OpenSSL Communities
Mon 25 Aug 2025 8:41PM

AI policy?

Paul Dale

Over in the small business community, the topic of what to do with AI contributions was raised.

It seems prudent for the project to have an AI policy. What should it contain?

Richard Levitte Wed 27 Aug 2025 8:12AM

I look at what others have already done in this department... curl went through exactly this sort of question, albeit their angle was different (they did it as a reaction to lots of AI slop in their bug bounty program), and made a policy that isn't overly draconian: https://github.com/curl/curl/blob/master/docs/CONTRIBUTE.md#on-ai-use-in-curl

Richard Levitte Wed 27 Aug 2025 8:20AM

It seems like other projects I've my eyes on haven't really had a reason to deal with AI enough to worry yet...

Nicola Tuveri Wed 27 Aug 2025 11:06AM

@Richard Levitte this was on my feed today: https://blog.stuartspence.ca/2025-08-declining-ai-slop-mr.html

Nicola Tuveri Wed 27 Aug 2025 11:22AM

One thing I mentioned yesterday at the Foundation BAC meeting is the duality of the problem: we want to guide our (contributing) users into an acceptable use of AI tools when engaging with the project. On the other hand, our users might desire to read about how the project considers it acceptable to use generative AI for its tasks, to determine if they find it acceptable and in line with their values when deciding to adopt OpenSSL for their needs, investing time and resources on the project, or endorsing the project or the mission in any public forum.

Here’s a provoking point to make an example.

Authors should be explicitly aware that the burden is on them to ensure no unlicensed code is submitted to the project.

This is independent if AI is used or not.

The above excerpt from the curl policy seems to me more or less in line with my interpretation of the current OpenSSL CLA.

Would it be acceptable for OpenSSL to have language like the above in our policy, but then carelessly use generative AI for creating engaging images in their communication material? Would it be correct to ask our users about the authorship implications of generative AI when submitting code to the project and disregard them when the same authorship issues apply to “non-technical” material?

We had a discussion on this yesterday, and one argument was the technical cost for the project of having to remove code from released sources in case of contention as being something quite dear to us as engineers. But I am pretty confident that if we had affected artists in the discussion they would advocate as much about the costs in terms of reputation and trust in disregarding human authorship, as well as the indirect damages OpenSSL would be contributing to for the disregarded exploited artists.

Richard Levitte Wed 27 Aug 2025 6:07PM

@Nicola Tuveri

In the arts, there's this fuzzy line between outright plagiarism and "being inspired by" (which can be methods, which may be color choices, which may be overall style).
Younger artists start with mimicking older artists, or are just drawn to the same genre and end up doing similar things, but that may develop into something unique but still inspired later.
Musicians make covers for other musicians' work, and start composing their own stuff later on.
What of all that is "being inspired by" and what is straight plagiarism? Sometimes, it's quite hard to tell, and sometimes, it's more about intent.
Quoting from a book is considered "fair use", as long as it's within reason.

(oh boy, have I discussed these things with my mom, who was a sculptress, and oh boy, have I discussed these things with fellow photographers)

From a photographer standpoint, I do have pictures out there, some being crap, others I'm really proud of. I would find it quite disturbing if I saw one of them whole with just small edits, but I wouldn't find it overly disturbing if I found my eyes being used as a detail in a grander image.

Going back to code, I view it the same way. The way I understand AI, it's still a piecemeal generator of tokens, based on very complicated statistical models, more or less (yeah, there's more to it, but...). Is it very likely to reproduce big pieces of code verbatim, or does it recombine pieces that are likely to be seen together? On which side of the line between outright plagiarism and "being inspired by" does that fall? That's an open question I have that's still looking for an answer.

Also, another question is what we actually view as the thing covered by IP rights. Is it the whole, or is it every detail? After all, there's only so many ways to write a skeleton for loop, right? When can we talk about "fair use" in the same way as for quotes from a book?

Richard Levitte Wed 27 Aug 2025 6:13PM

@Nicola Tuveri

The thing that I see being an outright threat with AI isn't so much about where the code it generated came from, but rather that it can produce code so damn fast, and with obvious slop that people using it don't always pay attention to. It's scary to realize that others may accept that, 'cause quicker in spite of the quality deterioration.

So folks who care more react... and some want to reawaken Ned Ludd (https://en.wikipedia.org/wiki/Ned_Ludd)

Richard Levitte Wed 27 Aug 2025 6:14PM

No, I'm personally not that negative... but I gotta admit, I'm in a "wait and see" state

Richard Levitte Wed 27 Aug 2025 6:18PM

Circling back to the provoking point, "Authors should be explicitly aware that the burden is on them to ensure no unlicensed code is submitted to the project", I wouldn't take it farther than "to the best of your knowledge".

As was pointed out before, we run the same sort of risk because people might "be inspired by" stuff on stackflow or whatever forum, guides, book on programming they've read, yada yada yada

Dmitry Belyavsky Wed 27 Aug 2025 8:41PM