We will no longer accept public pull requests. From now on, code changes to the Ladybird codebase will only be introduced by project maintainers.
Honestly? Fair enough.
This does fly directly in the face of Ladybird’s mission, yes, but this sort of thing isn’t limited to just them, and while this is a rather nuclear response, we must remain mindful and grateful for the thousands of hours of time these people have put into this project; building a web browser and engine from scratch is not an easy task and it’s understandable that they don’t want to allow low-quality code and security vulnerabilities in.
To me this demonstrates that they truly care not just about getting this project out the door, but to do so in good faith and with high quality.
The codebase remains open-source, and the engine is still true to its goals to decentralise the web.
One day I do hope FOSS as a community finds an answer to low-quality mass-produced PRs written with poorly prompted AI tools, and I do hope when that happens they may reconsider their position.
Until then, I wish them the best and commend their ongoing work and await a release eagerly!
Trust is built with time and effort. AI killing the Bazaar “drive-by” approach to contributions was inevitable, and not necessarily a bad thing for critical or complex projects. It’s arguably better to have a high bar for entry and a small group of dedicated engineers than them spending their time sifting through a mountain of slop from newbies trying to build GitHub activity for their CV.
A monetary donation should be required for pull requests. I know it’s not ideal, but I think it’s a really solid middle ground for the AI slopocalypse.
Doesn’t make sense… This premise seems flawed by two aspects:
- The maintainers can introduce vulnerabilities unknowingly themselves
- They should only merge patches that they fully understand
It feels like they are not capable of detecting a vulnerability when they see one, meaning that they themselves can potentially introduce tons of new vulnerabilities unknowingly.
In this situation it would be for the best to have a large pool of contributors capable of detecting such issues, instead of closing it even further.
They are worried about vulnerabilities that are introduced knowingly. They said that in the past you could trust that if someone spent months writing code for your project he did it with good faith and not to sneak a backdoor past you. Basically they assumed a hacker would not invest months of work trying to add a bug to an open source project because it’s just not worth it. Now, because of AI, someone can easily create a big PR with a hidden bug hoping that it will get merged.
I have no idea how true it is (i.e. if AI is able to generate a big PR that will pass all the checks and get approved) but logically it does make sense.





