hckrnws

I've been helping a bit with OWASP documentation lately and there's been a surge of Indian students eagerly opening nonsensical issues and PRs and all of the communication and code is clearly 100% LLMs. They'll even talk back and forth with each other. It's a huge headache for the maintainers.

I suggested following what Ghostty does where everything starts as discussions - only maintainers create issues, and PRs can only come from issues. It seems like this would deter these sorts of lazy efforts.

> Indian students

Is this cultural? I ran a small business some years ago (later failed) and was paying for contract work to various people. At the I perceived the pattern that Indian contractors would never ever ask for clarifications, would never say they didn't know something, would never say they didn't understand something, etc. Instead they just ran with whatever they happened to have in their mind, until I called them out. And if they did something poorly and I didn't call them out they'd never do back as far as I can tell and wonder "did I get it right? Could I have done better?". I don't get this attitude - at my day job I sometimes "run with it" but I periodically check with my manager to make sure "hey this is what you wanted right?". There's little downside to this.

Your comment reminded me of my experience, in the sense that they're both a sort of "fake it till you make it".

Indian here (~15+ years in tech). I've seen this behavior a lot, and unfortunately, I did some of this myself earlier in my career.

Based on my own experience, here are a few reasons (could be a lot more):

1. Unlike most developed countries, in India (and many other develping countries), people in authority are expected to be respected unconditinally(almost). Questioning a manager, teacher, or senior is often seen as disrespect or incompetence. So, instead of asking for clarification, many people just "do something" and hope it is acceptable. You can think of this as a lighter version of Japanese office culture, but not limited to office... it's kind of everywhere in society.

2. Our education system mainly rewards results, not how good or well-thought-out the results are. Sure, better answers get more marks, but the gap between "okay" and "excellent" is usually not emphasized much. This comes from scale problems (huge number of students), very low median income (~$2400/year), and poorly trained teachers, especially outside big cities. Many teachers themselves memorize answers and expect matching output from students. This is slowly improving, but the damage is already there.

3. Pay in India is still severely (serioualy low, with 12-14+ hour work days, even more than 996 culture of China) low for most people, and the job market is extremely competitive. For many students and juniors, having a long list of "projects", PRs, or known names on their resume most often the only way to stand out. Quantity often wins over quality. With LLMs, this problem just got amplified.

Advice: If you want better results from Indian engineers(or designers or anyone else really), especially juniors (speaking as of now, things might change in near future), try to reduce the "authority" gap early on. Make it clear you are approachable and that asking questions is expected. For the first few weeks, work closely with them in the style you want them to follow.. they usually adapt very fast once they feel safe to do so.

> 1. Unlike most developed countries, in India (and many other develping countries), people in authority are expected to be respected unconditinally(almost). Questioning a manager, teacher, or senior is often seen as disrespect or incompetence. So, instead of asking for clarification, many people just "do something" and hope it is acceptable. You can think of this as a lighter version of Japanese office culture, but not limited to office... it's kind of everywhere in society.

Way back, when I first started working with Indian offshore teams, the contracting company at the time had a kind of intercultural training that addressed that issue.

> Advice: If you want better results from Indian engineers(or designers or anyone else really), especially juniors (speaking as of now, things might change in near future), try to reduce the "authority" gap early on. Make it clear you are approachable and that asking questions is expected. For the first few weeks, work closely with them in the style you want them to follow.. they usually adapt very fast once they feel safe to do so.

That's exactly the advice they gave. They advised was to try to make your relationships and interactions as peer-like as possible. The more "authority" is present in the relationship, the more communication breaks down in the way you describe.

To what degree did this change the results?

I've seen an interesting behavior in India. If I ask someone on the street for directions, they will always give me an answer, even if they don't know. If they don't know, they'll make something up.

This was strange. I asked a lot of Indian people about it and they said that it has to do with "saving face". Saying "I don't know" is a disgraceful thing. So if someone does not know the answer, they make something up instead.

Have you seen this?

This behavior appears in software projects as well. It's difficult to work like this.

No, but I have noticed that somehow it's hard for them to say "no". This is impolite apparently. So you ask: "Can you do this before friday" and they say yes and then don't do it at all. Which of course is a lot less polite and causes a lot of friction.

However this was a thing 10-15 years ago. Lately I've not seen that.

> Which of course is a lot less polite and causes a lot of friction.

Most cultures have this, but it goes mostly unnoticed from the inside because one can read between the lines. "How are you?" can be asked just to be polite, and can cause friction when answered truthfully (rather than the politely, as the cultural dance requires). An Eastern European may not appreciate the insincerity of such a question.

Great example.

I work in a radiology practice and greet patients regularly.

99% of them say the are good/great etc.

It’s quite a striking response when they are limping, bandaged and on crutches.

That’s not really an example of cultural lying- that’s an example of a fixed answer to a fixed question.

When somebody sneezes and you say “bless you” you’re not expressing your belief in god, and you’re not lying about one either.

No, most cultures don’t have this, unless you measure by biomass.

Some cultures are better than others, where “better” might mean better at doing stuff (no comment on morally/socially)

similarly, in the west, when your boss takes you to HR for an honest and open discussion, it's not really an honest and open discussion. normies know this instinctively. I didn't.

My experience is the same, to put it charitable a lot of people from that culture are often eager to please. I think about this a lot when I hear about billionaires like Elon Musk wanting more immigration from India specifically. I think this cultural trait often serves them well in western corporate contexts, despite the frustration it causes their coworkers.

Every time I hear any Indian trope, I find it interesting that it's only people in online forum who experience it.

Somehow none of my non/Indian colleagues over the course of more than a decade have faced these ridiculous situations. They must be unlucky.

Many wouldn't be comfortable discussing this with coworkers.

This reminds me of the time when I got lost when visiting LA about 20 year ago. Asked some guy on the street for help. He gave me directions as he was smirking at me. Turns out he pointed me in the opposite direction from where I was going to and most likely he was just being a dick.

> I've seen an interesting behavior in India. If I ask someone on the street for directions, they will always give me an answer, even if they don't know. If they don't know, they'll make something up.

Isn’t this the precise failure pattern that everybody shits on LLMs for?

Yes.

Hence proved

AGI = A Guy/Gal in India

Ah so that's what Anthropic's Amodei meant when saying AGI was attained - they actually reached that guy/gal.

Perhaps they meant detained.

Who do you think RLHFs these models?

Almost like…technology embeds the latent behaviors of the data that produced it!

Imagine that

Someone should really write a paper on that (hint: it’s the entire basis of information theory)

> This was strange. I asked a lot of Indian people about it and they said that it has to do with "saving face". Saying "I don't know" is a disgraceful thing.

I've recently learned that this particular type of "saving face" has a name: "izzat". Look that up if you want to know more.

First I've heard of izzat...

I'm not sure how to write that better, but the way you worded that made me suspect it was NSFW and I hesitated, but eventually decided I'd risk it. At least everything I found was work safe, and I learned a lot. I encourage everyone else who hasn't heard the word to look it up.

A lot of the stuff written on "izzat" is questionable or wrong, but it is true that India has a collective concept of saving face. This can be an adjustment even if you're used to the East Asian concept of saving face.

sounds like an LLM :)

AI ~ Actual Indians in more ways than one.

Lots of the material the LLMs are trained on is Reddit spam written by indians.

It's a weird circle.

I moderate an airline subreddit, and it's interesting that many of the lazy or entitled-sounding questions (e.g. "can I get compensation for this?") come from people flying to/from Indian cities.

Honestly that's just the massive population talking. There really isn't a "Hindi web" for India unlike for the Chinese, so we all come to roost in the WWW. Hence you'll get bad questions like these but you'll also get YouTube videos on obscure engineering and science topics, which I think is a fair deal.

The Chinese web is on similar lines, although there is a lot more country bashing, especially against Indians and Americans. But nevertheless just the same.

At least none of these come nowhere near to the brainrot that is the Arabic web.

I got this so often in every part of the United States that some decades ago I just stopped asking anyone for directions.

Strange. Never had it happen regularly in the US.

I've never once experienced this nor literally ever heard anyone say someone gave them made-up directions in the US.

The only time I've ever experienced made-up directions were trying to get out of the souk in Marrakech.

> I've never once experienced this nor literally ever heard anyone say someone gave them made-up directions in the US.

Wouldn’t know. After the first two instructions I can never remember what came next.

I was unclear. I’m pretty sure the wrong directions I routinely got in the US (I was born and raised in NYC) were not made up, just wrong.

> 1. You can think of this as a lighter version of Japanese office culture, but not limited to office... it's kind of everywhere in society.

Having worked in Japan, while there is a strong respect for authority, there's also much less hesitation about asking for clarification. I worked with an Indian offshore team and in a Japanese company and, while there's a lot to dislike in Japanese office culture, this kind of pattern of behaviour doesn't happen.

2 & 3 do make sense though.

I've had mixed result with your advice at the end. I'd say that it worked for about 30% of the offshore engineers I've worked with and indeed I had more success with juniors than with more senior developers.

> Pay in India is still severely (seriously low, with 12-14+ hour workdays, even more than the 996 culture of China) low for most people.

My employer outsources some work to Indian contractors. I know how much we are paying the contracting firm, which is low. Knowing the firm takes a cut before the contractors are paid, I feel terrible for how little they are compensated. I frequently wonder if we’d get better output if we paid more.

Avoid middlemen in India.. sorry for the word, but they are the biggest leechers. We hate them too here.

India is filled with small one-room service-based companies(the middlemens') that hire interns, for ZERO pay, make them work 12-14 hour days under extremely "humiliating" conditions and then when it comes to giving them internship completion certificate, they demand huge sums of money just to release them... think about it.

As for how you are gonna do without the middlemen, I dont have the anwer yet... ideas are welcome.

The good engineers in india know their value and get it. My company has offices in india because you have to manage them yourself not use middlemen. You can train the locals to be great managers (at least some).

wages for good people in india are worse similar people in the us, but often high than in europe. But there are other problems with europe and so it can be the better deal.

Responding to you in this thread, because this is the way: the only success I've seen to offshoing to india, is to actually run the office yourself, have an exec over there, manage and control hiring, pay above market rates, etc...

I've been with two companies that have been aquired, and the first thing the PE/New Companies do is aggressive offshoring for cutting costs.

1) worked, because the aquiring company had an established office in Hyderabad, and we flew the tech leads over to the US to spend six weeks embeddeed with the team, etc.

2) the second one failed miserably becasue we had an Exec VP who told our engineers that he was replacing them in India for half the price, and his strategy was to hire a contracting company.... after several months of "contractors" coming and going, someone else in the company realized what needed to happen....

