One interesting workflow I've seen is that the project maintainer simply rewrites and implements the pull request themselves and closes the PR.
LuaJIT has operated this way since 2012, though with a thanks and mention in the commit message. It seems like a good way to filter out people who prioritize leveling up their GitHub profiles.
Something a little bit similar: when I was hosting a social game server we had mods, and players always begged for mod status. At first I tried naming the admin group something weird like sandals, but eventually people would ask if they could be sandals too.
What worked best in the end was just hiding it completely, making regular players see mods as other regular players. (Mods would see who is a mod, though.)
I would also personally never make someone who asks a mod, as it's almost always a sign of wanting power for the sake of it. I would instead just passively observe behavior until I trusted the player and make them a mod. I would then tell them that I don't expect them to exercise their power, but would demote them if I see abuse of power.
This is my takeaway as well. Having the source code open makes it auditable, if not by you, maybe the community.
The free software license specifically gives the software an extra advantage in that changes to the software must be shared openly if distributed as binaries.
> source code open makes it auditable, if not by you, maybe the community
I think part of why this social engineering works so well is that it takes advantage of that "many eyes" trust, where people are prone to delegating the responsibility of checking to the community and not doing due diligence themselves. I know I'm susceptible to it if I see a GitHub repo with more than 10k stars on it.
I don't know, I feel like the "numbers" like upvotes, stars, favorites or whatever stop working for me the second I see them being obviously gamed, and when there are a ton of services for buying "higher $number". GitHub stars probably stopped mattering around 2016-17 sometime, I think that's the first time I came across one of those "increase $number" services.
By now (imo), the entire web is gamed and no number can be trusted, I operate completely on a qualitative basis rather than quantitative, basically the only way I can get something out of the web. Ignore all and any numbers as any indication of anything.
I know. But the problem is that in reality the only way to get people to audit software reliably is to pay them to do it, so it's not really true as a general principle that open-source software is more thoroughly vetted.
I'd say it's objectively true to say that open source software is easier to audit compared to closed source software, which you can extrapolate to mean that it's less prone to malicious code injection.
It's not perfect, but surely it's easier to audit for malicious code than closed source.
Also, there is no shortage of volunteers looking out for code changes in established open source software. I think it's fair to exclude software that is very new and/or that has no users, which may be closer to equal footing with proprietary software.
Even for established proprietary software, you get volunteers watching out for changes in releases. Though, far less than open source, and more reserved for people who know reverse engineering.
I think there's no question that auditing open-source software is easier, but it can be harmful if auditing actually basically never happens yet people wrongly believe that all the open-source software they're installing must be audited. At that point it's not any better than relying on the fact that technically someone could disassemble binaries to try and inspect them without worrying too much about whether that happened.
Unless it has video input, I wonder if something based on animation and timing would work, as screenshots wouldn't clearly capture motion and response time would be too slow as well.
I'm not anti-AI but something I've been thinking about is the discipline it requires.
As you said, it's a tool that allows you to rename a variable name on one end and do complete vibe coding on the other end. Developers may say that we should stay somewhere left on that spectrum, because that's where humans are more involved.
But developers also say good practices should be followed when talking to each other, and while some may do, reality is often very different.
It requires discipline, which varies a lot between developers, between projects, current mood, and so on.
In the beginning you might be careful doing small changes, but after a while you might get more tempted to accept the output for what it is, because ultimately that's much easier.
So the way I see it: the left side is harder work and potentially bigger but delayed dopamine hits, the right side is quick dopamine hits. How do we (at least those who struggle with discipline) resist just slipping to the right?
I started out carefully myself and slipped more into vibe coding, but I don't feel particularly proud of it for some reason.
> It requires discipline, which varies a lot between developers, between projects, current mood, and so on.
In the beginning you might be careful doing small changes, but after a while you might get more tempted to accept the output for what it is, because ultimately that's much easier.
Counterpoint: how is this any different from how things were pre-LLMs? I have seen, in the same codebase, some thoroughly well-written and tested PRs that read like Shakespeare and some of the laziest slop that even no LLM would ever write, because humans have an unlimited capacity for laziness.
You catch the bad stuff through oversight, process, automated and manual checks, and the ultimate threat that your job depends on your ability to deliver so you better allocate at least enough energy into this so that you can ship moderately working code.
