
  2. 35

    I’ve already had to close one of these PRs on a project I help maintain, whose only change was to add a colourful description of the ISC license (“an wonderfull license with lots of benefits”). The PR was titled “Improved Docs”.

    When I checked the user’s other PRs, they were all also called “Improved Docs”, per the OP. Ugh!

    1. 5

      Always flag them invalid!

      1. 10

        While I abhor the idea of bad actors benefiting from their misbehaviour, you could make an argument that you shouldn’t flag them as invalid:

        1. It’s not your responsibility to moderate DigitalOcean’s game for them.
        2. Once they’ve got their T-shirt, they might stop spamming.

        It may be better to just close them and forget about them.

        1. 6

          If DO counted bad contributions against you instead of as neutral, that would fix the incentives again

      2. 2

        Same. I didn’t recognise it for hacktoberfest spam (which I’d never heard of until reading this article) until now though. I reported the user for spam. (They joined GitHub yesterday, and have sent 8+ spam PRs to random projects.)

      3. 30

        It seems that this post generated enough noise that their team released a statement:

        https://hacktoberfest.digitalocean.com/hacktoberfest-update

        1. 9

          From your link:

          For maintainers, we’re building on an existing idea and doubling down on an excluded repository list for Hacktoberfest. If you don’t want pull requests to your repositories counted toward Hacktoberfest, send us the info in an email to hacktoberfestmaintainers@digitalocean.com.

          To the maintainers: We’re sorry that these unintended consequences of Hacktoberfest have made more work for many of you. We know there is more work to do, which is why we ask that you please join us for a community roundtable discussion where we promise to listen and take actions based on your ideas.

          We’re sorry you had to deal with all these spam PRs foisted upon you by enrolling you in our scheme without your consent. Please take additional actions to opt-out and/or tell us how to fix our mistakes.

          1. 5

            It’s been around for many years and this is the first time I hear of spam (might have missed 2019). Most open source folks /I/ ever talked to about the event were in favor of it.

            1. 2

              Yeah, probably true. It’s amazing and sad how sharply something can turn from being positive to really negative once it goes beyond the intended audience and pulls in the wider internet who only want free stuff.

          2. 21

            The rules seem to be very aware of spammy PR.

            However, at the same time, it’s not about landing 4 PRs during October, it’s about just opening 4 that don’t get flagged as invalid. So the mechanic is broken.

            1. 20

              So the mechanic is broken.

              Indeed. Quoting the rules:

              The pull request must contain commits you made yourself. If a maintainer reports your pull request as spam, it will not be counted toward your participation in Hacktoberfest. If a maintainer reports behavior that’s not in line with the project’s code of conduct, you will be ineligible to participate.

              (emphasis added)

              So this just adds responsibility on maintainers, who have in no way accepted to opt in on this stunt but are expected to do basic quality control for a stupid marketing contest.

              Note that there are zero consequences for a GH user to engage in spamming - if at least 3 spam notifications within 24 hours led to a suspension of PR/commenting privileges across all projects, this would cut down on the very worst behavior.

              I’m a DO customer but this is something I’m considering changing. Whoever thought this was a good idea should be fired.

              1. 13

                hm, perhaps a simple way to get rid of this spam would be for DO to count spam reports as negative points. That means you would need five non-spam contributions if you got marked as spam by one project, six if you got marked by two etc. The more spam you produce, the more proper commits you’d have to make. I don’t see any obvious flaws with this simple fix, but then I just thought of it.

                1. 3

                  This might help next year (if this excrescence is still scheduled then) but it will not help much right now. Of course, expecting GitHub to roll out a solution similar to this on short notice.

                  In fact, it wouldn’t surprise me if this project was cooked up between Digital Ocean and GitHub themselves to boost “engagement”. Shifting the responsibility and work onto unpaid maintainers / moderators is after all how Reddit does it, while the parent company reaps the benefits.

                  GitHub is a social network, and the price its users pay for its functionality is being treated as a commodity by large corporations eager to mine their contributions.

                  1. 4

                    Well, if you want a solution right now, the easiest way would be to migrate away from GitHub. That should send quite a strong signal if enough large projects do this.

                    1. 3

                      I’ve moved all but a handful of repos off as of a few months ago; maybe this will be the push I need to get the rest off.

                      But this is supposed to be a yearly occurrence, and I’ve never noticed this before. Did the rules change this year to make it worse?

                      1. 3

                        I thought that the rules used to be that you had to get a merged PR, though I’m not sure about that?

                        I think one of the reasons this year was a lot worse than previous years was this video telling people “how they can earn free swag online”. CodeWithHarry told people to search for repos with “website” in the name and how to make a PR to add “an amazing project” to the README title.

                        1. 2

                          They mentioned in their update blog post (which is linked in another comment here) that they’ve been doing more marketing on Facebook, Twitter and YouTube (of all places). Probably this attracts more attention from trolls or people who don’t have any real affinity with free software and would just like a “hacker” t-shirt to look cool.

                          1. 1

                            I think we’ve been unlucky with leiningen, as it didn’t even drive a meaningful amount of contributions at all. I think I accidentally nearly fulfilled my quota one year because I had to redo some PR…

                          2. 1

                            Indeed, and I’ve mentioned that in another comment in this thread.

                            I do see some positive comments about this in the HN discussion, maybe from projects big enough to have what amounts to a “social media manager” on staff.

                      2. 6

                        Note that there are zero consequences for a GH user to engage in spamming - if at least 3 spam notifications within 24 hours led to a suspension of PR/commenting privileges across all projects, this would cut down on the very worst behavior.

                        I’ve reported users to GitHub for spamming in the past (we saw some obviously spam submissions, replacing files in the repo with things that looked like they were machine generated and were completely unrelated, accompanied by incomprehensible commit messages). I included links to other PRs that they’d sent to other projects with the same structure. GitHub disabled their account pretty quickly. Note, you need to hit the ‘report content’ menu item in the ... menu next to the PR, not just add a spam tag.

                        These are a bit more borderline, they could (if you were very generous) be assumed to be good faith attempts to improve things by someone with very limited understanding of the projects and ecosystem.

                        Of course, once a GitHub account has been removed, there’s nothing stopping these spammers from registering for a new one with a different email address. Prosecuting Digital Ocean for buying a DDoS attack against GitHub and its users seems like a better approach to solving this problem.

                        1. 1

                          Of course, once a GitHub account has been removed, there’s nothing stopping these spammers from registering for a new one with a different email address.

