We will ban you and ridicule you in public if you waste our time on crap reports

With free software, many projects have their own code hosting with separate accounts, sometimes even separate bug trackers with another set of accounts (think Bugzilla + GitLab). Any submission is by definition bigger effort, and thus the culture is significantly different.

As an example, just try submitting a patch to GNU libc (if it hasn't switched to GitHub in the intervening years, though I'd be surprised as it's a GNU project, but it's also largely supported by Red Hat), and see where you get to. Or join the GNOME community and submit a fix. Or FreeDesktop. Or KDE. Or...

If you allow me to go on a meandering tangent/exploration:

___

I mean if you think about it, this outcome is more or less inevitable, given the environment we've created.

The foundational building block being that people will always optimize for their own benefit and personal gain. They fundamentally have to, because no one else will. So that gives us a natural source of conflict, because not everyone is a builder (or at least not everyone believes that they would), meaning that they need to get someone else to do what they want to get done.

You as a builder of course operate no different to that. You also want to optimize for your own personal gain. Where it is different though is that you do not rely that much on external resources to do that, given that you can create by your own.

So these are our building blocks.

To have a functioning societal system, we do want and need to allow people that don't to receive a decent-ish slice of the output of those that create for various reasons.

Something something shared humanity, but also the fact that a society built out of autonomous builders quickly collapses. Plus multi-dimensionality, meaning that person A might be a builder in discipline X, but needs others to sustain themself in discipline Y. Society and all. Shared workload.

The mechanism that regulates the flow of resources between these agents is friction.

For example, social shaming for not sharing the fair part of what you're earning is friction. That is a constant eroding force and cost that is supposed to shift your internal mental calculus to make contributing to society the most sensible outcome.

Equally so, the act of being protective of your time, demanding respect, boundaries and fair compensation is friction that is supposed to shift someone else's mental calculus to make fair treatment of you the most sensible outcome.

____

Okay, many words, but what the fuck am I on about?

Here's where this self-regulating system implodes:

In the last two decades or so, we have absolutely supercharged the mechanism of shaming and public pressure (rel: Twitter).

Simultaneously though, we've also _vastly_ nerfed any forms of friction a builder might employ. (rel: GitHub as the default, being "nice and professional" as the default, etc.)

And that is what simply is not working. But we're not talking about that properly, because any platforms we currently have for talking about stuff are absolutely and utterly dominated by those that do not create; meaning that they get to dictate the rules.

In a very unsustainable way of course (see also collapse of democracy in general) but that is still the reality we find us in.

___

And that is _I think_ also where we can find solutions to these problems. Don't get me wrong, I'm not proposing to return to linus and tell people that they should be retroactively aborted for having made a mistake. There were many very important advancements we made culturally to push out toxicity.

We will need to reintroduce friction though.

Likewise, we will need re-engineer our communication spaces to shift the balance of power back to a sustainable equilibrium. Which doesn't mean "cold uncaring meritocracy" (also, what even is merit?) but it will mean not handing out ever-larger megaphones based on who is already screaming the loudest.

___

Anyway, TL;DR:

It's the system, stupid. It is like this, because it can't be any else given the currently governing rules.

Thanks for attending my Ted Talk.

Have a bot on GitHub that nags people about the pool of committed money towards each feature, to show that they care about it - with the money being placed into an escrow and being released once the feature is implemented and merged, or until a date is reached with no merge and it's given back to everyone / or when the request is closed with no changes. Ofc no idea how you'd validate each individual issue well enough to prevent someone from misusing it, but one could feasibly create such a system, even if it'd probably get a lot of opposition from everyone.

It might be good to have such a system as an option, but I wouldn't want it to become an expectation. I've got a couple of side projects that are out on GitHub. They have open source licenses and anyone is welcome to fork them, send bug reports, or pull requests, but I don't want to have any obligation of supporting those projects.

- A business has some intrinsic motivation however minuscule to fix unsexy issues like security problems or problems that aren't as visible to customers so they don't get hacked and sued and go under; in a pay-what-you-want bounty scheme all of your users are playing chicken to not be the one to put up the money for the fix. Instead they'll wait until it becomes a problem and fix it in their own branch; no reason to bother upstreaming it until someone comes forward putting up the money.

