When AI first happened, I was afraid I was going to eventually lose my job. And while I've been lucky since, many did, and that hurt a lot. When people are losing something to automation, regardless of the economics of the situation, you cheer for the humans, or at least hope that society keeps being fair to those who are most affected.
Now I see communities being affected. When you kill PRs, you not only kill the code contributions, but also massively impact the other, non-tangible contributions like ideas, eyes on code, etc. That feels way worse.
I'm conflicted, confused and afraid, HN. Look at what I just wrote, yet I use claude and deepseek and all the skills and complex harnesses and MCPs and whatnot... But all now seems like a transition phase. Transition to f-ing what though?
A lot of questions cannot be answered unless we dedicate a meaning to our lives. Human touch? Too late? Also: I liked a song and it was sonos. I unliked it after discovering. I feel so stupid, so often.
Sorry for the unhinged digression.
I love Ladybird (have a sticker on my laptop to prove!), I hope they thrive.
>But all now seems like a transition phase. Transition to f-ing what though?
It feels like being in the middle of a tornado. But I think it helps to turn off screens, sit in a desk, and calmly remember first principles and consider them slowly.
Quoting obama, "reality has a way of catching up with you".
I see a lot of talk, but iOS is not delivering a decade of features and fixes on each yearly release. Literally no one does, if anything people are complaining that existing functionality is breaking down. So it can't be true that we're at 10x productivity, and this fact will eventually catch up with us.
Let's be human, and remember that many people are emotionally invested. Juniors want this to be a chance to shine in a market that otherwise rejected them. CEOs placed their bet on AI and don't want to walk that back. Seniors want to signal that they are not obsolete. AI companies will poison discourse. But all this smoke will eventually clear.
I've been thinking a fair bit about what I'm seeing in terms of the output I experience
It's quite hard to quantify, but I think it's one shot nature really makes it hard to gauge it's capability
Friends have spoken of good days and bad coding days with me, and I find it odd nodding along, it's a strange new normal
At times it feels like we're just coding with one-armed bandits, trying to carefully line them up for a jackpot and just discarding and retrying if we don't hit
I think about some of the more complex systems I've built and I wonder how well we can build them like this
And over engineering, there seems to be over engineering everywhere, and yet, more fragility to our systems
I imagine this stuff is probably really good at iterative changes to improve objective benchmarks like CPU or RAM use. I'm thinking of little contained optimizations that you can understand in and of themselves, that you maybe have done yourself before in other places, found really quickly and applied uniformly. Stuff you can confirm to be what you expect it to be by mostly just scanning. Low hanging fruit for sure, but something where you can actually know what is a fruit and what is crap, and only keep the fruit, and develop some confidence in the process, if that makes sense?
Or trying to reduce complexity, increasing readability and coherence of variable names (the opposite of code golf if you will), while staying within a certain limit of performance regression (e.g. "make this code as nice as you can while making it at most 0.5% slower").
Making the stuff millions of people have been using for decades better, in a way that also makes it better for humans when they read the code. Surely that's possible, some people are probably doing it but it doesn't go viral as much, because it's too mundane.
And of course, making new stuff is more exciting. I mean, you could hit on something with a vibe coded thing, and then know it's now worth to make a non-sloppy version, but you won't get much fame for making ffmpeg twice as fast by prompting an LLM. Though on the other hand, it's like a safe investment (if not in "fame", then in "improving the stuff we all have to use daily"), because you know ffmpeg and many many other things will still be around, whereas a vibe coded thing that wasn't special will be 100% forgotten the next day, or have just the one user forever.
> Juniors want this to be a chance to shine in a market that otherwise rejected them.
I actually am training 2 trainees (Azubi in German) and 1 working student. All three are somewhat anxious about the future but also all are learning in a significantly increased pace, compared to the ones I worked with 1.5 years ago.
They don't have to wait for random senior to answer questions, so they get stuck way less often. They aren't allowed to use AI to generate code though, so not sure how that'd look like learning-wise if we/they went all-in on AI.
I wish I could be so optimistic. Our lives are ruled by distorted, irrational, inefficient, failed markets, and the markets can remain distorted, irrational, inefficient, and failed for longer than we as individuals can remain solvent. "In the long term the market is a weighing machine", for term lengths that include the heat death of the universe.
I sense your comment as saying: "AI is hype, and reality will catch-up.".
But the simple fact is there's massive evidence that in skilled hands 10x or 100x engineers are possible. We're seeing evidence of it across major open source project as well. And definitely behind closed doors across companies.
Reality will catch-up with that too, once the other smoke clears.
> But the simple fact is there's massive evidence that in skilled hands 10x or 100x engineers are possible. We're seeing evidence of it across major open source project as well. And definitely behind closed doors across companies.
Each of these three sentences are in need of some evidence. I'm not actually seing any signs of software velocity notably increasing anywhere. Except perhaps in the AI-reseller sphere, but that seems mostly due to throwing huge amounts of VC money at it and a lack of quality control.
That’s also not possible in “skilled” hands. My output is roughly the same. It does the scaffolding, but I need to rewrite almost every line, because it introduces footguns around that often. And before I had about 20000 LOC it failed even with scaffolding, ie architecture. And it wasn’t taste, just footguns all around, architecture ones. Nowadays for example still introduce mutability or completely unnecessary complexity where it shouldn’t, even when the example code which does almost the same is pristine. Many times it’s like StackOverflow, when a question doesn’t need 90% of the accepted answer, but people happily copy it brainlessly.
This is especially bad with new, or quickly improving frameworks, like Android Compose. LLMs use completely outdated, deprecated APIs all the time, when they are not completely supervised. Or at least, I hope so that the framework causes it. Because if that’s not the case, then your products are fucked.
Also even with the best prompts it could never produce more working code in an hour than what I can produce in a day. Regardless of quality, just “working somehow”. Not even with an uninterrupted session. If that’s the case for some, then there is definitely also a developer skill issue. And so would definitely not trust anything coming out of their “supervision” of an LLM.
I'm not say it's pure hype. Not in the sense of previous hype waves like the metaverse or NFCs. It clearly has uses.
I do think it is hype as a killer of knowledge work. It can certainly remove a lot of friction in the kind of borderline mechanical work that you'd formerly outsource to the lowest priced denominator, serve as an idea bouncer, remove friction for bug tracing, etc.
Attempts to cross the next line ("no need for architecture discussions, ai plans", "no need to read the code, ai reviews", and so on), nope.
As someone else mentioned, 100x is a couple days producing the outcomes (remember, not output) of a year. Or for a team, iOS delivering in a single year ten times as many features as its entire previous existence. It's not something that doesn't get noticed.
> And definitely behind closed doors across companies.
At my large org (+100 engineers), I'd say it's a mixed bag and the overall impact of AI rollout looks to be slightly negative productivity.
They probably won't say it publicly though.
It's not because some people are more productive with it that all of them are and it certainly doesn't mean that the company itself is more productive either as you have other things than code to take into account.
> Now I see communities being affected. When you kill PRs, you not only kill the code contributions, but also massively impact the other, non-tangible contributions like ideas, eyes on code, etc. That feels way worse.
These "contributions", while they did exist in small quantities, mostly were not actually what you've described there.
Instead, those boiled down to unsolicited opinions, hostile takeover attempts, value extraction, general drama and just overall overhead over simply building code.
This was not always the case, but the GitHub model of building FOSS (and removal of all friction) certainly made it the new default.
Said model was always unsustainable, but the burn rate made it sustainable enough so that we could just throw more humans at the problem to replace the burnt-out ones.
AI pushed the burn rate over the replacement rate.
=> We will likely see more projects adapt this or a similar stance I think.
It always seemed like a weird default to let people (esp strangers) submit PRs that weren't tied to an issue nor approved.
What do you mean you just spent a week implementing something in secret?
AI makes it extra silly because now you can craft up your unsolicited code change in minutes, making it extra obvious that code changes should spawn from real discussion and agreement.
TFA is part of looking for new processes that actually work. Dunno why people are having such rose tinted glasses about pull requests. Open an issue, talk to people. Have an idea? Then get people to cosign it.
I think it was different pre-AI. Someone might come in and spend days getting some understanding of the codebase before they contribute some minor fix. Over time they might stick around a make some more of these, progressively gaining trust so when they do take on something bigger the maintainers will know they aren't wasting their time reviewing it.
Now they can drop a multi thousand line poorly understood PR day 1.
As someone who maintained FOSS libraries pre-AI, I think the frequency might have changed, but large drive-by PRs with thousands of changes happened before too, I've been on the receiving end of those many times. Usually they fundamentally change the architecture too, then the submitter get offended/sad/surprised when you tell them you impossibly could accept it and they should stop wasting their time contributing without discussing first. Usually ends with some threats how their fork will take all the contributors or something like that.
What I don't get, is why these LLM users aren't asking their LLM for how to contribute and how the project prefers to contribute, and how they can make sure it's accepted? Literally, the very same tools they use to code, can be used to make sure their PR follows all guidelines, from discussions to acceptance of the PR itself, it's right there, they literally just have to prompt for it! Such a lazy group of people.
Good faith PRs were also suffering under the current model. Ive opened PRs by hand on small projects to try and fix personal issues that probably affected others. Then the PRs languish for months or in one case literal years under the deluge of ai slop being spammed at the repo. I’m not going to ping the maintainers constantly when I know they are struggling so I’m left running my fork and no one else gets the benefit.
Big projects pre-AI also can have hundreds of rotting PRs. It's a lot of work to go through them, and unsolicited PRs are kind of the wrong way to spend time as a maintainer.
AI just makes it so obvious how bad of a process it is that we can't ignore it anymore, and now we need to finally figure out good processes.
Even little stuff like: I've created issues on the Claude Code github that got agreement and then led to code changes. Why isn't there a default, built-in way for my issues to rise above the zero-effort chaff? If you finally do the work of vetting someone's PR, why isn't there a built-in (hidden) way to +1 someone so we can see that they have some reputation with the project on their future issues/PRs?
First off, to have conflicting feelings about something is really normal and doesn't immediately point to a problem, it's extremely human, and I feel similar to you to. I'm a creative + programmer, I hate to see what's happening in some communities yet I too use agents for development, it'd be like avoiding Google + SO when they first appeared, feels like there is a clear "before/after" moments with those, and with LLMs as well.
I don't really have anything useful to add here, I think, just that you aren't alone in feeling conflicting feelings here. New things usually are like that, comes with incredible benefits in some areas yet seem to strip humanity away from others, some people use it to produce fluff and crap, others essentially gain new abilities and use those to build even better stuff. I don't think there is any universal truths here, sadly.
I, very genuinely, highly recommend reading the Wikipedia page about the Luddites if you feel confused. This is a class consciousness problem. People feel conflicted because they know they aren't acting in their own best interests when they use generative AI (i.e. it does not lead us, as a society, to a good place -- mainly due to our bought-out legislature).
Again, I don't think there is any universal truths here, no correct nor incorrect answers, it's all very subjective. For example, I'm conflicted about the thing as a whole, but also I wouldn't say "Usage of generative AI for sure leads society to a worse place" like you just implied, that's too absolute for me and not something I'd agree with, and it wouldn't resolve the conflicts we're talking about here.
Maybe your legislative feels bought out, that sucks, but that's not the situation nor the feeling everywhere in the world, certainly not where I live, so also doesn't seem to be related although if I assume where you live, I totally understand why you're currently feeling like that.
> that's not the situation nor the feeling everywhere in the world, certainly not where I live
Do you expect your government to navigate whatever transition might await us in a manner that works out well for the vast majority of your countrymen? What about the governments of other major world powers? Even if your local government does all the right things, will the world as a whole end up in a good place?
That said, I'm not sure that there's much in the way of actionable options, at least not with clearly defined outcomes.
> Do you expect your government to navigate whatever transition might await us in a manner that works out well for the vast majority of your countrymen?
No, but I expect them to do the best they can, with the information they have available, as always, as they just like me, are just humans. Trusting the legislative branch of my government is different from "so you think it'll work out well for everyone then huh?", btw.
> What about the governments of other major world powers?
Why does it matter how much I trust the legislative branch from other countries? They do as they wish, we continue to do as we wish.
> Even if your local government does all the right things, will the world as a whole end up in a good place?
My experience and opinion is that generally the world is getting better almost every day, vast difference even compared to ten years ago, how much better the world is today, for most people. There are some few countries which lately been going in the wrong direction, but for the most part, we (humanity) are getting incrementally better.
> Trusting the legislative branch of my government is different from "so you think it'll work out well for everyone then huh?", btw.
Agreed, and that was exactly my point. Concern about possible impacts of a technology were expressed and you responded that you trust your government. But that's not the same as thinking that everything is headed in a good direction and doesn't require intervention.
> Why does it matter how much I trust the legislative branch from other countries?
Because in a globalized world if everyone else goes to shit you will probably also experience significant negative effects even if it's not as bad.
> for the most part, we (humanity) are getting incrementally better.
It seems to me that it's prudent to perform a risk assessment rather than assuming that everything will work out just because things seem to have been going well enough so far.
I feel like you're trying to move this conversation in a direction of discussing policy, while the context are individuals, their emotions and how they feel about things, that's how the conversation started. I never talked about how much I trust/distrust my government, all I said was that I trust the legislative branch, as parent commentator said they didn't trust their legislative branch. How much I distrust/trust my government at large is hardly on topic here, I also don't think because one (large) country been bought out, doesn't mean the entire world goes to shit, nor do I assume that everything everywhere will work out simply because I'm admitting that I too am conflicted, even though I too use AI-tooling, even though I'm a creative that like manual crafted things, even though I trust the legislative branch of my government.
We can also take some refuge in things like steam engines or electricity or the internet and how if you're just on the cusp of those you'd have similar feelings, but many years later here we are, still with jobs and meaning. A lot of people say this time is different but I guess when electricy showed up people would've said the same? I certainly remember people predicting that Manhattan would stop existing during the dotcom bubble because the internet would kill all street level businesses and people would work from wherever so big cities were over. And here we are.
I'm also conflicted but take a glass half full approach basing myself on the fact that when I'm feeling like "this time is different" it's probably my ego wanting my lifetime to happen at an interesting time in history, so my brain wants the current events to be the most transformative.
It certainly didn’t kill Manhattan, but it did kill or at least seriously maim lots of small towns. We lost a lot of local culture in the switch to everything being available online. I’m not sure we’re better off.
> A lot of people say this time is different but I guess when electricy showed up people would've said the same?
No. Electricity didn't raise the skill floor all that much. Certainly nowhere near the human skill ceiling.
> the internet would kill all street level businesses
That was never going to happen overnight, if at all. But online retail (and food delivery, etc) does seem to be slowly but surely eating away at local shops so I think it's within the realm of possibility.
> But online retail (and food delivery, etc) does seem to be slowly but surely eating away at local shops so I think it's within the realm of possibility.
Online retail eating away at local shops is a problem with two aspects - one of which is largely ignored and much more pernicious.
Yes, many people are shopping online which reduces footfall in the town centres.
If this were a case of all the existing businesses simply shifting away from physical storefronts to virtual ones it would merely be unfortunate.
What's far worse is that the vast majority of the business that shifted away from a diverse collection of bricks-and-mortar stores now goes through one of a very few online retail giants.
Likewise, a couple of food delivery apps are parasitising takeaway food businesses.
And now we're allowing a handful of AI giants to tollbooth software development.
You can stop at any time. It's an unfortunate reality that many will not pay much mind as long as it's other people who are being harmed, but why support something morally and financially when it's now destroying something you personally care about?
It doesn’t help to know that using and supporting private LLMs is only making openai/anthropic/google/etc even richer. I myself cannot justify its usage.
The future is a bit fuzzy, always. That said, here's my take on it.
> Transition to f-ing what though?
Not jobs. Those will be gone once ai can do them cheaper than humans. ai can already do many (most?) of them better than humans. The jury is still out on the cost aspect. Judging by r/LocalLlama, the lower cost is not that far off. There may be some structural adjustments around compute pricing before that happens, though.
In the EU, humans will probably be ok. They have a strong tradition of focus on human needs. Because of lower average salaries [1] than the US [2], human employment will likely carry on longer as well.
In the US, those folks that have capital will likely be ok. They'll be able to purchase services from ai companies and invest in ai companies and corporate armed forces (ai-populated, not human) to protect the Haves. Those that don't have capital? Who knows? America hates poor people, women and minorities.
China? No idea. Though I hear that their demographics are upside-down, so there'll be fewer people to support over the long-term. That they'll supply the robotics and goods for the rest of the world is not in doubt: cheaper electricity from solar/wind, advanced ai and robotic tech, science and industry moving forward while the US regresses, hard.
India? Hard to say. No social net of any consequence. Not enough capital to go full ai/robotics, human labor way cheaper than ai/robotic labor at the moment, so maybe they'll survive as that last major bastion of human work for some time to come. But their economy is growing, and they have a lot of people, so at some point they'll come to that same fork in the road. Hopefully they'll have serious social safety nets by that time.
Africa? In a lot of ways, they're similar to India on the human labor costs side, so their future hasn't been written yet either. India can probably fend off an invasion by rapacious US corporates with ai/robotic armies looking for resources because of sheer numbers, but Africa, fragmented, is a different story. Maybe China will be their friend? If you think this scenario is outlandish, look into the history of European companies colonizing the world. You didn't think the East India Company with its massive private armies were government-owned, did you? Likewise with the Spanish/Dutch/Portugese expansions. The govt. takeovers didn't happen until much later, tens of decades later.
South America? They're an interesting case. Brazil may take a trajectory similar to the EU. Chile, Ecuador, Uruguay too. The others are a ?
Perhaps knowing a human with talent worked on it, putting some small part of themselves and their lived experience into the music has value to them? If so, then their actions make complete sense.
Human created music might have value to them, but it doesn't mean that the AI song was valueless. They admit they enjoyed it. So it doesn't make sense in terms of it not having value.
I wouldn't say it's asinine though. People reject creative output out of personal protest against the creator. Someone might love a movie only to refuse to ever watch it again because they found out the director was accused of something horrible.
Some people just don't want to support anything to do with AI. Although in this case the OP admits to also using AI directly so there's some inconsistency there, which is consistent with the state of confusion and uncertainty OP is expressing.
It's not asinine at all. Context matters in art. Otherwise, more songs exist that I would probably really like than I will ever hear, so I'm going to focus on the human-made ones. Besides, part of the joy of music extends beyond listening. For many people, myself included, if we feel really connected to a song we like to learn about the people who created it.
how was open source managed before GitHub ? you had to find a mailing list, be involved in the mailing list - ask questions, make a proposal, then create code after -- code goes through x rounds in the mailing list. finally it is merged if it suits direction of the project.
this willy nilly of opening pr's while not being an active member of a community I would say decimated open source.
I've been looking a lot at Godot (another big open source project) PRs lately, and there's been kind of a surge of wholy ai-generated PRs (both code and description).
This is agains project-policy, so people creating these PRs usually get mildly told off. What's surprising is that while many submitters take that fairly well, some people get really indignant, essentially calling the maintainers ungrateful.
It's kinda surprising to me that even the people who are all in on ai haven't internalized that there's no inherent value in producing a big lump of code. They've massively decreased the work they put in but still expect the same pre-ai reaction/gratitude when submitting a big PR.
The pre-ai reaction was also unwarranted: committing a massive amount of potentially unmaintainable handwritten code isn't a necessarily positive contribution and any decent engineer (or person tbh) would understand that & not expect gratitude, no matter how concerted their effort.
In that context, I wouldn't expect an idiot (of which there has always been far too many in this industry) to change their behaviour in a post-ai world. They were always out of line & continue to be.
Fwiw, a non-technical employee in my workplace has begun submitting ai-generated prs to internal repos I maintain & they're of excellent quality, with review feedback graciously received & expediently addressed, so this isn't a matter of the idiots not being technical, it's an attitude problem.