Could you expand on the other problems with Europe other than hiring and firing laws?

Senior/staff type engineers are not a union position so great people refuse promotions and responsibility because they don't want to leave the union. Thus they won't mentor juniors, and other things that you need great engineers for. (At least that is how the union people I work with in Europe are, there are other unions with different rules)

There is probably more.

Which country is that in? Can you not offer them better conditions than the union? Are they forced to leave the union or just no longer required to be in it?

What union ? In which country ?

Don't apologize for saying "leech", man. That's part of the problem.

I worked for a company that created an Indian subsidiary to cut out the middlemen. The results were the same.

Yes, you would (speaking from experience)

> Make it clear you are approachable and that asking questions is expected. For the first few weeks, work closely with them in the style you want them to follow.. they usually adapt very fast once they feel safe to do so.

Very true. I’ve hired (super cheap) engineering talent and this is the key to getting a project to run the way a westerner expects; where everyone is constantly open to challenging each other, where everyone can bring ideas to the table, and where there’s no such thing as a stupid question. I’ve done this during a big phase of time others locally shunning this huge talent pool as the results were crappy/unpredictable. Even to the point they’ll hire local for 100x the cost. It’s just a management problem though and a pretty simple one at that. The other thing is if you train them in your style, keep using them on the next project if you can. It compounds if you have the ability to work with them over a longer time. You have to be very insistent that you’re not proposing the best solution at expect them as engineers to point out any opportunities for improvement. If something later has to be rebuilt or isn’t working well, sometimes it’s good (if it makes sense, case by case) to do a post mortem and understand why the version 2 wasn’t built during the version 1. I think that helps them really understand it in a concrete way if they’re struggling with it.

In any case, I’d much rather take a budget for 1 local dev and spend it on a whole team of Indians and take on the management burden if it means retaining more equity or profits or building something I otherwise wouldn’t do myself due to scale.

Particular topic (1) is also trained in cross cultural trainings.

Another topic is: do not expect a remote dev to pickup ambient knowledge, particular if they are juniors with no life experience. And since outsourcing to India is trying to get the resources for the lowest possible price, the result is: you get them as junior / fake senior / bad senior as you think. Pay better in India, get better people.

How do you stop the better people from moving out of India (and/or to another firm) once they have your work exp on their resume?

With higher salaries (is happening) and better quality of life (I do not know, do not life there). Within company obviously quality of the culture matters there.

However considering how things are worldwide right now, I think that trend stops soonish.

As a gent with some years under his belt, I have to humbly admit that it was quite late in my career before I realized how much culture influences how people operate. Two separate incidents with two different cultural contexts brought it to the fore about ten years ago. I sought some advice from a senior exec that I was close with and he just laid it out in very unflinching way. It was just one conversation but it has helped me tremendously in the years since.

Any chance you could expand that story?

> 996 culture.

I hadn’t heard of this, thanks.

Working 9am to 9pm, 6 days a week.

https://en.wikipedia.org/wiki/996_working_hour_system

This is extremely valuable insight for me, a non-Indian manager.

Thanks a lot!

Glad it was of help :)

This is one reason, the other is just fraud. Being from a developing country, I am well aware of the stigma of saying I don't know, which I had to strip out of me as I became an engineer to the point of me being immediately suspicious when someone tells me they know about some moldy complex topic, even if it's in their profession.

The fraud part is that I developing countries, almost all activities that require some skill have lots of people claiming to be experts. 99% of them are lying. You take your car to a shop and they tell you they will solve your problem. With skepticism, (because they asked no clarifying questions) you try to give them some context and they tell you not to worry.

1 day later they tell you parts X, Y and Z need to be replaced, it will just cost $$$. You ask if there is no way the current parts can just be repaired, and they tell you no, they must be replaced.

You ask what was the actual issue, and they tell you the parts are completely damaged, or worn out, need to replace.

Sure, you pay, and they give you the car, works for a few days, maybe week, then breaks down. You plug in a portable OBD scanner and it tells you the exact component they just put in is failing (likely not even compatible with the car).

You give them back the car, tell them since you paid $$$, you will only take the car back once it works perfectly, and you won't pay a cent more.

They then spend the next few days looking for an actual expert, that comes in and repairs the original parts, for $, and they take the "new" ones back to the store and give you your money back.

They don't know anything about cars, they experiment on yours, with your money, by swapping parts. This was easier when cars were less strict with parts.

This is fraud, not face saving, and it's in every developing country.

Alternatively you could hire people from cultures where this crap doesn’t fly.

Since we are talking about LLMs, what I've noticed about the Indian/Pakistani "LLM" is they follow this way of structuring thoughts:

1. They

2. Always

3. List

4. Things

... and end up with a conclusion/punchline/takeaway.

I always wanted to ask, is that due to training?

I could imagine all schools around there have a specific style, like all their assignments need to follow this general form, and then they just get used to it and it permeates to their everyday life.

Well, imagine that you noticed 3 things instead of only one.

1. The first thing

2. The second thing

3. The last thing

Makes perfect sense in that case.

It's due to training. After almost 10 years in a FAANG I also tend to write like that.

I bet you haven't seriously communicated with others in a language that is not native to you. You'll probably end up doing similar things if you have to.

I am doing that right now.

That's how all LLMs structure content, not just Indian/Pakistani LLMs.

This sounds like a real cross-cultural mismatch, but it’s doing too much work with nationality alone. In a lot of Indian (and broader South Asian) work contexts, questioning instructions can be read as challenging authority or admitting incompetence, so people default to executing without asking. That’s often reinforced by education systems and contractor dynamics where producing something quickly feels safer than pausing to clarify.

Add in time zones, language friction, and fear of losing work, and "just run with it" becomes a rational strategy. Meanwhile, many Western workplaces treat clarification and check-ins as professionalism, so the behavior reads as strange or careless.

The key point is that this usually isn’t lack of curiosity or reflection, but risk management under different norms. The pattern often disappears once expectations are explicit: ask questions, check back, iteration is expected.

Yeah, I agree, the time zones are killer, and this can't be ignored. I work at a company spread over most of the world, with SMEs coming and going as the globe spins.

Back-and-forth iteration and consultation is a genuinely hard problem. Certain kinds of feedback cycles have a minimum latency of "overnight". Which means we need to invest heavily in good communication.

But also, it means more people need to have the "big picture", and they need to be able to make good decisions (not just arbitrary ones). So the ideal goal is to prevent people from going off in random nonsensical directions based on miscommunication, and equip them to actually think strategically about the overall plan. Continent X might make different decisions than continent Y, but they're all talking, and enough people see the goal.

A lot of the international teams I've seen pull this off are ones where an Eastern European or Indian team is just another permanent part of the company, with broad-based professional expertise. Contractors on any continent are a whole different story.

So I think what a lot of people try to blame on Indian management culture (or whatever) really is just a case of "we hired contractors in a different time zone." I mean, there are always cultural issues—Linus Torvalds came from a famously direct management culture, and many US managers tend to present criticism as a not-so-subtle "hint" in between two compliments—but professionals of intelligence and goodwill will figure all that out eventually.

> But also, it means more people need to have the "big picture", and they need to be able to make good decisions (not just arbitrary ones). So the ideal goal is to prevent people from going off in random nonsensical directions based on miscommunication, and equip them to actually think strategically about the overall plan. Continent X might make different decisions than continent Y, but they're all talking, and enough people see the goal.

Very common pattern you see in literature about military strategy, actually. The answer is delegation, heavy use of NCOs, and in general explaining the plan all the way down to the individual soldier. Under the western school it all falls under "initiative".

Notably, a lot of non-western militaries are terrible at it, and a number of military failings in africa, the middle east, and the soviet union (*cough*russia*cough*) are viewed as failures in flexibility with very low initiative, as well as lacking/unskilled NCO corps.

Dunno how you apply that to an organization, but maybe sending skilled workers as a kind of non-comissioned officer could work. Who knows.

> Dunno how you apply that to an organization, but maybe sending skilled workers as a kind of non-comissioned officer could work. Who knows.

The most successful engagements I've had with contracting firms have been when we've shelled out for a team manager and a software architect (in addition to the number of straight developers we want).

The software architect builds a solid understanding of our solution space, and from then on helps translate requirements into terms their engineers are familiar with, and provides code reviews to ensure their contributions are in line with the project goals. The team manager knows how to handle the day-to-day reporting, making sure everyone is on task, escalates blockers over the fence to our engineers and managment, etc.

Without those two roles from the contracting firm's side, I find that timezones and cultural mismatches (engineering culture, that is) pretty much erase the impact of the additional engineering headcount when adding contractors.

Army manual FM 22-100 is a very good read on this topic. The impact of giving NCOs both freedom amd guardrails is immense.

link here (ironically, on a blog that critiques it)

https://armyoe.com/army-leadership-doctrinal-manuals/

Explaining the plan to the individual soldier also works better when the individual soldier is expected to care at all about the overall goal. (Such as believing in the mission of defending the home country.) When the soldier only has extrinsic motivation such as money, top-down command and control and treating soldiers solely as equipment to be spent makes more "sense", in a terrible way.

Maybe that applies to software orgs too, somehow.

IT also only works if the soldier is well trained in the things he can do. I can teach you to shoot a machine gun in a couple hours - and half of that time will be figuring out how to shoot and clean it myself (I've used hunting rifles and have enough mechanical knowledge that I think I can figure out the rest - but someone who knows that gun can likely find something I would not figure out). That will be enough for "spray and pray" which is a large part of what a machine gun is used for.

However in a real war you need to figure out what direction to point the gun, and need to know when to fire and when to not. I don't know how the army handles "we are advancing now so don't shoot", or "we are crawling along the ground so make sure you shoot high": someone else needs to give anyone I train those orders. The army trains their machine gun operators better so they can figure a lot of that out without being told.

> Contractors on any continent are a whole different story.

Having spent the last ~7 years working for different startups before pivoting, my advice to any founder is this: do not hire overseas consultants. They're good, competent people, but you and your company do not have the tools or the culture to actualize them.

> the time zones are killer, and this can't be ignored

100% agree, especially when there is minimal overlap during normal office hours. I was managing a dev team in India from the US and it was a real challenge. The company ended up moving team to the US, relocating most of my team. Despite all the people being the same, management became much easier.

Since then I've done US and EU, and EU and IN, and those have all worked fine because we had sufficient overlap during business hours.

If you needed 8 hour overlap you were micromanaging?

Was that because of the above cultural differences?

He didn't need 8 hours, but zero didn't work. The us and india are about 12 hours apart (there are 4 times zones in the us, day light savings time, and india is offset half an hour, but it rounds out to 12 hours for discussion)

> If you needed 8 hour overlap you were micromanaging?

