Oh, this is really unlucky. I like Hacktoberfest and always get my T-shirt. Perhaps opt-in would be a great idea.<p>I can see why this happens, though. I've noticed that a whole bunch of projects have `good-first-issue` being something like "Re-architect module loading system" while most commits are like "correct typo". Like, jeez, man.<p>The participants are probably just pattern-matching against the commits available.<p>EDIT: Decided to go look at the spam that OSM got (a project close to my heart) and what the hell, man, look at this diff<p><removed><p><pre><code> * Tom Hughes [@tomhughes](https://github.com/tomhughes/)
* Andy Allan [@gravitystorm](https://github.com/gravitystorm/)
+
+
+ Made with Love
</code></pre>
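Review bot: the three added lines after the @gravitystorm entry (two empty lines followed by "Made with Love") do not follow the `* Name [@handle](url)` format of the entries above and add no contributor to the list. They should be dropped, which leaves this file unchanged.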
This is just awful! I really feel for the maintainers. This user is just adding nonsense to a bunch of places.<p>EDIT again: Whoops, guys, I didn't mean to cause more spam to the project. Removed the diff link. Jesus Christ, I ended up becoming the villain I was complaining about by linking it.
WOW! I have had a wildly different experience. Really sorry to see that it has caused you so much stress.<p>I run engineering at Operation Code
<a href="https://operationcode.org/" rel="nofollow">https://operationcode.org/</a>
<a href="https://github.com/operationcode/" rel="nofollow">https://github.com/operationcode/</a><p>We've been massive fans of Hacktoberfest for the last 3 years because it has brought a MINIMUM 300% increase in quality pull requests compared to even the next best month of the year.<p>I even put my own money on the line to double down on the incentives with extra prizes in exchange for resolving multiple issues. I've made friends and long-term coding partners from the event as well.<p>I hope they never end Hacktoberfest, but I think they should definitely offer the ability for you to signal/flag that you're not interested in participating as a repository.
Holy crap<p><a href="https://github.com/MattIPv4/hacktoberfest-data#diving-in-pull-requests" rel="nofollow">https://github.com/MattIPv4/hacktoberfest-data#diving-in-pul...</a><p>> <i>"Of the 483,127 PRs submitted during Hacktoberfest, only 23,299 (4.82%) were identified as spam"</i><p>That is insanely high noise for hacktoberfest, especially when tagging spam "correctly" takes a non-insignificant amount of effort from the maintainers.<p>I was ready to rant about this post but … no, wow, this is very much warranted.
This is unfortunate, and I agree with other commenters that Hacktoberfest should be opt-in.<p>I had a great experience with Hacktoberfest last year. I tagged a few issues with Hacktoberfest and got a nice PR from someone showing me how to configure my Vue project for unit testing.[0] It was a non-trivial PR and a useful contribution.<p><a href="https://github.com/mtlynch/whatgotdone/issues/279" rel="nofollow">https://github.com/mtlynch/whatgotdone/issues/279</a>
It seems like some of the spam might have been automated. From this comment at least one spammer seems to do a regex for "website" in the repo's name.<p><a href="https://github.com/promcon/website/pull/158#issuecomment-701654274" rel="nofollow">https://github.com/promcon/website/pull/158#issuecomment-701...</a><p>Some people were saying this could also be used to detect repositories that have "auto-merging" in order to add vulnerabilities to them later, perhaps using Hacktoberfest as a cover for more nefarious activities. That's strange, I haven't heard of projects that automatically merge certain PRs from arbitrary accounts.
I would love to see more talk from companies about how to foster meaningful contribution instead of focusing on measurable contribution.<p>I recently read "Working in Public" which was great, I recommend it. One interesting observation that was made: The perceived pipeline of user => casual contributor => active contributor => maintainer...is a lie. In the book they argue (convincingly) that you do not convert someone from casually contributing to actively contributing, it's instead that active contributors also make casual contributions.<p>What does that mean in this context? This company is operating under the assumption that they are helping by getting more people into the pipeline. In reality, what we need are active contributors who are invested in projects, not fly-by-night-i-want-a-shirt contributors.<p>For context I maintain <a href="https://www.CodeTriage.com" rel="nofollow">https://www.CodeTriage.com</a> which is a community of about 55,000 devs interested in open-source.
> Finally, and most importantly, we can remember that this is how DigitalOcean treats the open source maintainer community, and stay away from their products going forward. Although we’ve enjoyed using them for hosting the WHATWG standards organization, this kind of behavior is not something we want to support, so we’re starting to investigate alternatives.<p>> Another promising route would be if GitHub would cut off DigitalOcean’s API access<p>I am pretty sure DigitalOcean is not doing this in bad faith or trying to damage the open source community, but the author seems to be out for blood for what seems to be an oversight on the part of DigitalOcean, suggesting that this is how DigitalOcean treats the open source community and one should boycott their products.
I'm appalled by this behaviour but also bemused. What's the motivation for spamming repositories <i>just to get a t-shirt</i>? I mean, are the t-shirts really <i>that</i> good?
For some context it's worth quoting directly from the published statistics available at (1). Although if this is based on manually tagging something as spam it is probably an understatement.<p><pre><code> Of the 483,127 PRs submitted during Hacktoberfest, only 23,299 (4.82%) were identified as spam, with 19,587 (84.07%) of those being in a repository that the Hacktoberfest team excluded from the competition for not following the shared values and 3,712 (15.93%) being labeled as "invalid" by project maintainers.
</code></pre>
1. <a href="https://github.com/MattIPv4/hacktoberfest-data" rel="nofollow">https://github.com/MattIPv4/hacktoberfest-data</a>
Wow. Just a moment ago I received a PR to slightly modify a readme, in a way that seemed unusual (no insertion of links or anything, but odd punctuation choices). I couldn't understand why someone would send it, and then saw this post.
I'm sorry actually to see that most of the names in the screenshot are people from India. Hacktoberfest to some degree has turned into a madfest with most college students here. Rather than actually contributing to open source, many new repos pop up during these times where fellow college students raise a PR for nothing.<p>It's the T-shirt that's the primary reason but also the flaunting on social media as if I'm some kind of certified open source contributor.<p>PS: I've also been part of Hacktoberfest launch events where some people literally created their first PR.
This is especially stupid of the spamming participants. If you so desire a t-shirt and don’t want to make any meaningful contributions, just make your own BS repo and make your own BS pull requests.<p>I intended to make meaningful contributions last year and accidentally hit the quota just by making PRs to my own projects.
It seems it will be necessary for DO to put more of a burden on potential t-shirt recipients to prove that they are making valid PRs and acting in good faith.<p>A first step would be to only allow contributions to selected projects that have first approved to be included in Hacktoberfest.
Google's Summer of Code was a little annoying too. You'd get this wave of Indians, where GSoC is extremely popular, asking you what they could do for you if they knew some C++. It was a lot of work to deal with their applications and shepherd them along a project and it usually yielded little in the end. We wanted new contributors, but at best we'd get a sort of working idea over a summer.<p>I know for some other projects GSoC worked out well. I'm sure people will pipe up telling us how we're doing it wrong if we couldn't get good results from GSoC candidates, but after a couple of years I was tired of being involved with it and got cynical about it.
I'm sympathetic, but I'd be interested to know whether there's also an increase in non-spam contributions. We probably need to wait a while to find out, since it's reasonable to expect the spammy t-shirt-seeking PRs to be front-loaded and the substantive PRs (if any materialize) to take some time.<p>edit: and it's worth saying, sometimes a newbie's first PR is pretty indistinguishable from spam. It would be ironic if one of the results of this project was teaching a bunch of young programmers that they're not needed or wanted in FOSS.
I think I understand the intensity of emotion here. Open source is a really high trust community, more so than a lot of real-world spaces. Yet, it's adjacent to some other areas where poorly tuned incentives cause bad behavior. Spamming for free t-shirts is a relatively harmless manifestation. It's just some attention, though attention is our most valuable resource. I'm also reminded of cases where people take over undermaintained plugins to insert malicious behavior; it's the same kind of thing, just farther along on the badness scale.<p>I'd love it if we're able to preserve the high trust nature of open source. I also wouldn't be surprised if it starts eroding. If that's the case, this kind of thing is the tip of the spear, and in that light it makes sense to get pretty upset about it.
<i>What can we do?<p>My most fervent hope is that DigitalOcean will see the harm they are doing to the open source community, and put an end to Hacktoberfest. I hope they can do it as soon as possible, before October becomes another lowpoint in the hell-year that is 2020. In 2021, they could consider relaunching it as an opt-in project, where maintainers consent on a per-repository basis to deal with such t-shirt–incentivized contributors.</i><p>It seems like what could be done that's better for all involved, since there are reportedly (here in the comments) some repo maintainers that really like the program, would be to:<p>- Immediately suspend it while attempting to contact all the repo maintainers that are on the list<p>- Explain what's going on, apologize, and give them the option at that point to opt in if they see benefit otherwise do nothing or decline to not be included<p>- Note on the Hacktoberfest project page the temporary suspension for maybe a week while they get info back on who still wants to be included (and maybe some other repos volunteer, who knows).<p>To me that seems like a sane way to handle this (as opposed to the somewhat hyperbolic statements and suggestions in the article).
For an idea of the magnitude of this problem, just do a search for recently-created pull requests with the text "improve docs": <a href="https://github.com/pulls?q=is%3Apr+%22improve+docs%22" rel="nofollow">https://github.com/pulls?q=is%3Apr+%22improve+docs%22</a><p>By my count, the rate of these PRs has increased from about 20/hour (averaged over the past month) to about 200/hour (in the last 12 hours), with the vast majority of the recent ones being worthless spam.
I've been a developer for 5 years. One of my 2020 goals, aided by being stuck at home because of a certain pandemic, is to make the leap to being a contributor in an open source project I care about.<p>One of my coworkers shared Hacktoberfest details and I got really fired up! I looked through repositories I could reasonably contribute bug fixes or light features to. Got myself familiar with the codebases, PR process, Hacktoberfest guidelines (that are very clear about spammy contributions).<p>Then reading this and seeing some of the bogus contributions myself (some by contributors who coincidentally share my name!), I don't know how to feel about this. Maybe keep up my laziness streak and punt my contributions to November (and reward myself with nerdy apparel!)? Or take this as a fun opportunity to redeem my name?
Hm. I did my first Hacktoberfest last year, and it was fun. I only remember 2 of them.<p>One was something like build the worst implementation possible of aspects of the .Net framework, but while a joke project, it's been around for a few years, and you actually had to make something that _worked_ and in a reasonable amount of time. It was a fun challenge.<p>The other one was a bit of a lark, but it led to me and the maintainer having some discussions, working out some code, and then them taking about 2/3 of the PR just because there were constraints that were immutable for them, and neither of us could come up with a viable workaround, and we parted friends.<p>This is something that should be fun/interesting, and presumably, adding to the open source community. The T-shirt is a cool idea, but I think I ended up doing 7 or 8 of them just because I had gotten into the mode of "I'll just skim through the list of open projects and provide some real help while I have some free time."<p>Maybe it's time to make it opt-in. Register your projects with DO and Hacktoberfest, and those will be the only ones that get counted. Assumption being though that if you sign up your projects, you're going to stay up to speed on PRs and merge or mark as spam in a reasonable amount of time.
<a href="https://en.wikipedia.org/wiki/Goodhart%27s_law" rel="nofollow">https://en.wikipedia.org/wiki/Goodhart%27s_law</a><p>>When a measure becomes a target, it ceases to be a good measure.
I like the DigitalOcean team and know some of them personally. The thing is that the author is spot on with his comments.<p>In the OpenFaaS community we've suffered every year from spam and low quality PRs that completely ignore the contribution guidelines. The worst part is that we cannot opt out.<p>I would love to see the team listening to maintainers and coming up with new ideas.
I was curious what the average PR looked like, so I went to their project and opened one at random: <a href="https://github.com/whatwg/html/pull/5968/commits/5d8b75ef0a3dc5dd7c2786c27de8031b4ad5a619" rel="nofollow">https://github.com/whatwg/html/pull/5968/commits/5d8b75ef0a3...</a><p>Yeah, it's pretty bad.
I know that it's only peanuts for Digital Ocean in the grand scheme of things, but this blatant disrespect for open source maintainers makes me seriously consider not topping up the credits for my personal servers next time and moving them elsewhere.
Classic Goodhart’s law: “When a measure becomes a target, it ceases to be a good measure.”<p>I don’t know the solution for this. But sheer number of PRs/commits is obviously meaningless. We just don’t have a better (cheaper) proxy to latch on to.
When I read about this, I expected a lot of unnecessary but positive PRs, or some grammar-nazi-ness, but actually it is really pure spam:<p><pre><code> https://github.com/phpmyadmin/website/pulls?q=is%3Apr+is%3Aclosed+label%3Aspam
</code></pre>
The changes are not even positive contributions; they literally break the documentation and add some useless or unwanted meaningless SPAM.
This sucks, but I’m not surprised. I’ve been contributing to Hacktoberfests for 4? 5? years now, and the explosion in size from the first year could realistically only result in this. I was planning on taking part again this year, but now I’m not so sure—I can make sure my PRs are of a minimum quality. But seeing the ones they’re up against really puts a bad taste into the whole affair.
Has anyone (DigitalOcean, Github or others) run numbers on what percentage of casual users are converted into persistent open-source contributors while initially being incentivized by Hacktoberfest? Sure spam is and always will be a problem, but if that first number is significant (of course that's a big if) then it makes sense to encourage this effort by putting in some moderation overtime. As I mentioned elsewhere in the thread I'd very gladly sift through a mountain of spam if it meant getting another reliable maintainer or two for my project.
I foresee maintainers automating the process of flagging _every_ pull request as spam for the event window, and communicating that decision to the actual community beforehand.
Looking at the homepage[1] for Hacktoberfest this year, the organizers do appear to try to lead people towards projects that are looking for help.<p>It's possible that differences in the way the event is announced and explained may lead to different expectations and results.<p>And sure, some people are just going to spam, especially if there are incentives involved. Looking at a few of the pull requests linked in the post, some of them definitely are of questionable contribution value.<p>An ideal outcome should likely still incentivize participation: for some folks, this may be their first time contributing to open source at all, and there's a non-zero chance that could lead to massive learning opportunities for them, and future contributions to open source projects -- but yes, maintainer burden is a real problem to balance against too.<p>Providing opt-in/out for repositories is certainly one possible approach. What other techniques are available to manage large quantities of inbound communication and filter signal/noise?<p>[1] - <a href="https://hacktoberfest.digitalocean.com/" rel="nofollow">https://hacktoberfest.digitalocean.com/</a>
Doing anything completely open on the internet invites spam and misery.<p>This program would be better off just sponsoring projects instead. Otherwise use opt-in repos and invites/approvals of people who want to work on them, or other rules like limiting new accounts and personal repos.<p>The first improvements this October should be to the hackathon itself.
I did notice in the rules that you can report the spam.<p><i>If a maintainer reports your pull request as spam or behavior not in line with the project’s code of conduct, you will be ineligible to participate.</i><p><a href="https://hacktoberfest.digitalocean.com/" rel="nofollow">https://hacktoberfest.digitalocean.com/</a>
This reminds me of the constant "security reports" I get.<p>"Changing the email doesn't expire the session on your web app". Should it? The email isn't the login, why should the session expire? It should expire on password change, maybe username change (but even then, why?). It's just a bunch of spam templates basically from people who don't really even understand the reports they are making.<p>And then they ask for public recognition so they can get points on one of those public security leaderboards.
These kinds of issues exist everywhere, albeit at varying levels. I would like to draw an analogy with the research field. Researchers are solving a very specific problem in the hope of getting a paper published. Mostly they don't care about how their research would fit in the bigger picture, and it is evident from the fact that most research ideas do not get adopted in commercial products (equivalent to PR requests not getting accepted).
> To be clear, myself and my fellow maintainers did not ask for this. This is not an opt-in situation.<p>I was under the impression PRs only applied if they fixed an issue tagged as “Hacktoberfest”. Is that not the case anymore or am I missing something?<p>Edit: looks like the rules changed at some point and now it’s any repo. I wonder if they should stick with labelled issues only to resolve this problem?
I'm not a public repo maintainer. I have just my own personal repos, but I will say that for me Hacktoberfest has been only a positive. I think my first ever PR on someone else's repo was because I was spurred on by Hacktoberfest to dip my toes in. Since then, I've become more and more comfortable with git and Github.<p>I would be very sad to see Hacktoberfest end.
It's interesting to see the other side of the story. I won't dive much further, just wanted to thank OP for the clarity of the post, explaining the rationale and above all offering an array of solutions with various effects.
That's the kind of article I get richer from. Thanks.<p>And take care, hope you don't drown in the PRs.
Perhaps the approach should be: Provide a GH username, submit actually useful code, have it reviewed & merged. Then, when the username is listed under some commit in master you can mail them their damn shirt.<p>Incentivizing spam should be criminalized over the next decade if we are to maintain our humanity.
Perhaps this would align everyone's incentives:<p>- Only honor PRs against repositories that have opted-in<p>- Only allow repositories that meet certain "notability" criteria to opt-in (to prevent the creation of "fake" repositories)<p>- Only honor PRs that are merged within a specified time-period<p>- If DO has the resources, volunteer some folks to filter/close spammy PRs on the participating repos<p>I maintain several open-source projects, and the spam would annoy me. That said, if the constraints above were applied to Hacktoberfest, I would opt-in my own projects. I think these constraints would do a reasonable job of disincentivizing people opening spammy PRs (because I simply wouldn't merge them), while bringing my projects to the attention of developers that are looking to make a contribution to open-source in good faith.
> There is no consent involved.<p>Isn't it possible to disable pull requests? I thought GitHub had that capability by now. It's unfortunate but if the abuse persists on GitHub I suppose it's always possible to go back to sending patches via email.
I was really looking forward to Hacktoberfest this year, because it's the first time that I'm also participating as a maintainer. But I've already got my first spam PR on my rather unknown 50 stars repository.<p>Interestingly, this year one can choose between a t-shirt or planting a tree. In other words, everyone who chooses a t-shirt is now considered a person valuing some "useless stuff" over doing something good for the world, which looks like a moral trap from DigitalOcean's side. They should just drop the t-shirt option, which would be both more useful and hopefully stopping at least some of the spammers.
I got one of these (they changed the title of the project in the readme to that of one of their personal projects) earlier and had no idea what it was about until a GitHub support person told me it was just more Hacktoberfest spam (at which point I went up and learned what that is). And apparently it's my responsibility to clean it up? No thank you.<p>I love the idea, but maybe let me opt in or something instead of putting the burden on me to reduce your spam. It would be trivial to have projects put a "hacktoberfest" label on something if they want to participate, for example.
While it is easy to point the finger at DO (and they do share the blame), I think it is important to remember that in the end it's individual people with individual responsibility who are doing this abuse.
Here's a crazy idea: What if you had to actually get your PR merged to get a t-shirt?<p>That would dramatically reduce the incentives for spam, since a spam PR is very unlikely to be merged.
Would it be possible to use git actions to automatically flag every new pull request as spam if it's not from a previous contributor during the month of October?
I've got some useless PRs during the month of October. I archived the repo two days back since I'm not actively working on it anyway and who wants to deal with spam?<p><a href="https://github.com/learnbyexample/Python_Basics/pulls?q=is%3Apr+is%3Aclosed" rel="nofollow">https://github.com/learnbyexample/Python_Basics/pulls?q=is%3...</a><p>I'll have to see if this prompts useless PRs to my other repos. Hope not.
This is rather unfortunate. If only the spammers realized they could simply post four PRs on their own repos. That would at least limit the problem somewhat.
I'm always surprised by the amount of effort a lot of people can put into winning so little. I mean, some people do spam pull requests to get a free t-shirt?
Such a massive marketing fail. Hacktoberfest reminds me of an event called Oktoberfest where alcoholics from around the world join their ranks and collectively destroy their livers and promote destructive drug taking (alcohol is a drug). On second thought, given how much of a car crash this thing is, perhaps Hacktoberfest bears an appropriate name in the end.
Damn DigitalOcean... get you . together!
Can I just buy a t-shirt and plant a tree by doing so?<p>I have only little time these days but I like the design and would like to add to the good cause behind it.
It seems like we could have a script that marks all low-value PRs during the 7 day window as spam, and automatically emails digitalocean about it.<p>And then run another script to try to find high-value/non-spam PRs and suggest those to the maintainers for a second look.
High quality plain t-shirts are $6 in bulk.<p>Why would you save $6 to turn yourself into an unpaid walking billboard for someone else?<p>To me, wearing clothes with logos or names on them that depict a company or brand that you don’t personally own is the ultimate low-status move.
It seems that you can at least opt-out by sending them an email:<p><a href="https://twitter.com/MattIPv4/status/1311366041897971712" rel="nofollow">https://twitter.com/MattIPv4/status/1311366041897971712</a>
Counter example, on the mozilla-mobile/fenix and mozilla-mobile/android-components repositories we received dozens and dozens of great PRs last year. Hacktoberfest is something we always look forward to.
This is unfortunately so true. Last year I got away with "only" 4 or 5 spam PRs (and 0 legitimate ones). But this year I've already got 2 before my timezone reached October!<p>Digital Ocean, please stop this.
They responded: <a href="https://hacktoberfest.digitalocean.com/hacktoberfest-update" rel="nofollow">https://hacktoberfest.digitalocean.com/hacktoberfest-update</a>
We got hit with someone that blindly updated a file path in a mirror only repo.<p>He threw a fit though in response about us "not building a community" in the mirror repo. Heh. Get fucked buddy.
A guy that works at Google complaining about minor PR spam and attacking a generally positive open source program is a bit rich given we can't visit a website or watch a video online without having ads shoved down our throats.<p>Anyway there is a simple solution... Archive the repo for the month of October, take a break from OSS, and chill out.
> DigitalOcean seems to be aware that they have a spam problem. Their solution, per their FAQ, is to put the burden solely on the shoulders of maintainers.<p>During such events, I think maintainers (for popular projects) should get some help for spam filtering PRs.
I get that this is aggravating, but I think the hyperbolic hammering on the event that's presumably about promoting open source is misguided.<p>Opt-in could help. So could better access control tools from GitHub.<p>DO could make it so that users have to use a specific tag on the PRs; there are tons of ways maintainers could filter on that.<p>DO could switch the prizes to be something less likely to draw spam than a t-shirt would - like free cloud resources.<p>TLDR; in the spirit of software - let's iterate on this imperfect event instead of junking it outright.
> <i>To be clear, myself and my fellow maintainers did not ask for this.</i><p>Oh yes you did: by using github.<p>You can self-host and nobody will bother you in a way that you can do little about.
I feel bad for the repository maintainer, but they take Digital Ocean's initiative in extremely bad faith during this article. People are frequently incentivized to do the wrong thing and, oh look, here we are. This situation could be resolved or at least improved upon by Hacktoberfest and a load of maintainers sitting down and talking things out.<p>This is a comms problem, not a "corporate-sponsored distributed denial of service attack against the open source maintainer community". The well-meaning frequently cause more problems than they solve, but it is better to have them on the inside of the tent pissing out than on the outside of the tent pissing in, it is said.
How do you square this opinion with <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=690b0543a813b0ecfc51b0374c0ce6c8275435f0" rel="nofollow">https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/lin...</a>?, the youngest committer to the Linux kernel?
I don't see how this is a problem. This is what you signed up for.<p>I am also an open source maintainer, and would love for Digital Ocean to drive by my project.<p>Isn't this what we signed up for as open source developers?<p>Maybe I'm just lonely.
DigitalOcean's network is one of the worst on the internet in regards to abusive traffic (DDOS, spam email, hacking attempt origin points). I know this term is as good as dead these days but their SysOps are not good netizens. Abuse complaints never receive replies, their system images are insecure by default, they encourage novice users to take extreme risks in order to sell more product. /End rant.