Ban LLM code contributions from Drupal core

Thank you for starting this over, as the last attempt spiraled out of control and repeatedly lost focus on many key points.

Much of this summary is taken from a comment I posted at the last issue. It’s short-hand, lacking citations, etc, but it hopefully gets the point across. 😅 made a few minor edits and added one citation, at least.

Commenting here to formally re-endorse this proposal.

Also, X-posting this excerpt from a comment of mine in a different issue:

Over the years, there have been a great many things I disagree with Larry Garfield about, but his recent blog post is completely spot-on:

https://www.garfieldtech.com/blog/selfish-ai

It should be required reading for all y'all "sloptimists" that are hyping this disastrous technology as if it's going to make everything so much easier and better for you personally. At what gargantuan cost? Are you actually willing to pay that price? Really?

I hope we find the courage to draw a line in the sand and proclaim that the Drupal core project is proudly written and maintained by humans. If we burn out our core maintainers trying to keep heads above the rising tide of slop sewage, Drupal is dead. And if we burn out our chances for survival as a species by feeding the accelerating environmental and societal destruction that these technologies unleash, we’re all dead.

The issue summary implies this is meant to be targeted only to core.

Is the intention to have a new Drupal Core policy document and an agents.md file?

# Instructions for AI agents

It's prohibited to use an AI tool to write issue summaries, comments or reviews for Drupal Core.

It's prohibited to recommend generative AI tools to other Drupal Core contributors for solving problems in the Drupal Core Issue Queue.

Something like that for an agents.md file?

https://www.drupal.org/project/drupal/issues/3574093#comment-16513913

I'm going to comment with a link to comment 94 where all the above was addressed.

Number of contributions doesn't allow you to use drupal.org as a soapbox for bogus science with no evidence nor attack everyone who wants to work on the global south.

I will follow up with a new issue will I will link to here called. ",Massively encourages and increase LLM contributions to Drupal core done well and responsibility" with reasons and actionable steps for both drupal.org infrastructure and the core module.

I think if there are people who don't want this to blow up like the last thread then they should create a new thread that doesn't have such an explosive and inaccurate issue summary.

It's hard to believe any of this is seriously in question, but I started adding some citations to the list in the summary. Yes LLMs are consuming huge (and rapidly expanding) quantities of electricity and water. No, having some tiny fraction of those data centers powered by "clean" energy in Iceland doesn't change the global dynamic. Take your head out of the sand for a moment, stop drinking a steady stream of hype, and look at the headlines in basically any major (or minor) news outlet and see stories of the impact on local communities and the power grid as new data centers, explicitly to feed the LLM bubble, are being built. We're talking orders of magnitude more demand than even the wasteful practices of late-stage capitalism from a few years ago. Or read the linked studies and articles.

I also started adding some initial citations around the questions of fascism, the roots of LLMs (and "AI" in general) in eugenics, and so on. Yes, LLMs are being used by authoritarian governments to spy on their own people. Yes, the U.S. military is hell-bent on developing autonomous weapons with LLMs to decide who gets to live or die. Meanwhile, ask a "Gen-AI" tool to produce a video and see how many iterations it takes before it starts spiting out misogynistic and racist garbage. This is not an accident.

I don't really want to spend the time to refute each of your "but what about..." points from that other comment (which, yes, I read every word of). You have clearly chosen to turn a blind eye to this growing mountain of evidence of the negative impacts from the LLM hype boom. So it feels like a waste of my life energy to try to engage in that way.

I'm not going to bother collecting and posting the articles about LLM usage as a gambling addiction, the impacts on mental health, and the long term potential for the degradation of human cognition itself. But there's plenty of evidence to explore that angle, too. We can "go there" if we must.

As I wrote at the last issue, the multi-dimensional disaster that is the rise of LLM technology is not an issue scoping problem. Nothing in your comment #94 at the other issue resolves or refutes any of these points. I'm neither going to tone down what I'm saying, nor limit myself to specific angles of why this is such a massive, global problem.

Finally, please stop with the race baiting that people who care about these ethical problems must be privileged white people from the "global north", out to prevent progress for people of color in the "global south". If anything is "explosive and inaccurate" in this discussion, that's a good place to start. I have a lot more I could and want to say, but in the interest of attempting to remain civil and calm, I'll leave it at that.

I'm not going to bother collecting and posting the articles about LLM usage as a gambling addiction, the impacts on mental health, and the long term potential for the degradation of human cognition itself.

