Open Source Friday with Mitchell Hashimoto

By GitHub


Key Concepts

  • AI-Generated Contributions & Open Source Strain: A surge in low-quality, AI-generated contributions is overwhelming open-source maintainers, eroding social norms, and leading to burnout.
  • Vouch: A Human Boundary: The Vouch project aims to re-establish a human element in contributions by requiring new contributors to be “vouched” for by existing maintainers, operating on a “default not trusted” model.
  • Trust & Explicit Gatekeeping: Open-source projects inherently rely on trust, but these mechanisms are often implicit. Vouch makes trust explicit and provides a framework for managing contributions.
  • Policy Framework, Not Security: Vouch is designed to manage participation, not to provide security against sophisticated attacks.
  • GitHub’s Potential Role: GitHub could facilitate trust management by providing policy templates and a framework for projects to customize their approach.

The Rise of AI-Generated Contributions & Their Impact

Over the past 18 months, open-source maintainers have experienced a significant increase in the volume of contributions, many of which are “plausible but low-quality” and likely generated by AI. This isn’t a matter of inability to contribute, but a shift in interaction patterns and a disregard for established social norms. The volume – 2-3 times a day for some projects – exceeds human review capacity. This trend, while already present before AI, has been dramatically amplified. The effort required for thorough PR review (30+ minutes) is disproportionate to the quality of many submissions, leading to maintainer burnout and a decline in the “joy” of open-source maintenance. This situation is reminiscent of the “Eternal September” phenomenon, where an influx of new users diluted established community norms. A key observation is that the “lows got lower and the highs didn’t get much higher” in terms of contribution quality. Mitchell Hashimoto described the experience as akin to having a drink thrown at you while working in a cafe.

Introducing Vouch: Re-Establishing a Human Boundary

To address this challenge, Mitchell Hashimoto developed Vouch, a system designed to re-establish a “human boundary” in contributions. Vouch operates on a “default not trusted” model: new contributors must be “vouched” for by existing maintainers (currently around 20 for Ghostty). Vouching involves a human-to-human introduction, explicitly discouraging AI-generated self-introductions. The process works as follows:

  • A new contributor attempts to open an issue or PR.
  • If the contributor is not vouched, a bot automatically closes the contribution with a link to the project’s policy.
  • The contributor submits a vouch request via a GitHub Discussion template.
  • Maintainers review the request, prioritizing human interaction and willingness to communicate.
  • If approved, the contributor is added to the vouch list, which enables them to open issues and PRs.

Vouch is explicitly not a security solution (it would not, for example, have prevented the XZ backdoor incident) but a framework for managing participation rights. It’s a “framework for policy, not policy itself.”

Vouch in Practice: Ghosty & Lessons Learned

Vouch has been implemented in Ghostty, demonstrating a noticeable improvement in contribution quality. The initial rollout faced “growing pains” related to bug fixes and localization, particularly the need to manually vouch the 50 localization volunteers through their managers. This was resolved, highlighting the importance of adapting the system to specific project needs. The speakers emphasized the importance of evaluating maintainer commitment and follow-through, citing a case study involving a significant WordPress class rewrite that was ultimately rejected due to declining maintainer activity. Observing maintainer decisions in open communication channels (like Slack) is valuable, but this practice is becoming less common.

The Importance of Trust & GitHub’s Potential Role

The discussion underscored that trust models are already fundamental to software development, having simply been implicit until now. Vouch aims to make these existing trust mechanisms explicit, lowering the barrier to entry while maintaining a level of quality control. Every open-source project already has some form of gatekeeping, but it’s often exclusionary and undocumented. The speakers suggested GitHub could play a crucial role by providing a framework for trust management, offering example policies (a “policy cookbook”) that projects can customize. Examples include vouching through discussions (Ghostty) or issues (Open Code). The speakers also noted that Vouch should not grant any more privileges than the ability to participate, specifically excluding merge privileges.
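The “default not trusted” flow described under “Introducing Vouch” and the participation-only rule noted just above, modelled as a small added example. This is hypothetical illustration code written for this page, not the Vouch project’s own implementation; the `VouchGate` class and the `POLICY_URL` placeholder are assumptions.

```python
# Hypothetical model of a Vouch-style gate; not the Vouch project's own code.
from dataclasses import dataclass, field

POLICY_URL = "https://example.invalid/CONTRIBUTING.md#vouch"  # placeholder


@dataclass
class VouchGate:
    maintainers: frozenset                          # humans who may vouch and merge
    vouched: set = field(default_factory=set)       # contributors granted participation
    vouched_by: dict = field(default_factory=dict)  # newcomer -> maintainer (audit trail)
    pending: dict = field(default_factory=dict)     # newcomer -> vouch request text

    def is_trusted(self, login: str) -> bool:
        """Default not trusted: only maintainers and vouched contributors pass."""
        return login in self.maintainers or login in self.vouched

    def handle_contribution(self, login: str, kind: str) -> dict:
        """Decide what the bot does with a newly opened issue or PR."""
        if self.is_trusted(login):
            return {"action": "allow", "kind": kind}
        # Close and point at the project's policy, as the page describes.
        return {
            "action": "close",
            "kind": kind,
            "comment": f"@{login}: contributions require a vouch, see {POLICY_URL}",
        }

    def request_vouch(self, login: str, introduction: str) -> None:
        """The newcomer files a request (e.g. a Discussion template); it queues for human review."""
        self.pending[login] = introduction

    def approve(self, maintainer: str, login: str) -> bool:
        """A maintainer vouches; the decision is recorded against that human."""
        if maintainer not in self.maintainers:
            raise PermissionError(f"{maintainer} is not a maintainer")
        if login not in self.pending:
            return False
        self.pending.pop(login)
        self.vouched.add(login)
        self.vouched_by[login] = maintainer
        return True

    def can_merge(self, login: str) -> bool:
        """Vouching grants participation only; merge rights stay with maintainers."""
        return login in self.maintainers
```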

Conclusion

The increasing volume of low-quality, AI-generated contributions poses a significant threat to the health and sustainability of open-source projects. Vouch represents a proactive response, re-establishing a human boundary and making trust mechanisms explicit. While not a security solution, Vouch provides a valuable framework for managing contributions and mitigating the negative impacts of AI. GitHub’s potential role in facilitating trust management through policy templates and a standardized framework could be instrumental in helping open-source projects navigate this evolving landscape and preserve the collaborative spirit that defines the open-source movement.
