Thanks for writing this up and bringing attention to it, I agree it is a big problem.
Thinking about it though - if we can't afford to keep packages on older versions, and we also can't afford to spend the effort to police upstreams, then what options does that really leave? Do you have any proposals you are thinking about? - Dave On Tuesday, March 10th, 2026 at 11:56 AM, Michał Górny <[email protected]> wrote: > Hello, > > Recently we've seen quite a grow in LLM usage in upstream packages, to > various degrees. The exact degree differs, apparently ranging from > using LLMs as glorified autocomplete to asking them to rewrite the whole > project or being convinced that a chatbot is sentient. The results are > raising some concerns. I've originally written to the distributions ml > [1] to facilitate some feedback on how other distributions are handling > it, but the major players didn't reply. > > Our "AI policy" [2] covers only direct contributions to Gentoo. At the > time, we did not consider it appropriate to start restricting what > packages are added to Gentoo. Still, general rules apply and some of > the recent packages are starting to raise concerns there. Hence I'm > looking for your feedback. > > Two recent cases that impacted the Python team were autobahn and > chardet. > > In case of autobahn, the author started using two LLMs to write major > portions of code, as well as reply to bugs. This caused some "weird" > bugs [3,4,5], which eventually lead me to ask upstream to reconsider > which met with quite a backlash [6]. While I haven't checked the code, > judging by the kind of slop that (almost) got committed as a result of > my bug reports, we've decided that it's not safe to package the new > versions and autobahn was deprecated in Gentoo. Still, it has reverse > dependencies and I don't really have the energy to go around convincing > people to move away from it. > > In case of chardet, one of the current maintainers suddenly decided to > ask LLM to rewrite the whole codebase under a different license, > therefore obliterating all past commits. This triggered a huge > shitstorm [7], in which the maintainer pretty much admitted he did this > deliberately and was pretty much a complete asshole about it (basically, > "I've been co-maintaining this for N years, nobody was doing anything, > so I've used a plagiarism machine to rewrite the whole thing and claim > it as my own work"). I haven't read most of it, given that the same > things keep repeating: mostly GPL haters cosplaying lawyers. We've also > decided not to package the new version, given the ethical and licensing > concerns. > > However, these aren't the only concerning packages. As a result of > chardet rewrite, binaryornot has replaced it with its own code which in > which LLMs were quite likely to have been involved [8]. Linux kernel > apparently uses them too [9]. KeePassXC too, triggering security > concerns [10]. So does vim [11]. > > The key problem is, how do we decide whether to package something or > not? We definitely don't have the capability of inspecting whatever > crap upstream may be committing. Of course, that was always a risk, but > with LLMs around, things are just crazy. And we definitely can't stick > with old versions forever. > > The other side of this is that I have very little motivation to put my > human effort into dealing with random slop people are pushing to > production these days, and reporting issues that are going to be met > with incomprehensible slop replies. > > > [1] > https://lore.kernel.org/distributions/[email protected]/ > [2] https://wiki.gentoo.org/wiki/Project:Council/AI_policy > [3] https://github.com/crossbario/autobahn-python/issues/1716 > [4] https://github.com/crossbario/autobahn-python/issues/1735 > [5] https://github.com/crossbario/autobahn-python/issues/1782 > [6] https://github.com/crossbario/autobahn-python/discussions/1818 > [7] https://github.com/chardet/chardet/issues/327 > [8] https://github.com/binaryornot/binaryornot/releases/tag/v0.5.0 > [9] https://lwn.net/Articles/1026558/ > [10] https://github.com/keepassxreboot/keepassxc/issues/12635 > [11] https://hachyderm.io/@AndrewRadev/116175986749599825 > > -- > Best regards, > Michał Górny > >