- IMO there's no way to measure cuts for something like this that can't be gamed. If you close out the bountied issue, but you make use of a bunch of utility code I contributed last week, who gets it? Or if the code I contributed is mostly a mechanical refactor of some very complex code someone else wrote? Do we divvy it up by lines of code, number of commits, etc, and that's just for the squint-and-it's-qualifiable metrics for engineers. No idea how you'd measure a cut for project managers. Someone also may be the steward of the repository and handle administrative work but not do a whole lot of feature-fixing, what cut do they get? Instead of juggling KPIs you can just pay all these people for their common contribution - time - and then you're back at something that businesses do really well.

- For any bounty system to work you need somewhere to track the bounties and hold money in escrow for payouts. Those services exist, they cost money to run, and they are going to take a cut. I'd assume they'd also invest and grow that money while they have it unless that's illegal for some reason I'm not aware of. An incorporated business keeps its bounties in the issue tracker, and its money in an account that accumulates interest that can go toward further development on the actual product instead of third-party support services. Crypto is a no-go here because that limits your contributor pool to exclusively crypto perverts, otherwise normal people have to speculate on it and convert it to normal useful money for a fee.

- I've worked at a place where the devs got to work on whatever they wanted. Required to, really, because there was very little interest or hands-on management from the owner in the direction of the product as long as sales were stable. We had a great time and got paid and we all learned a lot on company time and last I checked they are no longer in business.

- Timelines are a big factor too. If some open-source software I'm using is missing a big feature I'd like (and if post-2024, it's too substantial to just make a copy and have Copilot customize it for my use) I'm still not going to kick in the first $10 in the hopes that somebody someday builds that feature for me. I'm going to be dead or not using the software by then. If I thought the feature I wanted was worth $10,000 and I had $10,000 to kick towards it in the hopes that somebody somewhere would decide to build it, I would instead hire somebody on contract terms to do the work with a greater guarantee of results and some recourse if they screw me.

They did have things like trolls and zealots that thought "Their one idea" was a gift from god and the maintainers were idiots for not adding it to the application. And eventually those people may have been banned from mailing lists. But in general the people posting code were typically well known and had some interest in fixing the application for some useful purpose.

Simply put, no idealism stands the test of time without change. Nature shows us that everything must evolve or it goes extinct. How 'free software' evolves is now up for debate.

  https://www.catb.org/~esr/faqs/hacker-howto.html#believe5

... Did they try anything as petty as the xorg maintainers are nowadays?

Literally you cannot, you can turn off "Issues", but you cannot turn of pull requests, Microsoft/GitHub forces you to leave that open for others to submit PRs to your repositories no matter what you want.

Just a note, you actually can't turn off PR's on Github repos. At least not permanently.

True, but the expectation means that taking on maintenance involves taking on and leveraging a large amount of reputational debt in a very risky way.

If you release something to the world and place yourself in a high-visibility maintainer position, burn out on it and then decide to drop it, it's very hard to ensure that your legacy and reputation in perpetuity will be "released something great and did the world a solid by maintaining it for a while" as opposed to "person who overcommits, bails, and leaves the world in a jam".

Based on my own experience, here are a few reasons (could be a lot more):

1. Unlike most developed countries, in India (and many other develping countries), people in authority are expected to be respected unconditinally(almost). Questioning a manager, teacher, or senior is often seen as disrespect or incompetence. So, instead of asking for clarification, many people just "do something" and hope it is acceptable. You can think of this as a lighter version of Japanese office culture, but not limited to office... it's kind of everywhere in society.

2. Our education system mainly rewards results, not how good or well-thought-out the results are. Sure, better answers get more marks, but the gap between "okay" and "excellent" is usually not emphasized much. This comes from scale problems (huge number of students), very low median income (~$2400/year), and poorly trained teachers, especially outside big cities. Many teachers themselves memorize answers and expect matching output from students. This is slowly improving, but the damage is already there.

3. Pay in India is still severely (serioualy low, with 12-14+ hour work days, even more than 996 culture of China) low for most people, and the job market is extremely competitive. For many students and juniors, having a long list of "projects", PRs, or known names on their resume most often the only way to stand out. Quantity often wins over quality. With LLMs, this problem just got amplified.

