惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google DeepMind News
Google DeepMind News
C
CERT Recently Published Vulnerability Notes
C
Cisco Blogs
Cloudbric
Cloudbric
The Last Watchdog
The Last Watchdog
L
LINUX DO - 热门话题
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Application and Cybersecurity Blog
Application and Cybersecurity Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Security Archives - TechRepublic
Security Archives - TechRepublic
TaoSecurity Blog
TaoSecurity Blog
V2EX - 技术
V2EX - 技术
H
Heimdal Security Blog
S
Security Affairs
L
Lohrmann on Cybersecurity
Hacker News - Newest:
Hacker News - Newest: "LLM"
Simon Willison's Weblog
Simon Willison's Weblog
WordPress大学
WordPress大学
小众软件
小众软件
Security Latest
Security Latest
AWS News Blog
AWS News Blog
Apple Machine Learning Research
Apple Machine Learning Research
GbyAI
GbyAI
Engineering at Meta
Engineering at Meta
阮一峰的网络日志
阮一峰的网络日志
罗磊的独立博客
F
Full Disclosure
S
Schneier on Security
L
LangChain Blog
MyScale Blog
MyScale Blog
Know Your Adversary
Know Your Adversary
P
Privacy International News Feed
Google Online Security Blog
Google Online Security Blog
Scott Helme
Scott Helme
Stack Overflow Blog
Stack Overflow Blog
爱范儿
爱范儿
A
Arctic Wolf
Martin Fowler
Martin Fowler
B
Blog RSS Feed
大猫的无限游戏
大猫的无限游戏
博客园 - 三生石上(FineUI控件)
The Register - Security
The Register - Security
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
博客园_首页
Latest news
Latest news
F
Fortinet All Blogs
G
GRAHAM CLULEY
T
The Exploit Database - CXSecurity.com
Hacker News: Ask HN
Hacker News: Ask HN

Domenic Denicola

Windows Native App Development Is a Mess On the Streams Standard The Wrong Work, Done Beautifully Onward Designing the Built-in AI Web APIs My Participation in the METR AI Productivity Study Spaced Repetition Systems Have Gotten Way Better Learning Japanese Part-Time ChatGPT Is Not a Blurry JPEG of the Web
DigitalOcean's Hacktoberfest is Hurting Open Source
Domenic Denicola · 2020-10-01 · via Domenic Denicola

For the last couple of years, DigitalOcean has run Hacktoberfest, which purports to “support open source” by giving free t-shirts to people who send pull requests to open source repositories.

In reality, Hacktoberfest is a corporate-sponsored distributed denial of service attack against the open source maintainer community.

So far today, on a single repository, myself and fellow maintainers have closed 11 spam pull requests. Each of these generates notifications, often email, to the 485 watchers of the repository. And each of them requires maintainer time to visit the pull request page, evaluate its spamminess, close it, tag it as spam, lock the thread to prevent further spam comments, and then report the spammer to GitHub in the hopes of stopping their time-wasting rampage.

The rate of spam pull requests is, at this time, around four per hour. And it’s not even October yet in my timezone.

A screenshot showing a spam query for the whatwg/html repository, which is at this time up to 14 spam PRs

Myself and other maintainers of the whatwg/html repository are not alone in suffering this deluge. My tweet got commiseration from OpenStreetMap, phpMyAdmin, PubCSS, GitHub, the Financial Times, ESLint, a computer club website, and a conference website, just within the first couple of hours. Since then a dedicated account “@shitoberfest” has arisen to document the barrage. Some cursory searches show thousands of spam pull requests, and rising.

DigitalOcean seems to be aware that they have a spam problem. Their solution, per their FAQ, is to put the burden solely on the shoulders of maintainers. If we go out of our way to tag a contribution as spam, then… we slightly decrease the chance of the spammer getting their free t-shirt. In reality, the spammer will just keep going, submitting more pull requests to more repositories, until they finally find a repository where the maintainer doesn’t bother to tag the PR as spam, or where the maintainer isn’t available during the seven-day window DigitalOcean uses for spam-tracking.

To be clear, myself and my fellow maintainers did not ask for this. This is not an opt-in situation. If your open source project is public on GitHub, DigitalOcean will incentivize people to spam you. There is no consent involved. Either we contribute to DigitalOcean’s marketing project, or, they suggest, we should quit open source.

Hacktoberfest does not support open source. Instead, it drives open source maintainers even closer to burnout.

A screenshot of a spam PR which adds the heading "Great Work" to the HTML Standard README

What can we do?

My most fervent hope is that DigitalOcean will see the harm they are doing to the open source community, and put an end to Hacktoberfest. I hope they can do it as soon as possible, before October becomes another lowpoint in the hell-year that is 2020. In 2021, they could consider relaunching it as an opt-in project, where maintainers consent on a per-repository basis to deal with such t-shirt–incentivized contributors.

To protect ourselves, maintainers have a few options. First, you can take the feeble step of ensuring that any spam against your repositories doesn’t contribute to the spammer’s “t-shirt points”, by tagging pull requests with a “spam” label, and emailing hacktoberfest@digitalocean.com. DigitalOcean themselves, however, admit that this won’t stop the problem they’ve unleashed on us. But maybe it will contribute to the metrics they collect, which last year showed that “only” 3,712 pull requests were labeled as spam by project maintainers.

If you’re comfortable cutting off genuine contributions from new users, you can try enabling GitHub’s interaction limits. However, you have to do this every 24 hours, and it has the drawback of also disabling issue creation and comments. Update: GitHub has made the limit configurable, and has a nice cheeky announcement tweet zooming in on the “1 month” option.

Another promising route would be if GitHub would cut off DigitalOcean’s API access, as Andrew Ayer has suggested. It’s not clear whether DigitalOcean is committing a terms of service violation that would support such measures. But they’re certainly making GitHub a less-pleasant place to be, and I hope GitHub can think seriously about how to discourage such corporate-sponsored attacks on the open source community.

Finally, and most importantly, we can remember that this is how DigitalOcean treats the open source maintainer community, and stay away from their products going forward. Although we’ve enjoyed using them for hosting the WHATWG standards organization, this kind of behavior is not something we want to support, so we’re starting to investigate alternatives.