...ok. I didn't need 8 hours of overlap.

As I mentioned in my first comment, I've also now done US/EU and EU/IN. Both of which have only partial overlap and things have gone well.

With US West Coast and India, I was often doing meetings at 7AM and my devs were doing meetings at 9 or 10PM. That was challenging, irrespective of any cultural differences.

> questioning instructions can be read as challenging authority or admitting incompetence, so people default to executing without asking

That’s ego, assuming doing is the value, not doing RIGHT.

Doing alone has almost zero value.

It’s how not to get fired, ostracized, etc. I don’t understand how you read that as ego.

Way to be culturally blind.

> That’s ego, assuming doing is the value, not doing RIGHT.

No. That's lack of labor protection laws and the effect that this causes on how companies are run.

[flagged]

To add to that, it is culturally acceptable and even lauded in India to achieve something by "gaming the system", something usually considered unethical in the west (okay maybe less so in the US).

I would be ashamed to submit an AI slop PR or vulnerability report.

An indian might just say "I have 25 merged PRs in open source projects"

Term for this is "chalaki"

It is cultural - the whole "not losing face" thing. In a project, I once was squad lead - I was onsite, my squad members were in Bangalore of course. Same experience as you. Once I wanted to talk about a piece of code that we need to improve and refactor, and I was acting in good faith calling the dev that commited that code. When I braught up the code on my screen to start a pair programming, he immediately denied having written the code. Unfortunately for him, being a junior, he did not know about git blame - I entered it in the terminal and his name showed up on that code. Still, he would simply just deny that he wrote it. I then took the git commit hash and looked it up in gitlab, able to bring up the MR he created and the reviewer (wasn't me). Even with that on screen, he still denied being the author - with no arguments or alternative reasoning, he just constantly would repeat "No, I haven't written that". "No no, but I haven't written it". I pulled even the JIRA ticket up, that was about that feature and guess what - he was the assigne and moved it to "In Progress" and "Done". Still with that on screen all I got was a "no, haven't written it".

I had more of those interactions, and we also exchanged some of the indian devs (they were sold to the client by a big consulting group, and immediately replaced by someone else if we wished). I later found out, people that I have had replaced in my sqaud for not being qualified, ended up in different teams in the same corporation, they were basically just moving around inhouse.

After a few month in the project I swore to myself never to work with offshores again. And as a side note, the bank I did the project with, does not exist anymore :)

Denial in the face of incontrovertible evidence undermines trust to an extent incompatible with working in any serious organisation.

Pretty sure the right move as soon as he said "I didn't write that" was to just say. "It isn't important who wrote it, we all make mistakes, let's see together how we could have done better."

I don't know if it is, but I can swear every time I post a job opening (generally contracting work) on LinkedIn 95% of the applicants are Indians/Bangladesh/Pakistanis/Sri Lankans.

I ignore all of their resumes, not because I don't think there's valid individuals among them, I did hire them in the past, but:

1. because the signal to noise ratio is absurd. The overwhelming majority didn't even read the actual post.

2. Even when they are okay developers, communication is always a huge issue. Sync communication in call is though because urdu and other indian area accents are extremely heavy so I really struggle understanding their english, my bad but what can I do about it. If I try to keep it async or chat based then they tend to not ask feedback, clarifications, provide updates, etc. So you feel like you need to micro manage them half the time and they'd rather give you answers to make you immediately happy than surfacing problems.

3. Paying them is always an hassle. Wiring them money through bank accounts is difficult. They generally set up some Paypal or similar service or ask you to pay them on some Hong Kong account from a friend of theirs. I need traceable invoices and simple wires for tax purposes and when sending money to Pakistan multiple times anti-laundering got involved in my country, and we talking low hundreds of euros.

Still, props to the few good ones I've met, they've been critical on some projects of mine. Very professional and knowledgeable. But it's just too bad of a signal/noise ratio, seriously most applicants don't even read job descriptions.

That is a cultural thing, and one of the first things you learn to handle when working tightly together with Indians as an outsider.

I can't remember all the techniques but a simple trick is to ask them to repeat their understanding back to you before they start working on a thing.

But I don't think it's connected to sending "malicious" reports. That seems rather to be to pad their resume and online presence while studying to get an edge in hiring.

You know who also needs a lot of micro-management but doesn’t live in a time zone, is way faster than offshore contractors, scales up and down instantly, has no onboarding period and is (still) cheaper? Opus.

Ehh nothx. I like my slop human powered

Random interjection: if all roads lead to management, I guess I'd prefer a robot

My guess would be yes, it's cultural. I'm not Indian but spent about 5 months there. Overall my impression was that people act much more on direct feedback.

It would be typical to do the first thing that comes to mind, then see what happens. No negative feedback? Done, move on. Negative feedback? Try the next best thing that makes the negative feed back go away.

People will not wonder whether they might bother you. Just start talking. Maybe try to sell you something. That's often annoying. But also just be curious, or offer tea. You react annoyed and tell them to go away? They most likely will and not think anything bad of it. You engage them? They will continue. Most likely won't take "hints" or whatever subtle non-verbal communication a Westerner uses.

I found it quite exhausting in the beginning, it feels like constantly having to defend myself when I want to be left alone. But after I started understanding this mode and becoming more firm in my boundaries, I started to find it quite nice for everyday interactions. Much less guessing involved, just be direct.

Professionally I haven't worked much with Indians, but my expectation would be that it's necessary to be more active in ensuring that things are in track. Ask them to reflect back to you what the stated goal is. Ask them for what you think are obvious implications from the stated goal to ensure they're not just repeating the words. Check work in progress more often.

Of course it’s cultural, they have to compete with thousands people just like them in environment where human life is cheap and anyone is replaceable. Any authority have huge weight, which comes from historical system how society is separated. And then any education they receive assumes cheating at exams, then cheat with CV, then cheat with work they do. It’s all about appearances.

Maybe. I have hated crowds all my life. I can always see filth in people. I have helped people cheating at interviews. I want to vomit everytime somebody asks me to make a CV. Vomit in the sense I genuinely hate overselling myself but if I don't, I just don't. And what I'm open if you want to ask any question about me?

I had the same exact experience with an Indian contractor. I requested that he used git instead of Shopify CLI for his changes to a store's theme. He acknowledged my request but kept using the CLI. I once again asked him to use git and even offered a detailed, step-by-step guide on how to pull, branch and then push changes. He absolutely ignored everything and simply kept using the CLI. That was actually amazing to witness. The only hypothesis I have is that it's some kind of cultural thing where asking for help is worse than doing the opposite of what's expected from you. I don't know, but your story supports my hypothesis.

> Is this cultural?

https://burakpsych.weebly.com/uploads/5/6/0/6/56066915/ethni...

https://en.wikipedia.org/wiki/Power_distance

https://en.wikipedia.org/wiki/Hofstede%27s_cultural_dimensio...

From a half-Indian friend of mine, he described this as "ask vs guess" culture. https://medium.com/redhill-review/navigating-ask-and-guess-c...

Ask culture scales a lot better in a fast changing world full of strangers. Guess culture saves friction, but only in situations where people are mostly guessing correctly because the social structure and expectations are fixed.

Thank you for sharing the article! Now I'm puzzled this about myself - what I am...

How much are the contractors being paid?

The people having a terrible time with Indian contractors always deal with folks making 3k-10k USD/year. Of course the quality is bad.

For reference:

Good Indian devs out of college make atleast 30k USD. Good senior devs make atleast 50k. The really good ones make much more. Most American companies outsource to bottom of the barrel contracting companies like Infosys.

> Good Indian devs out of college make atleast 30k USD. Good senior devs make atleast 50k.

1. How can you be a good dev if you've never developed professionally in your life?

2. I know Indian numbers and this is complete bs. Like complete.

Maybe there are extremely rare exceptions to it, but this is like claiming that good US devs out of college make 350k. That's beyond rare, may happen, but it's beyond rare.

Culture and what companies want there. I was running a operational team with a couple of incredibly talented guys who had been escalation engineers for large software companies in India.

They were trained really hard to "restore" things in a way that hit some minimal level of the SLA, but not really. It created alot of issues initially in the organization as the "don't question anything" had really been ingrained into them. My observation there is that it made many of the useless support engagements I've experienced make sense, and that a place with that level of discipline and process must be pretty awful.

This is called "saving face"[0] and it's very common in some Asian cultures. Western societies prefer directness, and eastern ones prefer harmony.

0: https://en.wikipedia.org/wiki/Face_(sociological_concept)

It's quite strange though when you consider the fastest way to get egg on your face is to do something badly because you didn't understand and just made it up instead of looking it up

That is western culture. Somehow it doesn't apply to India. I don't get it, but I've seen it.

I wish every indian developer to spend 6 months working with dutch people.

That would be interesting.

I used to work with colleagues from China in contracting and I had the same experience with them. If they don't know something they have hard time saying that they don't know something or don't understand something.

Ficticious Example could be

Q: is this car red? A: it's not green. Q: yeah I know it's not green. But is it red? A: today is Thursday.

One thing I leaned it's not worth pressing forward and causing a scene. Instead it's better to use other ways of finding the information.

When guiding team members I always found it useful to have them explain back to me in their own words what they're tasked to do. It become immediately obvious if they were on the right track or not.

> it's not worty pressing forward and causing a scene

Tell me more. Why?

Probably because they find it uncomfortable to be pressed and the net result is a less productive relationship.

Exactly this. You just put them on the spot and they lose face and you're embarrassing them. Besides this interaction has already made it know they they don't know the answer so what's the benefit of forcing them to announce they they don't know something?

Understood.

But is it productive to cooperate with someone who will never admit lack of information?

Because the tail should not be wagging the dog.

If they cannot take a step towards another culture, why should I?

I've only been in a peer to peer type of working relationships with people I'd consider coworkers so I wouldn't think it'd be very fruitful to start agitating people in such a position.

> Is this cultural?

In my experience, yes, but I hope that's just my personal experience over the past 20 years.

I ran into this when I went to India to help train our team over there.

I tried specifically asking questions where the correct answer was “no” and they wouldn’t tell me no. In some cases I told them I was expecting them to say “no” and they still wouldn’t do it.

It was very difficult to figure out what they knew or didn’t know without putting them through a test and seeing how they did.

> Is this cultural?

Absolutely. I've been traveling for the last 10 years and lived in 50+ countries. I believe that all cultures have unique pros and cons and that the cultural diversity of the world is an amazing thing. There are good and bad people everywhere, so I rarely leave a place with such a strong opinion as the multiple times I've been to India. I really wanted to love India because of their rich history and diversity, but I ended up leaving with a feeling that their culture is overwhelmingly objectively bad.