Advice: If you want better results from Indian engineers(or designers or anyone else really), especially juniors (speaking as of now, things might change in near future), try to reduce the "authority" gap early on. Make it clear you are approachable and that asking questions is expected. For the first few weeks, work closely with them in the style you want them to follow.. they usually adapt very fast once they feel safe to do so.

Add in time zones, language friction, and fear of losing work, and "just run with it" becomes a rational strategy. Meanwhile, many Western workplaces treat clarification and check-ins as professionalism, so the behavior reads as strange or careless.

The key point is that this usually isn’t lack of curiosity or reflection, but risk management under different norms. The pattern often disappears once expectations are explicit: ask questions, check back, iteration is expected.

I had more of those interactions, and we also exchanged some of the indian devs (they were sold to the client by a big consulting group, and immediately replaced by someone else if we wished). I later found out, people that I have had replaced in my sqaud for not being qualified, ended up in different teams in the same corporation, they were basically just moving around inhouse.

After a few month in the project I swore to myself never to work with offshores again. And as a side note, the bank I did the project with, does not exist anymore :)

I ignore all of their resumes, not because I don't think there's valid individuals among them, I did hire them in the past, but:

1. because the signal to noise ratio is absurd. The overwhelming majority didn't even read the actual post.

2. Even when they are okay developers, communication is always a huge issue. Sync communication in call is though because urdu and other indian area accents are extremely heavy so I really struggle understanding their english, my bad but what can I do about it. If I try to keep it async or chat based then they tend to not ask feedback, clarifications, provide updates, etc. So you feel like you need to micro manage them half the time and they'd rather give you answers to make you immediately happy than surfacing problems.

3. Paying them is always an hassle. Wiring them money through bank accounts is difficult. They generally set up some Paypal or similar service or ask you to pay them on some Hong Kong account from a friend of theirs. I need traceable invoices and simple wires for tax purposes and when sending money to Pakistan multiple times anti-laundering got involved in my country, and we talking low hundreds of euros.

Still, props to the few good ones I've met, they've been critical on some projects of mine. Very professional and knowledgeable. But it's just too bad of a signal/noise ratio, seriously most applicants don't even read job descriptions.

I can't remember all the techniques but a simple trick is to ask them to repeat their understanding back to you before they start working on a thing.

But I don't think it's connected to sending "malicious" reports. That seems rather to be to pad their resume and online presence while studying to get an edge in hiring.

It would be typical to do the first thing that comes to mind, then see what happens. No negative feedback? Done, move on. Negative feedback? Try the next best thing that makes the negative feed back go away.

People will not wonder whether they might bother you. Just start talking. Maybe try to sell you something. That's often annoying. But also just be curious, or offer tea. You react annoyed and tell them to go away? They most likely will and not think anything bad of it. You engage them? They will continue. Most likely won't take "hints" or whatever subtle non-verbal communication a Westerner uses.

I found it quite exhausting in the beginning, it feels like constantly having to defend myself when I want to be left alone. But after I started understanding this mode and becoming more firm in my boundaries, I started to find it quite nice for everyday interactions. Much less guessing involved, just be direct.

Professionally I haven't worked much with Indians, but my expectation would be that it's necessary to be more active in ensuring that things are in track. Ask them to reflect back to you what the stated goal is. Ask them for what you think are obvious implications from the stated goal to ensure they're not just repeating the words. Check work in progress more often.

Ask culture scales a lot better in a fast changing world full of strangers. Guess culture saves friction, but only in situations where people are mostly guessing correctly because the social structure and expectations are fixed.

Many of my Indian friends say it is, but sometimes I feel they can be as self-critical of their country as many Americans are of the USA.

Demographics show that it doesn't have to be cultural - it could just be that India has 9x as many people under the age of 35 compared to the USA. Even if we were culturally similar, for every annoying US youngster "hustling" to try to get employment, there would be 9 early-career Indians doing the same. That alone is enough to drown the "Vox Agora" with Indian voices. Chinese citizens generally don't participate in English-language fora, so their large numbers would be massively under-represented.

If anything else is biasing the populations, the difference in numbers could be even more stark.

Ficticious Example could be

Q: is this car red? A: it's not green. Q: yeah I know it's not green. But is it red? A: today is Thursday.

One thing I leaned it's not worth pressing forward and causing a scene. Instead it's better to use other ways of finding the information.