Sure, but I think we should judiciously avoid the false equivalence yielded by only looking at this on a developer-by-developer basis, rather than systemically. The truth is that in practice, AI is not a neutral force. Obviously AI can enhance the output of smart, experienced developers and improve the efficiency of code reviews, mitigating the effects of garbage PRs. However, it increases the percentage of PRs contributed by entirely inexperienced and/or not-smart devs from zero to, potentially, the majority. It entirely removes the barriers inherent to coding that kept Dunning-Krueger cases from submitting ill-conceived or poorly constructed changes— actually getting them to run in some way, even poorly. That makes them much more difficult to distinguish from well-constructed PRs than those from, say, someone cargo-culting code from tutorials.
Moreover, as these tools become more expensive, people with money to blow on tokens will be able to drown maintainers that don’t have enough token-cash to help them deal with it. People see this as mostly a matter of time and energy, but I reckon it will soon be a financial issue.
I see AI as a barrier remover. Unfortunately some barriers are good or minimally necessary.
I think we'll need to revert to artificial barriers such as bonds, e.g., if you want to do a PR to my repository you need to pay a 10 dollar bond. If the PR is good and I want future PRs, you keep your bond. If it's slop and spam, I get 10 dollars for my time.
This is entirely too much friction in the wrong place. Public open source will simply die before a system like that ever becomes the norm.
The previous barriers worked because they were organically perfectly in line with a contributor's internal incentives. A contributor gains very little benefit from submitting a patch; the likelihood is infinitesimally small they'll ever get any career advancement, financial recompense, or even much community recognition for it. At most, it shifts the burden of maintaining the code they're contributing from themselves to the community / long-term maintainers. The real incentive for a contributor was making the patch, because they get to see the feature or fix they want made for the software. The previous barriers were in making the patch, and contributors would overcome that friction to gain the benefit of having the patch they want. Moving the barrier to merely submitting the patch after it has already been made will simply result in people not bothering, because there is very little incentivizing them to deal with the friction.
I agree with the bond in theory, but that would entirely stop contributions from people in economies where a shady maintainer could keep their code, and their weekly food budget.
We already have trouble with people maintaining open source projects without getting paid, now you want people to pay for the privilege to participate in free work?
Gratitude was maybe the wrong word. As the article mentions, before ai I think larger PRs, while sometimes inconsiderate, at least implied some amount of care / effort / good faith. In my experience, that was often rewarded with the maintainers at least taking a look at the code. I meant it's odd to have the same expectation when you dump 3000 lines in a pr that you won't even personally write a description for.
There is certainly a certain... entitlement? (It's not the perfect word, but I fail to find a proper term) from some of the vibe crowd. Like an attachment to the output and refusal to accept that most of the work was not theirs.
It is seen in the way they approach contributions but also in regular language. I created X, insistence that their 'curation' was very influencial to the output, difficulty to mention LLM contribution, attitude of 'I care about building while others lose time in details', refusal to engage with potential flaws, and so on.
It is surprisingly different to what I'm used to from senior devs, which behave like they always suspect their own work is flawed and half assed. Like impostor syndrome was reversed.
I agree it's not "entitlement" specifically but there's something there. I guess by now everyone has experienced that type of person that "tries to help" by copy/pasting a bunch of AI slop and expecting you to work through the cognitive load of validating it.
The original post sums it pretty well, such big output inherently meant big effort, which was a proxy for good faith. Now that's gone.
> It is surprisingly different to what I'm used to from senior devs, which behave like they always suspect their own work is flawed and half assed
I never trust my own code. And one of the motivations of trying to be fluent with my editor, is to be able to quickly look at it when a bug is reported. I also don’t trust another person with their description of their code. Any surprise, and I’m looking at the source if it’s a available.
> What's surprising is that while many submitters take that fairly well, some people get really indignant, essentially calling the maintainers ungrateful.
Why is it surprising that some people who expect results without spending any effort also feel entitled to receiving gratitude without putting in any thought?
If I don’t word these critiques in the most diplomatic way possible, this immediately turns into a discussion about the prevalence of anti-ai sentiment on hn. Which would be boring.
I can imagine in these cases the LLM is telling the "contributor" how smart they are and how much the project is loosing out, maybe saying something like: "It's not about maintaining project boundaries, it’s not about ensuring code quality; it’s a gatekeeping mechanism designed by traditionalists who feel threatened by forward-thinking creators like you who truly master the efficiency of AI."
If a project has a rule to not submit AI generated PRs, people should never submit AI generated PRs to that project. It's spam. Or if the rule is more nuanced than that in relation to AI, it should be respected.
It's 100% an issue with the people with submitting these PRs. So, if someone has a history of having no issue with breaking project rules (let alone being arrogant about it), it should be a massive red flag about the person for any possible employer or future collaborator checking their profile, etc.
Why people are wilfully destroying their own reputation like that is beyond me. It's infinitely better to have no activity at all on your profile than to create a track record of bad behaviour.
> What's surprising is that while many submitters take that fairly well, some people get really indignant, essentially calling the maintainers ungrateful.
I would be more sympathetic if they actually spent meaningful time on these contributions and could maybe see an argument for wanting their work to be given due consideration (lots of caveats here), but from what I’ve seen that’s the exception rather than the rule with a lot of these case.
It's interesting to see this perspective in the wild. In the age of AI I wonder what "massive value" your PR is bringing to the maintainer. $1 worth of tokens?
I mean, aren't you kind of proving the poster's point?
Fork away. If you want to put in the meaningful effort required to maintain and improve upon a project as significant as Godot, and feel that AI is a mechanism you want in order to do so, go for it. Clearly, the maintainers don't feel that that's the best approach to create the product they want to create, and they are not required to accede to the sense of entitlement of the community.
Even before AI it was trivial to setup a continuous merge script. I did that several years for several projects which refused my PR's.
Nowadays it's even more trivial.
And a community is more of a burden than an advantage nowadays. Users are ok, but a community not so. See python, perl, ruby, node and countless others.
The generalised form of this, which we are rapidly discovering, is that AI breaks the social contract that used to exist between an author and a reader (of prose, code, anything).
That's the most succinct way I have seen someone put it, thanks! It's really the same issue, no matter if it's software, online comments, e-mails, artworks, homework, etc. We engage because we expect to be interacting with the output of another human being. AI fundamentally betrays this expectation.
On the one hand, if you grew up in the baazzar, moving to the cathedral might feel like the "death of open source" even if it is really just a return to an earlier way of working.
On the other hand, while not accepting external code contributions will certainly improve their security posture it will also make it more difficult to identify who to invite to join the priesthood.
Open source development has become more and more superficial aligning with modern social network characteristics. It's more important to have an contribution, a active commit history, a few stars as a proof of pixel fame than the intrinsic value of the contributions or projects.
Before the rise of github, open source projects were heavily walled gardens. Little clubs that gave you a stare when you entered the room. Github commoditized getting in touch and lowered the barrier for how much effort you have to put in or even how much you have to care before you contribute. This is gone now and you have to build trust now before you can contribute to anything.
This isn't the death of open source. It's the death of the global village were everybody can freely roam and it's easy to interact. It's the resurrection of small, social, trusted communities. I hope this spreads to all of the internet.
Yes. Open source existed and thrived before GitHub, before git, and before anyone had ever used the words “pull request“.
It was different, to be sure, but it was not worse. We are living through a transition, but people do that all the time and we adjust our behaviour and we find new equilibriums. We will do that with open source too, and if it ends up looking more like open source in the 80s or 90s, it’s gonna be fine.
Maybe some people who got really good at gaming their Github reputation are going to lose out, but that was never the point. Anyone who likes this kind of work and wants to get involved will find a way.
> it will also make it more difficult to identify who to invite to join the priesthood
The point that this announcement is trying to make is, of course, that AI has already made that particular signal approximately worthless for that purpose.
There are great Open Source projects doing fine with the cathedral style, just look at Sqlite and its siblings (Fossil, …).
So I do not see a problem with Ladybirds decision, in contrary, IMHO it strengthens the human aspect of software development and puts the brakes on AI free riders
I still don't see solutions on how a normal person can become a mantainer though.
If all relevant open source projects close up their contributions, you can't enter the project anymore from an external point of view.
Almost all open-source public figures started by being interested in a project and submitting PR to it, until eventually either joining the project as core mantainer or creating a separate open source project. The path is now closed, and I don't see a way in, outside of creating a popular open source yourself
The path is not closed; it must be earned through trust. It has always been this way. Also, note that "pull requests" are a GitHub invention; the concept is not native to Git or most other SCM systems. Before, you would have to submit your patch by email. It would be reviewed by the "maintainer" (or BDFL), who would then accept or reject it. If your contributions are accepted several times, you may be able to earn the rank of "maintainer."
Returning to the topic at hand, the challenge for new developers is to earn trust. I bet there are ways to do so aside from the muddy swamp of GitHub's (AI) bazaar.
In this case they seem to be firmly closing the path though
> There will not be a separate process for submitting patches by other means. We do not want to create a shadow contribution system through issues, comments, email, or forks. External code can of course exist under the terms of the license, but we will not treat forks or patch dumps as a review queue for upstream Ladybird.
This does raise the question on how they are going to get new maintainers. The only thing I can think of is by active outreach to people contributing to adjacent projects that are still open. But that does not seem ideal to me as that will not yield people specifically interested and caring for the project you invite them to.
They don’t even have an alpha product yet. This used to be called vaporware but I’ll give them the benefit of the doubt that something will come in the future and they’re just focusing on fixing their own crappy code.
The amusing thing is that emailed patches and a listserv aren't actually all that different from github pull requests at the end of the day. In either case you're sending some code you wrote along to a group and asking them to look over it. The only real difference is the lack of a familiar web interface that's uniform across all projects and reduces friction to near zero, but emailing a patch hardly adds much friction in practice.
I think the primary difference is that it removes some of the incentive to status seek because there's no centralized network operator tracking contributions and displaying them on your profile for others to look at.
That said, the linked post explicitly says that Ladybird won't be accepting emailed patches, reviewing changes from downstream forks, or anything else. Hopefully that's not the case since entirely closing off the project would probably be an overreaction as well as jeopardize its future.
It’s really different because there’s no public signal between the email and the project itself. You can maybe search the log and see your patch, but there’s no central identity where you can brag about it. At most you can get a notice in a CONTRIBUTORS text file, or in the copyright header.
> Why would normal people even want to become an unpaid janitor for someone else's stuff?
Social validation. Or, to be slightly more generous, sort of a compulsory way to force someone more experienced to provide some mentorship, by compelling them to review your pull requests.
fwiw I asked Claude to look at GP's post and write me a story titled "The Cathedral, the bazaar and the junkyard" and I have a pretty good time reading his riff.
> it more difficult to identify who to invite to join the priesthood.
How about this. Somebody forks the project and submits their patches to the fork . If the fork is successful (there are users actively using it), upstream can selectively go fish for the patches themselves. The maintainer of the fork eventually gets recognized.
Not ideal, I know, but building a reputation is meant to take time.
In the post, the ladybird maintainers say that they trust pull requests less than they used to, because many pull requests are authored by AI now. A big pull request no longer signals that the submitter put in a lot of work into it and it's committed to developing and maintaining quality code.
Not sure if this happened to ladybird, but the amount of junk vibecoded AI-slop pull requests has been putting an immense amount of strain on many open-source maintainers. Reviewing stuff like that is intensely energy draining an most of the time your comments will just be copy-pasted into claude code and the "contributor" will put in 0 effort themselves to try to make the code readable or maintainable.
Before AI, being open source and having to manage issues and PR's was already a huge task, burning out maintainers left and right. Now with AI, anyone with a terminal and a claude code subscription can open PR's...
This is direct result of AI as you can see in many other public repos.
before AI like 1 in 1000 would spend their time fixing something they had no idea about and even then considering how much time you spent and how few of those happened it made sense to review/talk about it.
now every "dev" with claude submits prs having absolutely no idea what they are even doing.
most of them would not even be able to create PR without AI in the first place.
and on top of that add slop bots that "fix" issues in the loop and create hundreds of PRs daily
I can understand where they come from. If most of the pull-requests were AI-coded, well, the maintainers are equally capable of prompting Claude Code themselves.
I think the whole game of software engineering, open source or not, has completely changed. A lump of code doesn't mean or imply the same thing as it did 2 years ago.
A few years ago, if I send a complex PR that compiles and passes tests, that implies a certain amount of time and cognitive investment on my part. It seems likely that I wouldn't invest that if I didn't also understand the codebase, the feature or bug I'm working on, etc.
Now, that understanding is roughly as expensive as before, but AI has vastly reduced the cost of generating the code that compiles and passes tests.
Probably-well-intentioned community members are happy to contribute the cheap thing( Claude Code tokens) but, because it's so cheap, it's not a good indicator they've contributed the expensive thing (human understanding).
"Writing Code vs. Shipping Code: Productivity Effects Across Generations of AI Coding Tools"
As the FT summarizes,
> They found an explosive impact at the top of this funnel — coders created or edited almost 300 per cent more files — but that boost was halved to 150 per cent by the time they got to the number of discrete pieces of work submitted for review, and that in turn shrunk fivefold to a roughly 30 per cent uplift in the number of full software releases.
So as I wrote, AI vastly improves labor productivity on _coding_, but not nearly as much on code _review_ or other parts of the release pipeline.
And, unfortunately, for many open source projects, it's easy for volunteers to send code for review, but hard for them to volunteer reviewing PRs, managing releases, etc.
The code just isn’t the main effort of work anymore. Anyone can generate the implementation, so it makes more sense than ever to instead hammer out the what, why, and how that underlies any code change.
I see all projects moving this direction. Makes more sense to hash out a plan together.
For anything but the most trivial change, a prompt is not enough though. There's a long iterative process of generating the right code, reviewing it, testing it, experimenting with UX or design for maintainability, fixing bugs... even a predominantly AI-generated PR can capture a lot of value. But apparently trying to distinguish those from the 'one-shot' vibe coded PRs is too much work for the Ladybird team.
> But apparently trying to distinguish those from the 'one-shot' vibe coded PRs is too much work
That is exactly the issue. Projects that are end-user applications - as opposed to libraries or development tools - probably see far more slop than actual work like you've described. The yields are too low for it to make any sense to try to figure out which is which, their time is better spent doing the work.
When I contribute to OSS with AI I’m essentially engaging in a donation matching scheme where Anthropic matches 1 to 20 the dollar value invested (usually I can get ~2k of value per month on the $100 plan) in the open source project.
So any project that doesn’t accept AI PRs is really missing out on significant investment
> There will not be a [..] process for submitting patches by [any] means
> Outside involvement still matters: clear bug reports
So I can find a bug, I can fix it, but I am not allowed to tell them how exactly I did it.
Instead they have to re-figure it out. The team must be thrilled to re-do work they know was already put in by others, repeatedly.
As a user-and-eveloper, why would I sink time into a project with such rules that put a barrier to improving my life with the software? It seems much easier to use Firefox or Chromium, where my fixes actually meet open ears.
It was very useful for me in the past when a new Chromium version crashed on my product, that I could go and suggest a fix to V8, and it was rolled out in the next Chromium release so my product worked again (https://github.com/v8/v8/commit/4f8a70adca01c). Without this, maybe Chromium developers would have never bothered to fix it because of lack of time to figure it out.
> a pull request no longer tells us as much as it used to about the person submitting it
Nobody should need to know anything about any person submitting a pull request.
Hopefully whether code that makes it into Firefox or Chromium was never based on the "effort" or "faith" of the submitter, but based on the correctness of the code in review.
Reviewing code fixes is strictly easier than coming up with them yourself.
This holds true automatically: In any situation where it isn't, you can just write the code yourself and done.
As a project you can always ignore or close a PR you want to write yourself instead.
But it seems unwise to bar yourself from the _option_ of reviewing an outside contribution, or using it as input for your own re-write.
> So I can find a bug, I can fix it, but I am not allowed to tell them how exactly I did it.
Pin pointing the issue is way more than valuable than code. If you wrote a fix, you have analyzed the bug. The value is there, not in the fix. Sharing your fine analysis is the maximized contribution. Code is an optional bonus at most.
exactly. a _proposed_ code fix is a good indicator where the problem is (analysis) but more often than not the actual maintainable and sustainable solution will look different.
a code owner may choose a very different way of fixing things, even for what looks like a trivial fix.
Reviewing code in PRs is not a no-effort action. If there are 3 people working in the project, and thousands of people submitting bugfixes, then no matter how useful those bugfixes might be, the 3 people will be totally overwhelmed by the sheer number of PRs.
There might be value in your bugfix, but maybe that value is not greater than the cost of reviewing and accepting it.
> Reviewing code fixes is strictly easier than coming up with them yourself.
This is completely false, for any sufficiently complex project. The fix might be a single line change, but the consequences might be far reaching.
> As a user-and-eveloper, why would I sink time into a project with such rules that put a barrier to improving my life with the software?
Please don't! You don't owe the project anything. The other side of that equation is that the project also doesn't owe you anything. As simple as.
Firefox and Chromium are running much larger teams, let alone the Linux kernel, that other people suggested as a model. Maybe they can afford accepting your contributions.
> Nobody should need to know anything about any person submitting a pull request. Hopefully whether code that makes it into Firefox or Chromium was never based on the "effort" or "faith" of the submitter, but based on the correctness of the code in review. Reviewing code fixes is strictly easier than coming up with them yourself.
You state these things as if they are facts, but they are completely contrary to the lived experience of open source maintainers - not only my own and the TFA's but quite a large number of others who have shared similar pieces.
Would you mind sharing a link to one of the open source project you've been maintaining and reviewing contributions on for years that forms the basis of your expertise on this matter?
Yeah, I am employed by an open source company (to be clear not open core) and most of the external code contributions we get are a net cost for us. It takes more time to review than it would have taken for our team to code and review.
The real value we get from being open source is high quality bug reports and trust from our customers, not the external contributions. The only reason we welcome external contributors is marketing and generally being welcoming. If LLMs make this cost even higher for us then we might have to stop accepting external PRs.
You can still tell them how you did it, just not in the form of code/patches. You should be able to describe it in prose so that the maintainer understands your solution approach.
Not necessarily. I just fixed the Ladybird build process so it will successfully build on a system that uses musl instead of glibc. By far the most compact way of explaining what needed to be changed is to share the changes themselves. It is a set of very small changes to a number of individual files.
That sounds more like a new feature than a bugfix, however. That aside, I didn’t claim that it would necessarily be more compact, just that it’s possible. Any change can be described in prose, to whatever level is necessary to get the essential insights across. It’s how the ancient greeks did mathematics, they didn’t have symbols or formulas.
Exactly. You want others to change to fulfill your needs. Their priorities and needs are different. In this case, it was evaluated and found not to be useful (cost > benefits).
> You can still submit a bug report and tell them exactly how you did it.
Can you? The announcement says "There will not be a separate process for submitting patches by other means. We do not want to create a shadow contribution system through issues, comments, email, or forks".
So I, as a human, describe in prose which changes I made to e.g. 20 files?
How is that in the spirit of fighting LLM slop?
Also, if I can do that, the LLM slop contributers can also ... do that.
Fascinating to see that Chromium/Gecko/WebKit are now more "open" browser engines than Ladybird, at least in one important respect.
(Servo is arguably in the middle, accepting outside contributions as long as you don't use AI.)
It's understandable that a team without much funding would have to close off contributions to spare on labor costs. But, it makes me feel that people don't give Google/Mozilla/Apple enough credit for the economic resources they put into enabling openness.
(Personal bias/experience alert: I'm currently retired, but formerly worked at Google on Chrome. I saw many of my coworkers nurture outside contributors, and did some of that myself, both informally and through programs like internships.)
Those corporations are not doing that out of the good of their hearts. They are doing so to assert control, in order to protect their business value. If it stopped being economical for them, they would stop tomorrow.
I do not think we should be eternally grateful for monopoly building.
Reading this leaves a weird taste in my mouth, since the author tends to regularly make nontrivial >1k LOC PRs (sometimes several per day) and merge them on the same day with no reviews at all. This is even ignoring the LLM aspect; I don't know what % of them are assisted, but even if it was 0%, this isn't the pace of development I'd be comfortable with.
That's entirely consistent with what they said here:
> Whether code was typed by hand is beside the point. What matters is who is responsible for it once it enters the browser. Ladybird is becoming a browser for real users. The people introducing changes to it must be the people who decide those changes belong in the project, and who will answer for the consequences.
