by raywatcher 342 days ago
For all the discussions about the slopification of the internet, the human toll on open source maintainers isn’t really talked about. It's one thing to get flooded with bad reports; it's another to have to mentally filter AI-generated submissions designed to "sound correct" but offer no real value. Totally agree with the author mentioning the emotional toll it takes to deal with these mind-numbing stupidities.
5 comments

The most notable thing about this article, in my opinion, is the increase in human generated slop.

Everyone is talking about AI in the comments, but the article estimates only 20% of their submissions are AI slop.

The rest are from people who want a curl contribution or bug report for their resume. With all of the talk about open source contributions as a way to boost your career or get a job, getting open source contributions has become a checklist item for many juniors looking for an edge. They don’t have the experience to know what contributions are valuable or correct, they just want something to put on their resume.

Reminds me of those "I updated your dependencies/build system version" and "I reformatted your code" kinds of PRs I got several times for my projects. Yeah, okay, you did this very trivial thing. But didn't you stop to think about the fact that if it's so trivial, there must be a reason I haven't done it myself? "It already works as is" is a valid reason too.
I often update README files or documentation comments and submit PRs when I find incorrect documentation.

I’ve had mixed results. Most maintainers are happy to receive a well-formatted update to their documentation. Some get angry at me for submitting non-code updates. It’s weird.

There's nothing wrong with fixing actual mistakes. It's obviously in everyone's best interest for documentation to be correct.

But updating dependencies and such is totally unproductive. It's contributing for the sake of having contributed in its purest form. The only thing that's worse is opening a PR to add a political banner to someone else's readme, and then getting very pissed off when they respectfully close it.

It's weird because both of those are or can be fully automated nowadays, which IMO is a great litmus test for "is this merge request just karma farming"
It's human toll everywhere. AI used for peer review effectively forces researchers to implement suggestions between revisions, AI used by managers suggests bad solutions that engineers are forced to implement, etc. Effectively, the number of person-hours spent following whatever AI models suggest is increasing rapidly. Some of it might make sense, but uncomfortably many hours are burned in vain. There is a real cost of lost productivity in the economy from command chains not being ready to filter out slop.
Maybe instead of trying to detect LLMs, would a better strategy be to try and detect inconsistent or self-contradictory reports? The reports we see here seem to unravel at some point, either leaving out crucial information, such as code location or steps to reproduce, while insisting the information is present - or straight-up claiming things about a code location that are not there.

Such as the buffer length check in [1] where the report hallucinated an incorrect length calculation and even quoted the line, then completely ignored that the quoted line did not match what the report was talking about and was in fact correct.

So essentially, can we put up a gaslighting filter?

It seems like those kinds of inconsistencies could be found, ironically, by an LLM.

[1] https://news.ycombinator.com/item?id=44561058
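One way to mechanise the "gaslighting filter" proposed above, as an added example (not code from the article, from curl, or from any commenter): take every `path:line` the report cites, optionally with the line it quotes in backticks, and verify it against the actual tree; a function the prose blames must at least be called somewhere. A report with no checkable location is "unverifiable", one whose citations contradict the tree is "inconsistent", and only a report whose claims survive gets human time. The source tree, the report text and the claim syntax are all constructed for the illustration.

```python
"""Consistency check for a vulnerability report against the source it cites.

Added example, not code from the article, from curl, or from any commenter.
The source tree, the report text and the claim syntax are all constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for a checked-out tree: path -> file contents.
FAKE_TREE: Dict[str, str] = {
    "lib/example.c": (
        "#include <string.h>\n"
        "int copy_name(char *dst, size_t dstlen, const char *src) {\n"
        "  if (strlen(src) >= dstlen) return -1;\n"
        "  memcpy(dst, src, strlen(src) + 1);\n"
        "  return 0;\n"
        "}\n"
    ),
}

# Constructed report in the style of the ones discussed: a real-looking
# file:line reference, a quoted line that does not match it, a file that
# does not exist, and a function named as "the problem" that is never called.
REPORT = (
    "Critical buffer overflow in lib/example.c:4 `strcpy(dst, src);` gives RCE.\n"
    "The check at lib/example.c:3 `if (strlen(src) >= dstlen) return -1;` is bypassable.\n"
    "Also see lib/network.c:12 for a second unchecked copy.\n"
    "The problem is in strcpy() in the src files, have you seen the exploit code?\n"
)

# Assumed claim syntax: "<path>.c:<line>", optionally followed by the quoted line in backticks.
CLAIM_RE = re.compile(r"([\w./-]+\.[ch]):(\d+)\s*(?:`([^`]*)`)?")
# Assumed function-mention syntax: "name()" in prose.
FUNC_RE = re.compile(r"\b([A-Za-z_]\w*)\(\)")


@dataclass
class Finding:
    kind: str                 # "location" or "function"
    ref: str                  # what the report pointed at
    problem: Optional[str]    # None when the claim checks out


def _norm(s: str) -> str:
    return " ".join(s.split())


def check_locations(report: str, tree: Dict[str, str]) -> List[Finding]:
    """Verify every path:line (and quoted line) the report cites."""
    out = []
    for path, line, quoted in CLAIM_RE.findall(report):
        ref = f"{path}:{line}"
        src = tree.get(path)
        if src is None:
            out.append(Finding("location", ref, "file does not exist in the tree"))
            continue
        lines = src.splitlines()
        n = int(line)
        if not 1 <= n <= len(lines):
            out.append(Finding("location", ref, f"line out of range (file has {len(lines)} lines)"))
            continue
        actual = lines[n - 1]
        if quoted and _norm(quoted) != _norm(actual):
            out.append(Finding("location", ref, f"quoted text does not match actual line: {actual.strip()!r}"))
            continue
        out.append(Finding("location", ref, None))
    return out


def check_named_functions(report: str, tree: Dict[str, str]) -> List[Finding]:
    """A function blamed in prose must at least be called somewhere in the tree."""
    out = []
    for name in sorted(set(FUNC_RE.findall(report))):
        called = any(f"{name}(" in src for src in tree.values())
        out.append(Finding("function", f"{name}()",
                           None if called else "named as the bug but never called in the tree"))
    return out


def triage(report: str, tree: Dict[str, str]) -> dict:
    """Classify a report by whether its own citations hold up against the tree."""
    findings = check_locations(report, tree) + check_named_functions(report, tree)
    locations = [f for f in findings if f.kind == "location"]
    contradictions = [f for f in findings if f.problem]
    if not locations:
        verdict = "unverifiable: no file:line reference to check"
    elif contradictions:
        verdict = "inconsistent: ask for a reproducer before spending more time"
    else:
        verdict = "consistent: claims match the tree, worth a human look"
    return {"claims": len(findings), "contradictions": len(contradictions),
            "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    result = triage(REPORT, FAKE_TREE)
    for f in result["findings"]:
        print(f"{f.kind:8} {f.ref:20} {f.problem or 'ok'}")
    print(result["verdict"])
```

Run against the constructed report, three of its four claims contradict the tree (the quoted `strcpy` line is really a `memcpy`, `lib/network.c` does not exist, and `strcpy()` is never called), so it lands in the "inconsistent" bucket without anyone reading the generic exploit text. The check is deliberately dumb: it does not judge whether a bug exists, only whether the reporter's description of the code is the code, which is exactly the property the reports in the thread fail.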

This type of social moderation has existed for well over a decade, and FB had thousands of people hired for it. They were filtering liveleak-level or even worse content for years, with humans manually watching or flagging the content. So nothing new.
> hired

Do remember "we're" (hi, interjecting) talking about open source maintainers, we didn't all make curl or Facebook

My gut tells me that deciding the soundness of a vulnerability report is not in the same complexity class as deciding whether a video shows ISIS torture footage.
> but offer no real value

They could offer value, but just rarely, at least with the LLM/model/context they used.

> toll it takes to deal with these mind-numbing stupidities.

Could have a special area for submitting these where AI does the rejection letter and banning.

I think looking at one example is useful: https://hackerone.com/reports/2823554

What they did was:

1) Prompt LLM for a generic description of potential buffer overflows in strcopy() and a generic demonstration code for a buffer overflow. (With no connection to curl or even OpenSSL at all)

2) Present some stack traces and grep results that show usage of strcopy() in curl and OpenSSL.

3) Simply claim that the strcopy() usages from 2) somehow indicate a buffer overflow, with no additional evidence.

4) When called out, just pretend that the demonstrator code from 1) was the evidence, even though it's obvious that it's just a textbook example and doesn't call any code from curl.

It's not that they found some potentially dangerous code in curl and didn't go all the way to prove an overflow, which could have at least some value.

The entire thing is just bullshit made to look like a vulnerability report. There is nothing behind it at all.

Edit: Oh, cherry on top: The demonstrator doesn't even use strcopy() - nor any other kind of buffer overflow. It tries to construct some shellcode in a buffer, then gives up and literally calls execve("/bin/sh")...

> The problem is in strcpy in the src files of curl.. have you seen the exploit code ??????

The worst part is that once they are asked for clarifications by the poor maintainers, they go on offense and become aggressive. Like imagine the nerve of some people, to use LLMs to try to gaslight an actual expert that they made a mistake, and then act annoyed/angry when the expert asks normal questions

Yep.

My guess is that the aggression is part of the ruse. Trying to start drama/intimidating the other when your bluff is being called out is the oldest strategy...

(You could see a similar pattern in the xz backdoor scheme, where they were deliberately causing distress for the maintainer to lower their guard.)

Or maybe the guy here hoped that the reviewers would run the demo - blindly - and then somehow believe it was real? Because it prints some scary messages and then does open a shell. Even if that's the only thing it does...

>They could offer value, but just rarely, at least with the LLM/model/context they used.

Eating human excrement can also offer value in the form of undigested pieces of corn and other seeds. Are you interested?

Funnily enough, fecal transplants (Fecal Microbiota Transplants, FMT) are a thing, used to help treat a range of diseases. It’s even being investigated to help treat depression.

So…

Oh, certainly. I know that if I was the test subject, no matter what else happened it wouldn't be the worst thing done to me that day :)
I'm sure it does. But would you like one every other week, like the LLM slop?
Honestly, regarding the whole "LLM slop" thing, I don’t care. I get why others do, but I just don’t.

I don’t care how that sausage is made. Heck, sometimes gen AI even allows people who otherwise wouldn’t have had the time or skills to come up with funny things.

What annoys me is all the spam SEO-gamed websites with low information density drowning the answer I’m actually looking for in pages of empty sentences.

When they haven’t just gamed their way to the top of search results without actually containing any answer.

And that didn’t need LLMs to exist. Just greed and actors with interests unaligned with mine. Such as Google’s former head of ads, apparently. [0][1]

[0]: https://www.wheresyoured.at/the-men-who-killed-google/

[1]: https://www.wheresyoured.at/requiem-for-raghavan/

> They could offer value, but just rarely, at least with the LLM/model/context they used.

Still a net negative overall, given that you have to spend a lot of effort separating the wheat from the chaff.

> Could have a special area for submitting these where AI does the rejection letter and banning.

So we'll just have one AI talking to another AI with an indeterminate outcome and nobody learns anything of value. Truly we live in the future!

It can be better. On slop detection, shadowban the offender and have it discuss with two AI "maintainers", and after 30 messages go and reveal the ruse. Then ban.