You could at least evaluate the contribution to see if it is or is not actually slop. From my perspective in security, it's the exact kind of thing that I would expect a thoughtful, helpful community member to do - big project, not a lot of activity but still widely used, moderately sized security win, not super hard to do solo - hey, let's improve security for everyone! - not AI slop.

And, FWIW, cURL - who has been dealing with tons of faux-security AI slop - just recently posted about someone using AI to find 22 actual security issues in cURL, which was helpful. So even if it's AI, it's not necessarily even slop - you should evaluate the contribution on its own merits. Before AI, people opened garbage PRs to popular repos all the time that were unhelpful/noise, they continue to do so now, nothing has changed.

I tend to agree, sure. This doesn't make the PR worse or something.

On the matter of curl yeah I've seen they got actual help that way. Here is the problem. If you are an open-source maintainer there is some proportion of good contributors (most) and some proportion of low-effort spammers (few). AI is a force multiplier for sheer volume. So the spammers all pick it up because they do not care about quality. It can be used carefully to good effect, true, but now your mix of incoming volume goes from "lots of good contributions and a little to spam" to "lots of good contributions and lots of AI stuff" with the latter being mostly slop.

So open-source maintainers with limited time do what all humans do: they fall back on heuristics and adopt a bias against AI output, because now dealing with the spammers on a case-by-case basis takes way more time and just tossing AI stuff becomes easier. Like all heuristics it is imperfect, and I don't know if it's the best way, but I get why they do it.

> You could at least evaluate the contribution to see if it is or is not actually slop

Even that takes time. So people resort to proxy signals and ban for "bad vibes".