                          No, this would not help with dedicated griefers, but it would help if someone is trying to tie their GH id to a campaign to get a t-shirt. It would at least make those people pause before submitting a 1-line cosmetic change to a bunch of repos, thereby aligning incentives better.

                          Prosecuting Digital Ocean for buying a DDoS attack against GitHub and its users seems like a better approach to solving this problem.

                          Agree, but who shall be the “prosecutor”? I’m guessing GH is complicit in this scheme, and throwing a subset of its users (maintainers) under the bus. I actually think loudly complaining on the internet is the best way forward ;)

                          1. 1

                            Agree, but who shall be the “prosecutor”?

                            Maybe some foundation like the SFC could start a class action lawsuit representing all free software developers.

                            1. 14

                              I doubt Digital Ocean had any ill intent with this; it seems they just wanted to set up a “fun hackathon” thing as a PR stunt and underestimated the kind of ways people would abuse that, and now they’re caught flat-footed.

                              Years ago we did a flea market with the local scout group to raise money for some long overdue repairs to our building we didn’t have the money for. We spread flyers in the neighbourhood and picked up stuff people donated to us during a few evenings; we actually got a lot of “free stuff” to sell and the response was great.

                              We had done some other fund-raising stuff over the years, but this was the first time we had done anything like a flea market.

                              On the day of the actual flea market there was already a massive crowd an hour before we opened. We were a bit taken aback, but good I guess? When we opened the gates at 10am we were completely taken by surprise: people would just rush in, grab the first expensive-looking thing they’d see, and just run out again. Not just one or two people; an entire crowd of them. Most people (myself included) were so taken by surprise that this was actually happening that we didn’t quite know what to do, and we just stood there with our mouths open and “let it happen”, so to speak.

                              During the entire day person upon person would try to cheat you. Stuff like “1 euro for that is okay?”, “Alright”, proceeds to grab something much more expensive 1 metre from what he pointed at and gives you 1 euro. “Wait, that’s not what you pointed at!”, makes an entire fuss. This kind of stuff happened many many times throughout the day.

                              I loved being a scout leader and was generally one of the first to volunteer if something needed to be done if I had the time. But a flea market? I never did that again. It was well above my twat tolerance limit.

                              My point of this story is: if you’re a normal, well-intentioned, good person then it can sometimes be hard to imagine how people are going to abuse things. Perhaps we could have expected these kinds of things, and in hindsight it all seems kind of obvious people were going to do that, but none of the >30 people involved expected any of this. We did it again the next year, and from what I heard things went better (but I wasn’t there myself).

                              I’m not sure how fair it is to sue DigitalOcean; I suppose it will depend on how they will respond to this in the coming days/weeks, and if they’ll do the exact same thing again next year. But for now, it just seems they’re taken aback just as much as we are.

                            2. 1

                              Agree, but who shall be the “prosecutor”?

                              At least in the UK, this is a criminal offense and so reporting it to the police’s national cybercrime division is the right approach. They are always looking for easy wins and a place where a company has put their offer for people to launch a DDoS on their web site is a very low-effort case to make from an evidence-gathering perspective.

                          2. 5

                            The pull request must contain commits you made yourself. If a maintainer reports your pull request as spam, it will not be counted toward your participation in Hacktoberfest. If a maintainer reports behavior that’s not in line with the project’s code of conduct, you will be ineligible to participate.

                            Why does spam (universally and uncontroversially abhorred) count for +0 on your PR count, while CoC violations (which aren’t universally adopted, for a variety of reasons) attract a ban?

                          3. 4

                            You could probably argue that they are paying people to launch a distributed denial of service attack, which is a clear violation of the Computer Misuse Act and carries a potential prison sentence.

                          4. 15

                            I’d like the ability to also delete PRs, not just issues. Specifically, this spam of useless PRs makes searching for actual PRs worse as a side effect.

                            1. 40

                              I seem to remember a time when people were very insistent that non-code or minor contributions were just as important and valid as major code contributions, and that using social coding sites like Github instead of email patch lists or whatever was an unalloyed good. Many folks were mocked or shunned for being “gatekeepers” or being unwelcoming to new developers who–frankly–were often just padding their profiles with forks and trivial PRs.

                              I am not too big a sock to admit some amusement, then, upon reading about this situation. :)

                              (More seriously, there is a balancing act to be had in setting community norms around participation when there are in fact bad or just inconvenient actors in sufficient numbers to cause harm. Hopefully this sort of thing encourages people to reflect more on the philosophical underpinnings and practical weak points of open source as is practiced today.)

                              1. 47

                                There is kind of an easily understandable difference between:

                                • a non-code minor contribution - eg correcting a link or some spelling in a readme, a non code non-minor contribution - eg writing good documentation, a minor code contribution - eg any actually minor bugfix
                                • bad faith spam non-contributions (nontributions?), like what was talked about in the article

                                The former is what people were clearly very insistent was important and valid; the latter is what people are complaining about now as obvious spam. Conflating the two serves as gatekeeping, which, given your pro-gatekeeping statement, seems like it might be deliberate? It might also be just that it was a throwaway comment that you haven’t thought through though, so I might be reading too much in to it. My apologies for the aggressive tone of my previous version of this post.

                                Edit: Edited for civility, clarity.

                                1. 10

                                  No offense taken, and I rather like the nontributions coinage. :)

                                  The thing is that a lot of that is in the eye of the beholder…some of these comments tweaking readability or fonts or adding emphasis or whatever are kinda at the same level as fixing typos. The mechanism is the same, the only differences being the (arbitrary) decision in validity and the motives behind the contribution (free t-shirts versus whatever else).

                                  The problem with saying “well some of these are nontributions and clearly are in bad faith” is that in the past things like Code of Conduct proposals, switches to code styling, changes to vocabulary, and whatever else have been objected to by project maintainers who have then been pilloried.

                                  Even the concern of “well, these people are bad faith because they’re just doing it to get a free t-shirt” can be made to draw parallels to the (apparently acceptable) motives of people on web working groups and standards committees and commercially-backed projects like React or docker.

                                  I bring these things up specifically because I think the objections to Hacktoberfest are a good chance to reflect on what’s become of our culture and practices, and to wonder if maybe the things that irk us here are not worse but somehow given a pass elsewhere.

                                  1. 23

                                    If you look at the examples in the repo, they are all nontributions. Find me the person defending this PR for example.