When guiding team members I always found it useful to have them explain back to me in their own words what they're tasked to do. It become immediately obvious if they were on the right track or not.

The people having a terrible time with Indian contractors always deal with folks making 3k-10k USD/year. Of course the quality is bad.

For reference:

Good Indian devs out of college make atleast 30k USD. Good senior devs make atleast 50k. The really good ones make much more. Most American companies outsource to bottom of the barrel contracting companies like Infosys.

0: https://en.wikipedia.org/wiki/Face_(sociological_concept)

I experienced this same thing working with offshore Indian contractors 20 years ago. Interesting to hear someone else echo my observations.

I tried specifically asking questions where the correct answer was “no” and they wouldn’t tell me no. In some cases I told them I was expecting them to say “no” and they still wouldn’t do it.

It was very difficult to figure out what they knew or didn’t know without putting them through a test and seeing how they did.

https://burakpsych.weebly.com/uploads/5/6/0/6/56066915/ethni...

https://en.wikipedia.org/wiki/Power_distance

https://en.wikipedia.org/wiki/Hofstede%27s_cultural_dimensio...

I've worked with mixed nationality teams at a certain 4 letter austinite corporation a couple thousand moons ago. One thing in common with my Asian colleagues back then (many of which i still keep in touch with to this day), is that they would usually refrain from saying things that could rock the boat or disappoint you. If they lacked knowledge for the task at hand, they wouldn't let you know. If they were late on a delivery, they'd insist it would be ready by a certain date. This led to situations where other regional managers would have to plan contingencies to work around the issue.

They were trained really hard to "restore" things in a way that hit some minimal level of the SLA, but not really. It created alot of issues initially in the organization as the "don't question anything" had really been ingrained into them. My observation there is that it made many of the useless support engagements I've experienced make sense, and that a place with that level of discipline and process must be pretty awful.

https://news.ycombinator.com/item?id=24658052

Indian students have a long history of disrupting free/libre projects, this is nothing new

> Is this cultural?

Could be, but there are a number of very popular Youtube and other video based classes/bootcamps (taught and targeted from/to Indian students) that teach how to work with git and github that show how to create PR's and comments in repos, and then a lot of students do that, on public (and popular) repos.

There are a couple very famous examples of this.

This might be part of the motivation. What's pocket change in the west might be good money in the 3rd world.

Sounds like an LLM

Its incentives. If you’re an Indian student in India, unless you go to a prestigious university, your prospects of landing a job, let alone a good one are very small. Even tech companies that claim to be meritocratic elsewhere, rarely screen resumes beyond the top universities in India. The only other real prospect is to get your resume to stand out. Open source contributions, research papers etc are some ways to do that. And the talented ones make contributions, while the rest just try to fake it in the hopes to make it (it obviously doesn’t work).

There are similar incentives if you want your college application to stand out if you’re trying to go abroad for higher education. And if you’re already outside India, those incentives extend to job applications outside India. If you’re an international student looking for a job, even if you have work experience at known multinational companies, if it’s in India, the experience doesn’t count.

It’s all about incentives and responding to them.

Always consider relative status and power imbalance regardless of nationality too. If someone is afraid to say no you have to factor that in - and 'calling them out on it' is maybe not the most effective reaction, especially if in public.

I always had frustrations with this as a manager until I could establish a personal relationship. Sounds extra hard with short-term remote contractors!

Whereas other cultures have at least some (if not a lot of) resistance to it - eg publicly ridiculing when people step flagrantly out of line. This is good. My impression is that British culture is like this - "taking the piss", or worse, out of people whose egos start to get too large

Edit: what about this comment could possibly be worth a downvote...? Not that I care about points, but it just seems to be an objective assessment of human nature and cultures, without even singling out any cultures that need improvement.

Absolutely. I've been traveling for the last 10 years and lived in 50+ countries. I believe that all cultures have unique pros and cons and that the cultural diversity of the world is an amazing thing. There are good and bad people everywhere, so I rarely leave a place with such a strong opinion as the multiple times I've been to India. I really wanted to love India because of their rich history and diversity, but I ended up leaving with a feeling that their culture is overwhelmingly objectively bad.

