How should open source software projects handle AI‑generated code? (manualdousuario.net)

KeePassXC — the popular offline open‑source password manager — sparked controversy after adding a short policy note asking contributors to disclose when a majority of a pull request was created with generative AI. Backlash prompted maintainer Janek Bevendorff to publish a blog clarifying the project’s stance: KeePassXC will not add AI features, every PR is reviewed by a human and must include tests, and generative tools have only been used for small, boilerplate fixes and tests so far. The post argues transparency is preferable to covert use, and that blanket bans are impractical because tools like GitHub Copilot leave no detectable signature and developers often mix AI output with hand‑written code. The episode matters for the wider AI/ML and open‑source communities because it crystallizes key tensions: code provenance vs. practicability, reviewer workload, and supply‑chain risk. Technically, the maintainers stress that AI‑generated code is not intrinsically more dangerous than poor human contributions — human‑led sabotage and npm/cURL incidents remain real threats — but a flood of low‑quality AI PRs could overwhelm small teams. KeePassXC’s approach — require disclosure, insist on tests and rigorous human review, and adapt policies if submission volume changes — offers a pragmatic template for projects balancing openness, security, and developer productivity.