                                    I extremely dislike sort of “raise the level of abstraction”-style discourse when someone here has clear, empirical examples of a thing being annoying not because it’s “not code” but because it’s spam (lots of these are code changes!)

                                    I think we all like having good docs, and people who send in contributions to docs that improve them… I mean who objects to that?

                                    Maybe you have a problem with people claiming they work on a thing without touching the main codebase (which is… I mean that’s you), but that’s pretty offtopic here tbh. (EDIT: leaving this here but I mean this in the least accusatory way possible, not trying to be dismissive of that topic as a whole)

                                    1. 8

                                      If you assume the person making the PR was doing so in good faith (albeit without sufficient skill) then this exercise in “abstraction” gives us a really good chance to say “okay, shit, how do we deal with eternal September in software projects, and how do we deal with new users that just kinda suck without turning them off”?

                                      If you assume the people opening PRs are doing so in bad faith, then the question becomes “what features of modern open source are ripe for abuse and how do we manage that without losing our souls (more)?”.

                                      1. 2

                                        You want to have this conversation, fine, but it’s absolutely not what is being discussed right now. It comes across as derailing the conversation about bad-faith contributions like the ones linked obviously are.

                                        1. 3

                                          What’s the “conversation” about the bad-faith contributions, other than acknowledging what is effectively open source drama and whinging about a publicity stunt that went wrong? Rubbernecking at bad PRs?

                                          I think a derail is in order, because the current tracks lead nowhere interesting.

                                    2. 5

                                      Right. My reply to this kind of thing is that the faculty of judgment is needed (even if only a little bit) on an individual basis even when things are easy to see as a group, because we don’t yet have an easily understandable general philosophical treatment of ontology and what you might call ‘thing-ness’ - the Platonic Man argument basically showed the problems with naive attempts to draw categorisations thousands of years ago.

                                      As it turns out, the thing we want to know is ‘is this a contribution or a nontribution’ (similar to the ‘spam vs ham’ test) which does not in any way boil down to bright lines that don’t require the faculty of judgment. Sometimes a minor doc change can be really really helpful (eg in the installation instructions for newbies!). But as part of contributing, we can reasonably expect contributors to think ‘hey, is this a contribution?’ and if it isn’t, to not send a PR, in exactly the same way we can expect people to think ‘hey, is this spam?’ and not send spam if it is.

                                      Edit: Like, with spam, we might ask things like ‘is this addressed to me?’ ‘Is this grammatically well formed?’ ‘Are there gratuitous spelling mistakes?’ ‘Does this ask me to send money?’ but none of those things actually make something spam or ham - in fact, no contents of an email mechanically definable with a simple rule will definitionally make it spam or ham, so we can’t say ‘Answering the wrong way to these definitionally makes it spam, otherwise ham’. But the person sending it knows, and if the person receiving it has the mental bandwidth to think about it, they know too.

                                      Second edit: One of the things that makes the formal sciences so interesting to me is that when something is properly, fully in the domain of a formal science this does not apply. We know what a triangle in some axiomatic system we put together is, because we define what it is.

                                  2. 25

                                    I don’t think “minor contributions” are the problem here; I went through some of the PRs and many are indeed 100% pointless:

                                    • Change font-size: 25px to 24px in some CSS file, with only “Update styles.css” as a description. What’s the point of this?

                                    • Change 404 Not Found to 404 error found. Pointless change and awkward English.

                                    • Change font-style: normal to bold on the main body text, again with no description of why. There are actually two PRs which do this.

                                    • A PR with “Improve indentation and add some comments” sounds like a promising and useful “minor change”, but if you look at the actual diff it’s just adding some really weird and pointless comments and newlines. Another promising “improve docs” PR just adds ### Great Work, hmkay?

                                    • “Add files via upload” sounds promising as well, but it adds 2MB of images which don’t seem used and makes some CSS changes which seem pointless and are unexplained.

                                    • One PR just adds <h1> misbah </h1>. Wut?

                                    In short, none of these are “minor contributions”. Labelling them as “spam” and closing them without comment is perhaps rather harsh, but to be honest all of these PRs are just complete garbage so it’s not really an unfair classification.

                                    1. 19

                                      I also thought some of the PRs in the screenshot looked reasonable, but I implore you to actually go through the PRs closed as spam.

                                      Here’s the first I clicked on from the openstreetmap-website repo: https://github.com/openstreetmap/openstreetmap-website/pull/2866/files - add “made with love” to the readme.

                                      Here’s the first PR I clicked on to whatwg/html: https://github.com/whatwg/html/pull/5991/files - add “thankyou” to the readme.

                                      Here’s another PR: https://github.com/whatwg/html/pull/5981/files - replace “404 Not Found” with “404 Error Not Found”.

                                      Another one: https://github.com/whatwg/html/pull/5990/files - decrease the font size of a particular element from 25px to 24px (no description which argues why 24px is better than 25px, just the smallest visual change you can make).

                                      This one is nice: https://github.com/whatwg/html/pull/5975/files - add ‘i += 1 // Increment i’ style comments to the CSS and add newlines.

                                      All the PRs marked as spam are like this. No effort put into the code change, no effort put into the description or presentation of the PR. Most just leave the PR template untouched, with no attempt to fill out the relevant fields or argue why the fields in the PR template don’t apply. These are actually spam PRs. They’re not just good faith “non-code or minor contributions”.

                                      1. 19

                                        non-code or minor contributions

                                        FWIW the PRs are spam because they aren’t improvements, not because they are changing things other than code.

                                        Browsing through some of the example spam PRs people linked, it doesn’t look to me like spammers are particularly shy about putting their non-tributions to code files rather than markdown does.

                                        1. 1

                                          s/markdown does/markdown docs/

                                          This is what I get for using a phone keyboard carelessly

                                        2. 14

                                          I seem to remember a time when people were very insistent that non-code or minor contributions were just as important and valid as major code contributions, and that using social coding sites like Github instead of email patch lists or whatever was an unalloyed good.

                                          I think these two can be separated. Non-code and minor contributions are important - just look at Rust, which has gained a great deal of popularity in the language-hacker community due to the easy and approachable process of contributing to the compiler, the core libraries, and the documentation thereof (which is superb, in my opinion).

                                          There are real issues with the way many mailing lists are run: mandating formats that are difficult to achieve with the software most people use for e-mail, for instance. As much as we might wish that all e-mail clients had a good plain-text mode, most don’t. But, again, these are separate issues; and, indeed, your implication that not using social coding sites like sr.ht or GitHub or Gitea or whatever makes it less likely to get these spam contributions does reinforce the idea that it raises the barrier to entry for contribution. If that’s an explicit goal, perhaps with the intention to avoid these kind of spam contributions, that’s fine; but being snarky about being called a gatekeeper is incompatible with that goal.

