- 
                Notifications
    You must be signed in to change notification settings 
- Fork 401
Add the Bevy Org's AI Policy #2204
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good. I think this lays out a clear position, and explains why we feel this is necessary without excessive moralizing or encouraging us to police problems that cannot be detected.
| I did try a render of this locally and the footnote rendering we have on docs pages leaves quite a bit to be desired. Might want to follow this PR up with a style update to make it look nicer. | 
| The unsolicited use of automated systems to communicate issues, bugs, or security vulnerabilities | ||
| about Bevy Organization projects under the guise of a human is considered unacceptable | ||
| and a Code of Conduct violation. Any individual contributor, operator of automated systems, | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
does this apply to communication that is clearly marked as AI-generated?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If unsolicited, yes. I think we should cut "under the guise of".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The "under the guise of" was explicitly included to avoid capturing automated systems that do not pretend to be humans. There are systems like GitGuardian that does a useful service but makes zero effort to hide that it's a crawler bot.
Under the proposed situation, so long as the fuzzer results are presented either by a human, or by a clearly demarked bot account, it shouldn't be an issue. It's only when it files issues or PRs as if it were a human, and then subsequently wastes valuable volunteer time with the expectations that said bot would continue to engage as if it were a human where it becomes a major problem.
|  | ||
| ## AI Generated Communications | ||
|  | ||
| The unsolicited use of automated systems to communicate issues, bugs, or security vulnerabilities | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"automated systems" is not a good phrase here IMO, it excludes things like fuzzers and linters. i would explicitly say "generative AI" or "LLMs" throughout.
(the other two places you say "automated systems" are further qualified and probably don't need changes, but this one is unqualified.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Interestingly I think that automated systems is fine here: the key term is "unsolicited".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh interesting - so you wouldn't want e.g. an academic lab to post the output of a fancy dynamic fuzzer they built? that's reasonable i suppose.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not without asking us first, no :) We'd say yes, but asking first is much more polite!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This reasoning clashes with what @james7132 says above:
The "under the guise of" was explicitly included to avoid capturing automated systems that do not pretend to be humans. There are systems like GitGuardian that does a useful service but makes zero effort to hide that it's a crawler bot.
Under the proposed situation, so long as the fuzzer results are presented either by a human, or by a clearly demarked bot account, it shouldn't be an issue. It's only when it files issues or PRs as if it were a human, and then subsequently wastes valuable volunteer time with the expectations that said bot would continue to engage as if it were a human where it becomes a major problem.
looks like James would find it okay to have a lab post the results of their academic fuzzer without asking as long as they clearly state what's happening?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I slightly disagree with James here, but it's not critical. Automated bots that are clearly marked as such and are trying to be helpful are both rare and not very obnoxious.
| 
 Policy is Well-ScopedI recently read Asahi Linux's Generative AI policy, and I think this policy does a good job of avoiding the pitfalls that IMHO they fell into: 
 Reasoning Seems IncorrectI very much agree with  
 Comparing Risk LevelsOne thing that's interesting about the comparison with Asahi's policy is that they make the (compelling-to-me) case that because their problem space is so esoteric and highly specific, LLMs may be more likely to reproduce the scarce, copyrighted training data that relates to the publicly undocumented hardware they write software for. FWIW, Asahi's reasoning seems to apply somewhat less readily to Bevy. Still, the three reports on AI by the US Copyright Office do indeed raise concerns for any non-trivial use of LLMs to author copyrighted content, concerns that they do not resolve. Unclear CasesI think the current draft is a bit unclear on whether the following use cases would be forbidden or allowed: 
 These feel like they fall somewhere between "autocomplete" and "generating entire function blocks". They're not equivalent to pre-LLM functionality, but neither are they Jesus-take-the-wheel-style vibe coding. I think the intention was to forbid these cases, though my own (perhaps less risk-averse) assessment would lean the other way, so it might be worth being a bit clearer. These cases would also be really hard to detect. Futility?Finally, I'd be surprised if non-trivial LLM-generated code hasn't already made it into Bevy or any widely-contributed-to open source project. Not sure what to do about that, but I guess if the intent is to err on the side of caution, a good-faith attempt to forbid the practice would be all that's practical to do. | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The recent feedback about "why is this a problem" being legally suspect has convinced me: that needs to be resolved before we can move forward.
| 
 I don't remember such comments? I agree with your concern, but did you mean @chorman0773? | 
| 
 Oops yeah that’s who I meant. 😅 #2204 (comment). | 
| Some other interesting discussion of policies around AI-generated code in the Linux Kernel. | 
| By using GitHub, our contributors are already agreeing to: 
 Those two covers already most of what I expect, not sure an additional document is needed? | 
| 
 I think we do need specific guidance on what contributors, org members, and maintainers are expected to do in the case we do see both contributions and issues from them, in addition to the policy and guidelines GitHub provides. Specifically providing the guidance to add  | 
Co-authored-by: François Mockers <[email protected]>
Co-authored-by: François Mockers <[email protected]>
Co-authored-by: François Mockers <[email protected]>
Co-authored-by: Alice Cecile <[email protected]>
Co-authored-by: Niklas Eicker <[email protected]>
Co-authored-by: Alice Cecile <[email protected]>
9d093fb    to
    b6e22af      
    Compare
  
    There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have some nits with the exact legalese (see my unresolved comments), but I believe this is justified, reasonable, well-written, and useful :)
Edit: yay, my nits were addressed!
RENDERED
Added a new Policies section to the Contributing Guide and incorporated the above draft under that section. The triage reference has also been updated to make guidance for
S-Nominated-to-Closealigned with the new AI policy.