Hi Douglas,

On Fri, Jul 10, 2026 at 05:59:20AM -0300, Douglas Fischer wrote:

> This has become a common occurrence across various open-source projects.

Well yes, and we've been seeing this for some time. I have even touched
this topic in [my last 
blogpost](https://en.blog.nic.cz/2026/06/10/the-spring-2026-of-security-vulnerabilities-in-bird/).

> It seems like there’s a massive investment in tokens—a desperate scramble
> to find any opening to shoehorn a patch into the codebase, just to post
> about it on LinkedIn.
> 
> I’ve seen a range of attitudes toward this: from code maintainers fully
> embracing it (which is actually a bit unsettling) to outright blocking
> anything AI-generated (sometimes discarding potentially interesting
> contributions in the process).

It's hard. On one hand, the quality of the contributions has been
miserable, see what Daniel Stenberg writes on his blog, and one inclines
to waste no more time on garbage. On the other hand, especially if the
project is not an infrastructure thing, people don't really care too
much about occassional crashes or performance issues, and the
maintainers are feeling pressured to accept the LLM-generated
contributions because they look good and do the things.

> I think the best suggestion I’ve seen is a middle-ground approach.
> Projects could build the necessary infrastructure internally to support
> AI-driven activities, treating them as native to the project rather than
> the work of an external entity simply scouring for opportunities.
> This would allow interested individuals to contribute their tokens to run
> whatever tests they deem appropriate.

Is there any easy way where we could register and say "please, users,
send us some tokens so that we can run commercial models in our CI and
automatically assess things"?

There are also other experiments running quietly under the hood but
mostly in testing and actual text processing instead of generating code.

We also keep resisting LLM-assisted code reviews, as with LLM
assistance, one tends to believe that if LLM found one problem of some
category, it found all of these. Not that it would be too dumb, but one
must not run LLM before reading the code humanly. And while certain
companies have allegedly already totally switched to auto-merging
changes by LLMs, just today I spoke with a big network operator and got
a clear statement that they do not support this approach at all.

> I don't believe the current volume justifies the effort.
> But once it starts to become excessive, that idea might be worth
> considering.

The current volume of the reports has already greatly exceeded the
capacity of the team. Every single report, if repeated, is 15 minutes of
work, and if new and not outright bonkers, 4 hours of senior work,
beginning with the context switch, reading the report, checking relevant
code, coding, and most importantly, assessing whether the fix makes
sense in the context of whole BIRD.

I myself vibed 5 different corner-case bugs in EVPN just last week, and
fixing them will require probably half a week.

Also only seeing the bugreport in the list is kinda nerd-sniping. It's
hard to not switch contexts when it arrives. Even just filling the
backlog is time-consuming, as one still has to do the triaging.

Leŧ's see where the future is.

-- 
Maria Matejka (she/her) | BIRD Team Leader | CZ.NIC, z.s.p.o.  

Reply via email to