Indians gaming the system, discussed before the AI on Hacker News, about Hacktoberfest

https://news.ycombinator.com/item?id=24658052

> never ever ask for clarifications, would never say they didn't know something, would never say they didn't understand something

I experienced this same thing working with offshore Indian contractors 20 years ago. Interesting to hear someone else echo my observations.

I recently heard from a friend that this is due to something called "izzat". Admitting any sort of wrongdoing would reflect poorly on them and their family, to the point they would rather lie or do the wrong thing than damage their family's reputation.

What I don't understand about this is that, if you become "the guy that always does the wrong thing", doesn't that also damage your family's reputation? I don't mean to come off insulting here, just trying to understand.

I was contacted by a guy who said he found a vulnerability on my site. Something like phpinfo being available or something. I informed them that I was aware of it and it's not a vulnerability but did offer to give them a small Amazon gift code if they wanted.

This might be part of the motivation. What's pocket change in the west might be good money in the 3rd world.

I believe it has to do with saving face.

I've worked with mixed nationality teams at a certain 4 letter austinite corporation a couple thousand moons ago. One thing in common with my Asian colleagues back then (many of which i still keep in touch with to this day), is that they would usually refrain from saying things that could rock the boat or disappoint you. If they lacked knowledge for the task at hand, they wouldn't let you know. If they were late on a delivery, they'd insist it would be ready by a certain date. This led to situations where other regional managers would have to plan contingencies to work around the issue.

Yes it's "fake till you make it" without the making part

selfishness, laziness, lack of self-awareness, lack of shame, etc are obviously universal traits. But cultures absolutely reinforce them to different degrees. Many cultures around the world are built around the sorts of behaviors we both described.

Whereas other cultures have at least some (if not a lot of) resistance to it - eg publicly ridiculing when people step flagrantly out of line. This is good. My impression is that British culture is like this - "taking the piss", or worse, out of people whose egos start to get too large

Edit: what about this comment could possibly be worth a downvote...? Not that I care about points, but it just seems to be an objective assessment of human nature and cultures, without even singling out any cultures that need improvement.

people who actually have a life generally don't spend time hanging around internet forums so it's important to consider that a disconnection from reality is involved in places like these , thru my eyes you have restated the idea of low trust vs high trust societies without building on top of the idea , which isnt downvote worthy but isnt upvote worthy either

I didn't expect up votes. I also wasn't about to write a treatise. And saying "low trust vs high trust societies" wouldn't be meaningful, nor would it actually be accurate. The issue here isn't trust - it's humility, integrity, conscientiousness, etc. Trust often comes along with such traits, but it's not the core issue.

[flagged]

What grammar and syntax was improper...?

You don't sound like a LLM :)

Your grammar and syntax is fine for the medium and audience. I did downvote that post, somewhat ironically because you edited it to ask about someone else’s downvote. But otherwise carry on.

This is hilarious and reminded me of the two stints I had in India, for about 8 months in total at the turn of the century. I was a hippy traveler and asking directions for almost anything was par for the course. I never had anyone local say they didn't know where something was once asked, even though me following their directions lead to the intended target maybe 10% of the time. It was funny and infuriating at the same time :)

they probably assumed you knew what you were asking for.

it's interesting how it parallels the issue with llms today, they are basically perverse instantiation genies. your wish is my command.

There are also a lot of Indian students (there are 1.4bn Indians). There are lots of IT jobs, therefore presumably lots of IT students, and unlike in China Internet access (e.g. to GitHub) is not restricted.

GitHub is a poor example of Chinese internet restrictions, since access to it is usually fine from China.

Indian students were the reason that Google's Hacktoberfest was critiziced and ultimately terminated

Indian students have a long history of disrupting free/libre projects, this is nothing new

Hacktoberfest was run by Digital Ocean. You might be mixing it up with Google's summer of code.

Possibly as a consequence of this, what I have observed working with Indians is a very hierarchical structure in which you have a "lead" or "architect" who spells out what to do and how to do it in minute details and micromanages, and "devs" who execute as instructed.

Askers vs Guessers: https://www.theatlantic.com/national/2010/05/askers-vs-guess...

It's desperational. The desperation of not having to lose any contract. The desperation of being just one bad year away from being on the streets and having to live a terrible life (no food security).

For students, often there is no pathway to actually become good due to lack of resources. So, the only way is to fake it into a job and then become good.

I think it's mostly not cultural but just bad engineers lying. IT jobs pays the best in India, and it attracts people who have no skills in IT to just fake their way in.

So for every good developer in India there are probably 20 bad ones who have no idea what they are doing.

I honestly think its a symptom of having almost no "career mobility". If it's impossible to get promoted / find better jobs, then being skilled doesn't go as far as brown-nosing.

People will only apply themselves if they think it will help them get to a better place.

Not exactly - there is career mobility in IT, but for many IT is seen as the only place they can get it people who shouldn't be in IT go there.

There also seems to be an expectation that after about 30 you move into management. This means people experienced in IT are not socially valued (they can be paid well if they are great).

I worked at a company where we had a untouchable manager who had some Brahman caste devs report to him and they absolutely HATED this.

Brahmin. Brahman both is you and reports to you, as it were.

https://en.wikipedia.org/wiki/Brahman

In the sense that it's racist, yes.

Facts are racist :(

I'd argue that the or at least one major reason for the downfall of Stackoverflow (and not just a catalyst) has been a surge of Indian IT people triggering an avalanche of extremely low quality questions and answers. I've been a big fan of SO since about 2010. Not just didn't mind the harsh moderation but actually attribute to it learning how to properly ask a question. But at some point round about 2019/2020 it stopped being fun due to it going from knowledge base to garbage dump.

>Indian students

Resume glorification and LinkedIn / GitHub profile attention do that.

I am seeing a lot of people coming up with perceived knowledge that's just LLM echo chambers. Code they contribute comes straight out of LLMs. This is generally fine as long as they know what it does. But when you ask them to make some changes, some are as lost as ever.

Torvalds was right, code maintenance is going to be a headache thanks to LLMs.

> Torvalds was right, code maintenance is going to be a headache thanks to LLMs.

I know someone in a senior engineering position at Epic who does nothing but clean up PR's from their off-shored Ukrainian sweat shop coders handing in AI slop because all they need to do is close a ticket to get paid. They wind up rewriting half or more of it. Epic doesn't seem to care so long as this "solution" works and saves them money by paying a few really smart people to code janitor until hopefully all of them can be replaced by LLMs.

>This is generally fine as long as they know what it does.

Thanks to their LLM reliance they'd soon not know what it does, and forget even the little they know about coding

At this point I won’t consider any GitHub activity after ~2024 as hiring signals unless it’s very substantial work on high profile projects that clearly have high bars.

Sadly that was already the case prior to LLMs.

We had a bootcamp in our city that had all students build a GitHub portfolio. They all built the same projects like a TODO app. Every person’s code would like almost identical because they all did them together and, I suspect, copied from past grads.

They all applied to the same local jobs, too. So we’d get a batch of their resumes with GitHub links, follow the GitHub links, and see basically the same codebase repeated everywhere.

I mean I never considered having GitHub projects as anything. If you have project(s) that seem useful and have let's say a hundred stars or more (rough signal assuming no foul play), I'll have a look. If you say you have meaningful contributions to projects with a thousand stars or more, I may have a look as well.

Now my bars are so massively higher, 99.95% of juniors who don't have pre-2024 work to show can forget about it.

> Resume glorification and LinkedIn / GitHub profile attention do that.

I wondered why people would video themselves going around slapping strangers in public then shouting "its just a prank bro" - turns out it works.

Regard to code maintenance:

I’m actually of the mind it will be easier IF you follow a few rules.

Code maintenance is already a hassle. The solution is to maintain the intent or the original requirements in the code or documentation. With LLMs, that means carrying through any prompts and to ensure there are tests generated which prove that the generated code matches the intent of the tests.

Yes, I get that a million monkeys on typewriters won’t write maintainable code. But the tool they are using makes it remarkably easy to do, if only they learn to use it.

I’m not sure why the downvotes. I think the poster is basically saying the same thing as this YouTube-er. I read “Million monkeys” as referring to LLMs.

https://youtu.be/DNN8cHqRIB8?si=s2VBjZXrP21yziXa

I've seen this - it's tiring even at low volume. Goes something like:

Someone creates a garbage issue. Someone else asks to be assigned. Someone from the project may say "we don't assign issues" (this step has zero effect over later steps). Someone else submits a PR. Maybe someone else will submit another PR. Maintainers then agonise how they can close issues and PR(s) without being rude or discouraging to genuine efforts.

You've been getting PRs? All I've ever seen is "can you assign this issue you me" spam and then disappear. I was nice to them for years but now I just delete the comment and block the users.

Yeah, the "can you assign the issue to me" is the most common. I don't even understand where it came from - does anyone ever actually formally assign issues to anyone?

But they absolutely also create PRs even if you say "don't create a PR. You don't know what you're talking about"

This is precisely what we've seen

Those maintainers should be using LLMs to crate their breakup letter with the Issue/PR submitters!

I contribute regularly to some major open source projects and it’s happening here too. So many issues that aren’t issues. Constant “fixing” of documentation that doesn’t need to be fixed. Bug reports that aren’t bugs, followed by a bad PR “fixing” the “bug.” Or YOLOing an LLM PR to change major behavior that users are relying on. And I click and the authors are always brand new, with only vibe coded or examples projects in their history, and have some truly awful LLM generated GitHub “about me” page complete with emojis and links to their GitHub “projects.”

My suspicion is somehow the perception became that if you’re brand new and land a PR in a major open source repo (even as simple as rewording a phrase in a doc that doesn’t need to be reworded), that would help them get a job (they’re always Open to Work on their GitHub about me page).

It’s so much noise that it’s hard to find the real issues.

Everything about this is exactly what is happening in OWASP repos.

I pick the "block" option on the junk issue, and tick the "Send a user notification and show activity in timeline". The text says "A public timeline entry will show that this user was blocked" which I hope discourages them from wasting our time.

Heh, reminds me of that free T-shirt contest thing... Submit crap PRs to random FOSS projects for a chance of winning a shirt, what could go wrong?

https://ongchinhwee.me/shitoberfest-ruin-hacktoberfest/

worked well for a bit. but then the program became popular and that’s when it hit the curb. terrible loss, imo. it was a brilliant idea to encourage open source work with a token reward. it relied heavily on good intentions, which quickly disappeared with the popularity.