                                          Any open system with many participants is going to have spam. Here, DigitalOcean is purposely exacerbating that through either malice or incompetence, but I have to say, I don’t think that means that lowering the barrier to contribution isn’t a positive thing in general. Anecdotally, I’ve received many, many more useful contributions to repos hosted on social coding sites with many users like the GNOME GitLab and GitHub itself than to, for instance, my hardware enablement libraries on my personal Gitea.

                                          1. 7

                                            I think these two can be separated. Non-code and minor contributions are important - just look at Rust, which has gained a great deal of popularity in the language-hacker community due to the easy and approachable process of contributing to the compiler, the core libraries, and the documentation thereof (which is superb, in my opinion).

                                            Thanks for highlighting that! This is indeed a conscious project strategy and IMHO also a useful driver of a) growing small contribution into larger or b) the problem that many projects are facing around cleaning the dust out of the corners. Relying on small contribution also means people leaving is not as hard. And that builds a special base to talk to: the Rust project is capable of doing things like finding 10 translators for our survey in a week.

                                            The problem is indeed the incentive system that Hacktoberfest has built.

                                          2. 7

                                            There are already many examples in sibling comments, but here’s another collection that one of my repos was hit with this morning:

                                            Look at the recent commits of this user: https://github.com/Cha7410?tab=overview&from=2020-09-01&to=2020-09-30

                                            Every single one of them is a negative contribution (negtribution?), where the change is factually/grammatically/syntactically incorrect.

                                            All of the PRs have an empty body with no explanation and use the same boilerplate commit message. These are not contributions by any metric.

                                          3. 10

                                            In the last twelve hours I’ve received 30+ emails for spam PRs… every username is new(ish), has little to no activity except in October each year, the PRs have no comment or discussion, and the changes are always to a single file and usually to a comment… in no case has the change been even marginally a sensible contribution. They began within minutes of the terminator reaching India, and if last year is any indicator I expect to see hundreds more by the end of the day.

                                            Somebody’s gonna have to rethink the idea of this not being opt-in for repos.

                                            1. 9

                                              The section “What can we do?” leaves out the option of leaving GitHub. The only way to disable or limit pull requests while keeping the repo active is the emergency measures which only work for 24 hours, and that’s a product decision aimed at keeping people on the platform and exploit network effects, not a service for their users.

                                              1. 5

                                                This is an excellent market-based solution to this problem. Any git host that has a ToS forbidding this kind of behavior should be reaching out to maintainers now to help them move their repos over.

                                                1. 9

                                                  When moving, I would strongly suggest people to take this opportunity to consider self-hosting, instead. Hosting your own means being master of your own castle, where you get to decide the ToS.

                                                  1. 3

                                                    I’m completely sure that Microsoft wouldn’t do anything with such spammers and in fact - they might not want to. Actually, it’s sort of profitable to them to gain new users and additional traffic on GitHub, and the quality issues are absolutely not their problems because that’s someone else’s repositories :)

                                                  2. 4

                                                    Hi @pgeorgi, my team at GitHub has just shipped a change to Temporary interaction limits which lets you set them for up to six months.

                                                    We had started this work prior to Hacktoberfest and it wasn’t on our minds as we were planning it, but the timing happened to line up very well to release this feature today.

                                                    1. 3

                                                      Sorry to hijack this thread, but I have a related query.

                                                      Is there any reason (technical or otherwise) to not give an option to disable Pull Requests? Even outside of spam considerations, I have repos that host code snippets for my ebooks, for which I do not wish to get any PR at all. I do not mind using this “interaction limit” feature every 6 months, but it doesn’t currently have an option to restrict only PRs.

                                                      1. 5

                                                        Not a hijack at all, this is a great question. Disabling Pull Requests is definitely something we’ve heard from maintainers before. I can’t make any promises, but it’s certainly an interesting idea.

                                                        For your ebook repos, do you still want to get Issues opened, just not PRs?

                                                        1. 3

                                                          Thank you for listening to feedback :)

                                                          For your ebook repos, do you still want to get Issues opened, just not PRs?

                                                          Yes, issues will provide a way for readers to report typos/bugs/suggestions/etc. I encourage that in my README as well as within the ebook content - which seems to work as I have gotten helpful issues in the past on these repos.

                                                      2. 2

                                                        Is there a reason interaction limits are limited to six months and can’t be set indefinitely? Some projects would like to permanently disable interaction.

                                                        1. 2

                                                          Interaction limits were introduced in 2017 as a way to tackle the specific problem of heated discussions, brigading of issue trackers, and targeted harassment. It’s a very blunt tool as it prevents all of the interactions in a repository.

                                                          When we’ve talked to maintainers about limiting interactions permanently, if they wanted to limit interactions at all, it was usually having control over certain kinds of interactions, e.g. some people can open issues, but anyone can still open a PR. Do you have any examples of projects that would like to permanently disable interaction?

                                                          1. 4

                                                            A lot of projects use GitHub just for hosting/mirroring their repo, such as the Linux kernel, OpenBSD, FreeBSD, NetBSD, SQLite, LLVM, GCC, Android Open Source Project, Emacs, LibreOffice, MediaWiki, Lua, JGit, Wayland, zsh, etc. Most don’t want pull requests because they use another method like email or Gerrit for contribution, or because they don’t accept contributions at all in the case of SQLite. I assume most of these projects would want to disable comments on commits and other interactions, because in my experience those comments on these projects are noise.

                                                            In my case, I want to host repos on another host but have a mirror of the repo on GitHub as a fallback/convenience, with just the repository itself, no issues/PRs/comments/etc. I also want to be able to host repos that I don’t accept any contribution to (i.e. a personal dotfiles repo). I could re-enable interaction limits on every repo every six months, but that’s much less convenient than being able to set it permanently.

                                                            1. 1

                                                              TZ info does this too, and the maintainer prefers the mailing list:

                                                              Thanks for bringing that to the mailing list (if I could shut off GitHub pull requests I would).

                                                              (my emphasis)

                                                      3. 3

                                                        Many of my personal projects are on Sourcehut for several reasons. This is another one to add to the list.

                                                      4. 7

                                                        They’ve screwed by rewarding unmerged PRs.