That's the philosophical argument. In practice, though, the effect of large unreviewed AI commits on the project and its users is likely to be the same regardless of whether those commits were prompted by a core developer or an outside contributor.
Yes, I have lost faith in some open source project maintainers that are doing this. There is an open source platform we've used for years at work (we use the paid Enterprise version of it) that introduced some pretty grotesque security flaws and when I looked into it I realized AI had taken over the project - you can clearly see it in the commit log whether it is attributed or not, just based on volume and frequency. It was very disappointing.
LLMs might be part of why Ladybird is making this decision, but they aren’t the only possible one: SQLite, for example, has been developed this way pretty much forever. To each their own, I guess.
Yeah I don't see the big deal here. Some of the best software is made and maintained by a very small group of dedicated folks. It's a perfectly reasonable move to protect their time and project.
It saddens me to see the communities surrounding free software projects going dark because of the threat posed by AI tools, but I don't know what other solutions there are that would mitigate the threat, particularly when browsers are such a compelling target. Perhaps some kind of trust system a la arxiv.org, where existing users have to vouch for new submissions before a user is themselves trusted? Definitely still vulnerable to abuse, but perhaps less so.
Closed-source projects have been dealing with this forever, by having a mostly-static pool of employees replenished through job listings and interviews. A FLOSS project adopting this model would certainly feel weird, but could work if there were enough willing candidates. The question is, who will take on effectively a job without the monetary reward?
It's inevitable that more projects follow this path.
The elephant in the room is so many projects already operate like this without formally announcing it.
If you look at Blender, one of the biggest and most successful OSS projects out there, it's effectively run as source available. Some PRs make it through, but for the most part there have been heavy barriers to entry to get your work into the product. In this example, it's been key to such a large and complex project with millions of users staying afloat. It's an inconvenient truth.
It's one of those unspoken things in open source - the bigger the project the less you can accept or vet contributions. The less able you are to respond to users because there are too many. The amount of code you need to own balloons. The signal to noise to too much. LLMs have massively exacerbated this issue.
I'd argue that was what made Serenity good - a toy OS that anyone can code anything for. Want to spend ages working on a painting program? Make screensavers? Add drivers for your printer? Port Doom? Improve font support because it sounds fun? etc. It celebrated coding for coding's sake, which is the antithesis of AI. There's no point vibe coding features for Serenity because there is no real product there.
On the other hand, Ladybird is gearing up to become a production-ready browser for real users. Adding fun features for the sake of it, and hand-rolling code to parse PNGs and the like, has become a liability for the project.
They are adopting Rust (https://ladybird.org/posts/adopting-rust/) and use LLMs to help with the rewrite, but not all code was migrated yet. Also it's definitely not a big-bang-rewrite-the-world-with-Claude like Bun.
I manage multiple open source Github enterprises for the Linux Foundation. Something like this is under discussion in all of them - the amount of terrible PRs and issues being filed is overwhelming.
Wasn't the entire goal of Ladybird to have an open and independent browser engine? Making it effectively closed to contributions makes it.. Not independent anymore. It's now dependent, on few people who work on it, just like any other closed-source or corporate-controlled browser.
I don’t think that changes the project independence, when a project is open to PRs you have the same dependency on maintainers accepting changes into main. And the project is still open source. But that does make it less community oriented
But opensource has always been about community. This way it becomes "source-open", even if you could make changes to it and run those changes yourself, the latter doesn't sound "opensourcy" to me.
Open source is about rights/freedom, the community aspect is downstream from that. You have “source available” projects with active communities and external contributors (see elastic license v2.0 projects), and open source projects that only rely on core developers. With open source freedoms comes a culture of community oriented development but what makes a project open is the license, nothing else. The right to fork, read, run, edit is what matters.
Unfortunately AI tools are breaking the open community dynamics, it has become more and more expensive to run open community oriented projects due to the noise, it’s really a shame. It’s a lot to expect volunteer project members to triage the increasing amount of AI garbage
The open source definition does not mention community at all - it is a set of licensing requirements that certain rights to modify code must be maintained, not that upstream will accept your change or (for that matter) that you need to package it up and hand it to them.
And submitting a PR is almost wholly dissimilar from a conversation between friends over dinner or drinks. If you want to have a community around an open source project, it always has taken more than just accepting patches.
It is still independent in sense that it doesn't depend on Google Search money and Chrome/Firefox code as most of the alternative browsers. Depending on your definition of dependency, it will always going to be dependent on something.
Also they are not changing the licence or preventing forks.
It is a pragmatic solution to a real problem that can really clog down progress on the project. I hope they (and other open source projects) will figure out how to filter in good, responsible contributors but I guess it will take time.
This seems quite misguided and is sad to see. They have every right to do this, but I was looking forward to continuing testing Ladybird as it improves and contributing in the future. I hope servo stays open to contributions, as it seems like it's all we have left.
It makes sense when you have a somewhat fixed core team size. Frankly, in some regards, this is the responsible thing to do.
It means they’ll never grow modules or the codebase beyond what the team can reasonably maintain.
However on the other hand.. What does this mean for the existing team, are maintainers now worth considerably more to the project? What does this mean for the codebase, or the momentum of the project?
It’s an approach I would have expected for the likes of curl, or single-purpose libraries. But this is a mammoth decision for a mammoth project.
Crappy timing for me. Ladybird has never built on musl based systems. I got that working just a couple of days ago (on Chimera Linux) and was hoping to push the changes to the project. I guess I am maintaining that myself now.
> hoping to push the changes to the project. I guess I am maintaining that myself now.
Not just the changes, you'd push the responsibility, too, for supporting a whole new compilation target. I don't know how big this is, but if it's a big enough hassle to keep maintaining this yourself, then consider that this maintenance work is really what you were hoping to push. So, depeding on which, you might be fine maintaining this, or the maintainers might have rejected the change, anyway.
Linux has WAY more maintainers, and many of them just reviewed other people's commits for years. They had a crazy amount of contributions even before AI.
I think we're past beginning to warn, we've now reached the point of accepting Linux needs to remove drivers and features, because the maintainers just can't keep up.
This is not helped by everyone using the same LLMs to find the same vulnerabilities and flooding maintainers with duplicate reports to be the first to get that CVE and branded vuln on their resume.
There are numerous advantages of microkernels over monoliths, but even if Linux were a microkernel it wouldn't necessarily change the review pressure that the above commenter is talking about, because you still have the same number of components (filesystem, networking, drivers, etc) to develop and review patches for (although you do have more well-defined interfaces between components, which eases security).
Not really - it changes how the lines are drawn between components, rather than removing any of them.
The EXT4 filesystem driver as an example contains most of the same code whether it is part of the kernel process or is a user process. A virtual filesystem abstraction is needed between the two in either case as well.
The kernel also already has a module system to support loading externally maintained code. You won't necessarily see a benefit from separately maintained drivers that wouldn't already be present.
Behind my question was another one: is there too much in the source tree that doesn't _strictly_ need to be?
Maybe not?
I just got the impression that there are a _lot_ of obscure drivers that have to be carried, and are eventually removed causing annoyance. An ABI for the people who cared about that random driver might localise the maintenance burden.
> An ABI for the people who cared about that random driver might localise the maintenance burden.
Yes, but one key reason that a stable ABI isn't provided for drivers is to help encourage companies that ship drivers to make their drivers open source. The idea being, if a driver is mainlined into the Linux kernel, the Linux developers will help maintain support for that driver, in exchange for it being released with an open source licence. There are companies (like NVIDIA) that ship closed source drivers for their devices, but they rely on a kernel-side shim that interacts with the userspace driver, and this is seen as second best compared to mainlining the driver in the kernel.
The core problem is that we don't have a PR respect system. 10kLOC from an unfamiliar person with empty GitHub is much different from a pal regularly contributing that you personally know.
Integrating some kind of proof-of-stake system might be a way forward for open source. Nobody wants to shuffle through a pile of low-quality PRs written by LLM.
They could make two kinds of pull requests and add much more strict criteria for public contributions. For example, they could say that the PR has to be smaller in size and well-documented for human review, otherwise it's closed by an automation.
And then if someone wants to do a larger contribution, they could have a process like making an issue, discussing the approach and then collaborating with a maintainer to get it in.
Blocking public contributions means that they want to have complete control of the project and AI is likely a good excuse to do that.
That doesn't solve the volume or quality problem. LLMs can split one giant PR into 50 smaller PRs just as easily and "well-documented" isn't something you can determine automatically.
Why is it so hard to just accept that AI PRs suck and create an enormous amount of toil?
It says something about the fragility of contemporary software that a fragment of bad code could result in doom. I think we need to move to much more restrictive computation architectures, inherently partitioned, functionally pure, and resistant to type confusion, pointer manipulation, memory issues etc.
I don't disagree with the desire for more inherently secure architectures, but I don't think it's the most relevant issue here.
You're always going to have to trust some core same-privilege code--a browser renderer is a great example of this: it has to be able to see the entirety of the DOM it's rendering, right?
Higher-level languages can still help code review--for example, memory safety makes it harder to hide a backdoor via unsafe memory operations leading to code injection. But you're still, fundamentally, trusting these community contributions.
I think the real problem (as others noted here) is that:
- writing code is now much, much cheaper than ever
- understanding and designing code is still fairly expensive
So doing the former (in the form of a PR that compiles and passes CI) is not a good "staking mechanism" to prove someone has done the latter.
Think about it. Anthropic just reported that their codebase is now improving itself. We're moments away from every open source repo being able to do the same. Think of it like torrenting — you'll be able to open your repo to the public, and have a stream of code flow in from millions of contributors. More code than you could ever write in ten lifetimes, uploaded to your repository in a matter of days.
Ladybird doesn't know it yet, but they just left themselves in the dust.
> open your repo to the public, and have a stream of code flow in from millions of contributors. More code than you could ever write in ten lifetimes, uploaded to your repository in a matter of days.
I don't like this, but I understand it.
I've contributed to the LB project several times, and I have made friends IRL with people who have also contributed to the project. ( we are now friends at uni )
It feels like a stepback because instead of 30-45 contributors every month, you have 15...
i feel like there should be a way to trust a PR ID verification or in-person verification at FOSDEM/DEFCON/Chaos Communication Congress,UNI's, for example.
> i feel like there should be a way to trust a PR ID verification or in-person verification at FOSDEM/DEFCON/Chaos Communication Congress,UNI's, for example.
They probably could do that as part of the hiring process.
Yes, Ladybird is facing a wall of slop... no... A tsunami of slop overwhelms core maintainers. Probably safe to generalize to other popular open source projects.
The project is important and the code is beautiful! I spent many happy hours trying to understand the code, browser-specs and tried to adapt to their coding style. After 18 months I ended up with a few merged PRs. Some were pure joy to write. I got to work directly with most of their core maintainers in the review cycle. They're great!! From the outside, it seems like their responsiveness to submissions slowed down in the last few months... slop.
Of course, it would be great if there was another way, but here we are.
Love <3 to Andreas and the core maintainer group! Keep up the good fight! Maybe we'll meet again.
1. Free Redistribution
2. Source Code
3. Derived Works
4. Integrity of The Author’s Source Code
5. No Discrimination Against Persons or Groups
6. No Discrimination Against Fields of Endeavor
7. Distribution of License
8. License Must Not Be Specific to a Product
9. License Must Not Restrict Other Software
10. License Must Be Technology-Neutral
Open source has nothing to do with the right to contribute upstream. It's about you being able to use the software how you like and make changes to it and redistribute it.
Hell no, open source is just about the licence, and source available generally refers to proprietary licenses that at least let customers access the source.
This is just the cathedral model to open source, as opposed to the bazaar you clearly prefer, but it's still open source.
Interesting how this post coincides with the Leyden declaration in mathematics: both documents are abot
how human-human trust ("in good faith") is eroded by
large language models, because a substantially-sized
artifact does not necessarily attest to substantial
human effort and skills.
Good point about how the community of mathematicians is struggling to come to terms with the role of language models in their work, and the similarity with the community of software developers. Machine-generated programs and proofs are contributing real value, undeniably, but it's causing social tension and destablizing the community with the sheer volume of its production, the varying quality, unreliability, and lack of humanity in the process. I would guess that similar issues will spread throughout society, in other areas of collective work and living. One potential solution, like with Ladybird and some other open source projects, is for a community to become more exclusive, restrictive and selective about what inputs they accept.
As much as I wanted to see another browser alternative succeed, Ladybird has lost my trust. Using LLMs to rewrite the entire codebase was already extreme. But eliminating external contributors is a precursor to a rug pull. And rewriting the entire codebase can now be seen as another step in a rug pull.
Perhaps we should start to describe projects as Open Contributions from now on. With maybe a few Open Contributions Standards to distinguish how this works.
I once submitted a PR to Ladybird, but even in early AI days there were so many open PRs that mine got lost in the noise. I don't really blame the maintainers here. Once the open PRs get to a certain point, it becomes unmanageable.
I think it's not the issue with the added PR count, but the fact they have to review them. 1 big PR review is the same as 5 small PR reviews if you have to look at how it holds, edge cases and what not...
Well, then add some backpressure. Each contributor gets only a few small PRs a month, until they prove themselves. Contributors that don't have a credible online presence are automatically rejected. Etc
Surprising how little appetite for changing norms exists here on HN. Yes, the transition to agentic coding will be difficult, but to me this is mostly exciting. Despite my AI enthusiasm, I also run into shortcomings that the agents have very often, but that's a more interesting learning experience than the status quo without AI would have been!
We'll have more such disruptions and we'll learn to live with it.
For an open source project, is there any reason to still accept code contributions?
Feature requests are valuable because they tell you what users want.
Error reports are valuable because they tell you under which circumstances the code fails.
But the code that implements those features and fixes those errors can now be written by AI. AI follows all the rules for how code is supposed to be written in your project. Is already producing very high quality code. And soon it will produce a quality that no human can match.
For the same reason software engineers still employed. AI is not yet capable of autonomous software development. From my perspective we're nowhere close.
So basically it will become more or less similar to the structure for SQlite and Fossil by Dr.Richar Hipp et al , basically seems most projects that have the requisite manpower/maturity will end up at that kind of structure.
In the long run may be interesting from a chain of trust (human as well as code) and interop as any dev from these projects (guilds?) would already have some trust build in.
curious what the "did the pipeline actually do what we think" story
looks like now.
"green" and "the right artifact exists" drift apart faster than
expected with more automation. exit code wasn't enough for us —
had to make the output file the thing that proves a run happened.
this is a move in wrong direction, its sad and a bad solution. Ladybird implements specs that must be compliant, making compliance harder is the way to go, proving the code changes does what they are intended for should be made better instead of gate keeping from malicious and "honest" contributors
Ladybird going source-available is quite unfortunate, seems like Gecko is the only production-ready independent browser engine we're left with.
They may, at this point, go ahead and remove "get involved" block from their website https://ladybird.org/, since it's not possible to contribute anymore.
That's not source-available, that's still open-source. Quoting Wikipedia:
> Source-available software is software released through a source code distribution model that includes arrangements where the source can be viewed, and in some cases modified, but without necessarily meeting the criteria to be called open-source.
> Open-source software (OSS) is computer software that is released under a license in which the copyright holder grants users the rights to use, study, change, and distribute the software and its source code to anyone and for any purpose. Open-source software may be developed in a collaborative, public manner.
It's not source available, source available implies some restrictions on what you can do with the source, or with any resulting binaries. This isn't a rugpull; all they're doing is closing off contributions, which has nothing to do with the license of the code.
Make a better Ladybird successfully to the point the original contributors take notice. If the barriers to doing that are truly lower, then it should be easier.
It’s controversial to say, and I may be downvoted, but I’ll share this as a pov: OSS is essentially giving away our work for free. Did that ever really make sense? If it does, why don’t graphic designers give their work away for free? Why don’t authors do that? UX designers?
It’s a very peculiar thing to us nerds.
And the strangest thing is, we may have unwittingly built the data source required to make our skills redundant, as models are trained on the work we gave away for free.
I wonder, if they are really only concerned about trust, will accepting external PRs but never giving commit access to external contributors work for them?
Of course, if they are also concerned about the quality of external PRs then that does not help.
This is not really a valid criticism for an Open Source project. I built Ladybird from source yesterday and I am typing this comment in it now. So, I assure you that the Ladybird browser exists.
Of course, Ladybird is not production ready yet. Feature-wise, it is getting close. I can use it to do most of the things I want to do with a browser. Speed and reliability are another matter. I has gotten dramatically faster but normal users would still find it slow. But the biggest problem is reliability. I would not use it in its current form for anything that matters.
But for a complicated application that was started from scratch, not being ready yet is not an indictment. They claim it will be ready for regular users to try sometime this year and, from where I type, this seems realistic.
That's not entirely true. It's certainly the case that Ladybird is still under an open-source license, but the whole idea of the "Open Source" label was to move the emphasis away from having a free license to actually being open to patches in practice.
RMS would emphatically agree that Free Software doesn't mean being open to contributions; if you asked him about either "FOSS" or "Open Source" he'd probably command you to wash your mouth out with soap. It's the other side of the fighting FOSS family which evangelised for Linux-like development (see the thread from https://news.ycombinator.com/item?id=48410503 ).
Indeed, while there is communication that the situation with merging external pull requests should improve, the reality is that it's easier to land a patch in Linux, than in Zig.
It sounds like all public contribution will simply be impossible. That said, they will continue to develop out in the open on GitHub and you can clone the repo and build whenever you want. You can continue to contribute in other ways.
I hate this change and agree with your PR comment. This change makes me sad as well.
My hope is that public contributions can resume in the future. Part of their justification for this step is that they are trying to stabalize the project to produce a stable public alpha. Fair enough. And many Open Source projects have begun to voice concerns over the burden that the massive increase in contributions is causing, often from AI. Linus Torvalds has certainly been flagging this. The Open Source world in general is going to have to navigate this and come to a solution that works without the entire Open Source ecosystem becoming read only.
Once Ladybird ships a "stable" browser out to the world, I am hoping they can adopt whatever the "best practice" for Open Source has become to be able to accept public participation again.
> Moving to a closed development model => opensource is just a gimmick,
How so? Many projects are open source (GPL, MIT, whatever) while closed development, and no one calls those a gimmick.
In any case, most open-source is going to move towards a closed-development model; there simply isn't the resources to review thousands of lines of PRs per hour.
Maybe, or maybe not. But it will certainly kill the community they've built up, and squander a huge amount of goodwill. Why would anybody who's interested in supporting or using an independent browser (read: techies) choose one that nobody can contribute to? Not to mention how the sponsors might feel about this.
Too early to say. Once they enter "we now accept everyone to use Ladybird as daily driver" then there will be the real test phase. And, IMO, only after that phase has started and continued for some months, perhaps even few years, can a final conclusion be made. If ladybird fails then the Google empire has won permanently. Skynet slop will then be under control of Google, just as they stole all the advertisement money.
It's not the only solution but it might reduce PRs by a decent amount I would think.
If you see a PR and the guy is verified, you can check his name, his linkedin and where he works, at least there is some accountability if he introduces malicious code.
If the goal is to reduce slop, define slop. As a maintainer of a project you should be able to tell if something is slop.
If you don't have time to read PRs (which is the real issue here) that's fine too.
My guess is they want to reduce the amount of PRs, and ensure that the quality of the PRs passes an extremely high bar.
While it would help for some use-cases, it wouldn't necessarily reduce the problem that a browser is facing when dealing with malicious code in a large and complex codebase. And vetted people can be victims of supply-chain attacks, which makes it still hard to evaluate a change properly.
It's not an impossible problem, but it's a resource allocation problem, and they don't seem to have a way to address it at the moment besides closing all PRs.
I suspect that rather than some kind of digital proof-of-competence, communities will shift to in-person meetups at conferences and such. Which is unfortunate for people who can't attend for whatever reason, but I think some solution to that can be worked out.
I been thinking about it for a while that we need some score based system where each PR on GitHub/Gitlab grants you a review form the maintainer as well. You build your rep and the maintainers decide about the thresholds for contribution.
I'm surprised this isn't yet a thing. Heck, this can be made independent of GitHub/Gitlab, like a portal which tracks your rep. Could also help you got hired. Think Stackoverflow rep mixed with LinkedIn but for actual code contribution.
