Employees of Specbee posting low contribution tickets in bulk

cmlara
1 month ago
Opinions on this type of behavior?
https://www.drupal.org/user/3767476/track →
Looks like a lot of low effort issues load a theme, report when one part of a page isn’t styled, or report when a module still uses the Twitter logo instead of the X logo.
To me this is starting to feel like a new method to bulk issues, find something small and likely to occur and work through every module on D.O. to tag the issue.
Not sure that really is much different than the bulk posting of PHPCS issues and I am starting to see it occur more often. Yes they appear to be legit problems, but being loaded in bulk seems like they may fall under “Bulk posting of low-effort issues” the only caveat being they may not be detectable via current publicly avaliable automated tooling.
:face_with_diagonal_mouth:
2

40 replies

hestenet (he/him)
1 month ago
Yeah. I'm not sure. At a certain point, esp when they aren't automatable - we may have to let some of this kind of stuff go. The overall credit value of these small changes on small modules isn't super high anyway, so maybe we let the relative weighting soak the difference.

cmlara
1 month ago
Flip side of that, IIRC it only take 10 contrib fixes and you have the same gain as a massively complex multip year core fix?
I view “bulk low-effort” more like “if you find your organization creating more than 10-20 of the same
Issue in a year it’s probaly a bulk low effort” the count may be debatable, but the fact you have an entire page of the same issue it raises questions.

cmlara
1 month ago
Also worth factoring in these than become
Jumping pad issues for other orgs (like the readme issues posted yesterday) where we can see the previously warned orgs jumping on them to “fix” since they didn’t post the issue and are “just fixing open issues to help the maintainer”.

hestenet (he/him)
1 month ago
Yeah, true.

smustgrave
1 month ago
Think a warning is worthy. Or a no credit as this is novice type tickets. So they should open them and let new users try
Also sent to the channel

cmlara
1 month ago
If we do want to allow issues like this maybe it is time to scale the credit cap? Move it from 10 to maybe 100 for Core and scale the rest of the related ecosystem including the partner minimums ?
Runs the risk of even more of these type of issues being opened to counteract a loss in gain however at the same time it might push them to where the issues will at least have the most impact on the community and sends the message “if you really want your organization to be a maker work on Drupal Core”

Kristen Pol (she/her)
:palm_tree: 1 month ago
Interesting idea… I’m torn as we also don’t want to stifle innovation for lesser known projects who need buy in from their sponsoring organizations to provide funding to work on these

cmlara
1 month ago
That’s the negative and certainly would have an impact on the smaller modules.
The old “I’m not a partner but my organization can be recognized for the amount of effort I put in” system is going away/gone isn’t it? To be listed I believe now you need to be a Drupal Partner to befit from the point count and if you’re playing in that space I would suspect the organization is likely maintaining the module for a paying customer?
If so the real driver likely is that the customer keeps paying you to develop rather than doing it for the points ?

xjm
1 month ago
I mean, on the one hand, things like theming the mini-pager are annoying to do but useful to have done, as an unthemed mini pager screams "hello, I'm a Drupal site and my theme isn't 100% complete". So it is still helpful, or could be. And once someone's made a fix once, I guess they're better poised to help other projects with a similar fix. But it is kind of borderline also.

cmlara
1 month ago
Indeed.
I suppose these would annoy me less if we actually had a history of seeing these individuals move from novice to complex issues and that it didn’t feel like this was a game of whack a mole.
With the employee chrun at these mega devs it feels like we usually don’t get to see that happen and usually they make a run through at the novice level and disappear or if they stick around they often do not develop non-novice skill sets (almost like d.o. contrib maintainers are used as a training facility and once they have useable skills they are moved solely to internal customer paying dev work)
I do admit though it is at least nice to see the issues require some effort, even if it is only captcha farm level effort.

BramDriesen
1 month ago
The thing that is bugging me however is that Specbee has already been on the radar many times. They just keep finding new things to try every time. Last update here was in may, so just over a month ago… https://www.drupal.org/project/site_moderators/issues/3432186 →

Drupal.org
Contact Specbee about contribution best practices to avoid being caught up in farming
Employees of https://www.drupal.org/specbee → have been involved in several README and PHPCS tickets, which are commonly used as credit farming techniques by other companies.
Mar 19th
:point_up:
2