I have one of these and it was really nice in the first 1-n years.

People gamified it and then it sucked, but the idea wasn't so bad. One would expect people would not stoop this low for a free T-Shirt.

It’s still ongoing. The difference is they now no longer offer t-shirts (at one point they planted trees instead, unsure if that still happens), and projects must opt-in.

They offered T-Shirts in 2025

Thank you for the correction. I thought they had stopped that but I see you’re right. Seems to be more restrictive, though.

https://hacktoberfest.com/participation/

> Swag - Get an exclusive Hacktoberfest T-Shirt, but its only for ‘Super Contributors’ who contribute 6 accepted PR/MRs to a worthy repository. (T&Cs Apply | Valid only for the first 10,000 contributors completing 6 PR/MR)

this is why we cant have nice things

Reminds me of this Indian GitHub tutorial on how to open a PR on GitHub. The video got millions of views and has flooded a specific repo with countless README update PRs of people (mostly Indian) trying to append their name to the README.

Article about it here: https://socket.dev/blog/express-js-spam-prs-commoditization-...

they flooded THE major server side js framework and it's happening to this day, every day. Express is something to backend what jQuery was to frontend 15 years ago

Usually the protection against such spam is social shame but the internet is now full of people who have no shame because shame was never part of their culture. It would be more effective to use GeoIP in this case.

It’s not just the Internet. It’s politicians and businesspeople and more generally, shameless citizens.

There’s a lot to dislike about shame as an enforcement mechanism but I’m starting to miss some of the upside it delivered.

Internet reputation became easy to launder, thus meaningless.

I seem to remember there was a large (indian?) educational YouTuber who did a tutorial on how to use Git where they forked a FOSS repo, made a change to the README.md and then made a PR. This caused a huge influx of garbage PRs for that particular repo and other FOSS repos.

The typo PR's are top-cringe.

I submit typo PRs sometimes. I just really like cleaning up docs, and some typos are important because they affect doc searchability. (But I do bundle them up so there's just one PR, and I generally won't do it for a single typo.)

January 01 race to open hundreds of "update year in readme" PRs

I've noticed this also. But I didn't ascribe it to LLMs, rather figured there is some sort of rogue educator in India who's instructing students to do this on public repos and they just don't know better. But the prof should.

Noticed it in corporate context too. About 40% of the performance feedbacks I saw this year were AI written. India and USA crowd. Everything from Europe looked pretty organic but imagine that’ll change too next cycle

It's likely because of Google Summer of Code. OWASP has participated as an org several times and it's highly likely that they'll participate this time too.

Students often start making PRs around this time to get more familiar with projects before they can put in a proposal when the time comes.

As someone who's been a programmer for a while now, I feel it's pretty easy to identify slop code and when someone is using an LLM to communicate on issues. I'm not against using LLMs for writing code or even for using it to improve your communication, but it cannot be a substitute for critical thinking.

If I was a maintainer of an OSS project, I'd be more likely to _not_ select students who put out slop PRs, proposals, or messages without thought. And also make this clear in the contributing guidelines so contributors know what they're getting into.

What issue added GPU acceleration to Ghostty? It seems silly to add that to a terminal.

The other side of the coin is that many real bug reports are dismissed out of hand. That is frustrating if you have spent hours or days triaging an issue and have submitted a well-written bug report. It would be useful if projects advertised what their de facto bug report policy is. If it involves snide remarks and pointless bureaucracy ("you did not check this box") then that should be stated to help others avoid wasting time. Perhaps an LLM could help with that: "The likelihood of an external bug report being acted upon is X%, given analysis of past interactions on bug tracker."

It's Hacktoberfest all year long, baby!

https://joel.net/how-one-guy-ruined-hacktoberfest2020-drama

I mean, if people adopt, I guess they can also flood the discussions with LLM nonsense. But for now it seems like the better solution.

i f8cking hate being born here.

volume of low quality content, dsa/leetcode, etc. is so high, good people/content gets left out. networking, connections, nepotism so much high. getting job based on actual talent very rare.

MNCs which are good outside are so much sh8t here; well capitalism doesn't give a f8ck anyways.

I think you'll get downvoted to oblivion because outsiders often don't realize the ridiculousness of the whole thing.

I will try to give some context.

To give an example, the CSE undergrad from an average Indian college would've done 500 - 1000 leetcode "problems" for practice. But have little to no idea on how to survive in a UNIX shell, or to troubleshoot an actual problem. Hell, half of them haven't written more than 1000 lines of code for single purpose.

People early in their career (which is most SWEs including yours truly) follow whatever "influencers" on youtube (the local term being bhaiyya-didis), who give them rough "roadmaps" to "crack DSA" or "get high paying remote job". The result is that average CS guy spends most of his time navigating this rat race than studying computer science stuff that matters for the job.

I see similar kind of competition getting created at senior levels too, in the terms of people grinding theory and blog posts on "system design" interviews. I am not old^H^H^H senior enough to comment on it, though.

But it was not all bleak. IIRC, We were producing quite few good OSS contributions through GSoC, LFX etc... until few years ago (not considering my own among good ones). There were talented 1% or so (I known a few very talented people in personally). Nowadays these "hustler" variety people have started "How to crack GSoC" roadmaps [sic] too, and the spamming quoted above see may be related to this. This sort of insane rat race is not good for talented people. It's not good for companies either. Recruitment is basically lottery at higher levels too; I have seen people use AI to shamelessly lie on their resumes and get hired etc... Some of these problems may be present in west but India's scale makes some of these problems difficult.

this is a problem with all indian "education". I work in renewable energy and regularly chat with other Indians at IEEE conferences who are looking for work in the West.

These supposed electrical "engineers" have an IEEE "paper" to their name but regularly confuse power and energy. They have no curiosity, no interest in their work, atrocious communication skills (not language, communication) and swarm you like piranhas once word spreads.

All this combines to devalue Indian degrees and the reputation of Indian STEM talent. The genuinely good people are drowned under this avalanche and there's not much you can do to help them or to find them.

> capitalism doesn't give a f8ck anyways

It doesn't until suddenly it does. A glut of junk can eventually trigger a flight to quality.

Sadly, possibly not on a timeline which works for a given individual.

Yet again poor communal behavior ruining it for the rest of society, and why we can't have nice things and colonize the stars.

[flagged]

Taught by whom? Without evidence, this just comes of as a racist trope. FWIW, the Indians I've worked with have all been very honest and dedicated to their work.

Parent commenter is, as you’ve said just parroting racist tropes.

Anecdotally, I’ve worked with quite a lot of South Asian people, and there is an art to communicating with them - they’re remarkably indirect but thrrr are certain signs that they disagree. If you apply the same amount of skepticism to an Americans “super awesome mega amazing” bluster, you’d be pretty close to the mark IME.

Taught by a general culture where this is even conceivable not just as a covert cheat but as a public outlook:

https://www.cbsnews.com/news/indian-parents-scale-school-wal...

> I have yet to meet one that hasn't openly admitted to grift or caught grifting.

This is just lazy casual racism.

https://www.firstpost.com/tech/news-analysis/indian-scam-cal...

https://www.bbc.com/news/articles/cn8er32715do

https://www.theswaddle.com/coaching-institutes-are-helping-s...

https://www.bloomberg.com/graphics/2024-staffing-firms-game-...

>Indian students

How do you know this?

Because their usernames are Indian and profiles have links to Indian universities, and sometimes descriptions of the 101 classes they're currently taking. That doesn't stop them from saying things like "I see this sort of vulnerability all the time"

Apologies - looks like you have clear evidence for the "student" part.

Sir, I agree with moralestapia. Not a singular one of the 20 lakh lines in the PR were written by ChaiGPT.

Lol. I found it of interest since it's quite hard to make an LLM write like a stereotypical Indian.

If I was an Indian student, I would prompt it to avoid that style instead of keeping it.

Also, generally, people can just make stuff up on the internet so ...

Ever been on Stack Overflow before LLMs became a thing?

"Students" sounds very speculative. "Indian" likely based on usernames, which are often a South Asian first name followed by a random integer.

Why you don’t just put an AI guardian to close or to ask them to change the story. Or shadow ban

Subjecting every real contributor to the "AI guardian" would be unfair, and shadow banning is ineffective when you're dealing with a large number of drive-by nuisances rather than a small number of dedicated trolls. Public humiliation is actually a great solution here.

> Subjecting every real contributor to the "AI guardian" would be unfair

Had my first experience with an "AI guardian" when I submitted a PR to fix a niche issue with a library. It ended up suggesting that I do things a different way which would have to involve setting a field on a struct before the struct existed (which is why I didn't do that in the first place!)

Definitely soured me on the library itself and also submitting PRs on github.

How effective is it against people who just simply does not care?

I suspect people are doing it to pad their resume with "projects contributed to" rather than to troll the maintainers, so if they're paying any attention they probably do care...

Most people do, and those who don't still get banned so...

what you say, is of course the only relavent issue. I can attest to my own experiences on both sides of this situation, one running a small business that is bieng inundated by job seekers who are sending AI written letters and resumes, and dealing with larger companys that have excess capacity to throw at work orders, but an inability to understand detail, AND, AND!, my own fucking need to survive in this mess, that is forceing me to dismiss certain niceties and adhearance to "proffesional" (ha!), norms. so while the inundation from people from India(not just), is sometimes irritating, I have also wrangled with some of them personaly, and under all that is generaly just another human, trying to make by best they can, so....

You could easily guard against bullshit issues. So you can focus on what matters. If the issue is legit goes ahead to a human reviewer. If is run of the mill ai low quality or irrelevant issue, just close. Or even nicer: let the person that opened the issue to "argue" with the ai to further explain that is legit issue for false positives.

How is an llm supposed to identify an llm-generated bullshit issue...? It's the fox guarding the henhouse.

Just try and you'll see if it can work. Just copy paste some of these issues give context of the project and ask if makes sense

the only way to stop a bad guy with a llm is with a good guy with a llm

That's just shoveling money to tech companies

I intensely dislike the idea that we need more AI in order to deal with AI.

If I ever need to start using an AI to summarize text that someone else has generated with AI from a short summary, I'm gonna be so fucking done.

Small brain: create a solution looking for a problem

Big brain: create a solution solving an existing problem

Galaxy brain: create a solution that creates its own problems

I relate, and then realized that's been the basis of spam handling for decades now. It's depressing, and we aren't putting this genie back in the bottle unfortunately.

How so?

Spam, for decades, has been a matter of just shoveling truckloads of emails out the door and hoping that one or two get a gullible match.

Blocking spam, for decades, has been a matter of heuristic pattern-matching.