Yes I'm aware it sounds Black Mirror-ish. But we need more meritocracy in the world of OS that is otherwise highly anonymous and with very little public authority.
It's surprising to me how many people here seem offended that someone might just not want their code.
I guess it takes quite a lot of experience as a maintainer to realize that 'free' in 'free code contributions by strangers' is like 'free' in 'free puppy'.
What made open source great, is the fact that if you find a problem, you can patch it. It's what motivated me, anyway. Ladybird is not SQLite, it's under development and very likely will be forever. To me it looks like they are transitioning into a company, where this model makes sense.
I truly understand why this step was taken, but it is still sad to see the death of open source or rather open contribution. Every project that turns away from open contributions is a project lost to the whims and fuckery of AI Bros.
What I realy want to know how sustainable a model like this is. How does one find new maintainers when old ones leave. When you cannot contribute anymore.
> Whether code was typed by hand is beside the point. What matters is who is responsible for it once it enters the browser. Ladybird is becoming a browser for real users. The people introducing changes to it must be the people who decide those changes belong in the project, and who will answer for the consequences.
It probably accelerated the decision, but I don't think that's all of it. I think they're moving in the WebKit/Safari direction: open for you to look at, but not really an open source project.
WebKit does allow outside contributions, though that example is perhaps not the most illustrative as it is from an Igalia employee. Igalia maintains substantial parts of WebKit and at this point has to be the #2 contributor other than Apple themselves.
That's not really right, though the license is still Open Source compliant. Linux was practising an open, patches-welcome developement style before the forges existed, on its mailing list. This did indeed contrast with how eg. the FSF was running its projects, though even in those the door wasn't shut as hard on people wanting to contribute as Ladybird's now is, I think. Then Eric Raymond wrote "The Cathedral and the Bazaar" specifically to talk up Linux's patches-welcome development model, and to move the emphasis away from (just) licensing terms and source accessibility, to openness to patches. Netscape then launched the Mozilla Project specifically on the CatB model. In response to the surge of momentum, the "Open Source" label was created basically as a brand name for the CatB perspective. After all this, "doing it as open source" was established as a clear mental category in people's heads, and the forges popped up as low-friction SaaS solutions for something that people already wanted to do, and by then were often already doing. (In the process helping to make Web-based SaaS a well-established concept and business model in people's heads, something with ironic consequences.) So Ladybird's current development model is much more clearly in line with the Free Software philosophy than the Open Source philosophy. To be clear, that's not the only disagreement or difference of emphasis between "Free Software" and "Open Source": most obvioulsy, Ladybird's BSD license is a failing in the FSF's view of things, just not enough of a failing make Ladybird not Free Software. But it is a real one.
"The Cathedral and Bazaar" is orthogonal to open source. Its argument is that open source is most valuable when paired with the bazaar model, not that the cathedral model cannot be considered open.
The open source definition was created in that mind. It does not state or imply open development or a community are requirements.
CatB and Open Source aren't coaxial, but there wasn't a very clean separation between them either: https://www.free-soft.org/literature/papers/esr/cathedral-ba...https://web.archive.org/web/20021001164015/http://www.openso... . "[T]he same pragmatic, business-case grounds that motivated Netscape" was CatB. Even now OSI doesn't emphasise any separation: https://opensource.org/about . You are correct: the Open Source Definition does not mandate an open development model. However that's probably at least in a small part because, well, how would one craft a legal requirement for open development in a software license that wasn't either unenforceable or very burdensome and abusable? It's also quite definitely because the expectation was that forks and/or the threat of forks would in practice enforce a certain level of open development on OSD-compatibly-licensed software: this was in fact what ended up happening to GCC at least once https://en.wikipedia.org/wiki/GNU_Compiler_Collection#EGCS_f... . If software projects all largely go the way Ladybird is going now, and stay that way, then it's a crushing (though not total) defeat for what the Open Source movement promoted and what it hoped to achieve; but sure, to be clear, Ladybird remains OSD-compliant. (Not total because at least the source remains available, without paying or signing anything, for bug-hunting.)
I think I didn't put the emphasis right in my comment above. The code is still fully open source, but the project that produces the code isn't. It's not dissimilar to other projects producing open source software.
This is the first time I've seen a project with this much history in community contributions close down, though. I suspect AI will cause more projects to follow in Ladybird's footsteps.
AI contributions are only a part of the issue. Another part is where a contributor decides they want a specific feature and contributes it but then disappears off into the sunset when it comes to needing maintenance later.
A bit sad to see this. Of course they are free to do it the way they prefer, and there are successful projects like this (Notably SQLite) but there has to be a reasonable middle ground between "everyone can just flood us with 30,000-line 'Claude implement feature X make no mistakes' PRs" and "we're not open to outside contributions"
How would you decide what is the middle ground though? If a project allows some AI-generated PR if its good quality, then it is a burden on the reviewer on what is considered good or not.
You can introduce a social/trust element to it, something like: Join our Discord, chat to us, come to our "office hours" video calls first, then you get to contribute.
Maybe also limit the size/scope of external contributions (only small bug fixes allowed for your first few PRs)
I wasn’t around much before GitHub so. I believe I tried submitting patches to the XFCE project but I didn’t get anything accepted to FOSS before GitHub.
In this type of system, if I am competent and can contribute how to do I? By reviewing the maintainers PRs, helping fill out more info for bug reports / root causing?
There had to be some way for a competent user to get involved enough to become a familiar handle to the maintainers and be seen as a possible future maintainer/ expert contributor right?
Newspapers are adopting it too, so soon we may see slop dominate even high brow publications.
Feels like a huge shift in human intellectual capabilities. Honestly quite worrying, I don’t think it’s a Luddite position to say that removing writing is removing thinking.
> Whether code was typed by hand is beside the point. What matters is who is responsible for it once it enters the browser. Ladybird is becoming a browser for real users. The people introducing changes to it must be the people who decide those changes belong in the project, and who will answer for the consequences.
Applies so, so widely. Glad they’re taking (very necessary) action here.
I paid for Kagi's Orion (even though it's actually a little crappy) because I want options in the browser landscape. I'm really rooting for Ladybird, and just in case they don't offer a paid version in the future, here's a link to how you can sponsor its development: https://opencollective.com/ladybird
Oh well, AI bros ruined it. I'm actually glad in some twisted way, because if more projects follow suit and close their development, it will again become an actual badge of honor to get on those teams. Having contributed to such projects will mean something.
While I understand the motivation for this change, I have to highlight something: GitHub's slogan 'social coding' is becoming more and more true these days. Now opensource will become a thing that only "influential" people can contribute to. We're back to nepotism, not meritocracy. Down hill we go.
> Now opensource will become a thing that only "influential" people can contribute to.
No. Having access to a slop generator doesn't entitle you to acceptance to any and all open source projects. You're still responsible for the quality of your contributions. Something that is completely lost on bullshit artists.
Don't put words in my ~mouth~ (keyboard) that I didn't ~say~ (type), I'm not saying I want my contributions to be accepted on equal footing even if they are generated by AI. What I'm saying is that solving this problem this way is going to make opensource much worse. We need a better way, and I'm not sure which is the better way, sorry.
You aren't really contributing anything except funding to Anthropic/oai/MS/etc if you're sending genAI content. The better way will be fairly similar to the previous status quo: humans interacting with humans, with the change that there will be higher barriers to gaining access to the web of trust.
> You aren't really contributing anything except funding to Anthropic/oai/MS/etc if you're sending genAI content.
Why people keep saying that I'm advocating for AI use? I'm not happy with the decision of Ladybird maintainers, but that doesn't mean I'm willing to spam them with AI slop.
Your prior message could be taken that this was an elitist move, and not a move that is being taken by many different projects for survival with limited review capacity.
LLMs in general change the balance of how much effort generating content takes, sometimes by orders of magnitude. They unfortunately do not significantly change how much effort it takes to understand and evaluate the quality of that content. The result is that the base value of a piece of content (including code) is plummeting.
Opensource is already much worse and is drowning in slop. Until a better way is found (if it can be found), severely restricting contributions is the only sane response.
And it has nothing to do with the perceived "only influential people can do it". You're always welcome to fork any and all projects and run your AI on those
I don't know about you, but as for me, when I contribute to opensource it's because I find some improvement that makes the project better because it probably polishes some rough edge around a kind-of particular use case (that maybe few people face, but still, it makes the project better for them; it amplifies the range of usecases that it can span to). If everybody does the same with their small improvements, the project becomes better for everyone, but none of the contributors of these small changes would have time to embark on maintaining a fork. Mantaining a fork is hard work, not only because software breaks over time (dependencies going obsolete or insecure, builds stop working because of old toolkits), but also because not pulling the latest changes from master would mean that your fork gets stagnated (and thus not worth to run it).
> For decades, code contributions have been how open source projects learned who to trust. People would show up, do the work, take responsibility for their changes, and stick around. Over time, trust emerged from the work itself.
The solution, IMO, is a strictly worse version than what we chose in the Zig project (banning LLM contributions).
> AI tools have changed the economics of this very quickly. We use them ourselves every day, but a pull request no longer tells us as much as it used to about the person submitting it. A substantial patch used to imply substantial effort, and that effort was a reasonable proxy for good faith. That assumption no longer holds.
Things that worry me about this choice:
- open source is a tough business and you need to leverage the good things about it to make it worth doing. contributors bring in a huge amount of value that they offer you essentially for free (see contributor poker: https://kristoff.it/blog/contributor-poker-and-ai/), on top of being a hugely valuable recruitment funnel. They're rejecting all of that, which seems insane to me.
- one could argue that LLMs could fill that gap but, first of all they could have just banned LLM usage only in PRs from untrusted contributors, and second even the best LLM:
1. is a cost, not just free value, and the price of tokens is increasing
2. the code has to be reviewed anyway, unless you think that just passing tests is good enough for a browser
3. ultimately can't become a trusted core contributor able of taking ownership of a part of the codebase
- removing the influx of code that comes from PRs means that over time the whole project will have a small number of contributors that own all the code, making it easier for the project to do a license rugpull. when copyright ownership is well distributed this kind of thing is harder to pull off.
Overall, this is not good in my opinion. They're making open source a more problematic business model for them than it has to be, while at the same time making it harder to recruit more core contributors, as the code ownership coalesces to small group of people.
This is an obvious recipe for disaster (a rugpull), and I'm forced to wonder if this is just by mistake or if some of the Ladybird sponsors are playing a mean game of Secret Hitler. I guess only time will tell.
The Zig project is making a real difference in the culture of open source software. I'm so glad for the leadership and community. It's a refuge from the mania of large language models disrupting this and other industries, steamrolling over human connection, decency, ingenuity, class, taste. These intangible qualities that make it worthwhile, joyous and fun, will be destroyed unless people put in effort to protect them.
Comments in this thread that insist open source has nothing to do with community, that it's simply a licensing matter, is disappointing and shows a lack of understanding of what's it's all about. Similarly with the community of mathematicians. Some people reduce it to "Math is just a tool", which is just ignorant and sadly misses the beauty, wisdom, camaraderie, and the humanity of the endeavor which is what matters.
>This is an obvious recipe for disaster (a rugpull), and I'm forced to wonder if this is just by mistake or if some of the Ladybird sponsors are playing a mean game of Secret Hitler. I guess only time will tell.
When I first read this I checked the license and saw that a rugpull would be permitted. However, if someone wants to continue the project after the rugpull they could do something thing like the redis rename to redict.[0]
I want someone to resolve the contradiction you have highlighted. Why don’t we now have an AI built web browser that is much better faster than chrome?
To that mind, why hasn’t chrome itself become 1000x better?
There is a disconnect between the narrative and reality.
"A browser runs untrusted input from the entire internet on the user’s machine, and one well-disguised vulnerability is all an attacker needs. We have already seen patient, well-resourced campaigns in open source to earn maintainer trust and abuse it."
Cool - how about fewer perma-bans on github for participating in discussions?
Also, as I have pointed out before, they seem to develop too slowly for a solid beta this year. You only have to look at the issue tracker and check for URLs not working or even crashing the browser. Ladybird may have gotten better in the last months, but imagine if 50.000 people are using it, you will see more bugs. How do they then handle bug reports?
I wonder how can a new browser engine survive with the source available model. Like, why would anyone support this, unless they have business association with the Ladybird developers?
It's not source available. It's OpenSource(TM) because of the BSD-2 license.
This is not unheard of. The most famous models are emacs & SQLite. SQLite doesn't accept outside patches, emacs is developed opaquely and only releases are put forward.
You can do this with GPL, too. You put out tarballs of the releases only.
There's a great misconception between Free Software, Open Source, and Open Development (bazaar model). They complement each other, but they are completely independent things.
Addenda: Looks like emacs' Git repo is publicly accessible now, but it's not a requirement for GPL or Free or Open Source software.
It's actually common, many companies develop their products this way. The source is available, you can see the VCS, but you can't participate in the development. That's why I see this as signal that it's going to turn into a company.
However many if not most of these companies use "Source Available" licenses which say "Thou shall look, thou shan't compile". This is very different than Open Source license of Ladybird itself.
Seems cold how they present this, but on the other hand I’ve ignored Ladybird because I just don’t think they’ll have meaningful impact, so I remain unaffected by this policy change.
When AI first happened, I was afraid I was going to eventually lose my job. And while I've been lucky since, many did, and that hurt a lot. When people are losing something to automation, regardless of the economics of the situation, you cheer for the humans, or at least hope that society keeps being fair to those who are most affected.
Now I see communities being affected. When you kill PRs, you not only kill the code contributions, but also massively impact the other, non-tangible contributions like ideas, eyes on code, etc. That feels way worse.
I'm conflicted, confused and afraid, HN. Look at what I just wrote, yet I use claude and deepseek and all the skills and complex harnesses and MCPs and whatnot... But all now seems like a transition phase. Transition to f-ing what though?
A lot of questions cannot be answered unless we dedicate a meaning to our lives. Human touch? Too late? Also: I liked a song and it was sonos. I unliked it after discovering. I feel so stupid, so often.
Sorry for the unhinged digression.
I love Ladybird (have a sticker on my laptop to prove!), I hope they thrive.
>But all now seems like a transition phase. Transition to f-ing what though?
It feels like being in the middle of a tornado. But I think it helps to turn off screens, sit in a desk, and calmly remember first principles and consider them slowly.
Quoting obama, "reality has a way of catching up with you".
I see a lot of talk, but iOS is not delivering a decade of features and fixes on each yearly release. Literally no one does, if anything people are complaining that existing functionality is breaking down. So it can't be true that we're at 10x productivity, and this fact will eventually catch up with us.
Let's be human, and remember that many people are emotionally invested. Juniors want this to be a chance to shine in a market that otherwise rejected them. CEOs placed their bet on AI and don't want to walk that back. Seniors want to signal that they are not obsolete. AI companies will poison discourse. But all this smoke will eventually clear.
I've been thinking a fair bit about what I'm seeing in terms of the output I experience
It's quite hard to quantify, but I think it's one shot nature really makes it hard to gauge it's capability
Friends have spoken of good days and bad coding days with me, and I find it odd nodding along, it's a strange new normal
At times it feels like we're just coding with one-armed bandits, trying to carefully line them up for a jackpot and just discarding and retrying if we don't hit
I think about some of the more complex systems I've built and I wonder how well we can build them like this
And over engineering, there seems to be over engineering everywhere, and yet, more fragility to our systems
It's all a little surreal
I imagine this stuff is probably really good at iterative changes to improve objective benchmarks like CPU or RAM use. I'm thinking of little contained optimizations that you can understand in and of themselves, that you maybe have done yourself before in other places, found really quickly and applied uniformly. Stuff you can confirm to be what you expect it to be by mostly just scanning. Low hanging fruit for sure, but something where you can actually know what is a fruit and what is crap, and only keep the fruit, and develop some confidence in the process, if that makes sense?
Or trying to reduce complexity, increasing readability and coherence of variable names (the opposite of code golf if you will), while staying within a certain limit of performance regression (e.g. "make this code as nice as you can while making it at most 0.5% slower").
Making the stuff millions of people have been using for decades better, in a way that also makes it better for humans when they read the code. Surely that's possible, some people are probably doing it but it doesn't go viral as much, because it's too mundane.
And of course, making new stuff is more exciting. I mean, you could hit on something with a vibe coded thing, and then know it's now worth to make a non-sloppy version, but you won't get much fame for making ffmpeg twice as fast by prompting an LLM. Though on the other hand, it's like a safe investment (if not in "fame", then in "improving the stuff we all have to use daily"), because you know ffmpeg and many many other things will still be around, whereas a vibe coded thing that wasn't special will be 100% forgotten the next day, or have just the one user forever.
> Juniors want this to be a chance to shine in a market that otherwise rejected them.
I actually am training 2 trainees (Azubi in German) and 1 working student. All three are somewhat anxious about the future but also all are learning in a significantly increased pace, compared to the ones I worked with 1.5 years ago.
They don't have to wait for random senior to answer questions, so they get stuck way less often. They aren't allowed to use AI to generate code though, so not sure how that'd look like learning-wise if we/they went all-in on AI.
> But all this smoke will eventually clear.
I wish I could be so optimistic. Our lives are ruled by distorted, irrational, inefficient, failed markets, and the markets can remain distorted, irrational, inefficient, and failed for longer than we as individuals can remain solvent. "In the long term the market is a weighing machine", for term lengths that include the heat death of the universe.
I sense your comment as saying: "AI is hype, and reality will catch-up.".
But the simple fact is there's massive evidence that in skilled hands 10x or 100x engineers are possible. We're seeing evidence of it across major open source project as well. And definitely behind closed doors across companies.
Reality will catch-up with that too, once the other smoke clears.
> But the simple fact is there's massive evidence that in skilled hands 10x or 100x engineers are possible. We're seeing evidence of it across major open source project as well. And definitely behind closed doors across companies.
Each of these three sentences are in need of some evidence. I'm not actually seing any signs of software velocity notably increasing anywhere. Except perhaps in the AI-reseller sphere, but that seems mostly due to throwing huge amounts of VC money at it and a lack of quality control.
100x is achieving something in two days, what it took an entire year before. I strongly doubt that is happening for an individual.
> 100x is achieving something in two days, what it took an entire year before.
Reduce your scale: "100x achieves in 1 hour what used to take 1 week."
One year of work could require levels of complexity and human judgement that can't be accelerated past a certain point.
1 week of work can be reduced to an hour and some change.
That requires that you not only one-shot the thing. You will also not have the time to verify the solution yourself in that time period.
Besides 1h what used to to take 1 week is basically 40x given a workweek is 40h.
That’s also not possible in “skilled” hands. My output is roughly the same. It does the scaffolding, but I need to rewrite almost every line, because it introduces footguns around that often. And before I had about 20000 LOC it failed even with scaffolding, ie architecture. And it wasn’t taste, just footguns all around, architecture ones. Nowadays for example still introduce mutability or completely unnecessary complexity where it shouldn’t, even when the example code which does almost the same is pristine. Many times it’s like StackOverflow, when a question doesn’t need 90% of the accepted answer, but people happily copy it brainlessly.
This is especially bad with new, or quickly improving frameworks, like Android Compose. LLMs use completely outdated, deprecated APIs all the time, when they are not completely supervised. Or at least, I hope so that the framework causes it. Because if that’s not the case, then your products are fucked.
Also even with the best prompts it could never produce more working code in an hour than what I can produce in a day. Regardless of quality, just “working somehow”. Not even with an uninterrupted session. If that’s the case for some, then there is definitely also a developer skill issue. And so would definitely not trust anything coming out of their “supervision” of an LLM.
The baseline engineer in that case must really be something incompetent.
Ironic. The best way to turn 1x engineers into 100x engineers is to reduce the median skill level by 100x.
I'm not say it's pure hype. Not in the sense of previous hype waves like the metaverse or NFCs. It clearly has uses.
I do think it is hype as a killer of knowledge work. It can certainly remove a lot of friction in the kind of borderline mechanical work that you'd formerly outsource to the lowest priced denominator, serve as an idea bouncer, remove friction for bug tracing, etc.
