This is bad.
-
@ireneista @xgranade voting eligibility is easy, just join at https://psfmember.org, and either pay dues or self-certify as a contributing member, and register your interest in voting when they send out the yearly email
-
@MissingClara I agree maintaining is the more difficult part, but introducing wildly unethical and flawed tooling into the authorship stage is a problem, and a major one at that.
@xgranade I also dislike it, but the cat's out of the bag, even if it wasn't allowed people would still be using it, just without revealing it
-
@astraluma Searching through commits directly at the command line, @SnoopJ found a list:
SnoopJ (@SnoopJ@hachyderm.io)
@theorangetheme@en.osm.town @xgranade@wandering.shop here are the commits on `main` where it's explicitly a co-author: (Edit: I missed a few commits because I hadn't pulled :picardfacepalm:) ``` $ git log --oneline -i --grep "Co-authored-by: Claude.*anthropic\.com" 300de1e98ac gh-86519: Add prefixmatch APIs to the re module (GH-31137) ac8b5b68900 gh-143650: Fix importlib race condition on import failure (GH-143651) 9b8d59c136c gh-72798: Add mapping example to str.translate documentation (#144454) 34e5a63f145 gh-141444: Replace dead URL in urllib.robotparser example (GH-144443) 59f247e43bc gh-115952: Fix a potential virtual memory allocation denial of service in pickle (GH-119204) 5b1862bdd80 gh-87512: Fix `subprocess` using `timeout=` on Windows blocking with a large `input=` (GH-142058) cc6bc4c97f7 GH-134453: Fix subprocess memoryview input handling on POSIX (GH-134949) 532c37695d0 gh-137134: Update SQLite to 3.50.4 for binary releases (GH-137135) ```
Hachyderm.io (hachyderm.io)
I found a few more by searching PR discussions, some mention Claude as the author but don't include that in Git metadata.
That said, the warning banner has been appearing for some folks and not others, I have no idea why.
@xgranade @astraluma I have seen the warning suppressed in at least one place on GitHub (the C "compiler" they have been wanking about) so I don't know if there's A/B testing going on or just plain old fraud or what
-
@xgranade I also dislike it, but the cat's out of the bag, even if it wasn't allowed people would still be using it, just without revealing it
@MissingClara I agree it's a hard problem, but it's one that is quickly eroding norms and trust in open source, and I think it's worth taking a firm stance on that?
Even if people lie and ignore that stance, that still sets a community value and prevents casual usage, plus gives a clear path towards banning those contributors who lie about their own usage?
-
@xgranade @theorangetheme yea, you run into "no ethical consumption" awful fast in software
-
@ireneista @xgranade voting eligibility is easy, just join at https://psfmember.org, and either pay dues or self-certify as a contributing member, and register your interest in voting when they send out the yearly email
-
This is bad. This is very, very bad.
I'm not trying to pick on Python here, I pick it because Python is something I'm actively using, and so I have a vested interest in the project *not* being AI-vulnerable.
But it's not good, chat. It's very far from good, in fact.
As an addendum, I'm using Python as an example here because it's near and dear to my heart. This is not "Python in particular is exceptionally bad," this is "a very bad thing has been happening in OSS *in general* and Python is now in that blast radius, which makes it harder for me to personally ignore."
-
@xgranade @ireneista Keep an eye on MicroPython; https://pyscript.net supports it as a backend, where it has the obvious benefit of, well, being small
@xgranade @ireneista Huh, maybe even https://brython.info/ ?
I thought that project had fizzled out, but no, it supports 3.14
-
@MissingClara I agree it's a hard problem, but it's one that is quickly eroding norms and trust in open source, and I think it's worth taking a firm stance on that?
Even if people lie and ignore that stance, that still sets a community value and prevents casual usage, plus gives a clear path towards banning those contributors who lie about their own usage?
@xgranade I agree, but it's not up to me 🫤
-
This is bad. This is very, very bad.
I'm not trying to pick on Python here, I pick it because Python is something I'm actively using, and so I have a vested interest in the project *not* being AI-vulnerable.
But it's not good, chat. It's very far from good, in fact.
@xgranade I also saw this on Neovim and Wezterm, both of which I really love. On those projects, it seems to be extremely minor stuff, but it's still extremely depressing.
I was just getting into Python lately too! I started with JavaScript, and then went right to C++/C/Rust since I wanted to do realtime DSP. There's a Python library called Abjad for manipulating Lilypond musical notation that's really cool to play with, but this puts a bit of a damper on that excitement.
