence. So, instead of asking for clarification, many people just "do something" and hope it is acceptable. You can think of this as a lighter version of Japanese office culture, but not limited to office... it's kind of everywhere in society.
2. Our education system mainly rewards results, not how good or well-thought-out the results are. Sure, better answers get more marks, but the gap between "okay" and "excellent" is usually not emphasized much. This comes from scale problems (huge number of students), very low median income (~$2400/year), and poorly trained teachers, especially outside big cities. Many teachers themselves memorize answers and expect matching output from students. This is slowly improving, but the damage is already there.
3. Pay in India is still severely (serioualy low, with 12-14+ hour work days, even more than 996 culture of China) low for most people, and the job market is extremely competitive. For many students and juniors, having a long list of "projects", PRs, or known names on their resume most often the only way to stand out. Quantity often wins over quality. With LLMs, this problem just got amplified.
Advice: If you want better results from Indian engineers(or designers or anyone else really), especially juniors (speaking as of now, things might change in near future), try to reduce the "authority" gap early on. Make it clear you are approachable and that asking questions is expected. For the first few weeks, work closely with them in the style you want them to follow.. they usually adapt very fast once they feel safe to do so.
Way back, when I first started working with Indian offshore teams, the contracting company at the time had a kind of intercultural training that addressed that issue.
> Advice: If you want better results from Indian engineers(or designers or anyone else really), especially juniors (speaking as of now, things might change in near future), try to reduce the "authority" gap early on. Make it clear you are approachable and that asking questions is expected. For the first few weeks, work closely with them in the style you want them to follow.. they usually adapt very fast once they feel safe to do so.
That's exactly the advice they gave. They advised was to try to make your relationships and interactions as peer-like as possible. The more "authority" is present in the relationship, the more communication breaks down in the way you describe.
This was strange. I asked a lot of Indian people about it and they said that it has to do with "saving face". Saying "I don't know" is a disgraceful thing. So if someone does not know the answer, they make something up instead.
Have you seen this?
This behavior appears in software projects as well. It's difficult to work like this.
However this was a thing 10-15 years ago. Lately I've not seen that.
Most cultures have this, but it goes mostly unnoticed from the inside because one can read between the lines. "How are you?" can be asked just to be polite, and can cause friction when answered truthfully (rather than just politely, as the cultural dance requires). An Eastern European may not appreciate the insincerity of such a question.
I work in a radiology practice and greet patients regularly.
99% of them say the are good/great etc.
It’s quite a striking response when they are limping, bandaged and on crutches.
When I do hear people respond in the negative it tends to be an opening up about stress.
Having only lived in the US, I don't have nearly enough firsthand experience with other cultures for me to be the one to comment on them, but I suspect that every culture has some things like this where the actual intent of the communication isn't direct. I suspect that if people in tech were asked to identify which cultures they considered to be the most direct in their communication, American culture probably wouldn't be ranked first. Generally the stereotypes of other cultures that are perceived as more direct get described in more pejorative terms like "blunt" though.
When somebody sneezes and you say “bless you” you’re not expressing your belief in god, and you’re not lying about one either.
That's my whole point! The expected answer seems pretty obvious to you, given the context, doesn't it? Why then are you surprised that a different culture has an equally obvious (to them) fixed answer ("Yes") to any question asked by someone with power/authority to their lesser? Both depend on mutual learned cultural awareness, and can fail spectacularly in cross-cultural contexts.
Edit: my regional favorite is "We should meet for lunch some time" which just means "I'm heading out now", but you have to decode the meaning from the nature of the relationship, passive voice usage, and the lack of temporal specificity.
Some cultures are better than others, where “better” might mean better at doing stuff (no comment on morally/socially)
I have seen that across just about every culture in the software engineering world.
And not just in the 'business' itself. I still remember the argument I had with an Infosec guy where he absolutely insisted that every Jeep had AWD or 4WD from the factory, Even naming ones that didn't did nothing until I more or less passively aggressively sent him wikipedia links to a few vehicles.
At which point he proceeded to claim "No I said it was always a standard option" ... To be clear this whole argument started because someone asked why I swore by Subarus and mentioned 'Every US Model but the BRZ has AWD standard' but Heep owners gotta have false pride, idk.
People do weird shit with imposter syndrome sometimes, IDK.
They must have spent a lot of time out of India or they are in senior roles.
Isn’t this the precise failure pattern that everybody shits on LLMs for?
Imagine that
Someone should really write a paper on that (hint: it’s the entire basis of information theory)
I've recently learned that this particular type of "saving face" has a name: "izzat". Look that up if you want to know more.
I'm not sure how to write that better, but the way you worded that made me suspect it was NSFW and I hesitated, but eventually decided I'd risk it. At least everything I found was work safe, and I learned a lot. I encourage everyone else who hasn't heard the word to look it up.
Lots of the material the LLMs are trained on is Reddit spam written by indians.
It's a weird circle.
The Chinese web is on similar lines, although there is a lot more country bashing, especially against Indians and Americans. But nevertheless just the same.
At least none of these come nowhere near to the brainrot that is the Arabic web.
It's not the population size that's talking.
Somehow none of my non/Indian colleagues over the course of more than a decade have faced these ridiculous situations. They must be unlucky.
The only time I've ever experienced made-up directions were trying to get out of the souk in Marrakech.
Wouldn’t know. After the first two instructions I can never remember what came next.
Semi related to this, one of the biggest 'breakthroughs' in building the right trust/rapport with an offshore team was sending an email to their leadership making it clear and on the record that "Comments against pull requests should not be used against the employee in reviews, if there is a recurring issue I will discuss it via other channels."
That one email changed PR back-and-forth entirely, cause yeah I guess sometimes they'd get dinged for too many PR comments on some metric. At first their management wasn't thrilled, thankfully there was a good enough improvement in quality and defect rate that in a couple months they were won over.
Having worked in Japan, while there is a strong respect for authority, there's also much less hesitation about asking for clarification. I worked with an Indian offshore team and in a Japanese company and, while there's a lot to dislike in Japanese office culture, this kind of pattern of behaviour doesn't happen.
2 & 3 do make sense though.
I've had mixed result with your advice at the end. I'd say that it worked for about 30% of the offshore engineers I've worked with and indeed I had more success with juniors than with more senior developers.
My employer outsources some work to Indian contractors. I know how much we are paying the contracting firm, which is low. Knowing the firm takes a cut before the contractors are paid, I feel terrible for how little they are compensated. I frequently wonder if we’d get better output if we paid more.
India is filled with small one-room service-based companies(the middlemens') that hire interns, for ZERO pay, make them work 12-14 hour days under extremely "humiliating" conditions and then when it comes to giving them internship completion certificate, they demand huge sums of money just to release them... think about it.