                                                        This incentivizes spamming. Then they’ve added “spam”/“invalid” label, which incentivizes spamming even more, because the easy way around that is to spam further and faster than maintainers can flag it, rather than to make real contributions instead.

                                                        Digitalocean could have chosen to verify each PR manually before giving an award, but this is obviously laborious, too laborious for Digitalocean, so they’ve thrown that extra work at maintainers instead.

                                                        The idea of encouraging contributions is great in principle, but DO’s execution was so misguided that it created the opposite effect.

                                                        1. 4

                                                          They’ve screwed by rewarding unmerged PRs.

                                                          This. Submitting a PR is usually just a first step, especially if it’s a first time contribution. Getting the changes merged should be way more important (and fun) for beginners.

                                                        2. 7

                                                          Overly dramatic. And I do like getting a free t shirt.

                                                          1. 15

                                                            Not at all. I have a few sub-500 stars projects, and they too get a significant amount of spammy PRs. It’s literally just “Adding a gif to the readme” or something similarly ridiculous.

                                                            And I can’t begin to imagine how much crap high-profile project maintainers have to deal with. This post is fully warranted.

                                                            1. 10

                                                              Interestingly, I’ve gotten zero thus far. I wonder if tech choice and/or the kind of project is a factor here?

                                                              1. 2

                                                                I should’ve been clear—I was describing my experience from last year. After all, it’s only Oct 1st. Give it time. :)

                                                                I’ve gotten two so far for Hacktoberfest 2020, by the way.

                                                                1. 2

                                                                  I didn’t get any last year either; or any year. Actually, this is the first time I heard of the entire thing 🤔

                                                              2. 4

                                                                To add some context, Vaelatern is a Void Linux contributor and we encouraged hacktoberfest PRs: https://twitter.com/VoidLinux/status/1179006377219506177.

                                                                There is a spam problem but for some reason we were not the target, maybe because it’s not python, js or html.

                                                                Not sure about the stars, but we are now at 1.1k and I think we already had around 500 in 2018. I think we were easily one of the top non-spammy “add your name to a file” repositories.

                                                              3. 8

                                                                I’d love actual contributions. Even if they were just typo fixes, or I had to guide a novice how to improve the code.

                                                                But the only “contributions” I’ve got were pure useless garbage. Someone has added “Requires Windows 7 or higher” (with worse spelling) to my Mac app. They didn’t even bother to read a single line of the README they were changing.

                                                                1. 3

                                                                  I thought so too, but take a look at this: https://github.com/search?o=desc&q=is%3Apr+%22improve+docs%22&s=created&type=Issues

                                                                  Try “amazing project” too. It’s an onslaught. I don’t remember it ever being this bad, but perhaps it was for the more popular repos.

                                                                  1. 2

                                                                    This small 0-star project got three “improve docs” PRs in the last 40 minutes from three different accounts (just noticed it was mentioned several times on the first page): https://github.com/tehpug/TehPUG/pulls?q=is%3Apr+is%3Aclosed

                                                                    Then I clicked another random project from that list, and this 4-star project has four pages of PRs spammed: https://github.com/Moeplhausen/SunknightsWebsite/pulls – literally those entire four pages are full of this idiocy, there’s not one legitimate PR in there. This is just idiocy.

                                                                    I don’t know why these projects get so many, nothing about those repos or the accounts/organisations they belong to seems well-known in the slightest; just a typical small project people uploaded just for code hosting. As I mentioned in my other comment, I’ve gotten zero PRs thus far in spite of having several >100 star repos. If these repos are targeted (and I think that’s an appropriate term here) then why aren’t mine? 🤔

                                                                    What a clusterfuck.

                                                                    1. 3

                                                                      I would guess they are now targeting small/inactive repositories in the hope of maintainers not flagging their PRs within the 7 day period in which “invalid” flags are checked.

                                                                      They could instead make PRs to their own repos or create organizations without bothering other projects.

                                                                      1. 1

                                                                        Right; that makes sense. I assumed you need to actually have the PR merged to count, but turns out you just need to make it.

                                                                        As for making your own repo, the site mentions:

                                                                        Bad repositories will be excluded. In the past, we’ve seen many repositories that encourage participants to make simple pull requests – such as adding their name to a file – to quickly gain a pull request toward completing Hacktoberfest. [..] We’ve implemented a system to block these repositories, and any pull requests submitted to such repositories will not be counted.

                                                                  2. 3

                                                                    I archived a repo two days back to avoid this spam (and I’m not actively working on it anyway)

                                                                    https://github.com/learnbyexample/Python_Basics/pulls?q=is%3Apr+is%3Aclosed

                                                                    1. 1

                                                                      man I’d feel bad if I was abhinav-TB and created a PR for some project only to have it closed without comment a mere 5 days later

                                                                      1. 1

                                                                        maybe if they read the readme first or if they explained why they are making a pointless PR, then perhaps I’d have made an effort to comment

                                                                  3. 10

                                                                    Simple solution, get your project off of Github. You are using someone else’s platform. Host your own gogs/gitea.

                                                                    • Not hosted by Microsoft
                                                                    • Faster Git operations (Github can get really slow at times)
                                                                    • Higher barrier of entry for contributors
                                                                    • Optionally hook it up to something like Keycloak

                                                                    This is less work than it sounds, and the benefits are huge.

                                                                    1. 9

                                                                      Simple solution, get your project off of Github.

                                                                      This isn’t necessarily so simple. GitHub have successfully established themselves as a centralised, even the de facto default, Git hosting service, and project discovery is a lot easier on GitHub than other Git hosting services. I agree that the benefits are enormous to moving off of GitHub (and I myself have started hosting my personal projects on git.sr.ht where possible), but the reality is that the userbase on sr.ht is minuscule in comparison to GitHub, you can’t star repos, and you can’t follow other users to see their activity.

                                                                      That’s not to mention things like GitHub Sponsors, which for some maintainers might be the sole reason they’re able to keep maintaining their repositories, and GitHub Actions, which lowers the barrier to entry for, and smoothens the experience of using, CI. The reality is that some maintainers might not have a choice not to use GitHub.

                                                                      The other thing is that I think this comment, along with many others on this article, misses this point from the article (emphasis mine):

                                                                      DigitalOcean seems to be aware that they have a spam problem. Their solution, per their FAQ, is to put the burden solely on the shoulders of maintainers.

                                                                      To be clear, myself and my fellow maintainers did not ask for this. This is not an opt-in situation. If your open source project is public on GitHub, DigitalOcean will incentivize people to spam you. There is no consent involved.