-
@xgranade I agree, but it's not up to me 🫤
@MissingClara No, that's completely fair, and it's why I'm not out to pick on Python in particular here (wrote a follow up to try and make that very clear, sorry if I wasn't clear from the get-go). This is a problem across OSS in general, and doesn't have easy solutions... I just also don't want to give up because it's difficult? But I recognize that it's a messy problem for something as large as Python, especially.
-
@xgranade I also saw this on Neovim and Wezterm, both of which I really love. On those projects, it seems to be extremely minor stuff, but it's still extremely depressing.
I was just getting into Python lately too! I started with JavaScript, and then went right to C++/C/Rust since I wanted to do realtime DSP. There's a Python library called Abjad for manipulating Lilypond musical notation that's really cool to play with, but this puts a bit of a damper on that excitement.
@reillypascal To be fair, the number of commits on CPython itself seems to be rather limited at this point. But it's more that I don't see the opposition needed to contain the problem to those commits. As I said in another thread, I see this more as a very bad leading indicator rather than immediately catastrophic.
-
@ireneista @glyph I hope it doesn't, if only because I want to be focusing on my specfic and screenplays, but if it does come to that, I very very much so appreciate your support.
-
This is bad. This is very, very bad.
I'm not trying to pick on Python here, I pick it because Python is something I'm actively using, and so I have a vested interest in the project *not* being AI-vulnerable.
But it's not good, chat. It's very far from good, in fact.
@xgranade ugh ugh UGH
-
This is bad. This is very, very bad.
I'm not trying to pick on Python here, I pick it because Python is something I'm actively using, and so I have a vested interest in the project *not* being AI-vulnerable.
But it's not good, chat. It's very far from good, in fact.
@xgranade
Looks like about a dozen commits reference Claude in the commit message or authorship. Note to others: you have to do a bit more work than just "grep -i claude", as there are humans that are named Claude too. But the Anthropic Claude is definitely in there, which raises some legal questions about copyright I think. -
@xgranade
Looks like about a dozen commits reference Claude in the commit message or authorship. Note to others: you have to do a bit more work than just "grep -i claude", as there are humans that are named Claude too. But the Anthropic Claude is definitely in there, which raises some legal questions about copyright I think.@joelle Yeah, at least one list of commits that I saw also grepped for anthropic.com, but that's a very good point.
Anyway, with respect to it being about a dozen, yes, this is fairly limited in its impact so far, but what worries me is that Python itself is in the blast radius of Anthropic's efforts to enclose OSS at *all*, and with seemingly no processes in place to limit that exposure.
It's part of why I've taken to referring to this kind of problem as "AI-vulnerable."
-
As an addendum, I'm using Python as an example here because it's near and dear to my heart. This is not "Python in particular is exceptionally bad," this is "a very bad thing has been happening in OSS *in general* and Python is now in that blast radius, which makes it harder for me to personally ignore."
As a second addendum, since this has come up in several reply threads, the number of commits is limited so far, and doesn't date back past December 5, 2025 so far as I'm aware of.
The Python-specific part of that broader problem is, at least to my mind, that there's not a mechanism that I see for limiting that exposure to those commits, to preventing further and more expansive commits in the future.
-
@xgranade @ireneista Huh, maybe even https://brython.info/ ?
I thought that project had fizzled out, but no, it supports 3.14
@xgranade @ireneista Well, MicroPython has an advantage in that it's still written in C, and it is therefore possible to port C extension modules to it, though there aren't that many which really support it yet
-
This is bad. This is very, very bad.
I'm not trying to pick on Python here, I pick it because Python is something I'm actively using, and so I have a vested interest in the project *not* being AI-vulnerable.
But it's not good, chat. It's very far from good, in fact.
@xgranade
Huh, back to perl then I guess?
-
@SnoopJ @theorangetheme No, absolutely. I see this as the leading indicator rather than the damage itself, if that makes sense?
I keep using the term "AI-vulnerable" to try and point to that there isn't necessarily an actual direct impact, so much as a dramatically increased vulnerability surface area.
@xgranade @SnoopJ @theorangetheme I'm curious--how is Claude directly able to do commits? Why is it not "Claude on behalf of Dave Alvarado"? I understand somebody ran an agent against the code base, but someBODY ran the agent against the code base. Somebody prompted it saying "go find security vulnerabilities in Python".
It sure would be nice to know who, not just "Claude".