I don't see how that is the same as "fighting LLMs with LLMs", or how it could be said to be the same as how spam is made and used.

You're done dude. I'm sure it's already happening.

What are you going to do now?

It's not happening because I'm not using an AI to summarize text. At the moment slop text is also fairly easy to recognise, so I can just ignore it instead.

It's not already happening as of today? You can adapt or... You heard of Darwin right?

Long time ago Sourceforge and then GitHub promoted into the current default the model of open source distribution which is not sustainable and I doubt it is something that the founding fathers of Free Software/Open Source had in mind. Open source licenses are about freedom of using and modifying software. The movement grew out of frustration that commercial software cannot be freely improved and fixed by the user to better fit the user's needs. To create Free software, you ship sources together with your binaries and one of the OSI-approved licenses, that is all. The currently default model of having an open issue tracker, accepting third party pull requests, doing code reviews, providing support by email or chat, timely security patches etc, has nothing to do with open source and is not sustainable. This is OK if it is done for a hobby project as long as the author is having fun doing this work, but as soon as the software is used for commercial, production critical systems, the default expectation that authors will be promptly responding to new GitHub issues, bug reports and provide patches for free is insane. This is software support, it is a job, it should be paid.

> I doubt it is something that the founding fathers of Free Software/Open Source had in mind.

Free Software sure, that wasn't the point.

Open Source, that was exactly the point. Eric S Raymond, one of the original promoters of the concept of Open Source coined Linus' Law:

    Given enough eyeballs, all bugs are shallow

Linus’ Law doesn’t really imply anything about maintainers behavior though. As an example, you can imagine maintainers that never update their repos. Every bug fix is a forking of the repo, and people only use the repo with the latest commits. Eventually, the bug count goes down as well!

I thought about this a lot recently and decided a that the small, mostly complete, project I work on now, if I release it (I probably will), I will just post an archive somewhere with the source code, like in old days.

> This is software support, it is a job, it should be paid.

It is paid, even if not in money. It seems like maybe you lack awareness of the other forms of capital and reward that exist, because your framing implicitly insists that financial capital is the only form of capital and that monetary reward is the only form of reward. But there are also a bunch of other forms of capital, like social, cultural, symbolic, etc. which you have missed, and there are non-capital (non-convertible) forms of reward, like feeling good about something. It's the entire reason why permissive licenses still preserve attribution.

To wit, people maintain things literally all the time either purely for prestige, or because being a contributing member of a community, even a small one, makes them feel good, or because knowing that maintaining things leads others to also maintain things. There are both intrinsic and extrinsic non-monetary gains here.

Stallman makes the same critical error in his foundational writings, so at least you're not alone in this.

(A foundational read on the subject of the different forms of capital is Pierre Bourdieu's The Forms of Capital: https://www.scribd.com/document/859144970/P-Bourdieu-the-For...)

(See also: https://en.wikipedia.org/wiki/Motivation#Intrinsic_and_extri...)

> has nothing to do with open source

I partially disagree. It does have to do with open source: Github (et al) are about creating a community around an open source project. It's hard to get adoption without a community; it gives you valid bug reports, use cases you didn't think of, and patches.

You can, if you want, turn off PRs, issues, and literally any feedback from the outside world. But most people don't want that.

> and is not sustainable

I 100% agree. People (including people at for profit companies) are taking advantage of the communities that open source maintainers are trying to build and manipulating guilt and a sense of duty to get their way.

The most insidious burnout I see is in disorganized volunteer communities. A volunteer is praised for jumping in with both feet, pushes themselves really hard, is rewarded vocally and often and with more authority, and is often the one applying the most pressure to themselves. There's no supervisor to tell them to pace themselves. And when their view switches from idealistic to realistic and then falls into pessimistic, they view the environment through a toxic lens.

Then they vanish.

    has nothing to do with open source

    long time ago

How long does something have to be done a certain way for it to be "to do with"?

I would say we're now two generations deep of software engineers who came up with open source software commonly being mediated through public issue trackers.

That isn't to say it needs to stay that way, just that I think a lot of people do in fact associate public project tracking with open source software.

Thanks for making me feel old.

> I doubt it is something that the founding fathers of Free Software/Open Source had in mind

Who cares? That was 30 years ago. How different were computers, programming, and the world back then?

Things change over time. The world is not immutable.

> the default expectation that authors will be promptly responding to new GitHub issues, bug reports and provide patches for free is insane.

I think there are many insane expectations out there, open source or not, so I don't personally see it that linked with the idea/ideal of open source.

> This is software support, it is a job, it should be paid.

Anything can be paid, nobody says otherwise. Some people prefer nobody pays for their source code (open source). Other people do support for free. And so on.

> The currently default model of having ... has nothing to do with open source and is not sustainable.

There were always arguments why open source will not be sustainable, many having some truth in them. But the current issue can be probably solved with some push-back on the speed of things or how attribution works. Something similar used to happen on some forums: you can't post a new thread for one month if you did not reply at least once without getting down-voted. For the current problem : if contributions are anonymous for the first 3 years of you contributing (if you are not banned) and your name becomes public only after, then all this "noise" for "advertisement" will die. Doubt this will discourage any well intentioned contributor.

> To create Free software, you ship sources together with your binaries and one of the OSI-approved licenses, that is all.

Untrue. Shopping source with _some_ OSI-approved licenses makes the work Free software. Shipping it with others merely makes it open source software.

It sounds funny, but it's not. I once issued a bug to them that didn't have enough information about how to reproduce... and I was lambasted on Reddit and eventually just deleted my account there it was so terrifying. Some dev teams do not mess around. In fact I've shied off most social media since and no longer issue bug reports to any company, I was scarred deep over the treatment.

I've read their reports before. When there's not enough information to reproduce, they do a good job of asking for more information first, and I've never seen a reasonable good-faith report elicit anything overt.

If you failed to give them proper reproduction information when asked, then yeah, you were wasting their time and they should rightfully close your issue.

I've never seen anyone on the curl team undeservedly "lambast" someone, and for a project that has a quite good reputation, I think the burden of proof is on you. Can you link to these supposedly terrifying comments?

It says in the curl file that they will ridicule time-wasters in public and here is one pression confirming that it happened to them, yet somehow that's not enough? Come on.

We don’t need anecdotes, every single bug is public. Just looking now I see respectful responses to genuine reports. This document is clearly in response to AI slop and spam.

I skimmed the "slop" collection they maintain that was posted here yesterday, and even under those HackerOne submissions, Daniel was perfectly reasonable and respectful.

It is entirely possible I merely chanced upon his highlights, but this announcement to me really just signifies a final straw breaking than anything else. His historical conduct is all public and speaks for itself. I wish I had the patience and perseverance he does, and I wish he didn't need it.

That is sad, sorry to hear it.

But at the same time, sometimes you have to really persevere to get a bug fixed.

Consider the perspective of the maintainer of a popular project: to them, you're one person in a big queue of people all reporting problems. Most issues turn out to be "I need free technical support, which you don't offer, so I'll phrase it in the form of a bug", and it saps their time to look into the details of each issue to find whether it's genuine-bug or user-error.

So that's why you should try to give reproduction instructions as best you can, and be up-front if they're incomplete, or you only saw it happen once.

If the maintainer responds harshly, or even if you get commentary from others, remember they are (or should be) criticising the bug report, not you. Try not to take it personally.

And even if they decide to close it, or not investigate further, you've still done the world a favour by adding genuine details about something you saw. The bug report is still searchable when closed. Other people who get the same problem as you are likely to find it, and it might spur them to reproducing the bug where you couldn't, and re-opening or re-reporting the bug and driving it forward to completion.

It’s not my job to fix their bugs. It’s not my job to handhold them through it. You are better off anonymously posting the full bug online and let god sort it out.

That surprises me -- from what I've seen, Daniel is actually remarkably tolerant of incomplete/unclear reports. (Too tolerant.) But I imagine that could depend on the day.

(Now, if you used AI to generate the report, well... that's different. Especially if you didn't disclose it up front.)

On the flip side I’ve been following him for a while on Mastodon.

I’ve basically watched the AI crap cycle go from “this is a weird report, oh it’s fake” to “all the reports are trash, it’s so hard to find real humans in the flood” through his posts.

I suspect I would’ve stepped down long ago. I feel so bad for the open source maintainers who are just being assaulted with nonsense.

How does Reddit come up in this?

The only official community spaces they maintain are:

- their GitHub projects (Issues, Pull Requests, Discussions)

- their mailing lists

- their HackerOne page

If you were harassed on Reddit that is still shitty of course, but it's not gonna be on the project's dev team:

> Some dev teams do not mess around.

Unless some of the devs have verifiable, pseudo-official presence there at least.

What was the bug?

Wouldn’t it be ironic if GP never answered this request for simple follow-up.

Yeo without any sort of context, it's just like throwing a stone and then running away.

Yeah I had to downvote because of this. If you don't bring receipts then it's just slander.

Gotta let the legal team know about that I hadn't heard they changed it.

Please ignore everyone else and do not share any more information about this experience or yourself. These people do not have your best interests in mind and will not mind, or are intending to, make this experience even worse for you.

Share the issue or reddit thread.

I'm sorry but if you deleted your reddit account because someone on the internet over reacted that's a you thing. You have to be tougher than that.

> (...) that's a you thing. You have to be tougher than that.

They really don't, lol

If a community is full of assholes, unwilling to change, walk away! Don't contribute to what you don't want to support. It's just like voting with your wallet.

All contingent on whether you can actually afford to do so though, as usual, but I have a hard time believing that interacting on Reddit would be so essential, especially these days.

He rubs me the wrong way, too. Curl is overhyped and a pain to work with. And he's getting high on the "success" while crying about not being paid for something he offers for free. I think Americans have a nice phrase about having cake and eating it, too.

Seems like a lot of the problems had by the low friction of first eternal september and now LLM genrated reports and contributions, could be resolved by restoring friction. First time reporters/contributers could be required to send their report or PR by paper mail. Strict requirements for the sender: all text printed on postcards (no letter opening) as QR or other data codes according to a standard formatting. Anything even slightly off goes straight to the trash, high signal/interest contributors can still get their foot in the door.

The eternal-september; or its international equivalent, kills things because the nature of the public you are interacting with has changed.

These issues with reports and junk contributions come about because there is a huge payoff for pretending to be part of the community, but the benefit from actually contributing is generally less direct.

I dont think you can solve this with "friction", because the people you want to dissuade are more tolerant to these kinds of barriers than the ones you want invite in.

I wonder if there is a way to blanket prevent these types of problems.

