This article is more than 1 year old
Open-source devs drown in DigitalOcean's latest tsunami of pull-request spam that is Hacktoberfest
Rewarding pointless patches with free swag leads to 'DDoS' against projects
Updated Hosting biz Digital Ocean kicked off its seventh Hacktoberfest on Thursday – and managed to seriously annoy the very developers the event aims to celebrate.
Launched in 2014, Hacktoberfest was founded to inspire people to get involved with the development of open-source software. It attempts to do so by encouraging programmers to submit quality pull requests to open-source repositories on GitHub with the promise of a free t-shirt in return.
The event has proven to be extremely popular though it hasn't done anything for the quality of the contributions. Between the lure of swag and the reputational reward one gets from social interaction metrics on GitHub for any kind of activity, there's not much that ensures contributions are meaningful.
The result has been a deluge of spam that burdens already put-upon developers who maintain projects, often without much in the way of compensation or recognition.
A pull request is a proposed code change, a text-based message posted to a code repository. The maintainers of the repo have to deal with those messages, which involves reading them and either accepting or rejecting them. And that takes time. Perhaps unsurprisingly, it turns out that urging people to suggest code changes when they haven't necessarily identified needed improvements is a recipe for frivolous submissions.
Open-source companies gather to gripe: Cloud giants sell our code as a service – and we get the square root of nothingREAD MORE
In a blog post on Wednesday, Domenic Denicola, a senior software engineer at Google who contributes to various open source projects, lambasted Hacktoberfest for promoting what he describes as "a corporate-sponsored distributed denial of service attack against the open source maintainer community."
Denicola said that in one day, before the event had even officially begun, he and his fellow maintainers of the Web Hypertext Application Technology Working Group (WHATWG) HTML repository had closed 11 spam pull requests.
"Each of these generates notifications, often email, to the 485 watchers of the repository," he explained. "And each of them requires maintainer time to visit the pull request page, evaluate its spamminess, close it, tag it as spam, lock the thread to prevent further spam comments, and then report the spammer to GitHub in the hopes of stopping their time-wasting rampage."
Since then, the number of pull requests identified as spam has risen to 28. And that's just one repository.
Drew DeVault, a developer who maintains various open-source projects, said as much in a post on Thursday: "As I write this, a Digital Ocean-sponsored and GitHub-enabled Distributed Denial of Service (DDoS) attack is ongoing, wasting the time of thousands of free software maintainers with an onslaught of meaningless spam."
Digital Ocean is aware of the situation. Its Hacktoberfest FAQs go on at length about avoiding low-quality contributions. Nonetheless, people submit pointless pull requests, like adding punctuation to a README.md file.
Sick of people making utter useless PRs like adding 1 semi colon to Readme just for the sake of completing #Hacktoberfest challenge.— Kautuk (@Kautukkundan) October 1, 2020
If you're a repo maintainer, do them a favour and label the PR as "invalid" so that it doesn't count to the challenge. Support quality OSS. pic.twitter.com/PZcsg3Q2dd
The Hacktoberfest website has a section titled, "Let's work together to reduce spam," as if the open-source community should rally to solve a problem created by Digital Ocean.
The Register asked DigitalOcean to comment. No one has responded. And DigitalOcean community platform manager Matt Cowley suggested there's nothing the company can really do.
"You can contact us via the support address on the site if you want a repo excluded," he explained via Twitter in answer to a developer looking for a way to reduce the spamming. "We can't actually stop contributions though, projects are open-source on GitHub, anyone can create a PR if they want to."
Imagine an arsonist declaring, "Only you can prevent forest fires," and you can get a sense of the frustration among open source maintainers.
"Their solution, per their FAQ, is to put the burden solely on the shoulders of maintainers," laments Denicola. "If we go out of our way to tag a contribution as spam, then… we slightly decrease the chance of the spammer getting their free t-shirt."
The discontent among developers has spurred the creation of a Twitter account with an indelicate name to track all the useless pull requests foisted upon open-source maintainers.
Open source turns 20 years old, looks to attract normal peopleREAD MORE
The account contains a link that suggests the extent of the spamming: it lists over 300,000 issues created with the keywords "improve docs" – pull requests to add text to repo documentation are the easiest to make because no actual functioning code needs to be included.
But as Denicola pointed out in an email to The Register, that search doesn't limit the time frame. If you set a start date of September 29, 2020, to account for the overenthusiastic participants who got started early, you get about 7,400 results.
A search cited by Denicola for pull requests closed as spam – an action maintainers must take deliberately – returns fewer results: 1,136 at the time this article was filed.
In a summary of last year's Hacktoberfest, DigitalOcean's Cowley said, "Of the 483,127 PRs submitted during Hacktoberfest, only 23,299 (4.82 per cent) were identified as spam, with 19,587 (84.07 per cent) of those being in a repository that the Hacktoberfest team excluded from the competition for not following the shared values and 3,712 (15.93 per cent) being labeled as 'invalid' by project maintainers."
"I think we're easily on target for hundreds of thousands this year, given that it's only October 1," said Denicola. "The 3K from last year was only the explicitly-tagged spam, and this year we've hit that in one day."
DeVault sees little point in any of it.
"Hacktoberfest has never generated anything of value for open source," he said. "It’s a marketing stunt which sends a deluge of low-effort contributions to maintainers, leaving them to clean up the spam." ®
Updated to add
"As of 2pm PST on October 1, at least four per cent of pull requests from Hacktoberfest participants have been marked ‘invalid’ or ‘spam’," Digital Ocean said in an update on Thursday. "We’ve traced the majority of this year’s spammy contributions back to a participant with a large online audience who openly encouraged their community to take part in spammy activities, including ideas on how to game the system. However, we know the spam issues go beyond this one example."
As a result, it's going to help maintainers opt out of Hacktoberfest, set up a system to ban persistent offenders, and double the amount of consideration time for maintainers to 14 days.
"We’re sorry that these unintended consequences of Hacktoberfest have made more work for many of you," the cloud biz said, addressing project developers. "We know there is more work to do, which is why we ask that you please join us for a community roundtable discussion where we promise to listen and take actions based on your ideas."