> I personally think the owners should get to decide, but it's an interesting duality.
The owners of a business get to decide what to do with their business.
> (assuming it's not like everyone has a share or something, in which case they would've all had to agree I guess)
Unanimous agreement among shareholders is not necessary to sell a company.
The employees might have had some shares in the company, but not all share classes have equal voting rights. It’s also unlikely that employees in aggregate would have had enough shares to override everyone else anyway. Once shares are split among investors, founders, and employees the individual ownership of any one person or group becomes small.
I wouldn’t assume that the employees wanted to avoid acquisition. They likely benefited significantly from their shares being acquired and their new compensation packages. Imagining that the employees resisted this is projecting some other story onto them.
If you join a company with next to no monetizable business model like this, you have already made your choice that you are fine with acquisition when you joined, or have deferred your choice to make a stay/leave decision until the acquisition.
It seems to me that since the advent of image generators, art has been firmly defined by artists to mean that it was made by a human. But there might be a spectrum of human involvement where the less a human is involved the less it's art.
What happens too often during these discussions is that someone who writes "make me a cool image" gets conflated with someone who used AI to fix up a small rock in their natural landscape drawing (two extreme ends).
One problem, though, is that we don't really know how much the supposed human author was involved in the piece. Now that it's becoming hard to judge, people against AI art can proudly change their opinion on a piece once they learn that it was made by AI. I've come to think this is somewhat respectable, like when you see a video of some extraordinary event (before AI) and then you learn that it was fake, just for views or something.
But on top of all this, there are different ways to "consume" art. Artists may think more about who the artist is as a person and what they felt when they made the piece, while non-artists may just enjoy the piece for what it is, detached from the artist. These two perspectives clash a lot.
While this is all good practice in theory, I wonder how much discipline plays a role here?
I am not very disciplined, and find it too convenient to reach for an agent these days.
This may sound ridiculous, but I am addicted to nicotine. I used to have some sort of rule around how I am allowed to use nicotine pouches to manage my addiction.
For example after I finish writing a feature, I could have one pouch.
It was obviously a dumb idea that didn't last very long. But in that specific aspect, coding agents feel similar. I tried setting up rules on how I should use them, but it's not easy to follow them.
I think it's not too different in that specific sense, but it's more than that. To bring libraries on equal footing, imagine they were cloud only, had usage limits.
I'm also somewhat addicted to this stuff, and so for me it's high priority to evaluate open models I can run on my own hardware.
I'm starting to think I've been A/B tested, because this was my experience for almost a year with Claude ever since I tried it for coding. Meanwhile, my coworkers seemed to be able to use it for long periods of time without getting rate limited.
One interesting variable is that I'm located in Vietnam while my coworkers are located in Norway and Europe.
To work around this issue I used Claude for coding with a Copilot subscription which was much cheaper and had virtually no rate limiting.
Copilot gives you some set amount of credits each month, but you can also pay as you go if you run out of credit which is much better than the 5 hour window crap claude code would give me.
The only opus model available now on copilot for some reason is 4.7 and it costs 7.5x tokens, while everything else is 1x, 0.33x or free.
But I switched to using GPT 5.4 medium for a month or so which I find very reasonable.
I pay for copilot to access anthropic, google and openai models.
Claude Code always gives me rate limits. Claude through Copilot is a bit slow, and Copilot has constant network request issues or something, but at least I don't get rate limited as often.
At least local models always work, are faster (50+ tps with qwen3.5 35b a4b on a 4090) and, most importantly, never hit a rate limit.
But qwen3.5 35b is worse than even Claude Haiku 4.5. You could switch your Claude Code to use Haiku and never hit rate limits. It also gets a similar 50 tps.
I haven't tried Haiku 4.5 much, but I was not impressed with previous Haiku versions.
My goto proprietary model in copilot for general tasks is gemini 3 flash which is priced the same as haiku.
The qwen model is in my experience close to gemini 3 flash, but gemini flash is still better.
Maybe it's somewhat related to what we're using them for. In my case I'm mostly using llms to code Lua. One case is a typed luajit language and the other is a 3d luajit framework written entirely in luajit.
I forget exactly how many tps I get with qwen, but glm 4.7 flash, which is really good (for a local model), gets me 120 tps and a 120k context.
Don't get me wrong, proprietary models are superior, but local models are getting really good AND useful for a lot of real work.