In my experience, yes, but I hope that's just my personal experience over the past 20 years.

it's interesting how it parallels the issue with llms today, they are basically perverse instantiation genies. your wish is my command.

So for every good developer in India there are probably 20 bad ones who have no idea what they are doing.

For students, often there is no pathway to actually become good due to lack of resources. So, the only way is to fake it into a job and then become good.

Thanks to their LLM reliance they'd soon not know what it does, and forget even the little they know about coding

I know someone in a senior engineering position at Epic who does nothing but clean up PR's from their off-shored Ukrainian sweat shop coders handing in AI slop because all they need to do is close a ticket to get paid. They wind up rewriting half or more of it. Epic doesn't seem to care so long as this "solution" works and saves them money by paying a few really smart people to code janitor until hopefully all of them can be replaced by LLMs.

I wondered why people would video themselves going around slapping strangers in public then shouting "its just a prank bro" - turns out it works.

I’m actually of the mind it will be easier IF you follow a few rules.

Code maintenance is already a hassle. The solution is to maintain the intent or the original requirements in the code or documentation. With LLMs, that means carrying through any prompts and to ensure there are tests generated which prove that the generated code matches the intent of the tests.

Yes, I get that a million monkeys on typewriters won’t write maintainable code. But the tool they are using makes it remarkably easy to do, if only they learn to use it.

Would love your thoughts on some of the things we're thinking about: - Would it help to disable all PRs? All non-contributor PRs? - Would a "close as admin" button help address the issue of not wanting to be rude or discouraging? - What about Copilot doing an initial review and proposing to close anything that doesn't meet contribution guidelines - would that help a "close this" decision feel less personal?

We have tried a lot here in the past (good first issues, more community support for new users), but haven't found a perfect solution yet. Internally, we're looking at options for admins to disable PRs on repos, or limit PRs to collaborators only, for example. From your comment, it seems like part of the challenge you're experiencing as a user is around Issues specifically. We've also been looking at options to delete PRs and Issues individually and in bulk, which could help after the event. Would welcome any feedback on other paths we could take here.

From https://en.wikipedia.org/wiki/Perverse_incentive

"According to the story, the British government, concerned about the number of venomous cobras in Delhi, offered a bounty for every dead cobra. Initially, this was a successful strategy; large numbers of snakes were killed for the reward. Eventually, however, people began to breed cobras for the income. When the government became aware of this, the reward program was scrapped, and the cobra breeders set their snakes free, leading to an overall increase in the wild cobra population."

There’s a lot to dislike about shame as an enforcement mechanism but I’m starting to miss some of the upside it delivered.

I will try to give some context.

To give an example, the CSE undergrad from an average Indian college would've done 500 - 1000 leetcode "problems" for practice. But have little to no idea on how to survive in a UNIX shell, or to troubleshoot an actual problem. Hell, half of them haven't written more than 1000 lines of code for single purpose.

People early in their career (which is most SWEs including yours truly) follow whatever "influencers" on youtube (the local term being bhaiyya-didis), who give them rough "roadmaps" to "crack DSA" or "get high paying remote job". The result is that average CS guy spends most of his time navigating this rat race than studying computer science stuff that matters for the job.

I see similar kind of competition getting created at senior levels too, in the terms of people grinding theory and blog posts on "system design" interviews. I am not old^H^H^H senior enough to comment on it, though.

But it was not all bleak. IIRC, We were producing quite few good OSS contributions through GSoC, LFX etc... until few years ago (not considering my own among good ones). There were talented 1% or so (I known a few very talented people in personally). Nowadays these "hustler" variety people have started "How to crack GSoC" roadmaps [sic] too, and the spamming quoted above see may be related to this. This sort of insane rat race is not good for talented people. It's not good for companies either. Recruitment is basically lottery at higher levels too; I have seen people use AI to shamelessly lie on their resumes and get hired etc... Some of these problems may be present in west but India's scale makes some of these problems difficult.

It doesn't until suddenly it does. A glut of junk can eventually trigger a flight to quality.

Sadly, possibly not on a timeline which works for a given individual.

This is just lazy casual racism.

If I ever need to start using an AI to summarize text that someone else has generated with AI from a short summary, I'm gonna be so fucking done.

I’ve basically watched the AI crap cycle go from “this is a weird report, oh it’s fake” to “all the reports are trash, it’s so hard to find real humans in the flood” through his posts.