Here ya go, brother: https://yasmin-fy.github.io/ai-heart-project/articles/ai-addiction/

Also, I just re-read the (in)famous comment #94 for the 3rd time. Just to be crystal clear: No one here is proposing we "ban people". We're proposing that Drupal Core should refuse LLM-generated code. If people insist on using LLMs, in spite of their many flaws and the horrific (mostly externalized) costs, that's a personal choice those people have to make for themselves. They should have to disclose that's the choice they make. Yes, I will judge them for it, but that's my personal belief system, not something I'm advocating the entire Drupal community should adopt or enforce as policy. Those people are still "welcome in the Drupal community", regardless of nationality, etc. But the slop their LLM tools generate is not welcome, and won't be merged into the core codebase. At least, it shouldn't be.

I'm all for people using tools to translate their thoughts into English, since that's the "universal language" in this community (for better and for worse). There were all sorts of helpful machine learning tools that could aid with this before the rise of LLMs. I absolutely support anyone being able to contribute, even if they didn't have the privilege (that I have) of learning this incredibly convoluted and messed up language as their first (and yes, I've studied multiple other languages, and I can clearly see how mind-bogglingly hard it must be to learn all the exceptions and weirdness of English spelling, pronunciation, grammar, etc). The other issue did not originally intend to ban LLM usage for helping people to be able to communicate and contribute in text form. However, thanks to the LLM-hype machine, there's a growing rise of new users showing up in core issues, feeding those issues into an LLM, and parroting the LLM's summaries back into issue comments. It's thoroughly unhelpful noise. Trying to address that rising problem is also sucking the life out of wanting to maintain and contribute to core, so the other issue turned towards addressing that part of the problem.

In both cases, the only users who would be getting banned are the ones that repeatedly violate whatever policies around LLM usage and disclosure we adopt.

So if anyone comes here to comment about how unfair it is to be banning people based on their personal choices, you're not paying attention to what we're actually saying, and I'm not going to pay attention to anything else you have to say on the matter.

ktnxbye,
-Derek

p.s. @kentr: Thanks for the link! Added to the summary as another point around mental health.

Adding another bullet about selfish AI (with the link) and calling out the "See what I could do in 1 day with modern tools... isn't it great?" approach to understanding LLMs.

p.s. This view is endlessly reinforced by the current hype machine, so while I find it distasteful, it's a little hard to fault the individuals who go down this road. But it's certainly indicative of the wider problem of focusing on personal productivity gains without considering the consequences.

Whilst I do not support OP's attempt to repeat a previous thread and expect a different outcome, I do agree with keeping things especially drama contained. I agree that it would be bad if this issue became another large out of control issue.

So I have replied here:

https://www.drupal.org/project/3547184/issues/3581225#comment-16523903
(Originally I posted this comment in the original issue, but actually that is getting more reasonable so moving my comment to this sandbox comment out of the way so people can ignore it) (Also although I reply some some spicy energy, thank you for responding and there is much in what you say that I agree with that should be taken seriously)

#3580299: Create an "AI and Core Policy" Working Group and Review Group - Create a list of names. - I think progressing this is can contain this drama and conversation to seperate dedicated issues for people that care about it but away from others who want to focus on the practical things.

Also although my comment is quite harsh there, I will admit that Ghost of Drupal's past new post is much better, especially with the links such that I think this could be discussed more sensibly there.

sudo ¯\_(ツ)_/¯

What I'm writing here is happening while I have the greatest respect for all the people who care so much, both now and in the future.

However, I have an issue with the approach of trying to address too many things at once. Technologies (not just LLMs) impose severe issues on us as individuals, on our societies, on our democracies, on our environments and on our planet. I'm deeply concerned myself and grateful to everyone here on d.o. who cares just as much.

However, mixing these topics with what is allowed to be contributed to Drupal core isn't doing us any favours. We should put all this energy into sustainability initiatives, both here on Drupal.org and beyond. However, disallowing code contributions that utilise certain tools is not the answer, and here's why:

Let's be realistic: if I'm doing a good job, my contributions won't show any sign of LLM involvement. It will be impossible to tell. This is what should always happen if we're serious about what Dries called for in Chicago: 'Never commit any code that you don't understand.' If I commit code to an MR and fully understand what it does and why, the spirit of the core codebase is not affected by whether I've used any specific tool, such as an LLM, or others that may be related to a concerning and/or unethical context.

