Update: that was quick! GitHub banned the “AI” company’s account. Only GitHub gets to spam AI on GitHub, thank you very much.
Most of the time, products with “AI” features just elicit sighs, especially when the product category in question really doesn’t need to have anything to do with “AI” in any way, shape, or form. More often than not, though, such features are optional and easily ignored, and we can always simply choose not to buy or use said products in the first place. I mean, over the last few days I’ve migrated my Pixel 8 Pro from stock Google Android to GrapheneOS as the final part of my platform transition away from big tech, and Google’s insistence on shoving “AI” into everything certainly helped in spurring this along.
But what are you supposed to do if an “AI” product forces itself upon you? What if you can’t run away from it? What if, one day, you open your GitHub repository and see a bunch of useless PRs from an “AI” bot who claims to help you fix issues, without you asking it to do so? Well, that’s what’s happening to a bunch of GitHub users who were unpleasantly surprised to see garbage, useless merge requests from a random startup testing out some “AI” tool that attempts to automatically ‘fix’ open issues on GitHub.
The proposed ‘fixes’ are accompanied by a disclaimer:
Disclaimer: The commit was created by Latta AI and you should never copy paste this code before you check the correctness of generated code. Solution might not be complete, you should use this code as an inspiration only.
This issue was tried to solve for free by Latta AI – https://latta.ai/ourmission
If you no longer want Latta AI to attempt solving issues on your repository, you can block this account.
↫ Example of a public open issue with the “AI” spam
Let me remind you: this tool, called “Latta AI”, is doing all of this unprompted, without consent, and the commits generally seem bogus and useless, too, in that they don’t actually fix any of the issues. To make matters worse, your GitHub repository will then automatically appear as part of its marketing – again without any consent or permission from the owners of the GitHub projects in question.
Clicking through to the GitHub repositories listed on the front page will reveal a lot about how developers are responding: they’re not amused. Every link I clicked on had Latta AI’s commit and comment marked as spam, abuse, or just outright deleted. We’re talking public open issues here, so it’s not like developers aren’t looking for input and possible fixes from third parties – they just want that input and those possible fixes to come from real humans, not some jank code generator that’s making us destroy the planet even faster.
This is what the future of “AI” really looks like. It’s going to make spam even easier to make, even more pervasive, and even cheaper, and it’s going to infest everything. Nothing will be safe from these monkeys on typewriters, and considering what the spread of misinformation by human-powered troll farms can do, I don’t think we’re remotely ready for what “AI” is going to mean for our society. I can assure you lying about brown people eating cats and dogs will be remembered as quaint before this nonsense is over.
So how does it work for Google then, if publicly on GitHub everybody can see that AI contributions are considered unmergeable spam? The claims about how internally at Google AI already contributes 25% of the code explain why this whole AI thing is a bubble: one thing is PR pamphlets and another thing is reality!
This is a poor implementation of a common toolset.
Look at tools like dependabot as an example. Tbh I think a requirement of a public repo should also be to run a static dependency scanner on it. The sheer amount of vulnerable code on GitHub that is regularly used without any understanding of its security status is terrifying.
https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#configuration-of-dependabot-alerts
Developers opt in if they want to be bothered by dependabot.
https://scan.coverity.com/
It keeps on going: the good tools are all opt in.
Adurbe, there is a very good reason. Let’s say you have a case where the tool is producing a provable false positive; you need to be able to turn this off.
https://scan.coverity.com/projects/linux
Yes, a proper static scan picked up more than a simple dependency check.
Thom Holwerda,
AI is going to be a very disruptive technology, and unfortunately I have to agree that AI doesn’t discriminate between good applications and bad ones. Therefore, AI will increasingly be used by spammers and scammers as a means to achieve their ends. It can increase their efficiency and “productivity” for sure, and it doesn’t matter that the world would clearly be better off without them 🙁 Although I hesitate to transitively apply the badness of scammers to AI itself. AI itself is just a tool. It would be like saying telephones, email, radios, etc. are bad because they help enable scammers and even terrorists, which is logically true but misses the bigger picture. Consider that the same AI tech that scammers use can also be used to create personal assistants that help people screen calls, for example.
Unfortunately the proliferation of spam and scammers is largely a byproduct of legacy networks that are wholly inadequate against modern threat models. Telephones, email, even payment processors are using laughably bad security measures considering what modern crypto can do. All of these networks were invented at a time when trust was implied and before modern public-key cryptography existed. To think that a stranger with a few static numbers can charge my bank account… in 2024… is beyond stupid, and yet here we are. In all of these cases the problem is that we took fundamentally insecure networks and kept patching things up in the most backwards-compatible way possible, compromising everyone in the process. It’s a hodgepodge of hacks that don’t integrate perfectly and still end up with both false positives and false negatives that still allow too many scammers through.
Endpoint cryptography is extremely effective for authentication and privacy, but the biggest problem in practice is that anybody who deploys it effectively ends up on a digital island, not able to communicate with the outside. So then we’re forced to create bridges to the legacy networks. These bridges then are forced to rely on the same flawed heuristics that fail to perfectly detect unwanted calls, unwanted transactions, unwanted emails, etc. We know these techniques don’t work against modern sophisticated adversaries. We really need a clean slate: open federated standards with security built in from the get-go, no hacking security into the model after the fact.
If people want to see what the experience is like, check out the blog post from January by curl’s lead developer, Daniel Stenberg:
The I in LLM stands for intelligence