Saagar Jha (@saagar@saagarjha.com)

Saagar Jha

12/30/2025

So there’s this guy on GitHub that’s sending hundreds of PRs to completely unrelated open source projects to fix typos and stuff and I’m sure he’s using AI or something because half of them are unnecessary or wrong and when someone reviews the PR to point it out he just closes it

5 replies →

5 replies

Rexo the Trans Bus 🏳️‍🌈🏳️‍⚧️🚌

12/30/2025 (replying to Saagar Jha)

@saagar@federated.saagarjha.com I think I saw this - isn't this related to some weird "crypto for contributions" thing???

pancake :radare2:

12/30/2025 (replying to Rexo the Trans Bus 🏳️‍🌈🏳️‍⚧️🚌)

@rexo @saagar probably because money ruins everything

Jonathan Hendry

12/30/2025 (replying to Saagar Jha)

@saagar

Why are they like this.

Wesley Moore

12/31/2025 (replying to Saagar Jha)

@saagar well I guess that's one way to really juice your stats on GitHub, and make it so you can claim you contributed to a bunch of major projects.

Screenshot of GitHub showing "Opened 152 other pull requests in 18 repositories" across projects such as swift, python, got, expat, mimallac, freebsd, sudo.

Saagar Jha

01/01/2026 (replying to Wesley Moore)

@wezm I mean that claim would be correct I am just a little unhappy at what it signifies

shac ron ₪‎

12/31/2025 (replying to Saagar Jha)

@saagar I would say project owners should be able to rate submissions, but then again project owners are very often huge jerks so that is a terrible idea.

Saagar Jha

01/01/2026 (replying to shac ron ₪‎)

@shac I mean they can they rate it by merging it

Hugo 雨果

12/31/2025 (replying to Saagar Jha)

@saagar he might just be using some fancy new spellchecker he came across.

Saagar Jha

12/30/2025 (replying to Saagar Jha)

There are no obvious tells and some of them do actually fix real (if often superficial problems) so he is being taken seriously by most of them, it’s just that half of them get merged and half are closed as per above because they’re wrong.

Saagar Jha

12/30/2025 (replying to Saagar Jha)

Except sudo, which has merged all 23 of his PRs without comment. I guess this means their code is either so bad that the LLM is finding all bunch of actual bugs, or that the maintainers aren’t reading his PRs closely. I’m not sure either makes me feel good about the project.

11 replies →

11 replies

Matt Massicotte

12/30/2025 (replying to Saagar Jha)

@saagar sudo merge pr

Greg Gardner

12/30/2025 (replying to Saagar Jha)

@saagar At least sudo isn't a critical piece of the security of almost every Unix-based system on the planet. Oh wait, it is.

pancake :radare2:

12/31/2025 (replying to Saagar Jha)

@saagar link?

icraze

12/31/2025 (replying to pancake :radare2:)

@pancake @saagar GitHub user AZero13

pancake :radare2:

12/31/2025 (replying to icraze)

@icraze @saagar yeah 23 prs merged in one week. I hope @millert reviewed them properly before merging, but to me the changes look safe, actually there are a couple of tricky ones that are fixing real memory safety bugs.

pancake :radare2:

12/31/2025 (replying to Saagar Jha)

@saagar llms can spot a large variety of bugs that static analyzers don’t catch, yeah sometimes also hallucinate some. But combined with asan, clang analyzer and valgrind they are a really powerful solution for code review and bug catching. So I wouldn’t say sudo’s code is bad, but software engineering is so hard that it’s easy to find ways to improve the quality over time. C coding practices evolved and that’s a techdebt we are all used to face every day

Saagar Jha

01/01/2026 (replying to pancake :radare2:)

@pancake I think it is possible to use AIs effectively but I don’t think you can send 150 PRs a month without there being problems somewhere

pancake :radare2:

01/01/2026 (replying to Saagar Jha)

@saagar yeah i doubt that too, im also not happy with blind merging or review less prs

krig

12/31/2025 (replying to Saagar Jha)

@saagar @algernon good thing it’s just some fringe project and not a foundational building block that all computing is built upon

Thomas Touhey

12/31/2025 (replying to Saagar Jha)

@saagar The maintainer does seem to have commented/done review on some, but some of the PRs either fix security issues, or introduce some, finding out which would require some more experience with the codebase. Anyway, very scary stuff.

Byte

12/31/2025 (replying to Saagar Jha)

@saagar sudo as in, *the* sudo millions of people and computers use every day??

Techokami

12/31/2025 (replying to Saagar Jha)

@saagar Two of them did have comments, though: https://github.com/sudo-project/sudo/pull/498 this one points out an issue that was then resolved by him. https://github.com/sudo-project/sudo/pull/490 THIS one, an actual conversation (albeit a short one) on potentially deprecating and removing SecureID support

Saagar Jha

01/01/2026 (replying to Techokami)

@techokami Yeah fair I didn’t actually click through all 23

Jakobpunkt🔥

12/31/2025 (replying to Saagar Jha)

@saagar @gnomon wait wat

Koutsie :unverified:

01/01/2026 (replying to Saagar Jha)

@saagar oh god

Joel

01/02/2026 (replying to Saagar Jha)

@saagar @saagar I hope this isn’t another xz con job.