As for how you are gonna do without the middlemen, I dont have the anwer yet... ideas are welcome.
wages for good people in india are worse similar people in the us, but often high than in europe. But there are other problems with europe and so it can be the better deal.
I've been with two companies that have been aquired, and the first thing the PE/New Companies do is aggressive offshoring for cutting costs.
1) worked, because the aquiring company had an established office in Hyderabad, and we flew the tech leads over to the US to spend six weeks embeddeed with the team, etc.
2) the second one failed miserably becasue we had an Exec VP who told our engineers that he was replacing them in India for half the price, and his strategy was to hire a contracting company.... after several months of "contractors" coming and going, someone else in the company realized what needed to happen....
There is probably more.
Very true. I’ve hired (super cheap) engineering talent and this is the key to getting a project to run the way a westerner expects; where everyone is constantly open to challenging each other, where everyone can bring ideas to the table, and where there’s no such thing as a stupid question. I’ve done this during a big phase of time others locally shunning this huge talent pool as the results were crappy/unpredictable. Even to the point they’ll hire local for 100x the cost. It’s just a management problem though and a pretty simple one at that. The other thing is if you train them in your style, keep using them on the next project if you can. It compounds if you have the ability to work with them over a longer time. You have to be very insistent that you’re not proposing the best solution at expect them as engineers to point out any opportunities for improvement. If something later has to be rebuilt or isn’t working well, sometimes it’s good (if it makes sense, case by case) to do a post mortem and understand why the version 2 wasn’t built during the version 1. I think that helps them really understand it in a concrete way if they’re struggling with it.
In any case, I’d much rather take a budget for 1 local dev and spend it on a whole team of Indians and take on the management burden if it means retaining more equity or profits or building something I otherwise wouldn’t do myself due to scale.
I've found that this is also true of American engineers, particularly those fresh out of college. So many people have internalized that open curiosity will yield no result at best and direct punishment at worst.
Another topic is: do not expect a remote dev to pickup ambient knowledge, particular if they are juniors with no life experience. And since outsourcing to India is trying to get the resources for the lowest possible price, the result is: you get them as junior / fake senior / bad senior as you think. Pay better in India, get better people.
A: You don't. Unless there isn't a better company or better-paying role.
If a person is motivated to move out of the country altogether it's got nothing to do with you and there's nothing you can do.
However considering how things are worldwide right now, I think that trend stops soonish.
You just have to make it easy for others to do their jobs. Removing barriers, of any kind, helps. This is even more true with juniors.
Another question I'd like to ask of you is, do you see any aspects of the western style of cooperation that are the inverse? i.e. which create divides in which the westerner's ways of working can be the source of conflict?
2. None. We absolutely adore the ways westerners work. Your ethics, discipline, hardwork, attention to detail, inventive and creative nature, the support structures, and fair pay (and many more).
I hadn’t heard of this, thanks.
Working 9am to 9pm, 6 days a week.
1. You have no authority and they ignore you. 2. You have authority and they become yes-men.
Real dialogue: - Is it done? - Yes! But not yet.
The fraud part is that I developing countries, almost all activities that require some skill have lots of people claiming to be experts. 99% of them are lying. You take your car to a shop and they tell you they will solve your problem. With skepticism, (because they asked no clarifying questions) you try to give them some context and they tell you not to worry.
1 day later they tell you parts X, Y and Z need to be replaced, it will just cost $$$. You ask if there is no way the current parts can just be repaired, and they tell you no, they must be replaced.
You ask what was the actual issue, and they tell you the parts are completely damaged, or worn out, need to replace.
Sure, you pay, and they give you the car, works for a few days, maybe week, then breaks down. You plug in a portable OBD scanner and it tells you the exact component they just put in is failing (likely not even compatible with the car).
You give them back the car, tell them since you paid $$$, you will only take the car back once it works perfectly, and you won't pay a cent more.
They then spend the next few days looking for an actual expert, that comes in and repairs the original parts, for $, and they take the "new" ones back to the store and give you your money back.
They don't know anything about cars, they experiment on yours, with your money, by swapping parts. This was easier when cars were less strict with parts.
This is fraud, not face saving, and it's in every developing country.
1. A lot more can be done in a given amount of time. Looks good on resume. Recall that India is still extremely poor (dont get influenced by the GDP numbers.. ) and getting a job as fast as you can after college can make a real difference to your living standards here.
2. Our education system is shit. And so are our teachers(mostly). Meaning, when folks are out of college, they generally are not as competitive as maybe their counterparts from western regions are(not in terms of hardwork, but, knowledge and hands-on tasks). LLM's makes it possible to do complete much more complex work than otherwise was possible at current experience.
Indians are extremely hard-working. The problem is people are extremely poor (~2400 median income... that's per YEAR). Even after adjusting for PPP. this translates to less than 10K USD/YEAR. Now think about living on 10K/year and supporting 5 family members (partner with 4 kids, or parents with 2 siblings).
Damn me, Scotland is going to be quite the culture shock for you.
1. They
2. Always
3. List
4. Things
... and end up with a conclusion/punchline/takeaway.
I always wanted to ask, is that due to training?
I could imagine all schools around there have a specific style, like all their assignments need to follow this general form, and then they just get used to it and it permeates to their everyday life.
1. The first thing
2. The second thing
3. The last thing
Makes perfect sense in that case.
Add in time zones, language friction, and fear of losing work, and "just run with it" becomes a rational strategy. Meanwhile, many Western workplaces treat clarification and check-ins as professionalism, so the behavior reads as strange or careless.
The key point is that this usually isn’t lack of curiosity or reflection, but risk management under different norms. The pattern often disappears once expectations are explicit: ask questions, check back, iteration is expected.
Back-and-forth iteration and consultation is a genuinely hard problem. Certain kinds of feedback cycles have a minimum latency of "overnight". Which means we need to invest heavily in good communication.
But also, it means more people need to have the "big picture", and they need to be able to make good decisions (not just arbitrary ones). So the ideal goal is to prevent people from going off in random nonsensical directions based on miscommunication, and equip them to actually think strategically about the overall plan. Continent X might make different decisions than continent Y, but they're all talking, and enough people see the goal.
A lot of the international teams I've seen pull this off are ones where an Eastern European or Indian team is just another permanent part of the company, with broad-based professional expertise. Contractors on any continent are a whole different story.
So I think what a lot of people try to blame on Indian management culture (or whatever) really is just a case of "we hired contractors in a different time zone." I mean, there are always cultural issues—Linus Torvalds came from a famously direct management culture, and many US managers tend to present criticism as a not-so-subtle "hint" in between two compliments—but professionals of intelligence and goodwill will figure all that out eventually.
Very common pattern you see in literature about military strategy, actually. The answer is delegation, heavy use of NCOs, and in general explaining the plan all the way down to the individual soldier. Under the western school it all falls under "initiative".