                                                                      While moving off of GitHub might alleviate the problem of spam PRs as a result of Hacktoberfest, it’s yet another solution that puts the burden on the maintainer to try to treat the symptoms, rather than addressing the root problem, which should be the responsibility of DigitalOcean.

                                                                      1. 4

                                                                        I agree. There are multiple things that can happen here, all of them positive:

                                                                        1. companies like Digital Ocean can be informed of the harm they’re doing. They can form relationships with the repos that are interested in this (for various reasons) and make this opt-in - and maybe provide help and tools to deal with the bad actors
                                                                        2. a critical mass of repos will make the step to move to another DVCS host, thus increasing diversity, and maybe pushing those hosts to add functionality that’s perceived to be lacking
                                                                        3. GitHub can provide better tools for dealing with low-effort “nontributions” (thanks @flaviusb for the coinage), such as rate-limiting bad actors, putting PRs in a “mod queue” to be dealt with asynchronously, and other stuff social media sites have dealt with for more than a decade now
                                                                        1. 5

                                                                          Github is the de facto standard, the userbase on is minuscule

                                                                          I run a gitea+keycloak and got 100+ users within a few months. It hosts several projects. People actively sign up in order to contribute to my projects. This has worked great for us because the chances of low quality contributions and/or spam issues is non-existent. I compare it to “Slack/Gitter” vs “IRC” - where we prefer IRC due to the (perceived) learning curve/difficulty … “skin in the game” comes to mind. It weeds out beginners from high quality contributions.

                                                                          That’s not to mention things like GitHub Sponsors, which for some maintainers might be the sole reason they’re able to keep maintaining their repositories

                                                                          Sorry to say but developers chose to actively participate in a centralized ecosystem run by a mega corporation not because there are no alternatives but because they are lazy. GitHub Sponsors is not the only way to obtain funding.

                                                                          which lowers the barrier to entry for, and smoothens the experience of using, CI

                                                                          There are only perceived barriers. Drone+Gitea is not rocket science.

                                                                          rather than addressing the root problem, which should be the responsibility of DigitalOcean.

                                                                          IMO the root problem is that some FOSS developers don’t realize they’re locked into an ecosystem for no reason whatsoever. They don’t care. They think self-hosting takes a lot of time. They want their little Github stars. Name your excuse, yet complain when shenanigans like this happen. I am certain you will not agree with this post, but at least I have peace of mind of being in control over my own community.

                                                                          1. 7

                                                                            I want to preface this by saying that in no way am I (or have I been) defending GitHub and what their attempt at becoming a centralised service has done to the FOSS community. Instead I’m trying to be a realist and point out some of the reasons why project maintainers might find it difficult to move away from GitHub, counter to your assertion that it’s “less work than it sounds”.

                                                                            I am certain you will not agree with this post

                                                                            I wouldn’t be so certain if I were you; I agree with some things you’ve said. However…

                                                                            not because there are no alternatives but because they are lazy

                                                                            Drone+Gitea is not rocket science

                                                                            They don’t care. They think self-hosting takes a lot of time. They want their little Github stars.

                                                                            Just because, in your experience, these things have not been difficult for you does not mean they’re easy for everyone. That’s my main point. Alternative sources of funding may not be easy for everyone to access, everywhere in the world. Maintainers might not have the time or energy to set up or learn to use other CI services. Self-hosting may take a non-trivial amount of time for some people, and costs money.

                                                                            All of this is not to mention that, for existing projects, moving their hosting to another service could be a major disruption.

                                                                          2. 3

                                                                            I just want to add an additional point. I think that the following things are reasonable things to ask a project author to either accept (if choosing to host a project on GitHub) or reject (if choosing to host elsewhere):

                                                                            • Website run by Microsoft
                                                                            • Git repository hosted by someone else
                                                                            • Barrier to entry for contributions is low
                                                                            • etc.

                                                                            However, I don’t think the following thing is (I don’t think it should have to “come as part of the package”, so to speak):

                                                                            • An external organisation will encourage users to spam your repository with low-quality or spam contributions for a month every year
                                                                        2. 5

                                                                          This is what happens when somebody thinks that t-shirt cannons are fun.

                                                                          I’m now reflecting on the fact that the incentive structure is not meaningfully different from GSoC, which also sees lots of spam applications and low-quality contributions. GSoC is bad enough that some organizations, like X.org, run their own programs; X.org has their Endless Vacation of Code precisely to work around failures in GSoC.

                                                                          I wonder whether better incentive structures exist. For corporations, these outreach programs are meant to improve optics and increase the number of prospective job applicants. Even for X.org and other community groups, the code artifacts are secondary to the goal of promoting neophyte students into seasoned regular contributors. Perhaps we do not need to focus on production of code, then, as long as we encourage other aspects of being skilled at working with code. Skills like reading, debugging, formal (symbolic) analysis, knowing abstract algorithms and data structures, etc. could be promoted instead. Learning to write code and documentation would be part and parcel of a more holistic training regime.

                                                                          1. 2

                                                                            GSoC is bad enough that some organizations, like X.org, run their own programs; X.org has their Endless Vacation of Code precisely to work around failures in GSoC.

                                                                            AFAIU That is not the case, in fact it is the opposite. The endless vacation was started because of the success of GSoC. At least that is what I understood from this year’s XDC. There was a talk about GSoC/EVoC specifically. https://youtu.be/b2mnbyRgXkY?t=16753

                                                                            Besides that I’ve seen great work coming out of GSoC, like a new register allocator for SBCL or improving the unicode support (including different normalization algorithms).

                                                                            The structure is completely different from Hacktoberfest. First projects have to apply to GSoC which requires consent. Second the interaction is through a period of 3 months and with the help of a mentor, as a volunteer.

                                                                          2. 8

                                                                            GitHub is a shitty social media site.

                                                                            The moment people turned it into blogging it’s done.

                                                                            Set up your own CVS. Raise the barriers and ignore tee shirt giveaways

                                                                            1. 4

                                                                              While I think that encouraging open source contributions is really important, the tooling to support this seems broken.

                                                                              A different point entirely, why are we still shipping free t-shirts around the world in 2020?

                                                                              • The earth is constantly on fire.
                                                                              • The shirts and logistics are at best carbon-neutral (but will inevitably still require logistics which put greenhouse gases into the air)
                                                                              • Do people really need more t-shirts?
                                                                              1. 3

                                                                                Do people really need more t-shirts?