Attempts to cross the next line ("no need for architecture discussions, ai plans", "no need to read the code, ai reviews", and so on), nope.
As someone else mentioned, 100x is a couple days producing the outcomes (remember, not output) of a year. Or for a team, iOS delivering in a single year ten times as many features as its entire previous existence. It's not something that doesn't get noticed.
> And definitely behind closed doors across companies.
At my large org (+100 engineers), I'd say it's a mixed bag and the overall impact of AI rollout looks to be slightly negative productivity.
They probably won't say it publicly though.
It's not because some people are more productive with it that all of them are and it certainly doesn't mean that the company itself is more productive either as you have other things than code to take into account.
Name a single project that has a 10x increase. I mean real production ready code, not some single person hobby project.
> Now I see communities being affected. When you kill PRs, you not only kill the code contributions, but also massively impact the other, non-tangible contributions like ideas, eyes on code, etc. That feels way worse.
These "contributions", while they did exist in small quantities, mostly were not actually what you've described there.
Instead, those boiled down to unsolicited opinions, hostile takeover attempts, value extraction, general drama and just overall overhead over simply building code.
This was not always the case, but the GitHub model of building FOSS (and removal of all friction) certainly made it the new default.
Said model was always unsustainable, but the burn rate made it sustainable enough so that we could just throw more humans at the problem to replace the burnt-out ones.
AI pushed the burn rate over the replacement rate.
=> We will likely see more projects adapt this or a similar stance I think.
It always seemed like a weird default to let people (esp strangers) submit PRs that weren't tied to an issue nor approved.
What do you mean you just spent a week implementing something in secret?
AI makes it extra silly because now you can craft up your unsolicited code change in minutes, making it extra obvious that code changes should spawn from real discussion and agreement.
TFA is part of looking for new processes that actually work. Dunno why people are having such rose tinted glasses about pull requests. Open an issue, talk to people. Have an idea? Then get people to cosign it.
I think it was different pre-AI. Someone might come in and spend days getting some understanding of the codebase before they contribute some minor fix. Over time they might stick around a make some more of these, progressively gaining trust so when they do take on something bigger the maintainers will know they aren't wasting their time reviewing it.
Now they can drop a multi thousand line poorly understood PR day 1.
As someone who maintained FOSS libraries pre-AI, I think the frequency might have changed, but large drive-by PRs with thousands of changes happened before too, I've been on the receiving end of those many times. Usually they fundamentally change the architecture too, then the submitter get offended/sad/surprised when you tell them you impossibly could accept it and they should stop wasting their time contributing without discussing first. Usually ends with some threats how their fork will take all the contributors or something like that.
What I don't get, is why these LLM users aren't asking their LLM for how to contribute and how the project prefers to contribute, and how they can make sure it's accepted? Literally, the very same tools they use to code, can be used to make sure their PR follows all guidelines, from discussions to acceptance of the PR itself, it's right there, they literally just have to prompt for it! Such a lazy group of people.
Good faith PRs were also suffering under the current model. Ive opened PRs by hand on small projects to try and fix personal issues that probably affected others. Then the PRs languish for months or in one case literal years under the deluge of ai slop being spammed at the repo. I’m not going to ping the maintainers constantly when I know they are struggling so I’m left running my fork and no one else gets the benefit.
Big projects pre-AI also can have hundreds of rotting PRs. It's a lot of work to go through them, and unsolicited PRs are kind of the wrong way to spend time as a maintainer.
AI just makes it so obvious how bad of a process it is that we can't ignore it anymore, and now we need to finally figure out good processes.
Even little stuff like: I've created issues on the Claude Code github that got agreement and then led to code changes. Why isn't there a default, built-in way for my issues to rise above the zero-effort chaff? If you finally do the work of vetting someone's PR, why isn't there a built-in (hidden) way to +1 someone so we can see that they have some reputation with the project on their future issues/PRs?
First off, to have conflicting feelings about something is really normal and doesn't immediately point to a problem, it's extremely human, and I feel similar to you to. I'm a creative + programmer, I hate to see what's happening in some communities yet I too use agents for development, it'd be like avoiding Google + SO when they first appeared, feels like there is a clear "before/after" moments with those, and with LLMs as well.
I don't really have anything useful to add here, I think, just that you aren't alone in feeling conflicting feelings here. New things usually are like that, comes with incredible benefits in some areas yet seem to strip humanity away from others, some people use it to produce fluff and crap, others essentially gain new abilities and use those to build even better stuff. I don't think there is any universal truths here, sadly.
I, very genuinely, highly recommend reading the Wikipedia page about the Luddites if you feel confused. This is a class consciousness problem. People feel conflicted because they know they aren't acting in their own best interests when they use generative AI (i.e. it does not lead us, as a society, to a good place -- mainly due to our bought-out legislature).
Again, I don't think there is any universal truths here, no correct nor incorrect answers, it's all very subjective. For example, I'm conflicted about the thing as a whole, but also I wouldn't say "Usage of generative AI for sure leads society to a worse place" like you just implied, that's too absolute for me and not something I'd agree with, and it wouldn't resolve the conflicts we're talking about here.
Maybe your legislative feels bought out, that sucks, but that's not the situation nor the feeling everywhere in the world, certainly not where I live, so also doesn't seem to be related although if I assume where you live, I totally understand why you're currently feeling like that.
> that's not the situation nor the feeling everywhere in the world, certainly not where I live
Do you expect your government to navigate whatever transition might await us in a manner that works out well for the vast majority of your countrymen? What about the governments of other major world powers? Even if your local government does all the right things, will the world as a whole end up in a good place?
That said, I'm not sure that there's much in the way of actionable options, at least not with clearly defined outcomes.
> Do you expect your government to navigate whatever transition might await us in a manner that works out well for the vast majority of your countrymen?
No, but I expect them to do the best they can, with the information they have available, as always, as they just like me, are just humans. Trusting the legislative branch of my government is different from "so you think it'll work out well for everyone then huh?", btw.
> What about the governments of other major world powers?
Why does it matter how much I trust the legislative branch from other countries? They do as they wish, we continue to do as we wish.
> Even if your local government does all the right things, will the world as a whole end up in a good place?
My experience and opinion is that generally the world is getting better almost every day, vast difference even compared to ten years ago, how much better the world is today, for most people. There are some few countries which lately been going in the wrong direction, but for the most part, we (humanity) are getting incrementally better.
> Trusting the legislative branch of my government is different from "so you think it'll work out well for everyone then huh?", btw.
Agreed, and that was exactly my point. Concern about possible impacts of a technology were expressed and you responded that you trust your government. But that's not the same as thinking that everything is headed in a good direction and doesn't require intervention.
> Why does it matter how much I trust the legislative branch from other countries?
Because in a globalized world if everyone else goes to shit you will probably also experience significant negative effects even if it's not as bad.
> for the most part, we (humanity) are getting incrementally better.
It seems to me that it's prudent to perform a risk assessment rather than assuming that everything will work out just because things seem to have been going well enough so far.
I feel like you're trying to move this conversation in a direction of discussing policy, while the context are individuals, their emotions and how they feel about things, that's how the conversation started. I never talked about how much I trust/distrust my government, all I said was that I trust the legislative branch, as parent commentator said they didn't trust their legislative branch. How much I distrust/trust my government at large is hardly on topic here, I also don't think because one (large) country been bought out, doesn't mean the entire world goes to shit, nor do I assume that everything everywhere will work out simply because I'm admitting that I too am conflicted, even though I too use AI-tooling, even though I'm a creative that like manual crafted things, even though I trust the legislative branch of my government.
We can also take some refuge in things like steam engines or electricity or the internet and how if you're just on the cusp of those you'd have similar feelings, but many years later here we are, still with jobs and meaning. A lot of people say this time is different but I guess when electricy showed up people would've said the same? I certainly remember people predicting that Manhattan would stop existing during the dotcom bubble because the internet would kill all street level businesses and people would work from wherever so big cities were over. And here we are.
I'm also conflicted but take a glass half full approach basing myself on the fact that when I'm feeling like "this time is different" it's probably my ego wanting my lifetime to happen at an interesting time in history, so my brain wants the current events to be the most transformative.
It certainly didn’t kill Manhattan, but it did kill or at least seriously maim lots of small towns. We lost a lot of local culture in the switch to everything being available online. I’m not sure we’re better off.
> A lot of people say this time is different but I guess when electricy showed up people would've said the same?
No. Electricity didn't raise the skill floor all that much. Certainly nowhere near the human skill ceiling.
> the internet would kill all street level businesses
That was never going to happen overnight, if at all. But online retail (and food delivery, etc) does seem to be slowly but surely eating away at local shops so I think it's within the realm of possibility.
> But online retail (and food delivery, etc) does seem to be slowly but surely eating away at local shops so I think it's within the realm of possibility.
Online retail eating away at local shops is a problem with two aspects - one of which is largely ignored and much more pernicious.
Yes, many people are shopping online which reduces footfall in the town centres. If this were a case of all the existing businesses simply shifting away from physical storefronts to virtual ones it would merely be unfortunate.
What's far worse is that the vast majority of the business that shifted away from a diverse collection of bricks-and-mortar stores now goes through one of a very few online retail giants.
Likewise, a couple of food delivery apps are parasitising takeaway food businesses.
And now we're allowing a handful of AI giants to tollbooth software development.
You can stop at any time. It's an unfortunate reality that many will not pay much mind as long as it's other people who are being harmed, but why support something morally and financially when it's now destroying something you personally care about?
For many, there's a cost involved in stopping, and not all can bear it.
Sonos? Did you mean Suno?
It doesn’t help to know that using and supporting private LLMs is only making openai/anthropic/google/etc even richer. I myself cannot justify its usage.
> When people are losing something to automation, regardless of the economics of the situation, you cheer for the humans
As in cheer for the humans because they've been liberated from the drudgery they have lost?
Side question: what's wrong with Sonos playing a song? Are they generating AI music now?
> Transition to f-ing what though?
The future is a bit fuzzy, always. That said, here's my take on it.
> Transition to f-ing what though?
Not jobs. Those will be gone once ai can do them cheaper than humans. ai can already do many (most?) of them better than humans. The jury is still out on the cost aspect. Judging by r/LocalLlama, the lower cost is not that far off. There may be some structural adjustments around compute pricing before that happens, though.
In the EU, humans will probably be ok. They have a strong tradition of focus on human needs. Because of lower average salaries [1] than the US [2], human employment will likely carry on longer as well.
In the US, those folks that have capital will likely be ok. They'll be able to purchase services from ai companies and invest in ai companies and corporate armed forces (ai-populated, not human) to protect the Haves. Those that don't have capital? Who knows? America hates poor people, women and minorities.
China? No idea. Though I hear that their demographics are upside-down, so there'll be fewer people to support over the long-term. That they'll supply the robotics and goods for the rest of the world is not in doubt: cheaper electricity from solar/wind, advanced ai and robotic tech, science and industry moving forward while the US regresses, hard.
India? Hard to say. No social net of any consequence. Not enough capital to go full ai/robotics, human labor way cheaper than ai/robotic labor at the moment, so maybe they'll survive as that last major bastion of human work for some time to come. But their economy is growing, and they have a lot of people, so at some point they'll come to that same fork in the road. Hopefully they'll have serious social safety nets by that time.
Africa? In a lot of ways, they're similar to India on the human labor costs side, so their future hasn't been written yet either. India can probably fend off an invasion by rapacious US corporates with ai/robotic armies looking for resources because of sheer numbers, but Africa, fragmented, is a different story. Maybe China will be their friend? If you think this scenario is outlandish, look into the history of European companies colonizing the world. You didn't think the East India Company with its massive private armies were government-owned, did you? Likewise with the Spanish/Dutch/Portugese expansions. The govt. takeovers didn't happen until much later, tens of decades later.
South America? They're an interesting case. Brazil may take a trajectory similar to the EU. Chile, Ecuador, Uruguay too. The others are a ?
[1] https://en.wikipedia.org/wiki/Economy_of_the_European_Union [2] https://en.wikipedia.org/wiki/Economy_of_the_United_States
Very related: https://graymirror.substack.com/p/sam-altmans-lamplighter
> Also: I liked a song and it was sonos. I unliked it after discovering. I feel so stupid, so often.
This is asinine. Keep depriving yourself of things you enjoy I guess?
Perhaps knowing a human with talent worked on it, putting some small part of themselves and their lived experience into the music has value to them? If so, then their actions make complete sense.
Human created music might have value to them, but it doesn't mean that the AI song was valueless. They admit they enjoyed it. So it doesn't make sense in terms of it not having value.
I wouldn't say it's asinine though. People reject creative output out of personal protest against the creator. Someone might love a movie only to refuse to ever watch it again because they found out the director was accused of something horrible.
Some people just don't want to support anything to do with AI. Although in this case the OP admits to also using AI directly so there's some inconsistency there, which is consistent with the state of confusion and uncertainty OP is expressing.
It's not asinine at all. Context matters in art. Otherwise, more songs exist that I would probably really like than I will ever hear, so I'm going to focus on the human-made ones. Besides, part of the joy of music extends beyond listening. For many people, myself included, if we feel really connected to a song we like to learn about the people who created it.
I think your response is reactionary.
how was open source managed before GitHub ? you had to find a mailing list, be involved in the mailing list - ask questions, make a proposal, then create code after -- code goes through x rounds in the mailing list. finally it is merged if it suits direction of the project.
this willy nilly of opening pr's while not being an active member of a community I would say decimated open source.
I've been looking a lot at Godot (another big open source project) PRs lately, and there's been kind of a surge of wholy ai-generated PRs (both code and description). This is agains project-policy, so people creating these PRs usually get mildly told off. What's surprising is that while many submitters take that fairly well, some people get really indignant, essentially calling the maintainers ungrateful.
It's kinda surprising to me that even the people who are all in on ai haven't internalized that there's no inherent value in producing a big lump of code. They've massively decreased the work they put in but still expect the same pre-ai reaction/gratitude when submitting a big PR.
The pre-ai reaction was also unwarranted: committing a massive amount of potentially unmaintainable handwritten code isn't a necessarily positive contribution and any decent engineer (or person tbh) would understand that & not expect gratitude, no matter how concerted their effort.
In that context, I wouldn't expect an idiot (of which there has always been far too many in this industry) to change their behaviour in a post-ai world. They were always out of line & continue to be.
Fwiw, a non-technical employee in my workplace has begun submitting ai-generated prs to internal repos I maintain & they're of excellent quality, with review feedback graciously received & expediently addressed, so this isn't a matter of the idiots not being technical, it's an attitude problem.
Sure, but I think we should judiciously avoid the false equivalence yielded by only looking at this on a developer-by-developer basis, rather than systemically. The truth is that in practice, AI is not a neutral force. Obviously AI can enhance the output of smart, experienced developers and improve the efficiency of code reviews, mitigating the effects of garbage PRs. However, it increases the percentage of PRs contributed by entirely inexperienced and/or not-smart devs from zero to, potentially, the majority. It entirely removes the barriers inherent to coding that kept Dunning-Krueger cases from submitting ill-conceived or poorly constructed changes— actually getting them to run in some way, even poorly. That makes them much more difficult to distinguish from well-constructed PRs than those from, say, someone cargo-culting code from tutorials.
Moreover, as these tools become more expensive, people with money to blow on tokens will be able to drown maintainers that don’t have enough token-cash to help them deal with it. People see this as mostly a matter of time and energy, but I reckon it will soon be a financial issue.
I see AI as a barrier remover. Unfortunately some barriers are good or minimally necessary.
I think we'll need to revert to artificial barriers such as bonds, e.g., if you want to do a PR to my repository you need to pay a 10 dollar bond. If the PR is good and I want future PRs, you keep your bond. If it's slop and spam, I get 10 dollars for my time.
This is entirely too much friction in the wrong place. Public open source will simply die before a system like that ever becomes the norm.
The previous barriers worked because they were organically perfectly in line with a contributor's internal incentives. A contributor gains very little benefit from submitting a patch; the likelihood is infinitesimally small they'll ever get any career advancement, financial recompense, or even much community recognition for it. At most, it shifts the burden of maintaining the code they're contributing from themselves to the community / long-term maintainers. The real incentive for a contributor was making the patch, because they get to see the feature or fix they want made for the software. The previous barriers were in making the patch, and contributors would overcome that friction to gain the benefit of having the patch they want. Moving the barrier to merely submitting the patch after it has already been made will simply result in people not bothering, because there is very little incentivizing them to deal with the friction.
I don't disagree, where is the right place for the friction?
I agree with the bond in theory, but that would entirely stop contributions from people in economies where a shady maintainer could keep their code, and their weekly food budget.
Or create pull requests and earn crypto!
https://gitearn.vercel.app/
https://gitreward.com/
We already have trouble with people maintaining open source projects without getting paid, now you want people to pay for the privilege to participate in free work?
It's a bond not a fee. If the maintainer feels that it's spam, they keep the bond. If they feel like it's not, they leave it.
That sounds like a massive headache for maintainers and opportunity for people to cry foul. That gets messy so fast.
Gratitude was maybe the wrong word. As the article mentions, before ai I think larger PRs, while sometimes inconsiderate, at least implied some amount of care / effort / good faith. In my experience, that was often rewarded with the maintainers at least taking a look at the code. I meant it's odd to have the same expectation when you dump 3000 lines in a pr that you won't even personally write a description for.
There is certainly a certain... entitlement? (It's not the perfect word, but I fail to find a proper term) from some of the vibe crowd. Like an attachment to the output and refusal to accept that most of the work was not theirs.
It is seen in the way they approach contributions but also in regular language. I created X, insistence that their 'curation' was very influencial to the output, difficulty to mention LLM contribution, attitude of 'I care about building while others lose time in details', refusal to engage with potential flaws, and so on.
It is surprisingly different to what I'm used to from senior devs, which behave like they always suspect their own work is flawed and half assed. Like impostor syndrome was reversed.
I've experienced the following sequence more than once at work, and I remain baffled by it each time:
- Receive a huge vibecoded PR for complicated new feature.
- Complain that this needs some design doc to figure out the right approach first.
- Author says no need for design doc, easier to have vibed implementation and discuss the concrete code instead of abstract document.
- I disagree (obviously), but review the PR with feedback along the lines: this entire approach is flawed, throw this out and start over.
- Author gets defensive, says "but this is already working and ready, let's just merge".
- I tell them there is no chance in hell this is getting merged. They go sulk to their manager that I'm not interested in helping them launch.
I agree it's not "entitlement" specifically but there's something there. I guess by now everyone has experienced that type of person that "tries to help" by copy/pasting a bunch of AI slop and expecting you to work through the cognitive load of validating it.
The original post sums it pretty well, such big output inherently meant big effort, which was a proxy for good faith. Now that's gone.
It was a proof of work system. When work becomes cheap, it stops being proof.
> It is surprisingly different to what I'm used to from senior devs, which behave like they always suspect their own work is flawed and half assed
I never trust my own code. And one of the motivations of trying to be fluent with my editor, is to be able to quickly look at it when a bug is reported. I also don’t trust another person with their description of their code. Any surprise, and I’m looking at the source if it’s a available.
> What's surprising is that while many submitters take that fairly well, some people get really indignant, essentially calling the maintainers ungrateful.
Why is it surprising that some people who expect results without spending any effort also feel entitled to receiving gratitude without putting in any thought?
If I don’t word these critiques in the most diplomatic way possible, this immediately turns into a discussion about the prevalence of anti-ai sentiment on hn. Which would be boring.
I can imagine in these cases the LLM is telling the "contributor" how smart they are and how much the project is loosing out, maybe saying something like: "It's not about maintaining project boundaries, it’s not about ensuring code quality; it’s a gatekeeping mechanism designed by traditionalists who feel threatened by forward-thinking creators like you who truly master the efficiency of AI."
I wouldn’t be surprised to find out this is part of their RHLF training, the attitude is so prevalent in these models.
If a project has a rule to not submit AI generated PRs, people should never submit AI generated PRs to that project. It's spam. Or if the rule is more nuanced than that in relation to AI, it should be respected.
It's 100% an issue with the people with submitting these PRs. So, if someone has a history of having no issue with breaking project rules (let alone being arrogant about it), it should be a massive red flag about the person for any possible employer or future collaborator checking their profile, etc.