Notably, a lot of non-western militaries are terrible at it, and a number of military failings in africa, the middle east, and the soviet union (*cough*russia*cough*) are viewed as failures in flexibility with very low initiative, as well as lacking/unskilled NCO corps.
Dunno how you apply that to an organization, but maybe sending skilled workers as a kind of non-comissioned officer could work. Who knows.
The most successful engagements I've had with contracting firms have been when we've shelled out for a team manager and a software architect (in addition to the number of straight developers we want).
The software architect builds a solid understanding of our solution space, and from then on helps translate requirements into terms their engineers are familiar with, and provides code reviews to ensure their contributions are in line with the project goals. The team manager knows how to handle the day-to-day reporting, making sure everyone is on task, escalates blockers over the fence to our engineers and managment, etc.
Without those two roles from the contracting firm's side, I find that timezones and cultural mismatches (engineering culture, that is) pretty much erase the impact of the additional engineering headcount when adding contractors.
link here (ironically, on a blog that critiques it)
Maybe that applies to software orgs too, somehow.
However in a real war you need to figure out what direction to point the gun, and need to know when to fire and when to not. I don't know how the army handles "we are advancing now so don't shoot", or "we are crawling along the ground so make sure you shoot high": someone else needs to give anyone I train those orders. The army trains their machine gun operators better so they can figure a lot of that out without being told.
Having spent the last ~7 years working for different startups before pivoting, my advice to any founder is this: do not hire overseas consultants. They're good, competent people, but you and your company do not have the tools or the culture to actualize them.
100% agree, especially when there is minimal overlap during normal office hours. I was managing a dev team in India from the US and it was a real challenge. The company ended up moving team to the US, relocating most of my team. Despite all the people being the same, management became much easier.
Since then I've done US and EU, and EU and IN, and those have all worked fine because we had sufficient overlap during business hours.
Was that because of the above cultural differences?
...ok. I didn't need 8 hours of overlap.
As I mentioned in my first comment, I've also now done US/EU and EU/IN. Both of which have only partial overlap and things have gone well.
With US West Coast and India, I was often doing meetings at 7AM and my devs were doing meetings at 9 or 10PM. That was challenging, irrespective of any cultural differences.
That’s ego, assuming doing is the value, not doing RIGHT.
Doing alone has almost zero value.
No. That's lack of labor protection laws and the effect that this causes on how companies are run.
While there is real talent there, there is also a lot of overhead to find people you can trust.
This is probably just a reflection of the competitive nature of the market and the social ladder tech salaries enable there.
I would be ashamed to submit an AI slop PR or vulnerability report.
An indian might just say "I have 25 merged PRs in open source projects"
I had more of those interactions, and we also exchanged some of the indian devs (they were sold to the client by a big consulting group, and immediately replaced by someone else if we wished). I later found out, people that I have had replaced in my sqaud for not being qualified, ended up in different teams in the same corporation, they were basically just moving around inhouse.
After a few month in the project I swore to myself never to work with offshores again. And as a side note, the bank I did the project with, does not exist anymore :)
It happens basically constantly, I have never heard my family admit to a mistake unless violently confronted by someone with authority.
Leads to all sorts of issues and societal breakdowns, like police beating people up before even trying to communicate.
I ignore all of their resumes, not because I don't think there's valid individuals among them, I did hire them in the past, but:
1. because the signal to noise ratio is absurd. The overwhelming majority didn't even read the actual post.
2. Even when they are okay developers, communication is always a huge issue. Sync communication in call is though because urdu and other indian area accents are extremely heavy so I really struggle understanding their english, my bad but what can I do about it. If I try to keep it async or chat based then they tend to not ask feedback, clarifications, provide updates, etc. So you feel like you need to micro manage them half the time and they'd rather give you answers to make you immediately happy than surfacing problems.
3. Paying them is always an hassle. Wiring them money through bank accounts is difficult. They generally set up some Paypal or similar service or ask you to pay them on some Hong Kong account from a friend of theirs. I need traceable invoices and simple wires for tax purposes and when sending money to Pakistan multiple times anti-laundering got involved in my country, and we talking low hundreds of euros.
Still, props to the few good ones I've met, they've been critical on some projects of mine. Very professional and knowledgeable. But it's just too bad of a signal/noise ratio, seriously most applicants don't even read job descriptions.
I can't remember all the techniques but a simple trick is to ask them to repeat their understanding back to you before they start working on a thing.
But I don't think it's connected to sending "malicious" reports. That seems rather to be to pad their resume and online presence while studying to get an edge in hiring.
It would be typical to do the first thing that comes to mind, then see what happens. No negative feedback? Done, move on. Negative feedback? Try the next best thing that makes the negative feed back go away.
People will not wonder whether they might bother you. Just start talking. Maybe try to sell you something. That's often annoying. But also just be curious, or offer tea. You react annoyed and tell them to go away? They most likely will and not think anything bad of it. You engage them? They will continue. Most likely won't take "hints" or whatever subtle non-verbal communication a Westerner uses.
I found it quite exhausting in the beginning, it feels like constantly having to defend myself when I want to be left alone. But after I started understanding this mode and becoming more firm in my boundaries, I started to find it quite nice for everyday interactions. Much less guessing involved, just be direct.
Professionally I haven't worked much with Indians, but my expectation would be that it's necessary to be more active in ensuring that things are in track. Ask them to reflect back to you what the stated goal is. Ask them for what you think are obvious implications from the stated goal to ensure they're not just repeating the words. Check work in progress more often.
Many of my Indian friends say it is, but sometimes I feel they can be as self-critical of their country as many Americans are of the USA.
Demographics show that it doesn't have to be cultural - it could just be that India has 9x as many people under the age of 35 compared to the USA. Even if we were culturally similar, for every annoying US youngster "hustling" to try to get employment, there would be 9 early-career Indians doing the same. That alone is enough to drown the "Vox Agora" with Indian voices. Chinese citizens generally don't participate in English-language fora, so their large numbers would be massively under-represented.
If anything else is biasing the populations, the difference in numbers could be even more stark.
Ask culture scales a lot better in a fast changing world full of strangers. Guess culture saves friction, but only in situations where people are mostly guessing correctly because the social structure and expectations are fixed.
> Is this cultural?
Could be, but there are a number of very popular Youtube and other video based classes/bootcamps (taught and targeted from/to Indian students) that teach how to work with git and github that show how to create PR's and comments in repos, and then a lot of students do that, on public (and popular) repos.
There are a couple very famous examples of this.
Ficticious Example could be
Q: is this car red? A: it's not green. Q: yeah I know it's not green. But is it red? A: today is Thursday.
One thing I leaned it's not worth pressing forward and causing a scene. Instead it's better to use other ways of finding the information.
