Unfortunately many game disks only contain a downloader nowadays and you often need to bind them to an account to play. Plus the version on disk without updates is probably buggy. Baldur's Gate 3 Collector's edition is an example that has a disk, but isn't really any better than a Steam key.
On the other hand you can back up a DRM free download, like the games on GOG, despite these being a purely digital download.
So overall I don't think the physical form matters that much compared to DRM.
It's disgusting how a previously open platform for gaming (PC) was turned into what it's become with Steam. Young people either don't know or don't care that it used to be the norm to buy and install a game without a middleman "service".
That argument has been harder to make with time. A couple years ago I made the difficult decision to get rid of some old game copies. I wasn't realistically going to use them ever again, and the sentimental value for me is entirely about the memory, not the media. Part of my steam collection is nearly as old and it is on track to greatly outlast. It is also significantly easier to own and use in just about every aspect, even if it is technically just a revocable license.
Beyond that, Steam and the digital media model allowed a great many people to publish games that wouldn't otherwise have been able to publish games. It made the indie world of games possible. It also did more than anyone to bridge the platform gap between windows and linux.
Steam was beneficial for small devs who otherwise had no good distribution options and were way too easy targets for piracy.
Otherwise, it's just a pain. Like my favorite PC game Age of Empires 2 was a CD, then when they finally remade it, it was like oh you gotta sign up for Steam first, and now you gotta launch this adware to play your game, which btw is an entire Chrome browser, and sometimes it'll refuse to launch your stuff too. Then several game publishers made their own Steam-like launchers except even worse. The situation is worse now, good thing I don't really care about video games anymore.
I'm really worried about what will happen to Valve when Gabe retires.
I can see a bean counter making a very convincing case that it's cheaper to go back to Windows and avoid all this Linux reverse engineering gubbins which isn't bringing in an immediate profit, especially when they're giving away all theirs efforts by open sourcing Proton.
Gabe allegedly (nobody knows because it's a private company) owns 50.1%, it's not majority employee owned. It's possible he might turn it over to the employees or some kind of co-op style board but who knows if he's offered the right price by a cashed up investor.
He's got children to consider and could reasonably want to set them and his grandchildren up for generational wealth.
Which just further highlights the importance of actual DRM free ownership. Even in the face of a relatively benevolent corporation, that corporation won’t be that way forever. Leaders and cultures change, sometimes overnight (look at what happened when Broadcom bought VMWare, they started extorting customers immediately). Adobe is another good example that pulled the rug out from underneath creatives and started renting software instead of selling it.
PC game piracy was pretty mainstream back then. It was a real problem for video game creators.
But Steam is also more annoying than it needs to be, especially forcing updates and not letting you transfer games so it's not comparable to owning a disc.
The primary spam problem isn't that a single account opens many pull requests on a single repo, but that spammer accounts open many pull requests spread across many repositories. So limiting accounts to a couple of open PRs on my repository won't help much.
I'd rather enforce a limit based on the number of PRs that account opened across all public repositories it doesn't have write access to within the last week. And PRs that were closed without getting merged should be held against the account somehow (perhaps via a "close as unwelcome" option for the maintainer).
> And PRs that were closed without getting merged should be held against the account somehow
That strikes me as a bad solution. I've sent plenty of PRs over the last two decades that were things I wasn't sure if upstream wanted or not, but I did the work and wanted to offer it to them. If you get penalized for not having a PR merged, it's going to incentivize selfishness
That's why I suggested an explicit "close as unwelcome" option (label to be bikeshed). And the impact of the rejection should decay over time.
In any case, my proposal is a rough sketch of how I'd approach the problem, not a production ready algorithm. But I'd expect even that basic approach to work a lot better than github's approach.
Ultimately what kills any effort to curb this behaviour is the fact that the perpetrator can always open another account.
If I was a maintainer of an open-source project, I would have a two-tier system:
-PRs from previous contributors.
-All others, sorted by lines of code, ascending.
Reasoning:
-Large PRs from someone without a track record are rare.
-It's not a huge ask to have people first solve a smaller problem.
-Small PRs are easy to verify - it's especially easy to tell if a given one-liner is impactful or just spam. Should also be easier to summarise it in the title.
-Don't quote me on that but I think LLMs are still bad at clear, concise, meaningful changes.
Hence the cooldown period? I think the mechanism proposed here should be perfectly fine for targeted PRs, while mitigating those that sit above baseline.
I assume the idea is that you probably weren't doing that 20+ times a day. For me, I was raising at most one or two open source PRs per week at most, and I only had time to focus on one or two repos during that time. I think thats a good baseline, with a big overhead for exceptional circumstance, but I don't see a world where someone should be able to make 10 PRs a day, every day, for weeks
Your proposal wouldn't help me at all. I wouldn't say that the problem I'm having is even "spam" per se. (For context I receive hundreds of PRs each week across my OSS projects like mise)
In my case I sometimes get a flurry of PRs from over-exuberant contributors, not necessarily low quality even! Using this I can at least put some back-pressure on that and help keep things more fair across my contributors.
Good point. I've (even with agents) never made more than like 5 PRs in one day internal to a company and if I have they typically included accompanying proto or submodule changes. Heck give a factor of safety of 2x and cap at 10 daily PRs per account for repos that youre "untrusted"
Is it? What is the motivation, and why would such spammers use PRs and not any other types of spam like comments or bugs?
I think it's more likely a lot of these are well intentioned individuals or people trying to build a resume. They'd want a lot of accepted PRs on one account, not lots of accepted PRs accross a lot of burner accounts
Github needs a "Human Trust" score where "AI Slop" label applied to a PR reduces the score and denies all PR's for the next X hours, delay increasing exponentially for every PR labelled with "AI Slop". Repeated "AI Slop" labels given by a maintainer reduces "Human Trust" Score like dropping off a cliff.
Every successful merge for a PR spread across N days slowly increases "Human Trust" score. (So a slow of fake merged PR's cannot fake increase Human Trust score). Just like the real world, Human Trust should be hard to gain and easy to lose.
If your Human Trust Score becomes negative due to too much "AI Slop", then you are banned from all PR submissions for a quarter. Your profile picture is also replaced with the Robot Identicon to indicate to the world that your human brain has been replaced by AI and urgent health-check is needed.
That could be abused the other way against well-intentioned humans. Simply let someone accumulate PRs at a not-abusive rate, and then once enough exist falsely report them all in a day.
> banned from all PR submissions
So then the person can't even make a PR against their own repository? Or when we're there a maintainer, known contributor, or a member of an organization that might be their workplace?
At least on this specific issue, the EU is trying to simplify things by introducing "EU Inc" as a new corporate form. But it'll take several years more to arrive.
I read that as the founder being able to opt into choosing EU Inc, not that only some EU member countries would offer it.
edit: it's a regulation, not a directive, so it will be directly available in all countries, without each country creating its own laws to implement it. But it'll take until 2028 or so until it's actually be available.
reply