I mean also shouldn’t somebody be reviewing these MRs? I’m an infra guy not a programmer but doesn’t it like, not really matter how the code in the MR was made as long as it’s reviewed and validated?
The problem with that is that reviewing takes time. Valuable maintainer time.
Curl faced this issue. Hundreds of AI slop “security vulnerabilities” were submitted to curl. Since they are security vulnerabilities, they can’t just ignore them, they had to read every one of them, only to find out they weren’t real. Wasting a bunch of time.
Most of the slop was basically people typing into chatgpt “find me a security vulnerability of a project that has a bounty for finding one” and just copy-pasting whatever it said in a bug report.
With simple MRs at least you can just ignore the AI ones an priorize the human ones if you don’t have enough time. But that will just lead to AI slop not being marked as such in order to skip the low-prio AI queue.
I mean also shouldn’t somebody be reviewing these MRs? I’m an infra guy not a programmer but doesn’t it like, not really matter how the code in the MR was made as long as it’s reviewed and validated?
The problem with that is that reviewing takes time. Valuable maintainer time.
Curl faced this issue. Hundreds of AI slop “security vulnerabilities” were submitted to curl. Since they are security vulnerabilities, they can’t just ignore them, they had to read every one of them, only to find out they weren’t real. Wasting a bunch of time.
Most of the slop was basically people typing into chatgpt “find me a security vulnerability of a project that has a bounty for finding one” and just copy-pasting whatever it said in a bug report.
With simple MRs at least you can just ignore the AI ones an priorize the human ones if you don’t have enough time. But that will just lead to AI slop not being marked as such in order to skip the low-prio AI queue.