When guiding team members I always found it useful to have them explain back to me in their own words what they're tasked to do. It become immediately obvious if they were on the right track or not.
Tell me more. Why?
But is it productive to cooperate with someone who will never admit lack of information?
If they cannot take a step towards another culture, why should I?
If they are working for a western company, they should adjust their behaviour, not the company. Just imagine working for an Indian company (or manager), and expecting them to tolerate your individualist behaviour and audacious questions. You would be punished immediately.
If it's a peer-to-peer relationship, all the more reason to be firm. If you don't speak up you will never be respected. And don't think that just because you keep quiet the shitty types of people won't stab you in your back at their first opportunity (ask me how I know).
The people having a terrible time with Indian contractors always deal with folks making 3k-10k USD/year. Of course the quality is bad.
For reference:
Good Indian devs out of college make atleast 30k USD. Good senior devs make atleast 50k. The really good ones make much more. Most American companies outsource to bottom of the barrel contracting companies like Infosys.
1. How can you be a good dev if you've never developed professionally in your life?
2. I know Indian numbers and this is complete bs. Like complete.
Maybe there are extremely rare exceptions to it, but this is like claiming that good US devs out of college make 350k. That's beyond rare, may happen, but it's beyond rare.
2. They are not. FAANG in India pays higher than what I quoted. My senior numbers are especially on the lower end of the spectrum. If your numbers are lower then you aren't working with good devs.
These are the numbers for good devs. The ones who get into great startups/companies. 95% make less and it shows in the quality. Infosys pays new grads 4000 USD/yr.
You build these skills by writing good software under constraints not by building personal pet projects and farming leetcode.
> you can't interview for those
Also yes you absolutely can!
I experienced this same thing working with offshore Indian contractors 20 years ago. Interesting to hear someone else echo my observations.
I tried specifically asking questions where the correct answer was “no” and they wouldn’t tell me no. In some cases I told them I was expecting them to say “no” and they still wouldn’t do it.
It was very difficult to figure out what they knew or didn’t know without putting them through a test and seeing how they did.
0: https://en.wikipedia.org/wiki/Face_(sociological_concept)
That would be interesting.
I've worked with mixed nationality teams at a certain 4 letter austinite corporation a couple thousand moons ago. One thing in common with my Asian colleagues back then (many of which i still keep in touch with to this day), is that they would usually refrain from saying things that could rock the boat or disappoint you. If they lacked knowledge for the task at hand, they wouldn't let you know. If they were late on a delivery, they'd insist it would be ready by a certain date. This led to situations where other regional managers would have to plan contingencies to work around the issue.
They were trained really hard to "restore" things in a way that hit some minimal level of the SLA, but not really. It created alot of issues initially in the organization as the "don't question anything" had really been ingrained into them. My observation there is that it made many of the useless support engagements I've experienced make sense, and that a place with that level of discipline and process must be pretty awful.
Disingenuous. Other groups can and do create different cultures that are more tolerant of asking for help, clarification and feedback.
This might be part of the motivation. What's pocket change in the west might be good money in the 3rd world.
Absolutely. I've been traveling for the last 10 years and lived in 50+ countries. I believe that all cultures have unique pros and cons and that the cultural diversity of the world is an amazing thing. There are good and bad people everywhere, so I rarely leave a place with such a strong opinion as the multiple times I've been to India. I really wanted to love India because of their rich history and diversity, but I ended up leaving with a feeling that their culture is overwhelmingly objectively bad.
In my experience, yes, but I hope that's just my personal experience over the past 20 years.
Whereas other cultures have at least some (if not a lot of) resistance to it - eg publicly ridiculing when people step flagrantly out of line. This is good. My impression is that British culture is like this - "taking the piss", or worse, out of people whose egos start to get too large
Edit: what about this comment could possibly be worth a downvote...? Not that I care about points, but it just seems to be an objective assessment of human nature and cultures, without even singling out any cultures that need improvement.
Sounds like an LLM
I guess that's one way to stand out when you are lost in an ocean of people, working thousands of kilometers away from the white dude exploiting you.
Always consider relative status and power imbalance regardless of nationality too. If someone is afraid to say no you have to factor that in - and 'calling them out on it' is maybe not the most effective reaction, especially if in public.
I always had frustrations with this as a manager until I could establish a personal relationship. Sounds extra hard with short-term remote contractors!
Indian students have a long history of disrupting free/libre projects, this is nothing new
it's interesting how it parallels the issue with llms today, they are basically perverse instantiation genies. your wish is my command.
For students, often there is no pathway to actually become good due to lack of resources. So, the only way is to fake it into a job and then become good.
So for every good developer in India there are probably 20 bad ones who have no idea what they are doing.
People will only apply themselves if they think it will help them get to a better place.
There also seems to be an expectation that after about 30 you move into management. This means people experienced in IT are not socially valued (they can be paid well if they are great).
Its incentives. If you’re an Indian student in India, unless you go to a prestigious university, your prospects of landing a job, let alone a good one are very small. Even tech companies that claim to be meritocratic elsewhere, rarely screen resumes beyond the top universities in India. The only other real prospect is to get your resume to stand out. Open source contributions, research papers etc are some ways to do that. And the talented ones make contributions, while the rest just try to fake it in the hopes to make it (it obviously doesn’t work).
There are similar incentives if you want your college application to stand out if you’re trying to go abroad for higher education. And if you’re already outside India, those incentives extend to job applications outside India. If you’re an international student looking for a job, even if you have work experience at known multinational companies, if it’s in India, the experience doesn’t count.
It’s all about incentives and responding to them.
Resume glorification and LinkedIn / GitHub profile attention do that.
I am seeing a lot of people coming up with perceived knowledge that's just LLM echo chambers. Code they contribute comes straight out of LLMs. This is generally fine as long as they know what it does. But when you ask them to make some changes, some are as lost as ever.
Torvalds was right, code maintenance is going to be a headache thanks to LLMs.
Thanks to their LLM reliance they'd soon not know what it does, and forget even the little they know about coding
We had a bootcamp in our city that had all students build a GitHub portfolio. They all built the same projects like a TODO app. Every person’s code would like almost identical because they all did them together and, I suspect, copied from past grads.
They all applied to the same local jobs, too. So we’d get a batch of their resumes with GitHub links, follow the GitHub links, and see basically the same codebase repeated everywhere.
Now my bars are so massively higher, 99.95% of juniors who don't have pre-2024 work to show can forget about it.
I know someone in a senior engineering position at Epic who does nothing but clean up PR's from their off-shored Ukrainian sweat shop coders handing in AI slop because all they need to do is close a ticket to get paid. They wind up rewriting half or more of it. Epic doesn't seem to care so long as this "solution" works and saves them money by paying a few really smart people to code janitor until hopefully all of them can be replaced by LLMs.