Why people are wilfully destroying their own reputation like that is beyond me. It's infinitely better to have no activity at all on your profile than to create a track record of bad behaviour.
> What's surprising is that while many submitters take that fairly well, some people get really indignant, essentially calling the maintainers ungrateful.
I would be more sympathetic if they actually spent meaningful time on these contributions and could maybe see an argument for wanting their work to be given due consideration (lots of caveats here), but from what I’ve seen that’s the exception rather than the rule with a lot of these case.
There massive value in AI PR's.
If a feature and ignored, it can forked to provide more value to the users.
If unaccepted bugfixes, the maintainers are just silly. They need to be forked off.
It's interesting to see this perspective in the wild. In the age of AI I wonder what "massive value" your PR is bringing to the maintainer. $1 worth of tokens?
As explained: New features. Bugfixes. Better analysis.
Only stoneagers would say that they are better than a good AI.
I mean, aren't you kind of proving the poster's point?
Fork away. If you want to put in the meaningful effort required to maintain and improve upon a project as significant as Godot, and feel that AI is a mechanism you want in order to do so, go for it. Clearly, the maintainers don't feel that that's the best approach to create the product they want to create, and they are not required to accede to the sense of entitlement of the community.
Even before AI it was trivial to setup a continuous merge script. I did that several years for several projects which refused my PR's.
Nowadays it's even more trivial.
And a community is more of a burden than an advantage nowadays. Users are ok, but a community not so. See python, perl, ruby, node and countless others.
The generalised form of this, which we are rapidly discovering, is that AI breaks the social contract that used to exist between an author and a reader (of prose, code, anything).
That's the most succinct way I have seen someone put it, thanks! It's really the same issue, no matter if it's software, online comments, e-mails, artworks, homework, etc. We engage because we expect to be interacting with the output of another human being. AI fundamentally betrays this expectation.
On the one hand, if you grew up in the baazzar, moving to the cathedral might feel like the "death of open source" even if it is really just a return to an earlier way of working.
On the other hand, while not accepting external code contributions will certainly improve their security posture it will also make it more difficult to identify who to invite to join the priesthood.
Open source development has become more and more superficial aligning with modern social network characteristics. It's more important to have an contribution, a active commit history, a few stars as a proof of pixel fame than the intrinsic value of the contributions or projects.
Before the rise of github, open source projects were heavily walled gardens. Little clubs that gave you a stare when you entered the room. Github commoditized getting in touch and lowered the barrier for how much effort you have to put in or even how much you have to care before you contribute. This is gone now and you have to build trust now before you can contribute to anything.
This isn't the death of open source. It's the death of the global village were everybody can freely roam and it's easy to interact. It's the resurrection of small, social, trusted communities. I hope this spreads to all of the internet.
Yes. Open source existed and thrived before GitHub, before git, and before anyone had ever used the words “pull request“.
It was different, to be sure, but it was not worse. We are living through a transition, but people do that all the time and we adjust our behaviour and we find new equilibriums. We will do that with open source too, and if it ends up looking more like open source in the 80s or 90s, it’s gonna be fine.
Maybe some people who got really good at gaming their Github reputation are going to lose out, but that was never the point. Anyone who likes this kind of work and wants to get involved will find a way.
> it will also make it more difficult to identify who to invite to join the priesthood
The point that this announcement is trying to make is, of course, that AI has already made that particular signal approximately worthless for that purpose.
There are great Open Source projects doing fine with the cathedral style, just look at Sqlite and its siblings (Fossil, …).
So I do not see a problem with Ladybirds decision, in contrary, IMHO it strengthens the human aspect of software development and puts the brakes on AI free riders
I still don't see solutions on how a normal person can become a mantainer though.
If all relevant open source projects close up their contributions, you can't enter the project anymore from an external point of view.
Almost all open-source public figures started by being interested in a project and submitting PR to it, until eventually either joining the project as core mantainer or creating a separate open source project. The path is now closed, and I don't see a way in, outside of creating a popular open source yourself
The path is not closed; it must be earned through trust. It has always been this way. Also, note that "pull requests" are a GitHub invention; the concept is not native to Git or most other SCM systems. Before, you would have to submit your patch by email. It would be reviewed by the "maintainer" (or BDFL), who would then accept or reject it. If your contributions are accepted several times, you may be able to earn the rank of "maintainer."
Returning to the topic at hand, the challenge for new developers is to earn trust. I bet there are ways to do so aside from the muddy swamp of GitHub's (AI) bazaar.
In this case they seem to be firmly closing the path though
> There will not be a separate process for submitting patches by other means. We do not want to create a shadow contribution system through issues, comments, email, or forks. External code can of course exist under the terms of the license, but we will not treat forks or patch dumps as a review queue for upstream Ladybird.
This does raise the question on how they are going to get new maintainers. The only thing I can think of is by active outreach to people contributing to adjacent projects that are still open. But that does not seem ideal to me as that will not yield people specifically interested and caring for the project you invite them to.
They don’t even have an alpha product yet. This used to be called vaporware but I’ll give them the benefit of the doubt that something will come in the future and they’re just focusing on fixing their own crappy code.
The amusing thing is that emailed patches and a listserv aren't actually all that different from github pull requests at the end of the day. In either case you're sending some code you wrote along to a group and asking them to look over it. The only real difference is the lack of a familiar web interface that's uniform across all projects and reduces friction to near zero, but emailing a patch hardly adds much friction in practice.
I think the primary difference is that it removes some of the incentive to status seek because there's no centralized network operator tracking contributions and displaying them on your profile for others to look at.
That said, the linked post explicitly says that Ladybird won't be accepting emailed patches, reviewing changes from downstream forks, or anything else. Hopefully that's not the case since entirely closing off the project would probably be an overreaction as well as jeopardize its future.
It’s really different because there’s no public signal between the email and the project itself. You can maybe search the log and see your patch, but there’s no central identity where you can brag about it. At most you can get a notice in a CONTRIBUTORS text file, or in the copyright header.
Just uh.. build your own thing?
Boom. Maintainer. Easy.
Why would normal people even want to become an unpaid janitor for someone else's stuff?
> Why would normal people even want to become an unpaid janitor for someone else's stuff?
Social validation. Or, to be slightly more generous, sort of a compulsory way to force someone more experienced to provide some mentorship, by compelling them to review your pull requests.
If you grew up in a junkyard, getting adjusted to the social norms of a bazaar might feel like your way of life is being threatened.
In your analogy, is the junkyard the development model of vibe coding?
I look forward to the book: The Cathedral, The Bazaar and The Junkyard.
fwiw I asked Claude to look at GP's post and write me a story titled "The Cathedral, the bazaar and the junkyard" and I have a pretty good time reading his riff.
“Its riff”
You're absolutely right...
> it more difficult to identify who to invite to join the priesthood.
How about this. Somebody forks the project and submits their patches to the fork . If the fork is successful (there are users actively using it), upstream can selectively go fish for the patches themselves. The maintainer of the fork eventually gets recognized.
Not ideal, I know, but building a reputation is meant to take time.
Stuff like this makes me wish AI had never happened.
An open-source projects losing the ability to find and mentor new maintainers is so disappointing.
They have rewritten a huge change of their project using llms.
How is it really related to AI? there have been issues with open-source and maintainers for a long long time
In the post, the ladybird maintainers say that they trust pull requests less than they used to, because many pull requests are authored by AI now. A big pull request no longer signals that the submitter put in a lot of work into it and it's committed to developing and maintaining quality code.
Not sure if this happened to ladybird, but the amount of junk vibecoded AI-slop pull requests has been putting an immense amount of strain on many open-source maintainers. Reviewing stuff like that is intensely energy draining an most of the time your comments will just be copy-pasted into claude code and the "contributor" will put in 0 effort themselves to try to make the code readable or maintainable.
Before AI, being open source and having to manage issues and PR's was already a huge task, burning out maintainers left and right. Now with AI, anyone with a terminal and a claude code subscription can open PR's...
Maintainers can also use the exact same tools to help review and validate PRs
Read the post
My friend, the very article we are talking about this mentions this directly
This is direct result of AI as you can see in many other public repos.
before AI like 1 in 1000 would spend their time fixing something they had no idea about and even then considering how much time you spent and how few of those happened it made sense to review/talk about it.
now every "dev" with claude submits prs having absolutely no idea what they are even doing. most of them would not even be able to create PR without AI in the first place.
and on top of that add slop bots that "fix" issues in the loop and create hundreds of PRs daily
I can understand where they come from. If most of the pull-requests were AI-coded, well, the maintainers are equally capable of prompting Claude Code themselves.
I think the whole game of software engineering, open source or not, has completely changed. A lump of code doesn't mean or imply the same thing as it did 2 years ago.
I think this is the key point.
A few years ago, if I send a complex PR that compiles and passes tests, that implies a certain amount of time and cognitive investment on my part. It seems likely that I wouldn't invest that if I didn't also understand the codebase, the feature or bug I'm working on, etc.
Now, that understanding is roughly as expensive as before, but AI has vastly reduced the cost of generating the code that compiles and passes tests.
Probably-well-intentioned community members are happy to contribute the cheap thing( Claude Code tokens) but, because it's so cheap, it's not a good indicator they've contributed the expensive thing (human understanding).
Also, this paper seems relevant: https://www.nber.org/papers/w35275
"Writing Code vs. Shipping Code: Productivity Effects Across Generations of AI Coding Tools"
As the FT summarizes,
> They found an explosive impact at the top of this funnel — coders created or edited almost 300 per cent more files — but that boost was halved to 150 per cent by the time they got to the number of discrete pieces of work submitted for review, and that in turn shrunk fivefold to a roughly 30 per cent uplift in the number of full software releases.
https://www.ft.com/content/8e9ae7a4-7209-4e2c-aa36-f3af77d6c...
So as I wrote, AI vastly improves labor productivity on _coding_, but not nearly as much on code _review_ or other parts of the release pipeline.
And, unfortunately, for many open source projects, it's easy for volunteers to send code for review, but hard for them to volunteer reviewing PRs, managing releases, etc.
> that implies a certain amount of time and cognitive investment on my part
Yes, this is the takeaway for me. A PR can no longer be a reasonable proof of work.
The code just isn’t the main effort of work anymore. Anyone can generate the implementation, so it makes more sense than ever to instead hammer out the what, why, and how that underlies any code change.
I see all projects moving this direction. Makes more sense to hash out a plan together.
As they say, just send me the prompt instead, at least that's more useful.
For anything but the most trivial change, a prompt is not enough though. There's a long iterative process of generating the right code, reviewing it, testing it, experimenting with UX or design for maintainability, fixing bugs... even a predominantly AI-generated PR can capture a lot of value. But apparently trying to distinguish those from the 'one-shot' vibe coded PRs is too much work for the Ladybird team.
> But apparently trying to distinguish those from the 'one-shot' vibe coded PRs is too much work for the Ladybird team.
Yes, that is exactly what this announcement is about. That it was too much work for them to tell those two apart.
Migh as well just write the thing out yourself - you will learn something by doin that and it will be easier next time. :)
> But apparently trying to distinguish those from the 'one-shot' vibe coded PRs is too much work
That is exactly the issue. Projects that are end-user applications - as opposed to libraries or development tools - probably see far more slop than actual work like you've described. The yields are too low for it to make any sense to try to figure out which is which, their time is better spent doing the work.
yeah but they could get free token usage from the community
When I contribute to OSS with AI I’m essentially engaging in a donation matching scheme where Anthropic matches 1 to 20 the dollar value invested (usually I can get ~2k of value per month on the $100 plan) in the open source project.
So any project that doesn’t accept AI PRs is really missing out on significant investment
Yeah, but then it’s either an arduous manual review or incurring a bunch of token usage to review something that may be slop.
> There will not be a [..] process for submitting patches by [any] means
> Outside involvement still matters: clear bug reports
So I can find a bug, I can fix it, but I am not allowed to tell them how exactly I did it.
Instead they have to re-figure it out. The team must be thrilled to re-do work they know was already put in by others, repeatedly.
As a user-and-eveloper, why would I sink time into a project with such rules that put a barrier to improving my life with the software? It seems much easier to use Firefox or Chromium, where my fixes actually meet open ears.
It was very useful for me in the past when a new Chromium version crashed on my product, that I could go and suggest a fix to V8, and it was rolled out in the next Chromium release so my product worked again (https://github.com/v8/v8/commit/4f8a70adca01c). Without this, maybe Chromium developers would have never bothered to fix it because of lack of time to figure it out.
> a pull request no longer tells us as much as it used to about the person submitting it
Nobody should need to know anything about any person submitting a pull request. Hopefully whether code that makes it into Firefox or Chromium was never based on the "effort" or "faith" of the submitter, but based on the correctness of the code in review.
Reviewing code fixes is strictly easier than coming up with them yourself.
This holds true automatically: In any situation where it isn't, you can just write the code yourself and done.
As a project you can always ignore or close a PR you want to write yourself instead. But it seems unwise to bar yourself from the _option_ of reviewing an outside contribution, or using it as input for your own re-write.
> So I can find a bug, I can fix it, but I am not allowed to tell them how exactly I did it.
Pin pointing the issue is way more than valuable than code. If you wrote a fix, you have analyzed the bug. The value is there, not in the fix. Sharing your fine analysis is the maximized contribution. Code is an optional bonus at most.
exactly. a _proposed_ code fix is a good indicator where the problem is (analysis) but more often than not the actual maintainable and sustainable solution will look different.
a code owner may choose a very different way of fixing things, even for what looks like a trivial fix.
Reviewing code in PRs is not a no-effort action. If there are 3 people working in the project, and thousands of people submitting bugfixes, then no matter how useful those bugfixes might be, the 3 people will be totally overwhelmed by the sheer number of PRs.
There might be value in your bugfix, but maybe that value is not greater than the cost of reviewing and accepting it.
> Reviewing code fixes is strictly easier than coming up with them yourself.
This is completely false, for any sufficiently complex project. The fix might be a single line change, but the consequences might be far reaching.
> As a user-and-eveloper, why would I sink time into a project with such rules that put a barrier to improving my life with the software?
Please don't! You don't owe the project anything. The other side of that equation is that the project also doesn't owe you anything. As simple as.
Firefox and Chromium are running much larger teams, let alone the Linux kernel, that other people suggested as a model. Maybe they can afford accepting your contributions.
> Nobody should need to know anything about any person submitting a pull request. Hopefully whether code that makes it into Firefox or Chromium was never based on the "effort" or "faith" of the submitter, but based on the correctness of the code in review. Reviewing code fixes is strictly easier than coming up with them yourself.
You state these things as if they are facts, but they are completely contrary to the lived experience of open source maintainers - not only my own and the TFA's but quite a large number of others who have shared similar pieces.
Would you mind sharing a link to one of the open source project you've been maintaining and reviewing contributions on for years that forms the basis of your expertise on this matter?
Yeah, I am employed by an open source company (to be clear not open core) and most of the external code contributions we get are a net cost for us. It takes more time to review than it would have taken for our team to code and review.
The real value we get from being open source is high quality bug reports and trust from our customers, not the external contributions. The only reason we welcome external contributors is marketing and generally being welcoming. If LLMs make this cost even higher for us then we might have to stop accepting external PRs.
You can still tell them how you did it, just not in the form of code/patches. You should be able to describe it in prose so that the maintainer understands your solution approach.
Not necessarily. I just fixed the Ladybird build process so it will successfully build on a system that uses musl instead of glibc. By far the most compact way of explaining what needed to be changed is to share the changes themselves. It is a set of very small changes to a number of individual files.
That sounds more like a new feature than a bugfix, however. That aside, I didn’t claim that it would necessarily be more compact, just that it’s possible. Any change can be described in prose, to whatever level is necessary to get the essential insights across. It’s how the ancient greeks did mathematics, they didn’t have symbols or formulas.
> It was very useful for me
Exactly. You want others to change to fulfill your needs. Their priorities and needs are different. In this case, it was evaluated and found not to be useful (cost > benefits).
> So I can find a bug, I can fix it, but I am not allowed to tell them how exactly I did it.
You're allowed, they'll just ignore it. Same as how sqlite and some other projects operate.
> So I can find a bug, I can fix it, but I am not allowed to tell them how exactly I did it.
You can still submit a bug report and tell them exactly how you did it.
> Reviewing code fixes is strictly easier than coming up with them yourself.
Unless it's hundreds or thousands of AI slop PRs each pretending "here's a bug I fixed it"
> You can still submit a bug report and tell them exactly how you did it.
Can you? The announcement says "There will not be a separate process for submitting patches by other means. We do not want to create a shadow contribution system through issues, comments, email, or forks".
So I, as a human, describe in prose which changes I made to e.g. 20 files?
How is that in the spirit of fighting LLM slop?
Also, if I can do that, the LLM slop contributers can also ... do that.
> Can you? The announcement says
That you can still report bugs
> So I, as a human, describe in prose which changes I made to e.g. 20 files?
Rarely does a bug require a description of what needs to be done in 20 files
> Also, if I can do that, the LLM slop contributers can also ... do that.
Yes, they can. Yes, they will. And yes, it's a problem.
Fascinating to see that Chromium/Gecko/WebKit are now more "open" browser engines than Ladybird, at least in one important respect.
(Servo is arguably in the middle, accepting outside contributions as long as you don't use AI.)
It's understandable that a team without much funding would have to close off contributions to spare on labor costs. But, it makes me feel that people don't give Google/Mozilla/Apple enough credit for the economic resources they put into enabling openness.
(Personal bias/experience alert: I'm currently retired, but formerly worked at Google on Chrome. I saw many of my coworkers nurture outside contributors, and did some of that myself, both informally and through programs like internships.)
Those corporations are not doing that out of the good of their hearts. They are doing so to assert control, in order to protect their business value. If it stopped being economical for them, they would stop tomorrow.
I do not think we should be eternally grateful for monopoly building.
Yeah, they are essentially praising price dumping.
Chrome is Google's loss leader.
Reading this leaves a weird taste in my mouth, since the author tends to regularly make nontrivial >1k LOC PRs (sometimes several per day) and merge them on the same day with no reviews at all. This is even ignoring the LLM aspect; I don't know what % of them are assisted, but even if it was 0%, this isn't the pace of development I'd be comfortable with.
That's entirely consistent with what they said here:
> Whether code was typed by hand is beside the point. What matters is who is responsible for it once it enters the browser. Ladybird is becoming a browser for real users. The people introducing changes to it must be the people who decide those changes belong in the project, and who will answer for the consequences.
That's the philosophical argument. In practice, though, the effect of large unreviewed AI commits on the project and its users is likely to be the same regardless of whether those commits were prompted by a core developer or an outside contributor.
My own experience is far from this. Steering the AI, early and while developing a change, matters sigificantly.
Therefore a maintainer is more likely to steer the AI in a direction that is aligned with the codebase.
Yes, I have lost faith in some open source project maintainers that are doing this. There is an open source platform we've used for years at work (we use the paid Enterprise version of it) that introduced some pretty grotesque security flaws and when I looked into it I realized AI had taken over the project - you can clearly see it in the commit log whether it is attributed or not, just based on volume and frequency. It was very disappointing.
Why not name the project in question?
LLMs might be part of why Ladybird is making this decision, but they aren’t the only possible one: SQLite, for example, has been developed this way pretty much forever. To each their own, I guess.
Lua is the same IIRC: open source but not open development.
It’s MIT licensed, and the maintainers are always grateful for bug reports, but all the code in the project was written by just 3 people.
Yeah I don't see the big deal here. Some of the best software is made and maintained by a very small group of dedicated folks. It's a perfectly reasonable move to protect their time and project.
It saddens me to see the communities surrounding free software projects going dark because of the threat posed by AI tools, but I don't know what other solutions there are that would mitigate the threat, particularly when browsers are such a compelling target. Perhaps some kind of trust system a la arxiv.org, where existing users have to vouch for new submissions before a user is themselves trusted? Definitely still vulnerable to abuse, but perhaps less so.
I think a trust system is the only way. Ladybird will need new/different maintainers at some point in the future. How are you going to find them now?
I don’t disagree with their choice, but it’s not sustainable in the long term.
