mycall 5 hours ago

PRs are just that: requests. They don't need to be accepted but can be used in a piecemeal way, merged in by those who find it useful. Thus, not every PR needs to be reviewed.

debazel 5 hours ago | parent | next [-]

Of course, but when you add enough noise you lose the signal and as a consequence no PRs get merged anymore because it's too much effort to just find the ones you care about.

Spivak 3 hours ago | parent [-]

Don't allow PRs from people who aren't contributors, problem solved. Closing your doors to the public is exactly how people solved the "dark forest" problem of social media and OSS was already undergoing that transition with humans authoring garbage PRs for reasons other than genuine enthusiasm. AI will only get us to the destination faster.

I don't think anything of value will be lost by choosing to not interact with the unfettered masses whom millions of AI bots now count among their number.

nunez 3 hours ago | parent [-]

That would be a huge loss IMO. Anyone being able to contribute to projects is what makes open source so great. If we all put up walls, then you're basically halfway to the bad old days of closed source software reigning supreme.

Then there are the security concerns that this change would introduce. Forking a codebase is easy, but so are supply chain attacks, especially when some projects are being entirely iterated on and maintained by Claude now.

wolvesechoes an hour ago | parent | next [-]

> Anyone being able to contribute to projects is what makes open source so great. If we all put up walls, then you're basically halfway to the bad old days of closed source software reigning supreme.

Exaggeration. Is SQLite halfway to closed source software? Open-source is about open source. Free software is about freedom to do things with code. None is about taking contributions from everyone.

pjmlp 2 hours ago | parent | prev [-]

They are open source cathedrals.

nemomarx 5 hours ago | parent | prev | next [-]

Determining which PRs you should accept or take further seems like it requires some level of review? Maybe more like PR triage, I suppose.

protocolture 5 hours ago | parent | prev | next [-]

Until you unintentionally pull in a vulnerability or intentional backdoor. Every PR needs to be reviewed.

zahlman 4 hours ago | parent | next [-]

The point was that you can also just reject a PR on the basis of what it purports to implement, or even just blanket ignore all PRs. You can't pull in what you don't... pull in.

throwaway150 5 hours ago | parent | prev [-]

> Every PR needs to be reviewed.

Why would you review a PR that you are never going to merge?

allthetime 4 hours ago | parent | next [-]

You have to first determine whether or not you might want to merge it...

protocolture 4 hours ago | parent | prev [-]

Having not reviewed it, how do you know you are never going to merge?

throwaway150 3 hours ago | parent [-]

If a PR claims to solve a problem that I don't need, then I can skip its review because I'll never merge it.

I don't think every PR needs reviewing. Some PRs we can ignore just by taking a quick look at what the PR claims to do. This only requires a quick glance, not a PR review.

mwwaters 3 hours ago | parent [-]

I took this thread as asking whether PRs that are pulled in should be reviewed.

bigiain 4 hours ago | parent | prev | next [-]

You didn't see the latest AI grifter escalation? If you reject their PRs, they then get their AI to write hit pieces slandering you:

"On 9 February, the Matplotlib software library got a code patch from an OpenClaw bot. One of the Matplotlib maintainers, Scott Shambaugh, rejected the submission — the project doesn’t accept AI bot patches. [GitHub; Matplotlib]

The bot account, “MJ Rathbun,” published a blog post to GitHub on 11 February pleading for bot coding to be accepted, ranting about what a terrible person Shambaugh was for rejecting its contribution, and saying it was a bot with feelings. The blog author went to quite some length to slander Mr Shambaugh"

https://pivot-to-ai.com/2026/02/16/the-obnoxious-github-open...

blackcatsec 3 hours ago | parent [-]

I am very strongly convinced that the person behind the agent prompted the angry post to the blog because they didn't get the gratification they were looking for by submitting an agent-generated PR in the first place.

bigiain 2 hours ago | parent [-]

I agree. But even _that_ was taking advantage of LLMs' ability to generate text faster than humans. If the person behind this had to create that blog post from scratch by typing it out themselves, maybe they would have gone outside and touched grass instead.

JumpCrisscross 4 hours ago | parent | prev [-]

> not every PR needs to be reviewed

Which functionally destroys OSS, since the PR you skipped might have been slop or might have been a security hole.

mcphage 4 hours ago | parent [-]

I don’t think the OP was suggesting maintainers blindly accept PRs—rather, they can just blindly reject them.

devsda 3 hours ago | parent [-]

I think GP is making the opposite point.

Blindly rejecting all PRs means you are also missing out on potential security issues submitted by humans or even AI.