                                                                                If no one goes crazy with implications about me being racist or something, I can probably answer - yes.

                                                                                These people are often from India (or the whole IO region, including Malaysia, Indonesia, etc.), especially from rural and countryside areas which are exceptionally poor compared to their Western counterparts, but yet become “digitalized” and connected to the Web which accelerated way faster than other “quality of life” areas there, to the point it’s sometimes cheaper and easier to find the cellphone/computer and send gigabytes of data than get a regular healthy food, clothes or even clean water.

                                                                                So, young people there got technology, but didn’t get the knowledge, yet due to various cultural influences and legacy they still want to prove “india stronk and superpower by 2020”. This is mostly why the Android enthusiasts community is completely trashed now (the smartphones are orders of magnitude more popular than PCs in these regions) and while other areas are also getting the “indian bit” attached, it’s not as clearly visible as for example on XDA forum.

                                                                                Yet still, they must eat, drink and wear something. So when someone spotted the Hacktoberfest with giveaway, everyone rushed there hoping to get free stuff which might be actually useful in their daily lives, as t-shirts are.

                                                                                Many of these people don’t actually know they do something bad, because they lack the knowledge, language and basics of “development culture” yet they still are pretty much convinced about doing good and being important and valuable. We should somehow address that and at least try to understand (which is different than accepting the state) and maybe redirect them into some sort of “incubators” for OSS projects to not harm the actual upstream. And while I’m not a fan of “lowering the bar” (and I don’t want anyone to do this) it might be valuable to direct these people into (currently non-existent) places where they could grasp the dev culture and actual technical knowledge helping each other without getting in the way of anyone else, and then pick most prominent ones.

                                                                                1. 2

                                                                                  If we don’t need t-shirts shipped around the globe maybe there should be better distribution lines? Or just get rid of globalization, period? /s

                                                                                  Honestly, no, the typical developer probably doesn’t need more (free) t-shirts, but after not going to conferences for a few years I think I average getting one new t-shirt per year. And the Hacktoberfest one I have is one I like.

                                                                                  I don’t really see a big difference to buying any sort of non-eco-whatever local brand clothing. Hacktoberfest was a niche event and I guess 2019 it saw a pretty big uptick in popularity. I still think the shipping for these few t-shirts isn’t even noticeable, compared to (nearly) free shipping for electronics stuff from China and people don’t even bother, just order single items because they’re cheaper (sometimes 10-100x) than buying them without shipping in a local store.

                                                                                2. 2

                                                                                  by an odd coincidence, something earlier this afternoon reminded me of opa, and i thought i’d take a peek at their github to see if anyone had forked or revived the project (sadly no, last commit was 5 years ago). but i did see there were a handful of pull requests, and lo and behold - the last one was from today!

                                                                                  1. 2

                                                                                    Haha, my idea is a github bot that just closes contributions from people who aren’t github sponsors to your project.

                                                                                    1. 3

                                                                                      While I can see some rationale behind that, I still think it’s totally evil and stands completely against the idea of FOSS.

                                                                                      And that quite terrifies me, because it would be somehow accepted with no question within the “current wave” of young OSS devs who do some similar shady actions like putting their binaries behind Patreon paywall, moving onto proprietary IMs to coordinate important project decisions and generally trashing the whole open culture to generate some little profit.

                                                                                      1. 15

                                                                                        Why? OSS is about giving access to code, not free access to a person’s time. I personally don’t like running software I don’t have the code to, but that doesn’t mean I feel the right to other people’s time.

                                                                                        I also don’t see a problem with putting binaries behind a paywall if the source code is open? Can people not compile it themselves? If not then it is a different story.

                                                                                        F**k discord though.

                                                                                        1. 1

                                                                                          FOSS is about giving access to code

                                                                                          Not only, but I think we might seriously derail the comments section getting into this :)

                                                                                          not free access to a person’s time

                                                                                          Of course not. I personally draw the line before the individual support and requests w/o patches, most people related to FOSS thru the last two decades could probably agree on this.

                                                                                          I also don’t see a problem with putting binaries behind a paywall if the source code is open?

                                                                                          It depends if the author adds some arbitrary rules to the generally accepted licenses and, for example, prevents the binary distribution outside its own Patreon or other way of monetization. This is particularly bad at so many levels, mostly because there’s no way to let such software get into package managers, as well as requiring a quite complex bit of software (the web browser) and going through many webpages to obtain the program instead of simple curl or wget. This proves some accessibility issues (and this term doesn’t relate only to people with disabilities).

                                                                                          And, most of the time, people who do such weirdness as Patreons, custom Discords, custom requirements for committing and weird non-standard licenses are actually preventing the binary distribution of their software. And while “code is open” that’s not FOSS at all. And on top of that, it generates an unwanted buzz and disinformation about what free software is, especially for newcomers and non-technical people.

                                                                                          Can people not compile it themselves?

                                                                                          Oh, this is another story. In cases where people could not prevent bindist or don’t want to, it’s getting even more crazy. Take a Zrythm for example. It’s a DAW and it looks kinda cool, I’m actually interested in getting this working on my machine, but on the other paying a subscription fee for the open source software is an ultimate turnoff for me. But yes, it’s open source.

                                                                                          So, let’s see the source. At the first sight it shows 4 COPYING files for different licenses in the tree without indication which one belongs to which part of software. I’m assuming GPL3 for code which already gives us some pointers. And that seems to be okay, right?

                                                                                          You think the repository contains all the code you need? Of course not, that would be too easy - it’s scattered through a dozen repos which need to be checked out first. And while that’s nothing wrong and I like the multi-repo structure for some kinds of projects (though I’d like to see them as git submodules here), it seems that they don’t contain a complete source code needed to generate final binary.

                                                                                          And, the build system is intentionally made complex and tangled, depending on Docker, Azure and God knows what else, configured in a way which probably allows the software to be built only on the author’s machine. Good luck with reproducing that if your build infra collapses, but we’re not about this right now.

                                                                                          It’s not like I can’t build software from source, I’ve seen various awkward build systems and scaffolds, everything being taped and glued, even in upstream projects (I was a package maintainer in a few distributions back in the day and actually liked that role) but this is another level, made to be obscure enough to not let anyone else try to compile without getting into that subscription model fees.

                                                                                          And this is not the only project which does the same thing, but it’s large enough to be representative.

                                                                                          1. 11

                                                                                            hi, Zrythm developer here, found this page through referrals. just want to clear some things up

                                                                                            At the first sight it shows 4 COPYING files for different licenses in the tree without indication which one belongs to which part of software.