For a company as financially focused as Epic it's surprising to me they'll pay the offshored devs for simply submitting code even if it doesn't work and needs to be rewritten.
I don't understand, are you threatening to avoid hiring talented people or just their brain dead management?
I wondered why people would video themselves going around slapping strangers in public then shouting "its just a prank bro" - turns out it works.
I’m actually of the mind it will be easier IF you follow a few rules.
Code maintenance is already a hassle. The solution is to maintain the intent or the original requirements in the code or documentation. With LLMs, that means carrying through any prompts and to ensure there are tests generated which prove that the generated code matches the intent of the tests.
Yes, I get that a million monkeys on typewriters won’t write maintainable code. But the tool they are using makes it remarkably easy to do, if only they learn to use it.
Someone creates a garbage issue. Someone else asks to be assigned. Someone from the project may say "we don't assign issues" (this step has zero effect over later steps). Someone else submits a PR. Maybe someone else will submit another PR. Maintainers then agonise how they can close issues and PR(s) without being rude or discouraging to genuine efforts.
Would love your thoughts on some of the things we're thinking about: - Would it help to disable all PRs? All non-contributor PRs? - Would a "close as admin" button help address the issue of not wanting to be rude or discouraging? - What about Copilot doing an initial review and proposing to close anything that doesn't meet contribution guidelines - would that help a "close this" decision feel less personal?
Disabling PRs or limiting PRs to "contributors" would be a signal to me that I should just keep doing that and not contribute back to the main repo.
But they absolutely also create PRs even if you say "don't create a PR. You don't know what you're talking about"
My suspicion is somehow the perception became that if you’re brand new and land a PR in a major open source repo (even as simple as rewording a phrase in a doc that doesn’t need to be reworded), that would help them get a job (they’re always Open to Work on their GitHub about me page).
It’s so much noise that it’s hard to find the real issues.
We have tried a lot here in the past (good first issues, more community support for new users), but haven't found a perfect solution yet. Internally, we're looking at options for admins to disable PRs on repos, or limit PRs to collaborators only, for example. From your comment, it seems like part of the challenge you're experiencing as a user is around Issues specifically. We've also been looking at options to delete PRs and Issues individually and in bulk, which could help after the event. Would welcome any feedback on other paths we could take here.
You could estimate quality with: number of PRs accepted before (only counting repos >2 years old), age of account, size of diff, number of PRs reported as spam.
Thank you for looking into this. It's a huge problem for maintainers these days... something needs to be done.
Another suggestion would be trying to figure out if a PR was vibe-coded and marking them as such. Same as image-based social media tries to do.
Turning off PRs would be a good option for several of my repos
From https://en.wikipedia.org/wiki/Perverse_incentive
"According to the story, the British government, concerned about the number of venomous cobras in Delhi, offered a bounty for every dead cobra. Initially, this was a successful strategy; large numbers of snakes were killed for the reward. Eventually, however, people began to breed cobras for the income. When the government became aware of this, the reward program was scrapped, and the cobra breeders set their snakes free, leading to an overall increase in the wild cobra population."
People gamified it and then it sucked, but the idea wasn't so bad. One would expect people would not stoop this low for a free T-Shirt.
https://hacktoberfest.com/participation/
> Swag - Get an exclusive Hacktoberfest T-Shirt, but its only for ‘Super Contributors’ who contribute 6 accepted PR/MRs to a worthy repository. (T&Cs Apply | Valid only for the first 10,000 contributors completing 6 PR/MR)
Article about it here: https://socket.dev/blog/express-js-spam-prs-commoditization-...
There’s a lot to dislike about shame as an enforcement mechanism but I’m starting to miss some of the upside it delivered.
Check the closed PR's on express https://github.com/expressjs/express
Yikes!
I was reading some GitHub comments earlier and the AI tone and structure in the comments posted by some users made me feel really uneasy for some reason.
I know a Brazilian who puts lots of emails through ChatGPT because they aren't confident in their English, but this seemed to be AI generating the majority of the content of the message too.
Students often start making PRs around this time to get more familiar with projects before they can put in a proposal when the time comes.
As someone who's been a programmer for a while now, I feel it's pretty easy to identify slop code and when someone is using an LLM to communicate on issues. I'm not against using LLMs for writing code or even for using it to improve your communication, but it cannot be a substitute for critical thinking.
If I was a maintainer of an OSS project, I'd be more likely to _not_ select students who put out slop PRs, proposals, or messages without thought. And also make this clear in the contributing guidelines so contributors know what they're getting into.
would be so awesome if github supported all that. probably kills their business model though
volume of low quality content, dsa/leetcode, etc. is so high, good people/content gets left out. networking, connections, nepotism so much high. getting job based on actual talent very rare.
MNCs which are good outside are so much sh8t here; well capitalism doesn't give a f8ck anyways.
I will try to give some context.
To give an example, the CSE undergrad from an average Indian college would've done 500 - 1000 leetcode "problems" for practice. But have little to no idea on how to survive in a UNIX shell, or to troubleshoot an actual problem. Hell, half of them haven't written more than 1000 lines of code for single purpose.
People early in their career (which is most SWEs including yours truly) follow whatever "influencers" on youtube (the local term being bhaiyya-didis), who give them rough "roadmaps" to "crack DSA" or "get high paying remote job". The result is that average CS guy spends most of his time navigating this rat race than studying computer science stuff that matters for the job.
I see similar kind of competition getting created at senior levels too, in the terms of people grinding theory and blog posts on "system design" interviews. I am not old^H^H^H senior enough to comment on it, though.
But it was not all bleak. IIRC, We were producing quite few good OSS contributions through GSoC, LFX etc... until few years ago (not considering my own among good ones). There were talented 1% or so (I known a few very talented people in personally). Nowadays these "hustler" variety people have started "How to crack GSoC" roadmaps [sic] too, and the spamming quoted above see may be related to this. This sort of insane rat race is not good for talented people. It's not good for companies either. Recruitment is basically lottery at higher levels too; I have seen people use AI to shamelessly lie on their resumes and get hired etc... Some of these problems may be present in west but India's scale makes some of these problems difficult.
These supposed electrical "engineers" have an IEEE "paper" to their name but regularly confuse power and energy. They have no curiosity, no interest in their work, atrocious communication skills (not language, communication) and swarm you like piranhas once word spreads.
All this combines to devalue Indian degrees and the reputation of Indian STEM talent. The genuinely good people are drowned under this avalanche and there's not much you can do to help them or to find them.
Hell, CVPR is now the top conference/journal in the world, beating out every medical journal, Nature, etc. NeurIPS I think is also beating out every medical journal ever.
If you're not targeting a top 20 listed conference/journal in your field as ranked by google scholar (i.e shows up on the leaderboards at all), you might as well not even publish, as those papers at worse venues act as a black stain on your academic career.