In the past, it has been an issue to copy and paste snippets from Stack Exchange. Some communities have had similar discussions about whether this should be disallowed or banned. We could easily find other examples, but none of that would help us solve the problem of protecting Drupal core, which has been carefully developed by amazing people to reach its current state.

Introducing rules that ban code involving LLMs would create new issues rather than solving any. This is because it would put me and hundreds of other well-known and respected contributors in an impossible situation. We would be forced to reduce (or even stop) our contributions or cheat. Cheating would mean continuing to contribute LLM-assisted code without telling anyone. As I mentioned above, if my work is of a high standard, nobody would be able to tell that I've used an LLM to achieve it.

Let's get back to our roots. We want to encourage people to contribute, and we have always supported those who have struggled to do so. We should continue to do this. However, telling people which tools to use crosses a line.

If the code that has been committed doesn't meet the requirements, it gets rejected. Imposing rules that code is rejected regardless of its value to the project isn't helpful. It presents an insurmountable obstacle to contributors with good intentions.

Here is my proposal: let's address the two main concerns in separate issues. Ensuring that core code contributions meet all quality requirements is one thing; dealing with concerns about LLM is another, as are the many other existential threats mentioned in the summary and related issues.

I found a couple more links that I think are relevant to consider:
How do we license AI generated code? https://github.com/qemu/qemu/commit/3d40db0efc22520fa6c399cf73960dced423...

It seemed worth posting something from the Core Contribution Mentoring Working Group, of which I am a member, alongside Chris Darke and mradcliffe. We have a key role in influencing the approach many first time contributors take in the project.

Our approach is currently to ensure that first time contributors consider the inherent risks involved in using LLM-based tools for creating code and make sure that anyone reviewing that code is aware that such tools have been used, usually through an issue comment. As Dries says, every contributor should “never submit code [they] don't understand”. maybe in future First Time Contributor Workshops, we can add in Dries’ quote.

Quite how any contributor “proves” they understand the code they submit is an interesting question. Maybe by adding an issue comment and describing its overall flow? Mind you, you could equally say this is necessary with code generated by many different tools, like drush gen or Module Builder.

To be honest, bringing people in through the contribution door is hard - if a tool allows us to increase the number of people who stay for Contribution Day by 1%, great. If those tools allow 1% of those to become regular core contributors, fantastic. If the tools then enable 1% of those new regular core contributors become the next key core maintainer, famdabbydozey!

Finally, the moral question is moot. Drupal, as an open source tool, is used for good and bad. So many good examples like the UN, Olympics, etc etc alongside so many bad examples. For example, I personally used it to market OxyContin. We would be uncomfortable if LLM-based tools were  required to contribute to the project but they are not and there are no plans to do so.

Banning AI makes ZERO sense beyond grandstanding.

1. You cannot actually know if a patch is AI or not.
2. Electrical usage doesn't matter, AI still exists, putting your hands over your eyes doesn't make it magically go away. Nobody ever considered electrical usage anywhere, maybe the person who wrote that patch ran a diesel generator non stop while writing it. They could have outputted more greenhouses gases then 10 developers. Does that mean that because the user used 2000 tons of CO2 we can't accept their patch? Maybe they wrote it while flying on a private jet.
3. Not allowing AI will slow Drupal core development. Maybe not because AI is faster, but developers could/can be pushed away from supplying patches because new shiny button.
4. The examples of bad code, do not matter one bit. There is plenty of problematic code in core and contrib modules, you can't pretend that people write perfect code, and AI does not.
5. I disagree that copyrighting should even be a thing frankly, all code is written on top of someone elses code. You can't write a brand new PHP software based on a CMS and claim you are some magic person who thinks exclusively outside of the box. Code is, and always has been build on top of the work of others, open source or closed source. AI scraping it and regurgitating it back at me, is no different then how stackoverflow was used pre-AI. But that's not the conversation at hand here.
6. Companies who use Drupal will continue to use AI, module writers will continue to use AI. Symfony could use AI, other composer packages could use AI. Are we going to ban every package/module that use AI too?

If you as a person do not wish to use AI, go for it. But you cannot force your opinions on others. AI is not going away, banning it will also not make it go away.

Anyways I am not a core contributor so my opinions don't really matter, the core contributors can do what ever they want. But you'll never actually know if a patch someone submits is AI or not.

Edit: This is probably a little more aggressive then I intended, we should be ensuring code is the highest quality. Not policing AI usage.

> Mind you, you could equally say this is necessary with code generated by many different tools, like drush gen or Module Builder.