Closed-source projects have been dealing with this forever, by having a mostly-static pool of employees replenished through job listings and interviews. A FLOSS project adopting this model would certainly feel weird, but could work if there were enough willing candidates. The question is, who will take on effectively a job without the monetary reward?
Maybe it is, if they can somehow vet potential new contributors in-person at e.g. conferences.
This is needed for more projects than just ladybird, and I'm sure will be worked out.
For now this makes sense.
It's inevitable that more projects follow this path.
The elephant in the room is so many projects already operate like this without formally announcing it.
If you look at Blender, one of the biggest and most successful OSS projects out there, it's effectively run as source available. Some PRs make it through, but for the most part there have been heavy barriers to entry to get your work into the product. In this example, it's been key to such a large and complex project with millions of users staying afloat. It's an inconvenient truth.
It's one of those unspoken things in open source - the bigger the project the less you can accept or vet contributions. The less able you are to respond to users because there are too many. The amount of code you need to own balloons. The signal to noise to too much. LLMs have massively exacerbated this issue.
This rather feels like it's completely stepping away from the thing that made the community around Serenity and Ladybird so good.
What made the community so good, is that it was a community.
Any rando armed with an LLM is not a community.
I'd argue that was what made Serenity good - a toy OS that anyone can code anything for. Want to spend ages working on a painting program? Make screensavers? Add drivers for your printer? Port Doom? Improve font support because it sounds fun? etc. It celebrated coding for coding's sake, which is the antithesis of AI. There's no point vibe coding features for Serenity because there is no real product there.
On the other hand, Ladybird is gearing up to become a production-ready browser for real users. Adding fun features for the sake of it, and hand-rolling code to parse PNGs and the like, has become a liability for the project.
I lost all trust in the project since the LLM rewrite. This new step is another red flag to me.
what rewrite? I thought it would switch to Rust but I still see it to be C++
They are adopting Rust (https://ladybird.org/posts/adopting-rust/) and use LLMs to help with the rewrite, but not all code was migrated yet. Also it's definitely not a big-bang-rewrite-the-world-with-Claude like Bun.
I manage multiple open source Github enterprises for the Linux Foundation. Something like this is under discussion in all of them - the amount of terrible PRs and issues being filed is overwhelming.
Wasn't the entire goal of Ladybird to have an open and independent browser engine? Making it effectively closed to contributions makes it.. Not independent anymore. It's now dependent, on few people who work on it, just like any other closed-source or corporate-controlled browser.
I don’t think that changes the project independence, when a project is open to PRs you have the same dependency on maintainers accepting changes into main. And the project is still open source. But that does make it less community oriented
But opensource has always been about community. This way it becomes "source-open", even if you could make changes to it and run those changes yourself, the latter doesn't sound "opensourcy" to me.
Open source is about rights/freedom, the community aspect is downstream from that. You have “source available” projects with active communities and external contributors (see elastic license v2.0 projects), and open source projects that only rely on core developers. With open source freedoms comes a culture of community oriented development but what makes a project open is the license, nothing else. The right to fork, read, run, edit is what matters.
Unfortunately AI tools are breaking the open community dynamics, it has become more and more expensive to run open community oriented projects due to the noise, it’s really a shame. It’s a lot to expect volunteer project members to triage the increasing amount of AI garbage
The open source definition does not mention community at all - it is a set of licensing requirements that certain rights to modify code must be maintained, not that upstream will accept your change or (for that matter) that you need to package it up and hand it to them.
And submitting a PR is almost wholly dissimilar from a conversation between friends over dinner or drinks. If you want to have a community around an open source project, it always has taken more than just accepting patches.
It is still independent in sense that it doesn't depend on Google Search money and Chrome/Firefox code as most of the alternative browsers. Depending on your definition of dependency, it will always going to be dependent on something.
Also they are not changing the licence or preventing forks.
It is a pragmatic solution to a real problem that can really clog down progress on the project. I hope they (and other open source projects) will figure out how to filter in good, responsible contributors but I guess it will take time.
Exactly! It's not opensource anymore: it's fork-or-transparent source.
Accepting contribution has never been a requirement for open source.
I know, but opensource was not just about freedoms, it was about community.
This seems quite misguided and is sad to see. They have every right to do this, but I was looking forward to continuing testing Ladybird as it improves and contributing in the future. I hope servo stays open to contributions, as it seems like it's all we have left.
It makes sense when you have a somewhat fixed core team size. Frankly, in some regards, this is the responsible thing to do.
It means they’ll never grow modules or the codebase beyond what the team can reasonably maintain.
However on the other hand.. What does this mean for the existing team, are maintainers now worth considerably more to the project? What does this mean for the codebase, or the momentum of the project?
It’s an approach I would have expected for the likes of curl, or single-purpose libraries. But this is a mammoth decision for a mammoth project.
I guess we’ll just have to see.
>This seems quite misguided
Does it? Seems the only sane option. The other being being drowned in AI slop PRs.
Crappy timing for me. Ladybird has never built on musl based systems. I got that working just a couple of days ago (on Chimera Linux) and was hoping to push the changes to the project. I guess I am maintaining that myself now.
> hoping to push the changes to the project. I guess I am maintaining that myself now.
Not just the changes, you'd push the responsibility, too, for supporting a whole new compilation target. I don't know how big this is, but if it's a big enough hassle to keep maintaining this yourself, then consider that this maintenance work is really what you were hoping to push. So, depeding on which, you might be fine maintaining this, or the maintainers might have rejected the change, anyway.
Why don’t they take the Linux approach? A browser is like an OS. Linux continues to accept public contributions, through an esoteric process that discourages lazy contributors: https://www.kernel.org/doc/html/latest/process/submitting-pa...
Linux has WAY more maintainers, and many of them just reviewed other people's commits for years. They had a crazy amount of contributions even before AI.
The only problem with that nowadays might be that AI can do all the incantations that formerly acted as gates to contributors.
Maybe not. Sqlite has some kind of hand-written license-agreement waiver procedure.
The Linux approach is under pressure too. Maintainers are beginning to warn about too many contributions and too much churn to review it all.
I think we're past beginning to warn, we've now reached the point of accepting Linux needs to remove drivers and features, because the maintainers just can't keep up.
This is not helped by everyone using the same LLMs to find the same vulnerabilities and flooding maintainers with duplicate reports to be the first to get that CVE and branded vuln on their resume.
I know is a naive question, but it's genuine!
Is this the direct result of a monolithic kernel? And would moving more drivers out-of-tree mitigate this?
The kernel has many different subsystems and the subsystems have their own maintainers and mailing lists.
There are numerous advantages of microkernels over monoliths, but even if Linux were a microkernel it wouldn't necessarily change the review pressure that the above commenter is talking about, because you still have the same number of components (filesystem, networking, drivers, etc) to develop and review patches for (although you do have more well-defined interfaces between components, which eases security).
Not really - it changes how the lines are drawn between components, rather than removing any of them.
The EXT4 filesystem driver as an example contains most of the same code whether it is part of the kernel process or is a user process. A virtual filesystem abstraction is needed between the two in either case as well.
The kernel also already has a module system to support loading externally maintained code. You won't necessarily see a benefit from separately maintained drivers that wouldn't already be present.
Behind my question was another one: is there too much in the source tree that doesn't _strictly_ need to be?
Maybe not?
I just got the impression that there are a _lot_ of obscure drivers that have to be carried, and are eventually removed causing annoyance. An ABI for the people who cared about that random driver might localise the maintenance burden.
> An ABI for the people who cared about that random driver might localise the maintenance burden.
Yes, but one key reason that a stable ABI isn't provided for drivers is to help encourage companies that ship drivers to make their drivers open source. The idea being, if a driver is mainlined into the Linux kernel, the Linux developers will help maintain support for that driver, in exchange for it being released with an open source licence. There are companies (like NVIDIA) that ship closed source drivers for their devices, but they rely on a kernel-side shim that interacts with the userspace driver, and this is seen as second best compared to mainlining the driver in the kernel.
One commit per logical change, `git send-email` instead of `git push` and open a PR. Sending patches is not the difference maker here.
The core problem is that we don't have a PR respect system. 10kLOC from an unfamiliar person with empty GitHub is much different from a pal regularly contributing that you personally know.
Integrating some kind of proof-of-stake system might be a way forward for open source. Nobody wants to shuffle through a pile of low-quality PRs written by LLM.
mitchell hashimoto https://github.com/mitchellh/vouch implemented this idea
https://github.com/PThorpe92/fossier
the ghostty developer introduced a system similar to what you describe!
They could make two kinds of pull requests and add much more strict criteria for public contributions. For example, they could say that the PR has to be smaller in size and well-documented for human review, otherwise it's closed by an automation.
And then if someone wants to do a larger contribution, they could have a process like making an issue, discussing the approach and then collaborating with a maintainer to get it in.
Blocking public contributions means that they want to have complete control of the project and AI is likely a good excuse to do that.
That doesn't solve the volume or quality problem. LLMs can split one giant PR into 50 smaller PRs just as easily and "well-documented" isn't something you can determine automatically.
Why is it so hard to just accept that AI PRs suck and create an enormous amount of toil?
It says something about the fragility of contemporary software that a fragment of bad code could result in doom. I think we need to move to much more restrictive computation architectures, inherently partitioned, functionally pure, and resistant to type confusion, pointer manipulation, memory issues etc.
I don't disagree with the desire for more inherently secure architectures, but I don't think it's the most relevant issue here.
You're always going to have to trust some core same-privilege code--a browser renderer is a great example of this: it has to be able to see the entirety of the DOM it's rendering, right?
Higher-level languages can still help code review--for example, memory safety makes it harder to hide a backdoor via unsafe memory operations leading to code injection. But you're still, fundamentally, trusting these community contributions.
I think the real problem (as others noted here) is that:
- writing code is now much, much cheaper than ever
- understanding and designing code is still fairly expensive
So doing the former (in the form of a PR that compiles and passes CI) is not a good "staking mechanism" to prove someone has done the latter.
Their loss.
Think about it. Anthropic just reported that their codebase is now improving itself. We're moments away from every open source repo being able to do the same. Think of it like torrenting — you'll be able to open your repo to the public, and have a stream of code flow in from millions of contributors. More code than you could ever write in ten lifetimes, uploaded to your repository in a matter of days.
Ladybird doesn't know it yet, but they just left themselves in the dust.
Every idea can seem quite nice if you only imagine the good parts, gloss over the nitty-gritty and ignore the bad.
> open your repo to the public, and have a stream of code flow in from millions of contributors. More code than you could ever write in ten lifetimes, uploaded to your repository in a matter of days.
why would you want this. this sounds terrible
I don’t understand how you’re supposed to cultivate new maintainers if you shut down contribution.
Is this a sponsored project where maintainers are just hired?
You are also not cultivating any new contributors by just accepting slop the submitter did not write or understand.
I guess they will have to introduce some kind of trust-based system.
I don't like this, but I understand it. I've contributed to the LB project several times, and I have made friends IRL with people who have also contributed to the project. ( we are now friends at uni ) It feels like a stepback because instead of 30-45 contributors every month, you have 15...
i feel like there should be a way to trust a PR ID verification or in-person verification at FOSDEM/DEFCON/Chaos Communication Congress,UNI's, for example.
> i feel like there should be a way to trust a PR ID verification or in-person verification at FOSDEM/DEFCON/Chaos Communication Congress,UNI's, for example.
They probably could do that as part of the hiring process.
This is a very sad day.
Yes, Ladybird is facing a wall of slop... no... A tsunami of slop overwhelms core maintainers. Probably safe to generalize to other popular open source projects.
The project is important and the code is beautiful! I spent many happy hours trying to understand the code, browser-specs and tried to adapt to their coding style. After 18 months I ended up with a few merged PRs. Some were pure joy to write. I got to work directly with most of their core maintainers in the review cycle. They're great!! From the outside, it seems like their responsiveness to submissions slowed down in the last few months... slop.
Of course, it would be great if there was another way, but here we are.
Love <3 to Andreas and the core maintainer group! Keep up the good fight! Maybe we'll meet again.
> Ladybird remains open source. The source code will continue to be publicly available under an open source license.
We usually call open source software without open collaboration source available software.
This is terrible news, defeating core beliefs people had in Ladybird. Not an open browser I wished for.
Hell no, open source is just about the licence, and source available generally refers to proprietary licenses that at least let customers access the source.
This is just the cathedral model to open source, as opposed to the bazaar you clearly prefer, but it's still open source.
By definition yes, but I believe most people consider open contribution essential for OSS.
Abandoning editorial control is poison for all composed works.
Amen to that. Let's not redefine an already very precise terminology.
"A substantial patch used to imply substantial effort, and that effort was a reasonable proxy for good faith. That assumption no longer holds."
This is probably the best, most succinct explanation of what we're seeing happening in the OS world right now.
Interesting how this post coincides with the Leyden declaration in mathematics: both documents are abot how human-human trust ("in good faith") is eroded by large language models, because a substantially-sized artifact does not necessarily attest to substantial human effort and skills.
Good point about how the community of mathematicians is struggling to come to terms with the role of language models in their work, and the similarity with the community of software developers. Machine-generated programs and proofs are contributing real value, undeniably, but it's causing social tension and destablizing the community with the sheer volume of its production, the varying quality, unreliability, and lack of humanity in the process. I would guess that similar issues will spread throughout society, in other areas of collective work and living. One potential solution, like with Ladybird and some other open source projects, is for a community to become more exclusive, restrictive and selective about what inputs they accept.
As much as I wanted to see another browser alternative succeed, Ladybird has lost my trust. Using LLMs to rewrite the entire codebase was already extreme. But eliminating external contributors is a precursor to a rug pull. And rewriting the entire codebase can now be seen as another step in a rug pull.
Perhaps we should start to describe projects as Open Contributions from now on. With maybe a few Open Contributions Standards to distinguish how this works.
For every person wanting to do good in the world there are ten windup merchants of which at least one has darker motives
I once submitted a PR to Ladybird, but even in early AI days there were so many open PRs that mine got lost in the noise. I don't really blame the maintainers here. Once the open PRs get to a certain point, it becomes unmanageable.
Surely you can just autoclose any PRs from 1. People you don't know and 2. That are over 100 or even 50 lines?
That way new contributors are forced to start small.
I think it's not the issue with the added PR count, but the fact they have to review them. 1 big PR review is the same as 5 small PR reviews if you have to look at how it holds, edge cases and what not...
Well, then add some backpressure. Each contributor gets only a few small PRs a month, until they prove themselves. Contributors that don't have a credible online presence are automatically rejected. Etc
Surprising how little appetite for changing norms exists here on HN. Yes, the transition to agentic coding will be difficult, but to me this is mostly exciting. Despite my AI enthusiasm, I also run into shortcomings that the agents have very often, but that's a more interesting learning experience than the status quo without AI would have been!
We'll have more such disruptions and we'll learn to live with it.
For an open source project, is there any reason to still accept code contributions?
Feature requests are valuable because they tell you what users want.
Error reports are valuable because they tell you under which circumstances the code fails.
But the code that implements those features and fixes those errors can now be written by AI. AI follows all the rules for how code is supposed to be written in your project. Is already producing very high quality code. And soon it will produce a quality that no human can match.
It was alluded to in the post - contributors turn into maintainers. Someone who contributes has a small but plausible chance of sticking around.
For an open source project that isn't a business, that's really the only way to recruit people
But why recruit people, now that we have AI?
Couldn't an agent monitor feature requests and bug reports, reason about them, and then implement and fix the ones it deems important?
For the same reason software engineers still employed. AI is not yet capable of autonomous software development. From my perspective we're nowhere close.
So basically it will become more or less similar to the structure for SQlite and Fossil by Dr.Richar Hipp et al , basically seems most projects that have the requisite manpower/maturity will end up at that kind of structure. In the long run may be interesting from a chain of trust (human as well as code) and interop as any dev from these projects (guilds?) would already have some trust build in.
curious what the "did the pipeline actually do what we think" story looks like now.
"green" and "the right artifact exists" drift apart faster than expected with more automation. exit code wasn't enough for us — had to make the output file the thing that proves a run happened.
this is a move in wrong direction, its sad and a bad solution. Ladybird implements specs that must be compliant, making compliance harder is the way to go, proving the code changes does what they are intended for should be made better instead of gate keeping from malicious and "honest" contributors
Ladybird going source-available is quite unfortunate, seems like Gecko is the only production-ready independent browser engine we're left with.
They may, at this point, go ahead and remove "get involved" block from their website https://ladybird.org/, since it's not possible to contribute anymore.
That's not source-available, that's still open-source. Quoting Wikipedia:
> Source-available software is software released through a source code distribution model that includes arrangements where the source can be viewed, and in some cases modified, but without necessarily meeting the criteria to be called open-source.
https://en.wikipedia.org/wiki/Source-available_software
> Open-source software (OSS) is computer software that is released under a license in which the copyright holder grants users the rights to use, study, change, and distribute the software and its source code to anyone and for any purpose. Open-source software may be developed in a collaborative, public manner.
https://en.wikipedia.org/wiki/Open-source_software
And as said here, SQLite was operating like this forever.
It's not source available, source available implies some restrictions on what you can do with the source, or with any resulting binaries. This isn't a rugpull; all they're doing is closing off contributions, which has nothing to do with the license of the code.
This is not the same as source available - you can fork it, the license didn't change.
So the new way to contribute is to fork
Make a better Ladybird successfully to the point the original contributors take notice. If the barriers to doing that are truly lower, then it should be easier.
I see this as the slow death of OpenSource.
It’s controversial to say, and I may be downvoted, but I’ll share this as a pov: OSS is essentially giving away our work for free. Did that ever really make sense? If it does, why don’t graphic designers give their work away for free? Why don’t authors do that? UX designers?
It’s a very peculiar thing to us nerds.
And the strangest thing is, we may have unwittingly built the data source required to make our skills redundant, as models are trained on the work we gave away for free.
I think this is an interesting narrative.
I wonder, if they are really only concerned about trust, will accepting external PRs but never giving commit access to external contributors work for them?
Of course, if they are also concerned about the quality of external PRs then that does not help.
This project gets a lot of publicity for the product it has to show (which, as far as I know, is effectively still inexistent).
This is not really a valid criticism for an Open Source project. I built Ladybird from source yesterday and I am typing this comment in it now. So, I assure you that the Ladybird browser exists.
Of course, Ladybird is not production ready yet. Feature-wise, it is getting close. I can use it to do most of the things I want to do with a browser. Speed and reliability are another matter. I has gotten dramatically faster but normal users would still find it slow. But the biggest problem is reliability. I would not use it in its current form for anything that matters.
But for a complicated application that was started from scratch, not being ready yet is not an indictment. They claim it will be ready for regular users to try sometime this year and, from where I type, this seems realistic.
To be honest, judging by their repository, it doesn't look like they've stopped accepting third-party PRs.
Opensource doesn't mean open to contributions. The source code is available, you can fork it and apply your patches there.
This is the way to go to reduce supply chain vulnerabilities and to reduce time of mainters reviewing LLM slop.
> Opensource doesn't mean open to contributions.
That's not entirely true. It's certainly the case that Ladybird is still under an open-source license, but the whole idea of the "Open Source" label was to move the emphasis away from having a free license to actually being open to patches in practice.
Not even the most extreme FOSS zealots (RMS, FSF, …) ever claimed that taking public contributions was ever a part of that.
RMS would emphatically agree that Free Software doesn't mean being open to contributions; if you asked him about either "FOSS" or "Open Source" he'd probably command you to wash your mouth out with soap. It's the other side of the fighting FOSS family which evangelised for Linux-like development (see the thread from https://news.ycombinator.com/item?id=48410503 ).
I wonder if adding an artificial barrier in form of a donation could help. That's probably the only remaining way to show the good faith.
Zig is moving to this direction is well.
That is the opposite of what's going on, read this https://kristoff.it/blog/contributor-poker-and-ai/
Indeed, while there is communication that the situation with merging external pull requests should improve, the reality is that it's easier to land a patch in Linux, than in Zig.
Now that I think about it, moving away from GitHub surely filtered many low-quality contributions fueled by clout/GH profile reputation.
Are they going to be using gerrit or a private repo and push changes back regularly?
