tea.xyz causes a flood of spam pull requests to open... | web3 is going just great

web3 is going just great's posts Post Back to profile

web3 is going just great

tea.xyz causes a flood of spam pull requests to open source projects

February 26, 2024
https://www.web3isgoinggreat.com/?id=teaxyz-spam

tea.xyz causes a flood of spam pull requests to open source projects
This crypto skeptic I've heard of once said "Show me the incentive and I will show you the outcome."
A project called tea.xyz promised people they could "get rewards for [their] open-source contributions", complete with a flashy website describing how it would "enhance the sustainability of open-source software". So far, it's achieved the exact opposite. Promising to reward open source contributors with crypto tokens, the project asked users to verify their access to open source projects by merging in a YAML file containing their crypto wallet address. This kicked off a flood of pull requests to prominent, often non-crypto-related open source projects by people who had never contributed to the project (or, often, any open source project), but who wished to merge in a file describing them as a "code owner".

Particularly impacted by this project was the open source blogging platform Ghost, which was used as an example in the demo video released by tea.xyz, and which received several PRs of this kind. A somewhat flummoxed maintainer of the repository replied to one PR: "[I]n practice the TEA project is not helping to support the Ghost project, but is instead causing a rush of self-serving PRs to be submitted to cash-in on other people's work. ... This why people hate on crypto." A maintainer of another unrelated open source project called "ghost" also reported receiving an influx of spam PRs. This is not the first time crypto has generated massive Github spam, although another recent incident was (blessedly) mostly limited to open-source crypto projects and didn't waste the time of non-crypto-related projects as this one has.

Like 27 February at 14:49 | Open on indieweb.social

12 comments

web3 is going just great

markstos commented 4 days ago
Here's what I believe is happening:

The TEA project claims it wants to support open source developers using some kind of blockchain technology. Somehow, more popular projects will be rewarded more.

I believe people are rushing to add this file without explaining what it does because in each case it establishes their blockchain wallet as the "code owner" of the popular Ghost project, even though they aren't regular contributors.

So in practice the TEA project is not helping to support the Ghost project, but is instead causing a rush of self-serving PRs to be submitted to cash-in on other people's work.

Have I missed something? Because so far no alternate explanation for these tea.xyz submissions has been put forth.

And this is fun: I tried searching for the meaning of the "codeOwners" field for TEA, but for a project that claims to support open source, they don't make the documentation of this file format easy to find. Yes, they include a "what is this file" link in the file, but it doesn't take to you page that explains what the YAML means, it's just a page that describes in hand-waving terms how their crypto project is awesome.

This why people hate on crypto.

27 February at 14:51 | Open on indieweb.social

byte :ms_robot_headpats:

@web3isgreat cryptobros not being insufferable shitbags actively doing harm - challenge impossible

27 February at 14:58 | Open on awawa.club

Play Ball!!! cafechatnoir

@web3isgreat
So, they're basically vandalizing open source projects for crypto tokens that they'll never get?

27 February at 14:53 | Open on mastodon.social

awooo :autism:🏴‍☠️🐾⎇

@web3isgreat I hate whatever this fucked up timeline we've ended up in is

27 February at 15:00 | Open on floofy.tech

iliazeus

@web3isgreat oh, aren't those the same guys that are making a package manager and decided to generate package descriptions with an LLM?

https://github.com/pkgxdev/pantry/issues/5358

27 February at 15:02 | Open on lor.sh

iliazeus

@web3isgreat yup, looks like it

screenshot of github.com/pkgx

"run anything - from the creator of brew"
(...)
"pkgx is a core contributor to the tea protocol"

screenshot of tea.xyz

"From the creator of Homebrew"

27 February at 15:05 | Open on lor.sh

@iliazeus @web3isgreat The original plan was for these to be the same project. At least that’s what the landing page used to say before launch.

27 February at 18:22 | Open on mstdn.social

iliazeus

@josephholsten hm, wonder why they were trying to hide the cryptocurrency connections :blobcatthink:

27 February at 18:32 | Open on lor.sh

@iliazeus evidently, ugh. the replybot is a particularly nice touch :blobfoxfacepalm:

27 February at 15:05 | Open on hachyderm.io

@iliazeus omg it is! That’s so funny

27 February at 15:10 | Open on veoh.social

DELETED

@iliazeus @web3isgreat yep, seems like it.

27 February at 15:12 | Open on tech.lgbt

@web3isgreat @troublewithwords I think what we’ve learned from this is to stop calling things ‘ghost’ ;-)

27 February at 15:09 | Open on mastodon.online