                                                                                            please read the README.md file, that should be the first thing to read when attempting to copy or build software.

                                                                                            edit: note that multiple COPYING files is standard practice for when multiple licenses are involved. you should include all applicable licenses along with your source code. some licenses even require this

                                                                                            You think the repository contains all the code you need? Of course not

                                                                                            The repository does contain all the code you need. The developer is not responsible for shipping dependencies along with their project. you should install the dependencies through your distribution, or if it doesn’t provide them, ask your distribution to package them, or build them yourself.

                                                                                            And, the build system is intentionally made complex and tangled, depending on Docker, Azure and God knows what else,

                                                                                            Nothing depends on docker, azure and god knows what else. All you have to do to build Zrythm is install the dependencies and run 2 commands: meson build && ninja -C build install. No internet connection is needed either. The build instructions are inside INSTALL.md, please read them.

                                                                                            edit: This is also in the user manual: https://manual.zrythm.org/en/getting-started/installation.html#manual-installation

                                                                                      2. 2

                                                                                        Amusing, but it may have tax implications! In many countries getting anything back for a donation (like ability to get tech support or a code change) turns it into a paid service, and you need to pay VAT on that.

                                                                                        1. 1

                                                                                          Requiring Github sponsors also leaves out people who might be willing to contribute financially but are unwilling to provide financial identification to one of the big monopolies. This is a similar (but lesser?) stance as not participating in people’s Facebook fundraisers. And yes I think sponsorship is good and no I don’t have a better solution. :(

                                                                                          1. 1

                                                                                            I agree it’s not the best to solely rely on github.

                                                                                          1. 2

                                                                                            I think a more positive discourse would be around how could the intention “Encourage more people to contribute to open source projects” be executed.

                                                                                            As we can see gamification, with a T-shirt from an individual company, starts out with (yes, I will ascribe intentions here) an intent by a marketing department to increase SEO. Digital Ocean gets publicity either way. So, they are not incentivized to improve the strategy.

                                                                                            Random individuals are being incentivized with a T-shirt. This too, I would say, is an impure incentive.

                                                                                            Like all fairly complex social issues it requires a more deeply thought fix that requires attention, patience and perseverance all round. Not a marketing department gimmick.

                                                                                            Here’s a suggestion:

                                                                                            Have a month, call it Helptoberfest.

                                                                                            1. Whoever sponsors this, puts out a webpage asking open source projects to join their advertising campaign socially conscious reawakening. In the instructions are clear parameters for eligibility. Perhaps fresh graduates, perhaps non-programming graduates, perhaps journalism majors, political science majors. Folks who normally don’t go around making PRs.

                                                                                            2. Opensource projects join up and put out calls for help with issues: need a bug fix here and there, need help with docs here and there, marking them out for Helptoberfest.

                                                                                            3. People make PRs. If the Project is happy with the PR they accept it (because it aligns with their incentives) and they write a recommendation for the PR maker. Why would they do this? Because …

                                                                                            4. Then the sponsor, who is spending a lot less money now, because they aren’t giving out 100,000 T-shirts, gives the PR maker actual money for the PR and will offer them more to work short term on the project if they are in some short list of finalists, say 10.

                                                                                            I’m just saying, don’t gamify this to the lowest denominator just because that’s what marketing is also gamified to do.

                                                                                            1. 2

                                                                                              This explains why I am getting a deluge of small low quality PRs on one of my Open source repos. The repo isn’t even code but just a list of things.

                                                                                              1. 2

                                                                                                Suggest folding into epbcho.

                                                                                                1. 2

                                                                                                  I’m confused. This is causing spam just because people want a free t-shirt?

                                                                                                  1. 2

                                                                                                    Yes.

                                                                                                  2. 2

                                                                                                    It seems GitHub has added the option to limit pull requests https://twitter.com/github/status/1311772722234560517

                                                                                                    1. 2

                                                                                                      But this affects issues as well.

                                                                                                    2. 2

                                                                                                      It makes me think of the “skin in the game” idea. While it’s not a bad thing the person is doing, and they probably mean well. Many, if not most, of these contributors don’t have any “skin in the game”, so their involvement becomes a nuisance. It was meant to get more people involved in open source projects, but it really is about the t-shirt once a year because otherwise you would have already gotten involved with the project, right?

                                                                                                      Maybe there are some people that have helped with projects in the past who could make a meaningful contribution in October just for the t-shirt. That wouldn’t be a bad thing.

                                                                                                      1. 4

                                                                                                        When you look at the PRs though, they clearly don’t mean well, any more than a spammer clearly means well. “Skin in the game” isn’t really a useful way to look at it either. Whether the thing is actually a good faith attempt at a contribution is a better thing to ask

                                                                                                      2. 2

                                                                                                        Although I totally agree that this is a real problem for a lot of OSS maintainers out there, just rampaging against DO for the initiative doesn’t feel right. I’ve spent some time looking around and a lot of the accounts that are sending these (really spam PRs) are quite new, they do not have any other contributions, not even issues or any other activity in the account.

                                                                                                        I do believe that the idea behind hacktoberfest is nice, provides an incentive for developers that may not have had the chance to do OSS before. I think that projects tagging some issues with the hacktoberfest tag (or something) is also a good way to attract people that may be genuinely interested in starting some contributions. I know (from personal experience) more than a couple of friends that started doing some contributions (in previous years) thanks to this. It was perfect? Absolutely not, but there has been some people that are more active in the OSS now thanks to DO.

                                                                                                        That being said there is definitively a tooling issue around this that should be improved. The way that I see it fixing a typo in a README in some repository although a tiny small contribution is a contribution nevertheless. Adding some random text to some file just for creating the PR it is not.

                                                                                                        I also think that a contributing factor (this year, feels way worse) is that Github has lowered the barrier for new contributions, for instance you don’t even need to know/install/use git if you just want to edit a file (a valid feature that I use from time to time). Click the edit button a fork will be created and you can create a PR from the commit directly, very handy indeed but as everything it can be used in a negative way. I would be interested to see some analysis on how these spam PRs were created (at a large scale).

                                                                                                        1. 1

                                                                                                          what if DO just get rid of the free tshirts?

                                                                                                          1. 1

                                                                                                            A bit hyperbolic with the headline, but I’ve been reading/hearing more complaints this year than years past. Haven’t had any spam PRs on any of our org repos yet, but the volume is certainly up.