Sometimes the discussions on PRs are equally valuable to see how a commit was arrived at, and I'd be sad if that got lost in this change.
It sounds like all public contribution will simply be impossible. That said, they will continue to develop out in the open on GitHub and you can clone the repo and build whenever you want. You can continue to contribute in other ways.
https://ladybird.org/#contribute
I hate this change and agree with your PR comment. This change makes me sad as well.
My hope is that public contributions can resume in the future. Part of their justification for this step is that they are trying to stabalize the project to produce a stable public alpha. Fair enough. And many Open Source projects have begun to voice concerns over the burden that the massive increase in contributions is causing, often from AI. Linus Torvalds has certainly been flagging this. The Open Source world in general is going to have to navigate this and come to a solution that works without the entire Open Source ecosystem becoming read only.
Once Ladybird ships a "stable" browser out to the world, I am hoping they can adopt whatever the "best practice" for Open Source has become to be able to accept public participation again.
I feel like the project just died.
> I feel like the project just died.
Why? This seems to be a strengthening move, not a weakening one.
Moving to a closed development model => opensource is just a gimmick, especially with a BSD licence.
> Moving to a closed development model => opensource is just a gimmick,
How so? Many projects are open source (GPL, MIT, whatever) while closed development, and no one calls those a gimmick.
In any case, most open-source is going to move towards a closed-development model; there simply isn't the resources to review thousands of lines of PRs per hour.
Maybe, or maybe not. But it will certainly kill the community they've built up, and squander a huge amount of goodwill. Why would anybody who's interested in supporting or using an independent browser (read: techies) choose one that nobody can contribute to? Not to mention how the sponsors might feel about this.
> Why would anybody who's interested in supporting or using an independent browser (read: techies) choose one that's only source-available?
It's not source-available, it's open-source.
Sure, edited.
Too early to say. Once they enter "we now accept everyone to use Ladybird as daily driver" then there will be the real test phase. And, IMO, only after that phase has started and continued for some months, perhaps even few years, can a final conclusion be made. If ladybird fails then the Google empire has won permanently. Skynet slop will then be under control of Google, just as they stole all the advertisement money.
seems reasonable.
"Gain trust through plausible contributions" is a new angle on AI-produced PRs I haven't seen yet.
Though in retrospect we should have seen it. It's been an angle of attack since forever, it only took a lot of effort.
isn't linux-kernel-development operating on exactly the same model since forever ?
We need stricter verifications / credentials behind GitHub accounts and PRs.
And this we should have had already before AI.
How does that help? People gladly post slop PRs under their real names.
It's not the only solution but it might reduce PRs by a decent amount I would think.
If you see a PR and the guy is verified, you can check his name, his linkedin and where he works, at least there is some accountability if he introduces malicious code.
If the goal is to reduce slop, define slop. As a maintainer of a project you should be able to tell if something is slop.
If you don't have time to read PRs (which is the real issue here) that's fine too.
My guess is they want to reduce the amount of PRs, and ensure that the quality of the PRs passes an extremely high bar.
While it would help for some use-cases, it wouldn't necessarily reduce the problem that a browser is facing when dealing with malicious code in a large and complex codebase. And vetted people can be victims of supply-chain attacks, which makes it still hard to evaluate a change properly.
It's not an impossible problem, but it's a resource allocation problem, and they don't seem to have a way to address it at the moment besides closing all PRs.
I suspect that rather than some kind of digital proof-of-competence, communities will shift to in-person meetups at conferences and such. Which is unfortunate for people who can't attend for whatever reason, but I think some solution to that can be worked out.
What does verified means? Anyone can create fake linkedin profiles claiming they have worked for faang.
> As a maintainer of a project you should be able to tell if something is slop.
Of course they can, the problem is they have to spend time digging through a ton of garbage looking for the ones that aren't low quality slop.
If you're getting DDOSed, you start by putting up a firewall lol.
I been thinking about it for a while that we need some score based system where each PR on GitHub/Gitlab grants you a review form the maintainer as well. You build your rep and the maintainers decide about the thresholds for contribution.
I'm surprised this isn't yet a thing. Heck, this can be made independent of GitHub/Gitlab, like a portal which tracks your rep. Could also help you got hired. Think Stackoverflow rep mixed with LinkedIn but for actual code contribution.
Yes I'm aware it sounds Black Mirror-ish. But we need more meritocracy in the world of OS that is otherwise highly anonymous and with very little public authority.
It's surprising to me how many people here seem offended that someone might just not want their code.
I guess it takes quite a lot of experience as a maintainer to realize that 'free' in 'free code contributions by strangers' is like 'free' in 'free puppy'.
What made open source great, is the fact that if you find a problem, you can patch it. It's what motivated me, anyway. Ladybird is not SQLite, it's under development and very likely will be forever. To me it looks like they are transitioning into a company, where this model makes sense.
> What made open source great, is the fact that if you find a problem, you can patch it. It's what motivated me, anyway.
What exactly is different now?
> it's under development and very likely will be forever.
So is Sqlite. Last time I checked they are still actively developing Sqlite.
Do you mean you can't just grab a current release and hold on to that? Well it's pre-alpha... That's the point...
I truly understand why this step was taken, but it is still sad to see the death of open source or rather open contribution. Every project that turns away from open contributions is a project lost to the whims and fuckery of AI Bros.
What I realy want to know how sustainable a model like this is. How does one find new maintainers when old ones leave. When you cannot contribute anymore.
This is one way to rephrase "we don't want your AI slop, thanks.".
> Whether code was typed by hand is beside the point. What matters is who is responsible for it once it enters the browser. Ladybird is becoming a browser for real users. The people introducing changes to it must be the people who decide those changes belong in the project, and who will answer for the consequences.
It probably accelerated the decision, but I don't think that's all of it. I think they're moving in the WebKit/Safari direction: open for you to look at, but not really an open source project.
> I think they're moving in the WebKit/Safari direction: open for you to look at, but not really an open source project.
Webkit absolutely takes third party submissions. https://webkit.org/contributing-code/ .
I believe this is an external PR merged a few hours ago at the time of this writing. https://github.com/WebKit/WebKit/pull/66507
Safari does not accept third party submissions, but the chrome has never been open (even before Google Chrome recycled the term).
WebKit does allow outside contributions, though that example is perhaps not the most illustrative as it is from an Igalia employee. Igalia maintains substantial parts of WebKit and at this point has to be the #2 contributor other than Apple themselves.
It's still open source, but not open for public contributions. That's pretty much how it was before the advent of these forges.
That's not really right, though the license is still Open Source compliant. Linux was practising an open, patches-welcome developement style before the forges existed, on its mailing list. This did indeed contrast with how eg. the FSF was running its projects, though even in those the door wasn't shut as hard on people wanting to contribute as Ladybird's now is, I think. Then Eric Raymond wrote "The Cathedral and the Bazaar" specifically to talk up Linux's patches-welcome development model, and to move the emphasis away from (just) licensing terms and source accessibility, to openness to patches. Netscape then launched the Mozilla Project specifically on the CatB model. In response to the surge of momentum, the "Open Source" label was created basically as a brand name for the CatB perspective. After all this, "doing it as open source" was established as a clear mental category in people's heads, and the forges popped up as low-friction SaaS solutions for something that people already wanted to do, and by then were often already doing. (In the process helping to make Web-based SaaS a well-established concept and business model in people's heads, something with ironic consequences.) So Ladybird's current development model is much more clearly in line with the Free Software philosophy than the Open Source philosophy. To be clear, that's not the only disagreement or difference of emphasis between "Free Software" and "Open Source": most obvioulsy, Ladybird's BSD license is a failing in the FSF's view of things, just not enough of a failing make Ladybird not Free Software. But it is a real one.
"The Cathedral and Bazaar" is orthogonal to open source. Its argument is that open source is most valuable when paired with the bazaar model, not that the cathedral model cannot be considered open.
The open source definition was created in that mind. It does not state or imply open development or a community are requirements.
CatB and Open Source aren't coaxial, but there wasn't a very clean separation between them either: https://www.free-soft.org/literature/papers/esr/cathedral-ba... https://web.archive.org/web/20021001164015/http://www.openso... . "[T]he same pragmatic, business-case grounds that motivated Netscape" was CatB. Even now OSI doesn't emphasise any separation: https://opensource.org/about . You are correct: the Open Source Definition does not mandate an open development model. However that's probably at least in a small part because, well, how would one craft a legal requirement for open development in a software license that wasn't either unenforceable or very burdensome and abusable? It's also quite definitely because the expectation was that forks and/or the threat of forks would in practice enforce a certain level of open development on OSD-compatibly-licensed software: this was in fact what ended up happening to GCC at least once https://en.wikipedia.org/wiki/GNU_Compiler_Collection#EGCS_f... . If software projects all largely go the way Ladybird is going now, and stay that way, then it's a crushing (though not total) defeat for what the Open Source movement promoted and what it hoped to achieve; but sure, to be clear, Ladybird remains OSD-compliant. (Not total because at least the source remains available, without paying or signing anything, for bug-hunting.)
I think I didn't put the emphasis right in my comment above. The code is still fully open source, but the project that produces the code isn't. It's not dissimilar to other projects producing open source software.
This is the first time I've seen a project with this much history in community contributions close down, though. I suspect AI will cause more projects to follow in Ladybird's footsteps.
> The code is still fully open source, but the project that produces the code isn't.
I think your thought was cut off. What is the project no longer?
AI contributions are only a part of the issue. Another part is where a contributor decides they want a specific feature and contributes it but then disappears off into the sunset when it comes to needing maintenance later.
Nobody wants ai slop
A bit sad to see this. Of course they are free to do it the way they prefer, and there are successful projects like this (Notably SQLite) but there has to be a reasonable middle ground between "everyone can just flood us with 30,000-line 'Claude implement feature X make no mistakes' PRs" and "we're not open to outside contributions"
How would you decide what is the middle ground though? If a project allows some AI-generated PR if its good quality, then it is a burden on the reviewer on what is considered good or not.
You can introduce a social/trust element to it, something like: Join our Discord, chat to us, come to our "office hours" video calls first, then you get to contribute.
Maybe also limit the size/scope of external contributions (only small bug fixes allowed for your first few PRs)
I wasn’t around much before GitHub so. I believe I tried submitting patches to the XFCE project but I didn’t get anything accepted to FOSS before GitHub.
In this type of system, if I am competent and can contribute how to do I? By reviewing the maintainers PRs, helping fill out more info for bug reports / root causing?
There had to be some way for a competent user to get involved enough to become a familiar handle to the maintainers and be seen as a possible future maintainer/ expert contributor right?
LLMs are killing open source just like they're killing online discussion forums.
It's heartbreaking, my two favorite things about the internet are dying off because human interaction can't outscale AI slop.
And most social media, and blogs.
Newspapers are adopting it too, so soon we may see slop dominate even high brow publications.
Feels like a huge shift in human intellectual capabilities. Honestly quite worrying, I don’t think it’s a Luddite position to say that removing writing is removing thinking.
Honesty. WTF is Ladybird? Feel like as a normal guy doing normal software development I'm living in an alternate reality or something.
How is this the top post on my favorite website?
> Whether code was typed by hand is beside the point. What matters is who is responsible for it once it enters the browser. Ladybird is becoming a browser for real users. The people introducing changes to it must be the people who decide those changes belong in the project, and who will answer for the consequences.
Applies so, so widely. Glad they’re taking (very necessary) action here.
I paid for Kagi's Orion (even though it's actually a little crappy) because I want options in the browser landscape. I'm really rooting for Ladybird, and just in case they don't offer a paid version in the future, here's a link to how you can sponsor its development: https://opencollective.com/ladybird
One more data point that AI is ruining open source. It's disgusting what these people are doing.
Oh well, AI bros ruined it. I'm actually glad in some twisted way, because if more projects follow suit and close their development, it will again become an actual badge of honor to get on those teams. Having contributed to such projects will mean something.
Legit
I think we are going to see a lot opensource project switching to Humans Need Not Apply Mode.
While I understand the motivation for this change, I have to highlight something: GitHub's slogan 'social coding' is becoming more and more true these days. Now opensource will become a thing that only "influential" people can contribute to. We're back to nepotism, not meritocracy. Down hill we go.
> Now opensource will become a thing that only "influential" people can contribute to.
No. Having access to a slop generator doesn't entitle you to acceptance to any and all open source projects. You're still responsible for the quality of your contributions. Something that is completely lost on bullshit artists.
Don't put words in my ~mouth~ (keyboard) that I didn't ~say~ (type), I'm not saying I want my contributions to be accepted on equal footing even if they are generated by AI. What I'm saying is that solving this problem this way is going to make opensource much worse. We need a better way, and I'm not sure which is the better way, sorry.
You aren't really contributing anything except funding to Anthropic/oai/MS/etc if you're sending genAI content. The better way will be fairly similar to the previous status quo: humans interacting with humans, with the change that there will be higher barriers to gaining access to the web of trust.
> You aren't really contributing anything except funding to Anthropic/oai/MS/etc if you're sending genAI content.
Why people keep saying that I'm advocating for AI use? I'm not happy with the decision of Ladybird maintainers, but that doesn't mean I'm willing to spam them with AI slop.
Your prior message could be taken that this was an elitist move, and not a move that is being taken by many different projects for survival with limited review capacity.
LLMs in general change the balance of how much effort generating content takes, sometimes by orders of magnitude. They unfortunately do not significantly change how much effort it takes to understand and evaluate the quality of that content. The result is that the base value of a piece of content (including code) is plummeting.
Opensource is already much worse and is drowning in slop. Until a better way is found (if it can be found), severely restricting contributions is the only sane response.
And it has nothing to do with the perceived "only influential people can do it". You're always welcome to fork any and all projects and run your AI on those
> You're always welcome to fork any and all projects and run your AI on those
I already replied to the forking thing here: https://news.ycombinator.com/item?id=48410121
> If everybody does the same with their small improvements, the project becomes better for everyone
That assumes everyone does that. Instead, with LLMs everyone just does "do a thing, no mistakes".
And when that backfires, uses LLMs to start an automated bullying and smearing campaign: https://cybernews.com/security/openclaw-bot-attacks-develope...
> Now opensource will become a thing that only "influential" people can contribute to. We're back to nepotism, not meritocracy. Down hill we go.
Or people can just start their own projects instead of working on someone else's. Many projects instead of potential large points of failure.
I don't know about you, but as for me, when I contribute to opensource it's because I find some improvement that makes the project better because it probably polishes some rough edge around a kind-of particular use case (that maybe few people face, but still, it makes the project better for them; it amplifies the range of usecases that it can span to). If everybody does the same with their small improvements, the project becomes better for everyone, but none of the contributors of these small changes would have time to embark on maintaining a fork. Mantaining a fork is hard work, not only because software breaks over time (dependencies going obsolete or insecure, builds stop working because of old toolkits), but also because not pulling the latest changes from master would mean that your fork gets stagnated (and thus not worth to run it).
The problem statement is clear to everybody.
> For decades, code contributions have been how open source projects learned who to trust. People would show up, do the work, take responsibility for their changes, and stick around. Over time, trust emerged from the work itself.
The solution, IMO, is a strictly worse version than what we chose in the Zig project (banning LLM contributions).
> AI tools have changed the economics of this very quickly. We use them ourselves every day, but a pull request no longer tells us as much as it used to about the person submitting it. A substantial patch used to imply substantial effort, and that effort was a reasonable proxy for good faith. That assumption no longer holds.
Things that worry me about this choice:
- open source is a tough business and you need to leverage the good things about it to make it worth doing. contributors bring in a huge amount of value that they offer you essentially for free (see contributor poker: https://kristoff.it/blog/contributor-poker-and-ai/), on top of being a hugely valuable recruitment funnel. They're rejecting all of that, which seems insane to me.
- one could argue that LLMs could fill that gap but, first of all they could have just banned LLM usage only in PRs from untrusted contributors, and second even the best LLM: 1. is a cost, not just free value, and the price of tokens is increasing 2. the code has to be reviewed anyway, unless you think that just passing tests is good enough for a browser 3. ultimately can't become a trusted core contributor able of taking ownership of a part of the codebase
- removing the influx of code that comes from PRs means that over time the whole project will have a small number of contributors that own all the code, making it easier for the project to do a license rugpull. when copyright ownership is well distributed this kind of thing is harder to pull off.
Overall, this is not good in my opinion. They're making open source a more problematic business model for them than it has to be, while at the same time making it harder to recruit more core contributors, as the code ownership coalesces to small group of people.
This is an obvious recipe for disaster (a rugpull), and I'm forced to wonder if this is just by mistake or if some of the Ladybird sponsors are playing a mean game of Secret Hitler. I guess only time will tell.
The Zig project is making a real difference in the culture of open source software. I'm so glad for the leadership and community. It's a refuge from the mania of large language models disrupting this and other industries, steamrolling over human connection, decency, ingenuity, class, taste. These intangible qualities that make it worthwhile, joyous and fun, will be destroyed unless people put in effort to protect them.
Comments in this thread that insist open source has nothing to do with community, that it's simply a licensing matter, is disappointing and shows a lack of understanding of what's it's all about. Similarly with the community of mathematicians. Some people reduce it to "Math is just a tool", which is just ignorant and sadly misses the beauty, wisdom, camaraderie, and the humanity of the endeavor which is what matters.
>This is an obvious recipe for disaster (a rugpull), and I'm forced to wonder if this is just by mistake or if some of the Ladybird sponsors are playing a mean game of Secret Hitler. I guess only time will tell.
When I first read this I checked the license and saw that a rugpull would be permitted. However, if someone wants to continue the project after the rugpull they could do something thing like the redis rename to redict.[0]
[0] https://andrewkelley.me/post/redis-renamed-to-redict.html
I don't understand why people contribute AI slop to existing projects. You move 1000x faster. Just write your own browser in 2 days.
I want someone to resolve the contradiction you have highlighted. Why don’t we now have an AI built web browser that is much better faster than chrome?
To that mind, why hasn’t chrome itself become 1000x better?
There is a disconnect between the narrative and reality.
"A browser runs untrusted input from the entire internet on the user’s machine, and one well-disguised vulnerability is all an attacker needs. We have already seen patient, well-resourced campaigns in open source to earn maintainer trust and abuse it."
Then the linux kernel is doomed. /s
Cool - how about fewer perma-bans on github for participating in discussions?
Also, as I have pointed out before, they seem to develop too slowly for a solid beta this year. You only have to look at the issue tracker and check for URLs not working or even crashing the browser. Ladybird may have gotten better in the last months, but imagine if 50.000 people are using it, you will see more bugs. How do they then handle bug reports?
Can we see some discussions that got people perma-banned?
I wonder how can a new browser engine survive with the source available model. Like, why would anyone support this, unless they have business association with the Ladybird developers?
It's not source available. It's OpenSource(TM) because of the BSD-2 license.
This is not unheard of. The most famous models are emacs & SQLite. SQLite doesn't accept outside patches, emacs is developed opaquely and only releases are put forward.
You can do this with GPL, too. You put out tarballs of the releases only.
There's a great misconception between Free Software, Open Source, and Open Development (bazaar model). They complement each other, but they are completely independent things.
Addenda: Looks like emacs' Git repo is publicly accessible now, but it's not a requirement for GPL or Free or Open Source software.
It's actually common, many companies develop their products this way. The source is available, you can see the VCS, but you can't participate in the development. That's why I see this as signal that it's going to turn into a company.
Well, technically it is a "company" already as it is registered formally as a non-profit. They have income (sponsors) and paid employees.
To my eye, this change does not appear to be driven by a change in corporate governance or profit motive.
They explain that the change and the timing is driven by two things.
1 - The burden and of processing public contributions has increased with the rise of AI
2 - They need to focus and stabliize the code base in preparation to introduce a public alpha
Those reasons ring true enough for me that I do not need to go looking for other motivations. I do not like this change but I can see why they would.
However many if not most of these companies use "Source Available" licenses which say "Thou shall look, thou shan't compile". This is very different than Open Source license of Ladybird itself.
Seems cold how they present this, but on the other hand I’ve ignored Ladybird because I just don’t think they’ll have meaningful impact, so I remain unaffected by this policy change.