Possible solutions I can think of:

- Require an account with a paid service. Fix = require money - Require an account verified with real ID/passport etc. Fix = link to real person - Automated reply system to "waste tokens" if it is an AI that is responding. Fix is increased cost of spammer. - Have some kind of "vetting system" where you get on an allowed list to report these types of things. Seems not good to me, but perhaps there is something in it.

I wonder how much open source code is lost because maintainers must deal with this type of thing versus the "good" that AI can bring in productivity.

Ah, brings back memories when TPB did something similar to when MPAA and their "associates" emailed them. I think this is probably the best page where one could still see them: https://web.archive.org/web/20111223101839/http://thepirateb...

I'm not sure it helped in the end, afaik they did it since like 2003 until some years after the raid, but it still seemed like they didn't get the message and kept trying anyways, which from their perspective makes sense but still.

I am friends with a solo maintainer of a major open source project.

He repeatedly complains that at the beginning of some semester, he sees a huge spike of false/unproveable security weakness reports / GutHub issues in the project. He thinks that there is a Chinese university which encourages their students to find and report software vulns as part of their coursework. They don’t seem to verify what they describe is an actual security vuln or that the issue exists in his GitHub repo. He is very diligent and patient and tries to verify the issue is not reproducible, but this costs him valuable time and very scarce attention.

He also struggles because the upstream branch has diverged from what the major Linux distribution systems have forked/pulled. Sometimes the security vulns are the Linux distro package default configurations of his app, not the upstream default configurations.

And also, I’m part of the Kryptos K4 SubReddit. In the past ~6 months, the majority of posts saying “I SOLVED IT!!!1!” Are LLM copypasta (using LLM to try to solve it soup-to-nuts, not to do research, ideate, etc). It got so bad that the SubReddit will ban users on first LLM slop post.

I worry that the fears teachers had of students using AI to submit homework has bled over into all aspects of work.

Kryptos K4 seems to me like a potential candidate for AI systems to solve if they're capable of actual innovation. So far I find LLMs to be useful tools if carefully guided, but more like an IDE's refactoring feature on steroids than an actual thinking system.

LLMs know (as in have training data) everything about Kryptos. The first three messages, how they were solved including failed attempts, years of Usenet / forum messages and papers about K4, the official clues, it knows about the World Clock in Berlin, including things published in German, it can certainly write Python scripts that would replicate any viable pen-and-paper technique in milliseconds, and so on.

Yet as far as I know (though I don't actively follow K4 work), LLMs haven't produced any ideas or code useful to solving K4, let alone a solution.

As a human being I really enjoy knowing things and being challenged to grow.

While crypto style AI hype man can claim Claude is the best thing since sliced bread the output of such systems is brittle and confidently wrong.

We may have to ride out the storm, to continue investing in self learning as big tech cannot truly spend 1.5 trillion on the AI investment in 2025 without a world changing return on revenue, a one billion revenue last year from OpenAI is nothing.

In china medical students are required to publish original papers. Instead they just pay someone to write it for them and pollute the literature.

So much for the curation argument of the price justification of professional journals.

The typical graduation-requirement paper doesn't get published in a professional journal, so I think professional journals do provide significant curation.

Medical? What's the point? I'm happy with 98% of doctors being able to handle known conditions and only the few percent that are really interested to do research.

>I worry that the fears teachers had of students using AI to submit homework has bled over into all aspects of work.

As one does in academia, so to the market, because now we have financial incentive. It ain't going to stop.

The new era of AI.

Everybody saw it coming. Frankly I'm surprised it took this long.

I think this is probably less effective than if there was some sort of "credit" or reputational score for reporting that seems like something GitHub would have the information to implement.

> seems like something GitHub would have the information to implement.

But not the motivation. GitHub incentives this type of behaviour, they push you to use their LLMs.

GitHub is under Microsoft’s AI division.

https://www.geekwire.com/2025/github-will-join-microsofts-co...

> GitHub is under Microsoft’s AI division.

Finally an explanation to why GitHub suddenly have way more bugs than usual for the last months (year even?), and seemingly whole UX flows that no longer work.

I don't understand how it happens, do developers not at least load the pages their changes presumable affects? Or is the developers doing 100% vibe-coding for production code? Don't get me wrong, I use LLMs for development too, but not so I can sacrifice quality, that wouldn't make much sense.

I just listened to podcast from a higher echelon MSFT person, the internal orders basically are “focus on AI”, non-AI work gets deprioritized company wide.

But that by itself shouldn't mean that people suddenly don't even review and think what they're doing, right? Again, I too use LLMs for lots of work, yet I'm putting out better code than before, because I'm a software engineer, not a software slopper, is this not the common workflow?

I wouldn’t be surprised if experienced people left because of policies like this. It doesn’t matter if you are reasonable your colleagues won’t necessarily be.

I think one of the last thing I'd like on the web is for Microsoft to start keeping a "social score" for developers who participate in FOSS.

I understand where it's coming from, and I too think the current situation sucks, but making Microsoft responsible for something like that is bound to create bad times for everyone involved.

I’d hate to see GitHub assigning reputation to users.

Why no go the other direction and make it hard to identify a user, so people do not do it for fame. Open source worked before people were using it as self advertisement.

Might even be good for Microsoft - they would be the only one knowing who is who.

the berne convention copyright defines inalienable authors rights that can not be sold or taken away from the author. the author of any copyright works always has the right to identify themselves with the work, and therefore your suggestion is not legally possible.

This already exists on the previous platform curl was using (HackerOne), it does not prevent the slop.

At my previous employer, I had access to the company’s bug bounty submissions and I can assure you no matter what you try to do, people will submit slop anyway. This is why many companies will pay for “triage services” that do some screening to try to ensure that the exploit actually works.

Unfortunately this means that the first reply to many credible reports are from people who aren’t familiar with the service, meaning that reports often take a long time to be triaged for no reason other than the fact that the reporter assumed that the person reviewing the report would actually understand the product. It’s hard to write good, concise reports if you can’t assume this fact.

Honestly, I don’t know what can be done to fix all of this. It’s a bad situation for everyone involved, and only getting worse.

Yeah this seems like a good idea. Plenty of games have "you have to have this much reputation to play in ranked games" sort of things.

I guess people would complain if it was tied to Github.

Context: [1, 2]

> Open source code library cURL is removing the possibility to earn money by reporting bugs, hoping that this will reduce the volume of AI slop reports.

> cURL has been flooded with AI-generated error reports. Now one of the incentives to create them will go away.

[1] https://news.ycombinator.com/item?id=46701733

[2] https://etn.se/index.php/nyheter/72808-curl-removes-bug-boun...

Money for a report and a patch, with convincing test cases, might be worthwhile. Even if a machine generates them.

> Even if a machine generates them.

Why? If it is a purely machine generated report there is no need to have dozens of third parties that throw them around blindly. A project could run it internally without having to deal with the kind of complications third parties introduce, like duplicates, copy paste errors or nonsensical assertions that they deserve money for unrelated bugfixes.

A purely machine generated report without any meaningfull contribution by the submitter seems to be the first thing you would want to exclude from a bug bounty program.

Not necessarily. Reviewing an issue report is already enough time. Reviewing a patch is even more developer time.

The problem they had before was a financial incentive to sending reports, leading to crap reports that wasted time to review. Incentivizing sending reports + patches has the same failure mode, but they now have to waste even more time to review the larger quantity of input.

Anyway, for most cases I'd bet that Daniel can produce and get reviewed a correct patch for a given security bug quicker than the curl team can review a third-party patch for the same, especially if it's "correct, but ai-written".

I've read this idea that we could make people pay for security reports a few times here on HN (and you get back the money if the report is deemed good). That feels very wrong.

If I find a security issue, I'm willing to responsibly disclose it, but if you make me pay, I don't think I will bother.

Punishing bad behavior to disincentivize it seems more sensible.

For a person finding bugs for a living, an up-front fee to have their report reviewed by a maintainer would amount to an investment towards receiving a bug bounty if their report is valid and valuable. Just the cost of doing business.

It would discourage drive-by reports by people who just happened to notice a bug and want to let the maintainers know, but I think for a project that's high-profile enough to be flooded by bogus bug reports, bugs that random users just happen to notice will probably also get found by professional bug hunters at some point.

Only if the system is fair. If I as a maintainer want to scam I can just close the report as invalid, collect the $$$. Then a week latter I fix the issue with a commit that looks like it is unrelated.

I wouldn't do the above, but it is easy to see how I could run that scam.

You can look at how the maintainer dealt with previous bug reports to decide whether you can trust them or not. If there haven't been any previous bug reports but they nonetheless ask for a fee to help deal with the large volume of bug reports, yeah, that might be a scam. If you're running their software, maybe also check whether it's full of malware.

Punishing bad behaviour does close to nothing, because the problem at hand is one of high asymmetry between the low effort to submit vs the high effort to review. I do agree that paying for reports isn't ideal, and we should find other ways to level the playing field, but in the meantime I haven't heard of anything as effective.

> the problem at hand is one of high asymmetry between the low effort to submit vs the high effort to review

Hence the threat to shame publicly I suppose.

Actually, Daniel Stenberg previously responded to this proposal the same way as me [1] (and maybe would still do). Coincidentally, I was reading your answer at about the same time as this part of the talk.

[1] https://www.youtube.com/watch?v=6n2eDcRjSsk&t=1823s (via https://news.ycombinator.com/item?id=46717556#46717822)

Doesn't work when using throwaway accounts, the low effort gets only marginally higher.

What was a kind design to thank good contributors is now a lottery.

Throw enough AI crap at enough projects and you may get a payout.

The incentives fail in the face of no-effort flooding. They accidentally encourage it.

> Even if a machine generates them.

That sounds wonderfully meritocratic, but in the real world, a machine generating it is a very strong signal that it's bullshit, and the people are flooding maintainers using the machines. Maintainers don't have infinite time.

To be clear, no, it is not, because of the opportunity cost of all the other slop. That's what this is all about.

Then no bug reports and no fixes. Sounds good enough.

Of course there are still bug reports and fixes without financial compensation. The proof is all of open-source, including cURL.

They'll still get bug reports and fixes from people who actually give a shit and aren't just trying to get some quick money.

- I notice a lot of stuff in github issues all the time

- For example, there is this +1 comment pasted like 500 times that I have seen a lot over issues

- Cant we have a github regex bot of sorts ^(\W+)?\+(\W+)?1(\W+)?$ that removes all such comments? or let the author of the repo control what kind of regex based stuff to remove?

- I know regex kind of sounds old fashioned in the age of LLMs but it is kinda simple to manage and doesnt require crazy infra to run

Yes you can, and those comments will then say "plus one", which you will add to your regex, and then they will say "++", which you will add to your regex, and then they will say "I agree", which you will add to your regex, and then they will say "me too", ......