These folks should instead target workshops at prestigious venues.
It doesn't until suddenly it does. A glut of junk can eventually trigger a flight to quality.
Sadly, possibly not on a timeline which works for a given individual.
Anecdotally, I’ve worked with quite a lot of South Asian people, and there is an art to communicating with them - they’re remarkably indirect but thrrr are certain signs that they disagree. If you apply the same amount of skepticism to an Americans “super awesome mega amazing” bluster, you’d be pretty close to the mark IME.
https://www.cbsnews.com/news/indian-parents-scale-school-wal...
This is just lazy casual racism.
How do you know this?
If I was an Indian student, I would prompt it to avoid that style instead of keeping it.
Also, generally, people can just make stuff up on the internet so ...
Had my first experience with an "AI guardian" when I submitted a PR to fix a niche issue with a library. It ended up suggesting that I do things a different way which would have to involve setting a field on a struct before the struct existed (which is why I didn't do that in the first place!)
Definitely soured me on the library itself and also submitting PRs on github.
If I ever need to start using an AI to summarize text that someone else has generated with AI from a short summary, I'm gonna be so fucking done.
Big brain: create a solution solving an existing problem
Galaxy brain: create a solution that creates its own problems
Spam, for decades, has been a matter of just shoveling truckloads of emails out the door and hoping that one or two get a gullible match.
Blocking spam, for decades, has been a matter of heuristic pattern-matching.
I don't see how that is the same as "fighting LLMs with LLMs", or how it could be said to be the same as how spam is made and used.
What are you going to do now?
If the discussion leads to the insight, that this is worth a feature, the maintainer will implement it.
I think the same goes for PRs. If you think you have made something cool, then discuss it and offer your implementation and the maintainer makes it fit with you to integrate.
On the other side, if you want a feature it just doesnt have, simply forking it and updating from the source-repo is fair enough.
If you failed to give them proper reproduction information when asked, then yeah, you were wasting their time and they should rightfully close your issue.
I've never seen anyone on the curl team undeservedly "lambast" someone, and for a project that has a quite good reputation, I think the burden of proof is on you. Can you link to these supposedly terrifying comments?
So if you follow what’s been happening, you know the types of reports this message is talking about. What they consider time-wasters are slop reports where the reporter didn’t do any effort to even test the “bug” and then keeps pasting whatever the LLM says in replies and lying about using them.
In other words, for a legitimate report it’s hard to believe that was the reaction. I would expect them to be patient with a human contributor which really put in the work. It’s particularly hard to believe the maintainers would even waste their time to lambast someone on Reddit. Doesn’t seem like their style.
Maybe the person in this thread is exaggerating, maybe they misinterpreted it, or maybe it did happen. But it seems so out-of-character that some proof would be warranted, especially since it’s a single report.
It is entirely possible I merely chanced upon his highlights, but this announcement to me really just signifies a final straw breaking than anything else. His historical conduct is all public and speaks for itself. I wish I had the patience and perseverance he does, and I wish he didn't need it.
But at the same time, sometimes you have to really persevere to get a bug fixed.
Consider the perspective of the maintainer of a popular project: to them, you're one person in a big queue of people all reporting problems. Most issues turn out to be "I need free technical support, which you don't offer, so I'll phrase it in the form of a bug", and it saps their time to look into the details of each issue to find whether it's genuine-bug or user-error.
So that's why you should try to give reproduction instructions as best you can, and be up-front if they're incomplete, or you only saw it happen once.
If the maintainer responds harshly, or even if you get commentary from others, remember they are (or should be) criticising the bug report, not you. Try not to take it personally.
And even if they decide to close it, or not investigate further, you've still done the world a favour by adding genuine details about something you saw. The bug report is still searchable when closed. Other people who get the same problem as you are likely to find it, and it might spur them to reproducing the bug where you couldn't, and re-opening or re-reporting the bug and driving it forward to completion.
You're paying exactly $0 for support for this software. So any support (eg: bug fixes) you get are a gift. That means that if you (1) use their software, (2) don't provide a good bug reports to help them fix their bugs, and (3) complain about how it's not your job to fix them then... you, my dear person, are acting like an entitled ass.
It's not hand-holding to provide a good bug report, it's essential to make the bug report actionable. curl is so widely-used that bugs often come from a combination of the software and the environment (OS, libraries, etc). Without enough details to reproduce a bug, then the bug is often impossible to track down. This means: recreate the environment, the actions that led to the bug, and create the bug itself.
The only official community spaces they maintain are:
- their GitHub projects (Issues, Pull Requests, Discussions)
- their mailing lists
- their HackerOne page
If you were harassed on Reddit that is still shitty of course, but it's not gonna be on the project's dev team:
> Some dev teams do not mess around.
Unless some of the devs have verifiable, pseudo-official presence there at least.
(Now, if you used AI to generate the report, well... that's different. Especially if you didn't disclose it up front.)
I’ve basically watched the AI crap cycle go from “this is a weird report, oh it’s fake” to “all the reports are trash, it’s so hard to find real humans in the flood” through his posts.
I suspect I would’ve stepped down long ago. I feel so bad for the open source maintainers who are just being assaulted with nonsense.
They really don't, lol
If a community is full of assholes, unwilling to change, walk away! Don't contribute to what you don't want to support. It's just like voting with your wallet.
All contingent on whether you can actually afford to do so though, as usual, but I have a hard time believing that interacting on Reddit would be so essential, especially these days.
You can post the problems you find there, and if you're half decent it will be picked up and put in search engines for people that have similar problems.
You at that point don't have to defend yourself, at least directly, to the community.
Immediate conclusion: "community is full of assholes, unwilling to change".
This escalated quickly, didn't it?
https://news.ycombinator.com/item?id=46720626
Rather they seem to be arguing “if there is a community that is like that (whatever that community is)…”.
Should be a highlight of the 2020's decade.
It's not just open projects, it's anything that accepts unvetted information at all. Bug lists full of shit. Forums full of shit. News feeds full of fake shit. Ads full of fake shit. Cultural zeitgeist full of fake shit.
Culture and society has not figured out how to inoculate themselves yet.
These issues with reports and junk contributions come about because there is a huge payoff for pretending to be part of the community, but the benefit from actually contributing is generally less direct.
I dont think you can solve this with "friction", because the people you want to dissuade are more tolerant to these kinds of barriers than the ones you want invite in.
I'm not sure it helped in the end, afaik they did it since like 2003 until some years after the raid, but it still seemed like they didn't get the message and kept trying anyways, which from their perspective makes sense but still.
