Redox OS has adopted a Certificate of Origin policy and a strict no-LLM policy
38 points by linkdd
I think the open contribution model will slowly be replaced by closed contribution or vouch systems. I think having one invitation tree per repository or project would be amazing.
That would be a shame, because that would make drive-by contributions a whole lot harder, and thus, a whole lot less. Most of the contributions I received on my own projects were drive-by. Most of the contributions I made over the past few decades were drive-by (not counting projects I was paid to contribute to): I like playing with things, and I usually run into bugs, or missing features, and end up sending a small patch or two, and then move on. Having to obtain an invite first is a barrier I'm not sure I'd be willing to cross.
I think the open contribution model is fine. A hard stance against LLMs discourages their use heavily, and it's easier to not contribute than to hide its use. And if undisclosed use is discovered, a swift ban from all project spaces will send a message.
It's already a massive pain with projects requiring CLAs or similar docs. I'm not talking to legal to send you a 1 line patch, even for a serious issue. I left a number of "this line needs fixing, but I'm not signing anything" bug reports for larger companies and mostly they're still broken.
It's already a massive pain with projects requiring CLAs or similar docs
Indeed. If I see a project with a CLA, I just close the tab and find something else (unless I don't have another option). I don't need more artificial barriers for contributions.
To be fair, usually the CLA bot sends a link to the PR you OAuth with your account and click “sign”. Not sure I would describe this as a “massive pain” personally, but you do you.
If you make the decision yourself, it's not (as long as you agree with the process). But if you do it at work and would be officially expected to clear this action with legal first - that's something completely different.
Either you are allowed to contribute to open source at work or you’re not. The CLA isn’t fundamentally different from licensing your (employer’s) code under MIT…
I think if I'm faced with the problem in the future (it's not like there's a rush of patches to Idris 1 which I'm nominally maintaining), I'll probably adopt a policy of no uninvited large PRs. Which means that ten-liners to scratch itches or fix problems are fine. And if you want to work on a big thing, you should contact the maintainers on discord/matrix/zulip/whatever first to discuss it. It would have made sense even before the AI era because there is nothing more disheartening than getting a multi-kloc PR representing a big effort that doesn't fit with your vision.
I don't think vouch systems (aka 'web of trust' - in my opinion basically a tree with weighted reputation according to distance) necessarily preclude drive-by contributions. If done well a contribution would be weighted by reputation relative to the project (perhaps relative to some select group of people who would be considered the top of the reputation tree). If a reputation system was not uselessly sparse, it's reasonable to imagine that it may be able to calculate reputation for most people. I can imagine that most drive-by contributions would come from people relatively close to people already involved in the project, even if not existing contributors or necessarily known to that project. For example I can imagine most people on lobste.rs are a few hops from each other on some social network.
Ooh I kinda like that idea. It could easily be versioned and managed as a version-controlled file.
Yeah, like BSD / Apache since the 1990s :-) https://docs.freebsd.org/en/articles/committers-guide/#conventions
Not quite the same: that's a list of committers, not contributors. Case in point, I have contributed to FreeBSD's ports collection, yet, never had commit bits.