https://github.com/curl/curl/pull/20312
There, now you know.
Hello @bagder,
I wonder if moving to a less crowded code hoster might lower the maintenance burden related to AI crap?
I am sure you are aware of @Codeberg for example.
At @backintime we also have to deal with low-quality (student) and AI-crap PRs. Moving the project to @Codeberg is one item on my todo list.
For all #foss maintainers I hope we can find a way.
@buhtz @Codeberg @backintime I don't see how our challenges on HackerOne are because of using GitHub?
@bagder @Codeberg @backintime
I understood that you cut off the money for external "contributors" (PRs & issues). Am I right so far?
But your project is big and popular and still will attract a bunch of "contributors" providing low-quality issues and PRs burning your maintenance resources.
@buhtz @Codeberg @backintime First: we have not cut anything, we have a proposal about doing it end of January.
Then: we plan to shut down the curl bug-bounty, which is what pays security researchers for reported confirmed security vulnerabilities. Today we get those reported through Hackerone.
There is no perceived problem in the curl project related to issues or PRs on GitHub and we do not intend to change anything in regards to them at this point.
(cont)
@bagder @Codeberg @backintime Thank you for clarifying that. I thought HackerOne was just something like a secondary issue tracker targeting security issues. Aren't the security issue reports directly on the Microsoft GitHub issue tracker?
Microsoft (GitHub) is sponsoring curl? Give me a number and let's see if we can find an alternative. 😋
> Aren't security issue reports direct on the GitHub tracker?
No. As they need to be kept private until assessed (and possibly dealt with).
> GitHub is sponsoring curl?
Yes.
> Give me a number
North of 10K USD/month.
@buhtz @Codeberg @backintime we don't move off GitHub because no one else is going to sponsor us at this level, which would thus mean a SIGNIFICANT dent in our ability to ship quality software if we still did it. I think that would be bordering on irresponsible behavior.
@bagder how will you be able to endure this year?
@bagder the AI talk at #EuroBSDcon was hilarious, though. But I'm sure you'll always have something to talk about. Hope, this will calm BS submissions down a bit.
@bagder I totally understand the move. When running web apps with bounties this has been an issue even before AI as there are so many things of little to no value one can report.
Anyway, just saw you'll be at FOSDEM, looking forward to seeing you rant about sloppy security reporters in person ;)
@bagder and knowing is half the battle. GIJOE!
Sorry couldn't help myself.
tHe OnLy wAy tO sToP bAd aI iS wItH g00d aIzzzz!!!!!!
@bagder people misconceive big and important with wealthy... somehow the concept of what drives open source is just not understood by the simple minded moneyhunters... :(
@bagder Canary in the coalmine – the whole apparatus of formal bug-bounty programs is surely doomed since it is an incentive to spam and the effort bar to produce plausible spam has been lowered so much
@bagder Sad that it's come to this, but also an entirely understandable decision.
@bagder I understand why it needed to be done, but I am saddened that there were enough naive (bad?) actors slopmitting AI slop to the point that the bounties via HackerOne ended up unusable.
@bagder Wise decision.
@bagder thanks for curl! ❤️
did the "bad faith" genre grow with the introduction of AI?