Not all bots have bad intent. Some compensate for a lack of a protocol/platform-native feature. Which makes all bots occasionally annoying, because human time is spent.
I'm sure that from the perspective of a publication that paywalls, those bots are not a good thing.
These are always either bots or people looking to bolster their CV by bragging they "contributed" n PRs to n repos. I signed up to collaboratively make some (hopefully nice) software, not to deal with a stream of PRs like this.
Typos in README or publicly facing docs are different; I usually merge those (and those are almost always good faith too, because usually a real human picks up on them before the bots/script kiddies do).
I've also submitted PRs that just fixed typos, and I've considered that a legit contribution.
But if I maintained a high-profile project right now, I'd at least take pause in thinking some of these accounts could be spam reputation-boosting accounts that only make comments/PRs to lend legitimacy to the account when it ultimately stars some artificially boosted repo.
And making it harder to detect star manipulation erodes the signals of trust which have been used on Github, and ultimately can be a security concern (historically I've looked at numbers of contributors, stars, downloads, and issues open/closed as a rough idea of how secure some npm dependency might be.. basically the idea that "more eyeballs" can mean slightly less chance of a massive security issue, especially in security-critical code like oauth libraries)
I don't know what the solution is here. Maybe requiring people sign a CLA like some corporate open source projects do is at least enough of a barrier
I imagine contributors won’t exactly be happy with that though.
OK, a credit, but really, who cares? People can see what an accepted pull request consisted of, so I'm not sure they're kidding anybody in terms of boosting their reputation with credits for fixing typos.
All the same, I'm just glad to see people improve their presentation, especially typos.
I do that when I see typos in documentation.
IMO, the solution is simple: allow project maintainers to disable pointless metrics that would incentivize the GitHub equivocal to karma farming.
I also think the quality of comment on HN suffers for the fact that the karma score is visible metric to the end-user. Reddit particularly. The view count on tweets too.
A lot more people will read the docs than the code, and typos are annoying and for some people highly distracting (OCD)
If someone wants to write "check_spelling_bot" and get a ton of github karma, I have 0 issue with it. In fact, I encourage GitHub to do it :).
If you got spam, but the spam was useful to you personally, not marking it as spam prevents your email provider from flagging the account as spam to the wider world.
Relevant xkcd: https://xkcd.com/810/
That is absolutely false. Spam is not defined based on it's utility, but based on whether a message is solicited.
If the author of a repo hasn't signed their repo up for an automated PR bot, that bot sending out PRs is absolutely spam.
A few months back, I noticed that there were some accounts posting issues on open source repositories, but their issues were a direct copy/paste of mine. I couldn’t figure out why they would copy/paste my issue so I dismissed it.
Now it makes sense!
Or are people actually deploying LLMs to inspect code and produce usable optimizations?
Because that would be an interesting beneficial side effect to an otherwise "nefarious" marketing hustle.
For what it's worth, I've seen lots of examples of this, and "usable optimizations" is entirely false. The PRs are often not working code. It's scattershot. The point isn't to make a PR that benefits the project in any way, it's to fill in the green square on the profile so it looks like there's a human doing things.
Anyone giving this stuff more than a cursory glance would see that it's all bullshit. But the point isn't to stand up to scrutiny. It's to defeat abuse protection measures with legitimate-looking activity. And in the case of stars, to make it look to anyone who's just glancing at the star-ers that there are real people starring the repos.
It's deviously clever and absolutely terrible.
> It took six hours for my order to complete, and the accounts look legit; each has a profile picture, different companies that they work for, a couple of repositories, and a contribution to one or more open-source projects, next to being a GitHub member for over a year.
This is the motivation for garbage AI-generated PRs or insubstantial docs changes that "people" make. It doesn't matter if they're good. They only exist to add surface level legitimacy to fake accounts so that services like this one can exist.