It’s starting to feel like we may need to go back to the model where you need to be invited to be able to submit code or PRs. The barrier is just too low now for popular projects.
It’s not just popular projects. On a small utility I have I received a PR that was more lines than the project had. I’m happy to be a good maintainer, but reviewing something that’s effectively an AI rewrite isn’t something I care to review and since I can’t vet it, can’t blindly accept it.
Logistically & brand-wise, they're messy to deal with, but they result in a "filter" of sorts that the original project can pick & choose to upstream back into their code.
No one's going to be trusting forks or new projects for a while. The bar for merely generating new code is now too low to give a meaningful signal. Reputation and longevity will likely be useful metrics, hence the AI pull-requests will continue to be opened against high-reputation projects that have strong brands. Not unlike Ethereum's switch from proof of work to proof of stake.
Perhaps something where you can build a graph of who invited whom so you could prune entire sections that act maliciously. One might even consider it to be a web of connections which are built on (or torn down by the loss of) trust.
Sounds futuristic. Maybe it's an NFT on an agentic blockchain for deep-sea solar farm mining?
Because it's by far the dominant strategy for distributed trust-ranking systems out there, with decades of research around it. Might as well look at the forest when realizing that it'd be nice if trees existed.
And I don't think anyone actually trusts any major actor to verify anything, so a fully centralized system is likely out. Otherwise people would be hype about WorldCoin, instead of recognizing it for the stupendously malicious grift that it is.