For the last couple of years, DigitalOcean has run Hacktoberfest, which purports to “support open source” by giving free t-shirts to people who send pull requests to open source repositories.

In reality, Hacktoberfest is a corporate-sponsored distributed denial of service attack against the open source maintainer community.

So far today, on a single repository, myself and fellow maintainers have closed 11 spam pull requests. Each of these generates notifications, often email, to the 485 watchers of the repository. And each of them requires maintainer time to visit the pull request page, evaluate its spamminess, close it, tag it as spam, lock the thread to prevent further spam comments, and then report the spammer to GitHub in the hopes of stopping their time-wasting rampage.

The rate of spam pull requests is, at this time, around four per hour. And it’s not even October yet in my timezone.

A screenshot showing a spam query for the whatwg/html repository, which is at this time up to 14 spam PRs

Myself and other maintainers of the whatwg/html repository are not alone in suffering this deluge. My tweet got commiseration from OpenStreetMap, phpMyAdmin, PubCSS, GitHub, the Financial Times, ESLint, a computer club website, and a conference website, just within the first couple of hours. Since then a dedicated account “@shitoberfest” has arisen to document the barrage. Some cursory searches show thousands of spam pull requests, and rising.

DigitalOcean seems to be aware that they have a spam problem. Their solution, per their FAQ, is to put the burden solely on the shoulders of maintainers. If we go out of our way to tag a contribution as spam, then… we slightly decrease the chance of the spammer getting their free t-shirt. In reality, the spammer will just keep going, submitting more pull requests to more repositories, until they finally find a repository where the maintainer doesn’t bother to tag the PR as spam, or where the maintainer isn’t available during the seven-day window DigitalOcean uses for spam-tracking.

To be clear, myself and my fellow maintainers did not ask for this. This is not an opt-in situation. If your open source project is public on GitHub, DigitalOcean will incentivize people to spam you. There is no consent involved. Either we contribute to DigitalOcean’s marketing project, or, they suggest, we should quit open source.

Hacktoberfest does not support open source. Instead, it drives open source maintainers even closer to burnout.

A screenshot of a spam PR which adds the heading "Great Work" to the HTML Standard README

What can we do?

My most fervent hope is that DigitalOcean will see the harm they are doing to the open source community, and put an end to Hacktoberfest. I hope they can do it as soon as possible, before October becomes another lowpoint in the hell-year that is 2020. In 2021, they could consider relaunching it as an opt-in project, where maintainers consent on a per-repository basis to deal with such t-shirt–incentivized contributors.

To protect ourselves, maintainers have a few options. First, you can take the feeble step of ensuring that any spam against your repositories doesn’t contribute to the spammer’s “t-shirt points”, by tagging pull requests with a “spam” label, and emailing DigitalOcean themselves, however, admit that this won’t stop the problem they’ve unleashed on us. But maybe it will contribute to the metrics they collect, which last year showed that “only” 3,712 pull requests were labeled as spam by project maintainers.

If you’re comfortable cutting off genuine contributions from new users, you can try enabling GitHub’s interaction limits. However, you have to do this every 24 hours, and it has the drawback of also disabling issue creation and comments. Update: GitHub has made the limit configurable, and has a nice cheeky announcement tweet zooming in on the “1 month” option.

Another promising route would be if GitHub would cut off DigitalOcean’s API access, as Andrew Ayer has suggested. It’s not clear whether DigitalOcean is committing a terms of service violation that would support such measures. But they’re certainly making GitHub a less-pleasant place to be, and I hope GitHub can think seriously about how to discourage such corporate-sponsored attacks on the open source community.

Finally, and most importantly, we can remember that this is how DigitalOcean treats the open source maintainer community, and stay away from their products going forward. Although we’ve enjoyed using them for hosting the WHATWG standards organization, this kind of behavior is not something we want to support, so we’re starting to investigate alternatives.