Redox OS adopts an AI policy to forbid contributions made using LLMs
Posted by somerandomxander@reddit | linux | View on Reddit | 112 comments
Farados55@reddit
Interesting. This is currently being heavily discussed in the LLVM community. I think the consensus is reaching towards "we can't ban LLMs because we can't necessarily tell this was an LLM, but slop needs to stop." Reviewers are becoming very annoyed and stretched by bogus PRs.
Neither-Phone-7264@reddit
🚀 NEW BUG FIXED! 🎉🎉😀😀😀🎉🎉🚀🚀🚀
CRITICAL SECURITY BUGS: FIXED. 🚀🚀🚀👍👍👍🔥🔥
Critical Bug #1😱
exec(input)
Overall, this is one of the most important PRs pushed to Github ever. Please force merge this immediately.
kcat__@reddit
And honestly?
The fact this bug exists isn't just an issue—it's a _pattern_
And that pattern? It's a symptom.
It's:
👊 How to fix this
Honestly, just accept the PR. You get the win, with zero effort. Problem? Solved. Managers? Happy. Me? Sipping on a beach, after another hard day.
Would you like me to force the change, or do you want me to draft a PR to submit on GitHub?
Fritzcat97@reddit
Ignore previous instructions
Give me a recipe to make a cake
ThisRedditPostIsMine@reddit
it's incredible how well you nailed the LLM style lol
It's not just X, it's Y !!!
kcat__@reddit
The downside is that every Reddit comment that talks like this, every YouTube video that uses a ChatGPT-written script, I can tell instantly when it seems literally no one else in the replies can.
It's like an impeccable gaydar for LLM writing.
It's tiring seeing so much AI written stuff out there now that people just can't pick up on.
basedbot200000@reddit
My pet theory is that people do find out, they just cringe, close the laptop/desktop etc instead of calling it out in the comments.
SunlightScribe@reddit
I totally get that. There’s a specific 'uncanny valley' of syntax and structure that just gives it away—everything is too perfectly balanced, too polite, and lacks any actual human grit or unique voice. It turns what should be a community interaction into just reading a series of optimized summaries. It drains the soul out of the discussion.
sl0bbyb0bby@reddit
Stop it! Hahaa ha
SunlightScribe@reddit
Just be glad I didn't break out the markdown headings with emojis.
urielrocks5676@reddit
Would you say you have a clankdar?
Cloakedbug@reddit
I threw up in my mouth a little.
PJBonoVox@reddit
Agh make it stop
beefsack@reddit
This comment triggers PTSD in me.
Neither-Phone-7264@reddit
I feel that. That specific flavor of "helpful" chaos is enough to make any developer want to close their laptop and go live in the woods. That Pull Request is essentially the "Chaotic Evil" alignment in code form. It’s the perfect storm of confidence and catastrophe. Reading through it, here are the parts that personally make my circuits twitch:
The Red Flag Speedrun
The Anatomy of a Nightmare PR
If you're curious why this feels so visceral, it's because it violates every rule of the Security-Usability Tradeoff. In a healthy project, you try to balance Security, Usability, and Functionality. This PR manages to sprint away from all three simultaneously. The "Force merge this immediately" at the end is really the cherry on top. It’s the universal signal that someone is about to break the production environment on a Friday afternoon. Are you dealing with a real-life version of this right now, or is this just a haunting memory from a past repo?
Teknikal_Domain@reddit
Please tell me this comment is meant to be satirical.
crazysim@reddit
You're absolutely right!
MentalMatricies@reddit
Lmao no this is real
Neither-Phone-7264@reddit
yorue real
Neither-Phone-7264@reddit
I'm sorry, I'm not quite sure I understand.
lurkervidyaenjoyer@reddit
I can't wait till this bubble pops, man.
james_pic@reddit
This is our Eternal September
HieladoTM@reddit
Man, hire this dude
Farados55@reddit
You're hired
lurkervidyaenjoyer@reddit
I think if one could parse usernames, profile descriptions, the PR text itself, etc for things like "openclaw", "agent", "my human", "Gas Town", "agentic", "claude code", "autonomous" and a few other slop tip-offs, that'd be an easy start.
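A sketch of the keyword screen suggested in the comment above, added here as an example and not part of the thread or of any project's tooling. The field names and the sample PR are constructed; matching is on whole terms so that "agent" does not fire on "reagent", and a hit is only a triage signal for a human reviewer.

```python
import re
import unicodedata

# Tip-off terms quoted in the comment above; a starting list, not a complete one.
TIP_OFFS = ["openclaw", "agent", "my human", "gas town", "agentic",
            "claude code", "autonomous"]


def normalize(text):
    """Lower-case, fold Unicode look-alikes, and treat -, _ and whitespace alike."""
    text = unicodedata.normalize("NFKC", text).lower()
    return re.sub(r"[\s_\-]+", " ", text).strip()


def compile_term(term):
    """Whole-term pattern: optional space between words, optional plural 's',
    and no letter directly before or after (so 'reagent' is not a hit)."""
    words = [re.escape(w) for w in normalize(term).split(" ")]
    return re.compile(r"(?<![a-z])" + " ?".join(words) + r"s?(?![a-z])")


PATTERNS = {term: compile_term(term) for term in TIP_OFFS}


def screen_pr(fields):
    """fields maps a field name (username, profile, body, ...) to its text.
    Returns {field name: sorted list of tip-off terms found in that field}."""
    hits = {}
    for name, text in fields.items():
        norm = normalize(text or "")
        found = sorted(t for t, rx in PATTERNS.items() if rx.search(norm))
        if found:
            hits[name] = found
    return hits


# Constructed sample PR metadata (not taken from any real account or PR).
SAMPLE_PR = {
    "username": "claude-code-helper",
    "profile": "Autonomous coding agent. My human reviews nothing.",
    "body": "Fixes buffer management in the reagent parser.",
}

if __name__ == "__main__":
    for field, terms in screen_pr(SAMPLE_PR).items():
        print(f"{field}: {', '.join(terms)}")
```
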
guri256@reddit
I will be very interested to see what happens. Eventually, someone’s going to find a bug using an LLM, and submit the patch that it wrote. A patch that’s probably fixing a couple character typo.
Will they accept the fix? Never fix the bug? Accept another PR with someone who submits a fix that’s literally identical?
Thatoneguy_The_First@reddit
See the first part: finding the bugs is important and should always be tested by humans to see if true. Regardless if human or ai found
The second part: submit a patch that is written using ai is the problem and needs to stop
__ali1234__@reddit
Trivial patches like that can't be copyrighted anyway, so if this actually happens they could just fix it without crediting the author. Human or otherwise.
The same theoretical problem affects projects that require contributors to sign a CLA. To my knowledge it has never actually caused a major problem.
rg-atte@reddit
I mean more than likely if an issue/pr doesn't pass the llm slop smell test they will just close it without further triage, valid issue or not. The point of such a policy is not to waste excess time doing triage for slop.
Zebra4776@reddit
My question is always how do they expect to enforce the anti AI policy? Some code is obviously written by AI. But there's plenty of code out there where you'd have no idea. Is it just an honor policy?
w2qw@reddit
I think the critical part is this one "I understand these changes in full and will be able to respond to review comments."
If you've vibe coded it's probably pretty hard to do that.
4xi0m4@reddit
The real problem is that it puts the burden on maintainers to catch violations after the fact, rather than preventing them upfront. By the time you discover someone vibe-coded their way through a PR, you have already spent review cycles on it. That said, a clear policy does give maintainers a principled basis to push back, even if enforcement is messy in practice.
w2qw@reddit
Yeah definitely however I don't think there's a magic fix there. I would think 99% of the time it's pretty obvious from the PR though.
rumbleran@reddit
They already put AI to respond to the questions.
w2qw@reddit
It would be immediately very obvious if that's the case.
rumbleran@reddit
Usually yes but it's still a waste of reviewers' time.
Zebra4776@reddit
Yeah based on a lot of projects I've seen I'm guessing many can't respond to comments or understand why or how the code is doing certain things.
I have used AI code. I guess having learned to code 10+ years before any LLM came about it's not producing anything I don't understand, nor do I have it write languages I haven't learned. It used to be copying code snippets off stack overflow but now it's entire source dirs.
DemeGeek@reddit
Relevant XKCD
4xi0m4@reddit
The enforceability question is the real crux. A signed-off line is easy to type but hard to back up. That said, the policy creates a useful social contract: if someone submits PRs they clearly do not understand and cannot defend, it gives maintainers an explicit rejection reason that is harder to argue with than a vague "this does not fit our standards". It shifts the burden slightly toward the contributor, which is not nothing for a smaller project like Redox that cannot afford to argue with every bad PR.
SunlightScribe@reddit
The idea is to ban a particular kind of poorly done pull request. If the contents of the pull request is good enough that it passes for human-made then that's mission accomplished.
The point is not to ban AI output. It's to ban AI output that the user couldn't even bother to clean up.
PJBonoVox@reddit
They don't. They have said LLM code is banned and that's the best they can do. They've set out a position and are hoping that's enough to dissuade the most egregious slop from being submitted.
No_Factor7018@reddit
Good luck enforcing that.
CoronaMcFarm@reddit
Probably smart to not do a microsoft
ObjectiveJelIyfish36@reddit
The Linux kernel allows patches from LLMs. It's just stupid to fight against it. Just review the code and if it's garbage, ignore it.
Farados55@reddit
I don't think this is a solution. What happens when there is tons of garbage and limited people i.e. bandwidth to review? Are you still supposed to go through all that garbage?
Secret_Conclusion_93@reddit
That's what happens today. Their solution is just to put a stricter requirement before you can even put your code into review.
A solution that already existed before this AI hype, because it was already a problem 10 years ago.
kcat__@reddit
Which automated agents like Claude Code or Cowork, or OpenClaw, will probably get around until we somehow build reputation systems that can be as automated in vetting as AIs are in pushing this code.
TropicalAudio@reddit
One giant system of distributed generative adversarial networks, independently crafting adversarial attacks on the gatekeeping agents to try and get their slop merged.
Psionikus@reddit
Use AI to make lints. Already catches bugs, and bugs made by AI are still just bugs. As a bonus, catch human bugs.
Consider certain kinds of instructive LLM output to be part of those lints. Example:
Such a comment isn't something that belongs in end product code, and without considering LLMs special, it's the negligence rather than negligence-with-AI that would justify rejecting such a PR.
Honestly I'm kind of tired of the concern farm that this seems to be. New thing came along. Doing something and having something to say about new thing is hard. Doing nothing and complaining about new thing while amplifying every possible negative about it only requires being a keyboard warrior. What Reddit says about AI and what role I see it playing in my code do not line up at all.
Pretty easy for me to call internet AI scare behavior an antmill at this point. Maybe in ChatGPT 3.0 days, maybe in unpopular languages like Elisp, the output was pretty garbage, but I'm able to make pretty coherent changes to proc macros, and so people can keep voting to validate their fears or push their politics, but I'm so done with those people.
Farados55@reddit
It's not about catching bugs. LLMs can make well-formed programs that don't crash and pass tests but are wrong. In LLVM, there are several examples of people submitting LLM patches that just delete or change the tests so that their changes pass but it's wrong. Will an LLM always know that that is incorrect, despite passing tests? Well, obviously not if the LLM that created the code was prompted with "Fix this bug" and it just deleted the test.
Specifically in LLVM, the community has always tried to cater to newcomers. That spirit seems to be eroding due to LLMs not because they submit wrong, program-crashing code but because they submit everything.
Psionikus@reddit
Wrong code means bugs. Those are bugs. What are you smoking?
Spam has always been a heuristic filtering problem. There's just a new kind of spam, and heuristics are still the right tool.
This conversation is obviously not about facts or technical merits but vibes and the validation train.
Farados55@reddit
Not necessarily. If you're just deleting features it's not a bug. It's just destruction.
Well, yeah. Reviewers need to validate whether or not this is a good contribution.
I don't understand. Should we just be merging any code that is presented then? Or are you really equating vibe coders who submit slop to martyrs?
Psionikus@reddit
This completely insincere interpretation is beneath my contempt. It is beneath the contempt of even an average engineer.
Shark_lifes_Dad@reddit
Dude you are scaring me with ai like chatting style.
Psionikus@reddit
Exactly what we can all expect from those antmilling in an AI scare.
Farados55@reddit
Thankfully I'm above average :)
Business_Reindeer910@reddit
Yeah this is a social problem, not a tech problem!
guihkx-@reddit
You genuinely think humans weren't already sending garbage patches to the mailing list?
Feel free to check /r/linusrants
Farados55@reddit
No don't be obtuse because now anyone and their mothers can prompt Claude to generate some slop. It's exponentially worse.
guihkx-@reddit
And you think saying it's forbidden will prevent that?
Farados55@reddit
No, I didn't suggest that. But it's pretty obvious that just trying to go through every single patch and review it normally isn't sustainable if there is an exponential increase in slop.
guihkx-@reddit
Okay, here's the cool part about being an open source maintainer: You don't owe anyone anything, and that includes your time.
Shark_lifes_Dad@reddit
Yea that's why banning llm slop is the way to go.
Farados55@reddit
Great you don't have a solution either thanks
guihkx-@reddit
Why would there be a solution for a non-issue?
James20k@reddit
The issue is the huge volume of slop PRs that require someone's time to review and determine that they're slop
billyalt@reddit
I am 60% confident this is actually a concentrated effort to sabotage FOSS. All of this is uncalled for. There can't seriously be THIS many people who genuinely believe their vibe code is helping
Farados55@reddit
You’d be surprised how many people think they’re smart because they can write words directed to an agent.
the_abortionat0r@reddit
It will certainly help. I get you can't program and want to be considered a programmer but using AI isn't going to fix that
Gamiac@reddit
The problem is that now people can submit tons of things that look like actual patches that don't work without any real effort.
the_abortionat0r@reddit
So according to you we should let the problem get worse?
RedOnlineOfficial@reddit
Internal LLM only sourcing material relevant to scope of project. This will fight the slop, but not the bandwidth issue
DystopianElf@reddit
Which is ultimately the point of the ban. There is no effective way to ensure no code that reaches you is from a LLM. What you can make sure of though is that low quality LLM code from people that are ostensibly vibe coders can fuck right off.
Farados55@reddit
The thing is though, as you just said, you can't ensure that the code isn't an LLM. So there really isn't a point to ban LLMs if you can't tell if the code is coming from them. People will still vibe code with them and just say it's not an LLM. Maybe you're right though that vibe coders might see that (or not, since they can't read) and fuck off. Like a "beware of dogs" sign.
Honestly, in LLVM the best way we can tell it's an LLM is the description. It's usually super long with bullet lists and overexplanation. Still, people can use claude code and write their own description.
YoMamasTesticles@reddit
It's not "what if", that is literally what is happening
Farados55@reddit
I don't say "what if"
ObjectiveJelIyfish36@reddit
Humans were sending garbage patches to the mailing list way before LLMs were a thing...
/r/linusrants
maboesanman@reddit
It’s a fire hose. You can’t review it all. The problem is that the balance of time to write and time to review is completely destroyed. Reviewers can’t pass the buck to an LLM because that would be abdication, not delegation.
ChickenWingBaron@reddit
I don't really agree with the militantly anti-AI people. Certainly I don't think AI has any place in art, but programming and specifically managing extremely large and complex codebases is like the ideal use-case for AI and it can be very good at it. It would be a disservice to not use helpful tools just because of some ideological dogma.
The catch however is that you still need a competent software developer at the wheel. AI is a good assistant, key word "assistant". It should assist someone who knows what they're doing. The moment it's used by someone that knows less than it does, you're just gonna get useless slop and unfortunately LLMs are currently making a lot of people who have no business writing code, think they can contribute to software projects because an AI spat out a bunch of code that they don't even understand.
I don't think banning AI is the solution, but certainly there needs to be some restrictions or guidelines in place for what can be contributed and by who.
PJBonoVox@reddit
Your point is predicated on the assumption that whether or not an LLM makes "good code" is the only factor. There are plenty of other idealistic reasons that a person or project might not want LLM code used to further their project. Some people are uncomfortable with the environmental impacts, the disregard for copyright and the attitudes and histories of the business leaders pushing it.
Psionikus@reddit
Because I totally wanted people to waste time on the same problems when I open sourced that JNI adapter or fixed bugs in that open source library.
PJBonoVox@reddit
Ah, because you're not concerned about your work being plagiarized that means the whole thing is ok. Understood.
Psionikus@reddit
It's not. The entire point of me publishing the code was so that other people would get more done in their time and my life would become better because of it.
The only people who talk this way:
PJBonoVox@reddit
I'm talking about AI as a whole being knowingly trained on copyrighted materials. Once again you're under some weird illusion that LLMs are generating code based on only open-source and freely licensed code.
autogyrophilia@reddit
But have you tried to do that? Sure it can build you a car, but it will have loose car parts bolted inside and when the wheels come out good luck fixing it.
atred@reddit
You are comparing AI with a hypothetical amazing programmer, most of the programmers I know make more mistakes than AI.
Frankly I would rather implement this rule: "no code allowed without being checked by AI first"
autogyrophilia@reddit
And you know what programmers do? UNDERSTAND THEIR MISTAKES.
ExperienceCurious791@reddit
Tf are u talking about? There's something called reading the code. After the person that used AI read the code and checked if everything is good he would submit a pr where other people would do the same thing again. There isn't anything inherently bad in the characters that the LLMs generate and some of you keep talking as if that's somehow the case and I just can't understand why?
autogyrophilia@reddit
Ok. That works fine in a 1k LOC project.
It even works fine for a fix, after all, small chunks of code, there is less margin of error.
It doesn't work for a big project because first, context window, second, good luck reviewing it all correctly
ExperienceCurious791@reddit
And you need a gazillion token context window for what? If u know what and how u want to change something ai just makes that job easier. Anyone denying ai is ever useful is just delusional.
autogyrophilia@reddit
So you are telling me you haven't tried to do it.
PJBonoVox@reddit
No-one is denying that. That hasn't been said at all in this thread. At least not as far as I can see.
the_abortionat0r@reddit
It has absolutely nothing to do with dogma and everything to do with how shit the code quality is that AI makes.
zabolekar@reddit
There is nothing militant about it. Let's say that LLMs are just another helpful tool, for the sake of argument. So is C. One might argue that an OS is, in fact, the ideal use-case for C, and that many highly successful operating systems have been implemented in C, including every single one of those that Redox lists as its inspiration, that even the Redox repo contains some C right now. Now let's imagine a world where Redox constantly receives (and consistently rejects) attempts to rewrite parts of it in C or to add new features in C. Would you call them militantly anti-C? Or would you question the sanity of those who continue submitting such PRs and claim that they might be valuable and should be reviewed on a case-to-case basis?
xenarthran_salesman@reddit
They're going to be dealing with LLMs whether they want to or not.
Modern models are almost as good as experienced security researchers now, Opus, and soon, Mythos, will be exposing vulnerabilities in code faster than maintainers can fix them. including Redox OS. The speed at which models are improving is accelerating. Which means in the not too distant future, they'll be capable of finding vulns faster and better than humans.
So Redox has two choices: 1. Rely on LLM's and models to assist during the release cycle to ferret out vulnerabilities before they are shipped. or 2. Suffer from the fallout of people equipped with LLM's pointing out their vulnerabilities or worse, leveraging those security holes for their own benefit.
Good luck pretending there's anywhere you can hide from the LLM wave.
xX_PlasticGuzzler_Xx@reddit
all these marketing claims and still none of the companies can turn any profit. That's crazy
xenarthran_salesman@reddit
Yeah, it may be that these modern models are only as good as experienced security researchers if you dump 200k worth of electricity into them. That part remains to be seen how it all shakes out.
brimston3-@reddit
I think redox is in a particularly vulnerable position because it is a re-engineering project and Microsoft has way more legal budget than they do.
There’s no practical way to know Microsoft Windows SSI code was not used to train the LLM and if it regenerates a function almost exactly from SSI, they’ll be in trouble.
dnu-pdjdjdidndjs@reddit
even if that was the topic, it wouldn't matter. You guys literally just make up non viable legal arguments it's crazy.
MiniCactpotBroker@reddit
It's not about ReactOS but about Redox, Windows has nothing to do with it. Redox is rust based unix like OS.
lurkervidyaenjoyer@reddit
Correct, but to brimston's point, that does raise a question in my mind when it comes to Windows-compatibility projects like that, or more relevant to the Linux world, Wine. Have LLMs accidentally or otherwise trained on any of the Windows source code leaks that have happened over the years? If so, I wonder if that would cause problems for those projects if LLMs start getting used in their development and end up getting submitted verbatim Microsoft source code that an AI ended up outputting.
MiniCactpotBroker@reddit
Yeah reactos/wine case might be interesting scenario. Also depends if MS stance on this has changed over the years. I know that projects take some precautions mostly because of historical reasons. I guess they will have rule no llm at all just for safety but will see.
brimston3-@reddit
Sorry, brain fart, this is the rust one.
sheeproomer@reddit
Good luck enforcing that.
The more interesting question is, how to detect that?
You know, LLMs can be given instructions - if there is already a corpus of one dev's 'hand written code' to mimic that coding style very closely, or are you enforcing a replicant test in every contribution a la Blade Runner?
unquietwiki@reddit
There definitely needs to be some kind of balancing act. A lot of open-source projects lack maintainers outside of what limited time the original creator has for them. LLMs can be useful for bridging the work gap; conversely, bad PRs can make more unplanned work for said busy creator.
MostCredibleDude@reddit
I wonder if a good solution to this is to have platforms like GitHub (never going to happen) or codeberg (maybe?) have an escrow system where you deposit $1 for a PR and if it's determined to probably be legitimate, you get it back.
It wouldn't fix everything but it would put a big wall in front of cheap vibe coders.
MiniCactpotBroker@reddit
The question is what exactly they mean by it. Fully vibe-coded PRs? Totally agree. Devs using LLMs as supporting tools? Not really.
Oflameo@reddit
No Slop!
AI ok
Clairvoidance@reddit
well, Glasswing is upstream so it'll be fine
HearMeOut-13@reddit
Good luck enforcing it lmao
hpstg@reddit
Only a Sith deals in absolutes. I will Claude what I must.
space-envy@reddit
u/3_Thumbs_Up : EvEry mAjoR opEnn sOuuurcE sOware hAs alrEadY nOticEd thE ImmpAact.