I suspect I would’ve stepped down long ago. I feel so bad for the open source maintainers who are just being assaulted with nonsense.

They really don't, lol

If a community is full of assholes, unwilling to change, walk away! Don't contribute to what you don't want to support. It's just like voting with your wallet.

All contingent on whether you can actually afford to do so though, as usual, but I have a hard time believing that interacting on Reddit would be so essential, especially these days.

https://daniel.haxx.se/job.html

He does criticise rich companies who don’t do anything to support cURL and demand preferential support, but that’s not the same thing (and does warrant criticism).

Finally an explanation to why GitHub suddenly have way more bugs than usual for the last months (year even?), and seemingly whole UX flows that no longer work.

I don't understand how it happens, do developers not at least load the pages their changes presumable affects? Or is the developers doing 100% vibe-coding for production code? Don't get me wrong, I use LLMs for development too, but not so I can sacrifice quality, that wouldn't make much sense.

It's kind of like people who live at the base of a giant dam but cannot comprehend that it could ever fail.

Why? If it is a purely machine generated report there is no need to have dozens of third parties that throw them around blindly. A project could run it internally without having to deal with the kind of complications third parties introduce, like duplicates, copy paste errors or nonsensical assertions that they deserve money for unrelated bugfixes.

A purely machine generated report without any meaningfull contribution by the submitter seems to be the first thing you would want to exclude from a bug bounty program.

The problem they had before was a financial incentive to sending reports, leading to crap reports that wasted time to review. Incentivizing sending reports + patches has the same failure mode, but they now have to waste even more time to review the larger quantity of input.

Anyway, for most cases I'd bet that Daniel can produce and get reviewed a correct patch for a given security bug quicker than the curl team can review a third-party patch for the same, especially if it's "correct, but ai-written".

If I find a security issue, I'm willing to responsibly disclose it, but if you make me pay, I don't think I will bother.

Punishing bad behavior to disincentivize it seems more sensible.

That sounds wonderfully meritocratic, but in the real world, a machine generating it is a very strong signal that it's bullshit, and the people are flooding maintainers using the machines. Maintainers don't have infinite time.

Throw enough AI crap at enough projects and you may get a payout.

The incentives fail in the face of no-effort flooding. They accidentally encourage it.

I can imagine GitHub becoming this filter somehow

You could then build a reputation system, much like a spam blocklist, using some sort of hash of the payment details.

Honestly, I would love it if I could front some money in order to have the devs look at my PRs. Half my PRs just go into the void and nobody looks at them until some staleness bot inevitably closes it.

This is a similar problem to resume spam. I always wish I could pay $5 when submitting a resume with the guarantee that someone would actually look at it and give me a fair shot. If I ever run a place I want to experiment with only accepting resumes through letter mail or in person.

Seems like a completely appropriate way to handle things if you're still on Github. You said yourself the spam drove you off.

They could let people who are proven not to be spammers open PRs directly.

So I think OP is trying to insinuate POTUS' behavior inspires a general lack of decorum, a la trickle-down dickonomics. Which is a sentiment I can't in good faith disagree with entirely, but it seems like a stretch in this case.

Besides, I've seen plenty of profiles here on HN who advertise their real name and espouse (in my view) awful takes that would most likely not fly in real life. I'd recommend reading this article[0] for an example of when people, with their real names exposed, can still cause a shitstorm of misunderstanding.

0: https://lwn.net/Articles/973782/

Proving out a security vulnerability from beginning to end is often very difficult for someone who isn't a domain expert or hasn't seen the code. Many times I've been reasonably confident that an issue was exploitable but unable to prove it, and a 10s interaction with the maintainer was enough to uncover something serious.

Exhausting these report channels is making this unfeasible. But the number of issues that will go undetected, that would have been detected with minimal collaboration between the reporter and the maintainer, is going to be high.

I think the parent is correct in calling out the inconsistency of promoting personal attacks when that is explicitly forbidden in the CoC.

I'll try to strike a conversation with a spammer next time I can't sleep. Thanks for a great suggestion.

"You can't be a contributor if you're an Indian using AI".

I don't think this is the way ..

I understand they people hate to to waste time. They should just be polite about it.

Or you know .. update or delete the CoC.