He repeatedly complains that at the beginning of some semester, he sees a huge spike of false/unproveable security weakness reports / GutHub issues in the project. He thinks that there is a Chinese university which encourages their students to find and report software vulns as part of their coursework. They don’t seem to verify what they describe is an actual security vuln or that the issue exists in his GitHub repo. He is very diligent and patient and tries to verify the issue is not reproducible, but this costs him valuable time and very scarce attention.
He also struggles because the upstream branch has diverged from what the major Linux distribution systems have forked/pulled. Sometimes the security vulns are the Linux distro package default configurations of his app, not the upstream default configurations.
And also, I’m part of the Kryptos K4 SubReddit. In the past ~6 months, the majority of posts saying “I SOLVED IT!!!1!” Are LLM copypasta (using LLM to try to solve it soup-to-nuts, not to do research, ideate, etc). It got so bad that the SubReddit will ban users on first LLM slop post.
I worry that the fears teachers had of students using AI to submit homework has bled over into all aspects of work.
While crypto style AI hype man can claim Claude is the best thing since sliced bread the output of such systems is brittle and confidently wrong.
We may have to ride out the storm, to continue investing in self learning as big tech cannot truly spend 1.5 trillion on the AI investment in 2025 without a world changing return on revenue, a one billion revenue last year from OpenAI is nothing.
LLMs know (as in have training data) everything about Kryptos. The first three messages, how they were solved including failed attempts, years of Usenet / forum messages and papers about K4, the official clues, it knows about the World Clock in Berlin, including things published in German, it can certainly write Python scripts that would replicate any viable pen-and-paper technique in milliseconds, and so on.
Yet as far as I know (though I don't actively follow K4 work), LLMs haven't produced any ideas or code useful to solving K4, let alone a solution.
As one does in academia, so to the market, because now we have financial incentive. It ain't going to stop.
> Open source code library cURL is removing the possibility to earn money by reporting bugs, hoping that this will reduce the volume of AI slop reports.
> cURL has been flooded with AI-generated error reports. Now one of the incentives to create them will go away.
[1] https://news.ycombinator.com/item?id=46701733
[2] https://etn.se/index.php/nyheter/72808-curl-removes-bug-boun...
Why? If it is a purely machine generated report there is no need to have dozens of third parties that throw them around blindly. A project could run it internally without having to deal with the kind of complications third parties introduce, like duplicates, copy paste errors or nonsensical assertions that they deserve money for unrelated bugfixes.
A purely machine generated report without any meaningfull contribution by the submitter seems to be the first thing you would want to exclude from a bug bounty program.
The problem they had before was a financial incentive to sending reports, leading to crap reports that wasted time to review. Incentivizing sending reports + patches has the same failure mode, but they now have to waste even more time to review the larger quantity of input.
Anyway, for most cases I'd bet that Daniel can produce and get reviewed a correct patch for a given security bug quicker than the curl team can review a third-party patch for the same, especially if it's "correct, but ai-written".
If I find a security issue, I'm willing to responsibly disclose it, but if you make me pay, I don't think I will bother.
Punishing bad behavior to disincentivize it seems more sensible.
It would discourage drive-by reports by people who just happened to notice a bug and want to let the maintainers know, but I think for a project that's high-profile enough to be flooded by bogus bug reports, bugs that random users just happen to notice will probably also get found by professional bug hunters at some point.
I wouldn't do the above, but it is easy to see how I could run that scam.
Not saying I have a better solution, just that it's a hard problem. Maybe dissuading some good people who have genuine security issues but don't feel like paying just has to be a cost of doing business.
Hence the threat to shame publicly I suppose.
Actually, Daniel Stenberg previously responded to this proposal the same way as me [1] (and maybe would still do). Coincidentally, I was reading your answer at about the same time as this part of the talk.
[1] https://www.youtube.com/watch?v=6n2eDcRjSsk&t=1823s (via https://news.ycombinator.com/item?id=46717556#46717822)
That sounds wonderfully meritocratic, but in the real world, a machine generating it is a very strong signal that it's bullshit, and the people are flooding maintainers using the machines. Maintainers don't have infinite time.
Throw enough AI crap at enough projects and you may get a payout.
The incentives fail in the face of no-effort flooding. They accidentally encourage it.
But not the motivation. GitHub incentives this type of behaviour, they push you to use their LLMs.
GitHub is under Microsoft’s AI division.
https://www.geekwire.com/2025/github-will-join-microsofts-co...
Finally an explanation to why GitHub suddenly have way more bugs than usual for the last months (year even?), and seemingly whole UX flows that no longer work.
I don't understand how it happens, do developers not at least load the pages their changes presumable affects? Or is the developers doing 100% vibe-coding for production code? Don't get me wrong, I use LLMs for development too, but not so I can sacrifice quality, that wouldn't make much sense.
I understand where it's coming from, and I too think the current situation sucks, but making Microsoft responsible for something like that is bound to create bad times for everyone involved.
Might even be good for Microsoft - they would be the only one knowing who is who.
At my previous employer, I had access to the company’s bug bounty submissions and I can assure you no matter what you try to do, people will submit slop anyway. This is why many companies will pay for “triage services” that do some screening to try to ensure that the exploit actually works.
Unfortunately this means that the first reply to many credible reports are from people who aren’t familiar with the service, meaning that reports often take a long time to be triaged for no reason other than the fact that the reporter assumed that the person reviewing the report would actually understand the product. It’s hard to write good, concise reports if you can’t assume this fact.
Honestly, I don’t know what can be done to fix all of this. It’s a bad situation for everyone involved, and only getting worse.
I guess people would complain if it was tied to Github.
Possible solutions I can think of:
- Require an account with a paid service. Fix = require money - Require an account verified with real ID/passport etc. Fix = link to real person - Automated reply system to "waste tokens" if it is an AI that is responding. Fix is increased cost of spammer. - Have some kind of "vetting system" where you get on an allowed list to report these types of things. Seems not good to me, but perhaps there is something in it.
I wonder how much open source code is lost because maintainers must deal with this type of thing versus the "good" that AI can bring in productivity.
I can imagine GitHub becoming this filter somehow
First requiring a deposit system. This might work in the sense that someone dedicated can put down $5 and report a bug, and even if it's not a bug but their work is legitimate they get refunded at the end of the process.
- This doesn't scale well globally as $5 is nothing to me, but significant to someone that lives in a place almost no one in the US can pronounce correctly.
- Once you become trusted you no longer need a deposit.
- Most people what would submit a single, real, bug won't do this and you lose this information.
- How is management of this deposit system paid for? How is fraud dealt with?
This was entirely predictable. When you give everyone the ability to be good at something with no effort, everyone is going to do it (and think they are the first).
My partner recently bought a book from Amazon, and when it arrived, I looked at the cover, flicked through it, and said it was AI slop. She complained to Amazon, and they just refunded her, no questions asked, and the book went in the fire.