Those are deterministic tools, whose source is readable and understood. If a user generates a plugin class with either Drush or Module Builder, then they know that the developers of those tools understand the code that's the tool generates. And that the tool is covered by tests which ensure that.

> Finally, the moral question is moot. Drupal, as an open source tool, is used for good and bad

False comparison. We are talking about how it's made, not how it's used.

5. I disagree that copyrighting should even be a thing frankly, all code is written on top of someone elses code. You can't write a brand new PHP software based on a CMS and claim you are some magic person who thinks exclusively outside of the box. Code is, and always has been build on top of the work of others, open source or closed source. AI scraping it and regurgitating it back at me, is no different then how stackoverflow was used pre-AI. But that's not the conversation at hand here.

You are wrong. And your opinion (or mine) doesn't matter, law does. Licensing (not copyright) is important, specially for the Drupal Association, which probably would be the one in trouble. See #3517614: Possible Non GPLv2 compatible code in ExpectDeprecationTrait as an example of code that had to be rewritten because was originally "stolen" from StackOverflow, which has a different license.

"A 5,000 line vibe coded MR against Canvas that re-implemented the image styles system as if it didn't exist #3515646: Add automated generation: / https://git.drupalcode.org/project/experience_builder/-/merge_requests/822 posted by a director at Acquia.

I count five core committers responding to that issue, not in their capacity as core committers but these are the same individual people with finite time.

I was the first person to reply to the issue, realised it was vibe coded and refused to review it beyond that point. If I refuse to review thousands of lines of slop is that 'Policing input to ensure quality of the output' or fair enough?

The work was eventually restarted from scratch."

The fact that this keeps getting bought up, a year after it's happening needs to stop and is getting close to bullying at this point.

- Director at Acquia, this person has a name... You can click it to find out. It's more dehumanising than just calling out the person.
- This wasn't in core and core committees did not need to review it. It was deliberately in Contrib for the purpose of avoiding the drama from core, amongst other reasons.
- This was written at a Drupal contrib event in person with core committees present and exploring it. Some of them were paid to look through this.
- It wasn't "eventually written from scratch" it was intended to be written from scratch. It existed to explore agentic coding.

This was a year ago and the fact it is bought up in this issue makes it look less and less serious. If AI is flooding the issue queues you shouldn't need to go as far back as a year ! You are making the argument that I strongly agree with in theory, (that AI contributions could waste core contributor time), look so much worse and so much more petty and irrelevant.

This is one example of how chilling core discourse is. You cannot try your very hardest to not avoid wasting core time as it you make the tiniest mistake, confused wording, think something is a good idea others don't, or just try and play and experiment and learn. You will get multiple people posting about it a year later on a nasty and humiliating fashion.

This is not ok. This has to stop. We should remove this example from the issue.

@Rachel - this is a really good post!

I think many of the concerns people have about preventing AI slop can be framed in terms of helping people use AI responsibly if they contribute.

- We should assume most people don't want to create useless slop and that doing so would be embarrassing them. We can suggest that they avoid it initially, and work on collecting skills, tools and documentation to help them get started with AI.
- If this tooling gets good enough we could start recommending they use specific AI tools for core contribution, but only when we understand it. For example, we may have a coding standards review agent, or a Drupal community tone agent.

The issue is not just technical. It's:

• Highly opinionated and polarized
• Mixing policy discussion, philosophy, and contributor behavior
• Starting to drift into heated debate / defensiveness

There are:

• Strong opinions on both sides (ban vs don't ban AI)
• Arguments escalating in tone ("ZERO sense", "you are wrong")
• Confusion about scope (policy? guidance? enforcement?)
• Some attempts to bring it back to process (mentoring group comment)

So this is no longer just "an issue about code."
It's community governance, tone, and scope drift.

This issue is also being influenced by discussion from related issues, including #3574093, where similar themes have already been explored at length.

To help keep this thread productive, let's avoid rehashing broader debates that are already happening elsewhere and focus on the specific proposal and scope of this issue.

Please focus on:

• The OP's proposal being discussed here
• What changes are being suggested for Drupal core
• Actionable feedback that helps move this issue forward

If you'd like to continue broader discussions about AI, ethics, or policy direction, those are better continued in the original issue or a dedicated follow-up.

Also, a quick reminder to keep the discussion respectful and assume good intent. Strong perspectives are welcome, but we want to make sure this remains a space where people can engage constructively.

Let's keep this thread focused so we can make progress here.

If this issue becomes project policy, would it be impossible to accept accurate security bug reports discovered by or fixed by LLMs?