There's going to be avalanches of code everywhere. You can no longer expect some human to know what some code does or maintain it.

You certainly can expect “some” human to know what “some” code does.

Things you cannot expect:

- ALL humans to know what SOME code does

- SOME humans to know what ALL code does.

[flagged]

The policy link[0] page still has a link to the bug bounty program[1] which still discuss monetary compensation.

[0] https://curl.se/dev/vuln-disclosure.html

[1] https://curl.se/docs/bugbounty.html

Although it's not mentioned in those, it's going away at the end of the month: https://news.ycombinator.com/item?id=46701733 https://news.ycombinator.com/item?id=46678710

It is a bit naive to expect Indian students to even know about /security.txt existence, let alone reading it.

Seems fair.

Can anyone tell me in 2025 how much big tech made in revenue from AI..

Revenue or profit?

I'll leave this chart to speak for itself https://ourworldindata.org/grapher/number-of-internet-users?...

Having an overly long captcha for bug bounties / reports may be the one place where it serves a purpose

Why do I always hear the cURL guy's opinions on this and that?

Every site and every service is going to be swamped with AI-generated slop and will have to deal with it by banning it, and then detecting and deleting it.

This was entirely predictable. When you give everyone the ability to be good at something with no effort, everyone is going to do it (and think they are the first).

My partner recently bought a book from Amazon, and when it arrived, I looked at the cover, flicked through it, and said it was AI slop. She complained to Amazon, and they just refunded her, no questions asked, and the book went in the fire.

> ridicule you in public

love this. more projects should use this kind of language. cut the bullshit

Somehow, I knew this would be curl before finishing reading the headline. Good on them!

I was going to add “cURL: “ at the start of the title, but it didn’t fit. The current title is exactly the allowed length, so it seemed more appropriate to keep the message verbatim.

Links to all those crap reports: https://gist.github.com/bagder/07f7581f6e3d78ef37dfbfc81fd1d...

(from https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-s...)

they're suffering from this big time: https://www.youtube.com/watch?v=6n2eDcRjSsk&t=2453s

> We will ban you and ridicule you in public if you waste our time on crap

If shame worked, then slop reports would've stopped being made already. Public ridicule only creates a toxic environment where good faith actors are caught up in unnecessary drama because a maintainer felt their time was being wasted. Ban them, close your bug bounty program, whatever, but don't start attacking people when you feel slighted because that never ends well for anyone (including curl maintainers)

It worked well for me when people were stealing my articles, pretending they wrote them. One tweet or mention in Linkedin and the article is gone.

Plagiarism is much different than collaborating on open source projects but I'm glad that calling them out worked.

Test your hypothesis by attaching your offline name to your internet profiles.

That's sort of the whole point of this thought exercise, no? If shame worked in an environment with anonymous/pseudonymous users, then we wouldn't be here. The only people you stand to harm are the ones who attach their real identities to their profile (and they're more likely to be good faith IMO)

Besides, I've seen plenty of profiles here on HN who advertise their real name and espouse (in my view) awful takes that would most likely not fly in real life. I'd recommend reading this article[0] for an example of when people, with their real names exposed, can still cause a shitstorm of misunderstanding.

0: https://lwn.net/Articles/973782/

This is 100% true. I've seen this happen over and over again.

Shaming does not work, you look like an idiot, people will start to despise you and then you end up ostracizing yourself from the rest of the community and the only ones left within your bubble, are circle jerk assholes.

It's one of those cases where you end up causing more harm than the ones you were complaining about.

Just pathetic behaviour.

Creating crap vuln reports or PRs on popular OSS projects has been an issue long before LLMs. Remember Hacktoberfest?

Students would often abuse it since there’s no adult in the room to teach them how to behave. I guess this is one hard way to f around and find out. But this is by no means condoning this sort of behavior.

Point is, LLMs made the situation more dire: it’s cheap to generate code, whereas reviewing still scales sublinearly. The only way to prevent this is by being rude to people who are rude to you.

It's never fine to be rude.

Moving off github into a more niche platform was the best choice I have ever made to curb such zero-effort issue and feature requests. It raises the barrier just enough.

On the other hand, I'm a dev, and I hate the "start a discussion first" gatekeeping. I participated in projects where the approach is to start a discussion on a forum first, and I get the same feeling you have as a tech guy calling ISP support on the phone.

The discussion requirement is often to prevent disappointment, waste of time, and anger, when maintainers simple close PRs, because it's not the direction they want the project to go. A lot of people will take this very personally, so it's much better to have a conversation about it beforehand.

This note isn't going to stop even 1% of the jackasses who would have submitted AI slop.

There are much better ways to communicate the intended message. This comes off as childish to me and makes me think that I'd rather not contribute to the project.

> This comes off as childish to me and makes me think that I'd rather not contribute to the project.

It's unfortunately the new normal, with FFmpeg's core team acting similarly. No doubt the result of what is considered socially acceptable expanding in ways it probably shouldn't.

Wouldn’t be surprised if there’s a fork of curl that addresses it.

I think this is the perfect application of a micro payment service. Each PR must be signed with a nominal amount of money, say $0.15 give or take. You send in a commit, with no expectation to get it back.

I think a deposit would be better then. You make a deposit of ¢15 for each issue and PR you open, and then the maintainers can decide to give it back to you if it was opened in good-faith/useful/merged/whatever policy they decide on.

Agreed. Could be fiat or some sort of crypto currency that requires the submitter to have a vested interest in the outcome.

Honestly, I would love it if I could front some money in order to have the devs look at my PRs. Half my PRs just go into the void and nobody looks at them until some staleness bot inevitably closes it.

This is a similar problem to resume spam. I always wish I could pay $5 when submitting a resume with the guarantee that someone would actually look at it and give me a fair shot. If I ever run a place I want to experiment with only accepting resumes through letter mail or in person.

I think this idea doesn't go far enough. If it's money that's motivating slop, fine - let's make it about money. $50 to submit a bug report. If it's legitimate, we send you back $60; the judgement is on the curl maintainers' honor. If it wastes time, well, at least the curl maintainer gets a steak dinner.

I like the idea of refundable submission fee for bug bounties. No refunds for slop and poorly researched submissions.

It's been an issue for a while and it's even bigger now in the age of AI. Lots of people use security as a way to "have their moment" and don't really care about adding value.

But scaring people off from security reports also isn't a great idea either.

This is great actually. I can feel the sentiment of the slop they've had to deal with.

Fair play to them.

Fair enough.

Dog whistle to AI. Love it.

Why is cURL specifically receiving so many slop contributions? Or is this a recent phenomenon for every open-source project, and cURL are the ones most spoken of? First time commenting on HN!

They offered a bug bounty, so people think "let me just use ChatGPT to make money for myself".

But from I hear it affects other projects too. It affected curl more because with the bug bounty they actually need to invest work and look at those.

[1] https://daniel.haxx.se/blog/2024/01/02/the-i-in-llm-stands-f...

[2] https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-s...

cUrl as a project has a lot of conceptual attack surface for someone looking to find _anything_.

It is large, very popular (hence impact) and written in C. It supports many many many protocols with all of their real-world implementation quirks. Obscure or mainstream. And always handling user-controlled data.

If your motivation is a cool CVE for your CV, you'd pick such a project as the target of your efforts.

One way this can backfire: if you have no reputation and are nobody, and get banned and publically ridiculed, this is now a badge of honor you can take to wealthy and deluded people convinced of the AI future, to say 'look, I have been shot at! I'm a true believer!'

And then maybe they will give you money.

Only if there's a wealthy political group that hates the thing you just got ridiculed by. When you get expelled from a climate conference you can become a right-wing figurehead, but when you get expelled from the cURL vulnerability program, nobody cares.

lol, fair and square

[dead]

[flagged]

Can you elaborate? What does trump have to do with allowing early denial of bad ORs

Reading between the lines a bit, but I think the point is that public ridicule and personal attacks as well a general lack professionalism is a page out of his book.

So I think OP is trying to insinuate POTUS' behavior inspires a general lack of decorum, a la trickle-down dickonomics. Which is a sentiment I can't in good faith disagree with entirely, but it seems like a stretch in this case.

is public ridiculing of somebody who intentionally submits garbage in order to potentially earn a few bucks a bad thing? it's like with patent trolls, dragging their shady actions to public and ridiculing them is best thing that can happen

Why bring politics into this discussion?

Edit: that person (or bot) has almost exclusively posted on this website about the current US president. I think it's a waste engaging and I already regret my comment here

This is clearly a bot or a troll.

Nothing to do with politics and everything to do with crappy AI slop. There was some list somewhere of some of those reports and it was painful to look at

Not Trump specifically but the various prevalent trends of online "cancel culture" experienced for the past decade or longer.

why are you linking this to politics? I have to deal with crap "security disclosures" every week. those, so called security experts, report security vulnerabilities for features I don't even have! They should be ridiculed in public!

Nice. But it deters people like me who aren't totally confident in sending reports, trading false positives for false negatives

> it deters people like me who aren't totally confident in sending reports

This is by design, you shouldn't be submitting reports on anything less than certainty. It's not the maintainers responsibility to prove out your idea. It's yours, and when you're sure, reproduceable, and documented it, then you can submit it.

Let's not beat around the bush. The problem is Indians

From https://curl.se/docs/code-of-conduct.html:

"As contributors and maintainers of this project, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities"

Why have a code of conduct while being hostile to contributors?

I think they should handle this differently.

I don't think that telling a LLM to create a fake bug report is "contributing".

They are not contributors, they are spammers. There is a difference. Do you reply to spammers with friendly greetings?

With the extra work that LLM slop has been causing to core maintainers, I think they're quite friendly. Hopefully the volume of the bullshit they receive goes down once they stop paying bug bounties. The people who got upset that their hacker alias got called out for submitting bullshit LLM slop got what they deserve.

"Contribute" comes from the Latin con- "with, together" and tribuere "bestow". We need a new word for these slop submissions. "Detribute" might work well, for something that takes away from the common good, rather than adding to it.

Perhaps because they are not really contributors, so it doesn't apply.

Then they should exclude specific groups from their CoC.

"You can't be a contributor if you're an Indian using AI".

I don't think this is the way ..

The simpler part is to say that AI generated text / code is not a contribution and will be banned if found, probably.

You won't get a hundred percent hit rate on identifying it, but it at least filters really low effort obvious stuff?

[dead]

all curl team came here to downvote you, don't be so cruel :D

Heh.

I understand they people hate to to waste time. They should just be polite about it.

Or you know .. update or delete the CoC.