When you give them the ability to think they’re good. If they truly became good, this wouldn’t be an issue.
- For example, there is this +1 comment pasted like 500 times that I have seen a lot over issues
- Cant we have a github regex bot of sorts ^(\W+)?\+(\W+)?1(\W+)?$ that removes all such comments? or let the author of the repo control what kind of regex based stuff to remove?
- I know regex kind of sounds old fashioned in the age of LLMs but it is kinda simple to manage and doesnt require crazy infra to run
Things you cannot expect:
- ALL humans to know what SOME code does
- SOME humans to know what ALL code does.
(from https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-s...)
There are much better ways to communicate the intended message. This comes off as childish to me and makes me think that I'd rather not contribute to the project.
It's unfortunately the new normal, with FFmpeg's core team acting similarly. No doubt the result of what is considered socially acceptable expanding in ways it probably shouldn't.
Fair play to them.
Honestly, I would love it if I could front some money in order to have the devs look at my PRs. Half my PRs just go into the void and nobody looks at them until some staleness bot inevitably closes it.
This is a similar problem to resume spam. I always wish I could pay $5 when submitting a resume with the guarantee that someone would actually look at it and give me a fair shot. If I ever run a place I want to experiment with only accepting resumes through letter mail or in person.
Update the email protocol so that all messages must be encrypted. Not "by default", but by necessity. The server rejects them if they aren't encrypted and signed in a way that proves the decryption key is on a block chain.
The only way to put the key in the chain is to submit a micro payment. By "courtesy" , but completely subject to the recipient, the users client will refund the payment 48 hrs after it has been decrypted/read. Only if they click "spam" then the payment stays on their ledger. This would kill spam overnight.
The two downsides I see so far are that the chain is a single point of failure for everyone, and it would cost people a few bucks and some friction to get the clients set up. Plus the coin would have to be very low transaction cost, and still fully redeemable for actual value somewhere.
love this. more projects should use this kind of language. cut the bullshit
But scaring people off from security reports also isn't a great idea either.
Students would often abuse it since there’s no adult in the room to teach them how to behave. I guess this is one hard way to f around and find out. But this is by no means condoning this sort of behavior.
Point is, LLMs made the situation more dire: it’s cheap to generate code, whereas reviewing still scales sublinearly. The only way to prevent this is by being rude to people who are rude to you.
Moving off github into a more niche platform was the best choice I have ever made to curb such zero-effort issue and feature requests. It raises the barrier just enough.
On the other hand, I'm a dev, and I hate the "start a discussion first" gatekeeping. I participated in projects where the approach is to start a discussion on a forum first, and I get the same feeling you have as a tech guy calling ISP support on the phone.
Seems like a completely appropriate way to handle things if you're still on Github. You said yourself the spam drove you off.
They could let people who are proven not to be spammers open PRs directly.
CURL is free to try it, but I'm doubtful being rude will meaningfully improve things. I'm confident it won't improve the ratio of good to bad reports because non-chatbot powered submitters are sensitive to rudeness or even the threat of potential rudeness, and so this approach could easily reduce total volume some but mostly in the reduction of good submissions.
But from I hear it affects other projects too. It affected curl more because with the bug bounty they actually need to invest work and look at those.
[1] https://daniel.haxx.se/blog/2024/01/02/the-i-in-llm-stands-f...
[2] https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-s...
It is large, very popular (hence impact) and written in C. It supports many many many protocols with all of their real-world implementation quirks. Obscure or mainstream. And always handling user-controlled data.
If your motivation is a cool CVE for your CV, you'd pick such a project as the target of your efforts.
That’s a bad combination with LLMs which are almost perfect for letting the user think they’re being more productive than they actually are because the output sounds authoritative. You don’t have to be acting in bad faith to submit a slop report, just being inexperienced and over-confident will work if you don’t have enough experience in the area to reason about the security of the entire system.
And then maybe they will give you money.
So I think OP is trying to insinuate POTUS' behavior inspires a general lack of decorum, a la trickle-down dickonomics. Which is a sentiment I can't in good faith disagree with entirely, but it seems like a stretch in this case.
If shame worked, then slop reports would've stopped being made already. Public ridicule only creates a toxic environment where good faith actors are caught up in unnecessary drama because a maintainer felt their time was being wasted. Ban them, close your bug bounty program, whatever, but don't start attacking people when you feel slighted because that never ends well for anyone (including curl maintainers)
Besides, I've seen plenty of profiles here on HN who advertise their real name and espouse (in my view) awful takes that would most likely not fly in real life. I'd recommend reading this article[0] for an example of when people, with their real names exposed, can still cause a shitstorm of misunderstanding.
Shaming does not work, you look like an idiot, people will start to despise you and then you end up ostracizing yourself from the rest of the community and the only ones left within your bubble, are circle jerk assholes.
It's one of those cases where you end up causing more harm than the ones you were complaining about.
Just pathetic behaviour.
There's no such thing as a reasonable "false positive" on a security report. There is such a thing as a false positive on a bug report. (A real bug, that happens to have no security impact, is still a true positive, just without a security risk)
If you can make it crash, or behave incorrectly, or have some repeatable, weird behavior; but you have no idea how you could exploit that for an articulable advantage, or access to the system you shouldn't have. What you have is a bug, not a security issue. You can, and should submit a bug report.
Then, critically; "if you waste our time" seems to be an important part of the statement.
If you don't know, you suspect it's a security bug because you shouldn't be able to do this, and it is leaking information that you think is suspicious, and you can easily demonstrate that you can make it happen on demand. And you report that bug, and make it easy for them to understand and either confirm the security, or reject because [reason]. You haven't wasted anyone's time and this wouldn't apply to your bug.
This is by design, you shouldn't be submitting reports on anything less than certainty. It's not the maintainers responsibility to prove out your idea. It's yours, and when you're sure, reproduceable, and documented it, then you can submit it.
Proving out a security vulnerability from beginning to end is often very difficult for someone who isn't a domain expert or hasn't seen the code. Many times I've been reasonably confident that an issue was exploitable but unable to prove it, and a 10s interaction with the maintainer was enough to uncover something serious.
Exhausting these report channels is making this unfeasible. But the number of issues that will go undetected, that would have been detected with minimal collaboration between the reporter and the maintainer, is going to be high.
"As contributors and maintainers of this project, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities"
Why have a code of conduct while being hostile to contributors?
I think they should handle this differently.
I think the parent is correct in calling out the inconsistency of promoting personal attacks when that is explicitly forbidden in the CoC.
I'll try to strike a conversation with a spammer next time I can't sleep. Thanks for a great suggestion.
"You can't be a contributor if you're an Indian using AI".
I don't think this is the way ..
You won't get a hundred percent hit rate on identifying it, but it at least filters really low effort obvious stuff?