Relevant since we started outright rejecting agent-made PRs in awesome-selfhosted [1] and issuing bans for it. Some PRs made in good faith could probably get caught in the net, but it’s currently the only decent tradeoff we could make to absorb the massive influx of (bad) contributions. >99.9% of them are invalid for other reasons anyway. Maybe a good solution will emerge over time.
I’m not sure I totally understand your comment, so bear with me if I’m agreeing with you and just not understanding that.
Before LLMs, there was a kind of symmetry about pull requests. You could tell at a glance how much effort someone had put into creating the PR. High effort didn’t guarantee that the PR was high quality, but you could be sure you wouldn’t have to review a huge number of worthless PRs simply because the work required to make something that even looked plausibly decent was too much for it to be worth doing unless you were serious about the project.
Now, however, that’s changed. Anyone can create something that looks, at first glance, like it might be an actual bug fix, feature implementation, etc. just by having the LLM spit something out. It’s like the old adage about arguing online–the effort required to refute bullshit is exponentially higher than the effort required to generate it. So now you don’t need to be serious about advancing a project to create a plausible-looking PR. And that means that you can get PRs coming from people who are just trolls, people who have no interest in the project but just want to improve their ranking on github so they look better to potential employers, people who build competing closed-source projects and want to waste the time of the developers of open-source alternatives, people who want to sneak subtle backdoors into various projects (this was always a risk but used to require an unusual degree of resources, and now anyone can spam attempts to a bunch of projects), etc. And there’s no obvious way to tell all these things apart; you just have to do a code review, and that’s extremely labor-intensive.
So yeah, even if the LLMs were good enough to produce terrific code when well-guided, you wouldn’t be able to discern exactly what they’d been instructed to make the code do, and it could still be a big problem.
I agree with everything you wrote but I’m not sure how it helps clarify what I said earlier. So… I think we agree?
On your final point I think the big difference between then (before LLMs) and now is that until recently a very demanding PR, in the sense that the person asking for the merge would have a good idea yet didn’t really get something about the project and thus needed a lot of guidance, it was seen as an investment. It was a risky bet, maybe that person would just leave after a lengthy discussion, maybe they’d move to their own project, etc… but a bit like with a young intern, the person from the project managing that PR was betting that it was worth spending time on it. They were maybe hoping to get some code they themselves didn’t have the expertise on (say some very specific optimization for very specific hardware they didn’t have) or that this new person would one day soon become a more involved contributor. So there was an understanding that yes it would be a challenging process but both parties would benefit from it.
Now I believe the situation has changed. The code submitted might actually be good, maybe not. It will though always, on the surface, look plausible because that’s exactly what LLM have been trained for, for code or otherwise, to “look” realistic in their context.
So… I would argue that it’s this dynamic that has change, from the hope of onboarding a new person on a project to a 1-shot gamble.
Yeah, agreed. I must have misunderstood your original comment.