Also sent to the channel

kristiaanvde
:factorial: 1 month ago
Would be nice if we could differentiate between changes like these and actual changes. Then have these low-effort issues weigh at around 1:100 of a real issue.
That way, people who want to fix these readmes, icons, etc out of conviction still get the satisfaction of fixing it along with some credit, albeit next to nothing and those who do it to gamify the system will be disincentivized from doing so further.
A checkbox for maintainers only that says "Inconsequential fix" or something that gets picked up by the credit system? I pondered using the severity field and check for "minor" there, but anyone can change that field and then we'd have to police abuse there again.
If we then see Specbee et al create these non-issues on their own projects and leaving the new checkbox blank, we have a lot more to work with to show intent of gaming the system.
:heavy_plus_sign:
5

cmlara
1 month ago
I want to reiterate that I’ve seen this tactic showing up on other vendors that we have flagged.
This is not a single user only pattern. I posted this single one just because it was the one I saw today and it seemed more prolific than others I had seen an over the past several months from previously flagged vendors.
:heavy_plus_sign:
1

kristiaanvde
:factorial: 1 month ago
No, definitely not. It's a recurring pattern for a handful of companies. At this point, we need tools to discourage this gaming. Credit deductions, the checkbox I suggested, ... anything really to stop the downpour of these non-issues

catch
1 month ago
I think https://www.drupal.org/project/drupalorg/issues/2875806 ✨ Consider weighting issue credits by issue priority when ranking Marketplace organizations Active would cover this without a new checkbox potentially
Drupal.org
Consider weighting issue credits by issue priority when ranking Marketplace organizations
Just as #2833508: Consider weighting issue credits by project usage when ranking Marketplace organizations → creates a little bit more incentive/recognition for working on higher usage projects, I wonder if we should similarly create a little bit more incentive/recognition for working on higher priority issues, because generally, higher priority issues both take more effort and have higher benefit to the project. For example, a relatively weak scale: Minor (0.5), Normal (1), Major (2), Critical (3) Or a stronger scale: Minor (0.33), Normal (1), Major (3), Critical (9)
May 4th, 2017

kristiaanvde
:factorial: 1 month ago
Also, I know for a fact that there's a "Belgian team" behind the camps, cons and dev days in Belgium. I'd be surprised if there wasn't one in India.
Seeing as most, if not all, of the culprits are from India, would it be a good idea to reach out to their local Drupal body and ask that they help us figure out why we're seeing so much of these non-issues from massive vendors from a single country? Are they paying their juniors by the issue credit or something?
I know this is risky territory because it may seem like we're being prejudiced towards a specific country, but if your body were to constantly have head aches, we'd investigate the head first rather than the hands, feet and armpits. Might be worth looking into to get a better understanding of why we're seeing such an influx of spam from one location.
:100:
1

kristiaanvde
:factorial: 1 month ago
The only issue I have with repurposing the priority field is that it could arguably be something people can hide behind. "Oh, it didn't use to mean that" or "I don't consider this a minor thing" and that anyone can change it.
You could catch people messing with said field, but the fact that it defaults to normal rather than minor would still lead to a lot of these non-issues getting more credit than they should.
Having a new maintainer-only field would make it really clear what the intent is and we could easily run some queries against that to find abuse.
:plus_one:
1

cmlara
1 month ago
Drupal Indian Association use to get tagged a lot as the credited organization. I can’t say they planned it, but for a while (before the policy adoption) I saw a lot attributed to them.
I always attributed it to “they want to credit the local governing body” but I always did wonder if the behavior was comming from local camps.

cmlara
1 month ago
As somone who isn’t a DCP and has no desire to be a DCP and be listed in the Marketplace:
If somone were to ask me how to choose a partner from the marketplace my advice would probably be “skip the first page or two, theirs some good organizations in there, but many of them make their ranking on bulk easy issues that could often be scripted… if you want an org that only appears to know how to use automated tools go for the first pages, otherwise find someone who is fighting in the trenches lower down in the list who actually knows the internals and look at their issue history and see it’s one off unique fixes not pages of changing a logo or correcting a missing newline at the end of a file”
I may be alone in that mindset, however if any others share a similar view than it should be a distressing sign about the health and validity of the marketplace.

BramDriesen
1 month ago
I do follow you in that for a part. What I usually tell is to filter on the “office locations” field as well :slightly_smiling_face: rules out many of the ones we are referring to :stuck_out_tongue:

kristiaanvde
:factorial: 1 month ago
I 100% share that view. We put a lot of effort into our contributions and are glad to be on the first page because of it, but it is really disheartening to see 4 companies on page 1 that I know are only there because of a massive amount of non-issues.

BramDriesen
1 month ago
Been filtering a bit through issues, I don’t think the priority field will work :slightly_smiling_face: many of the low effort issues are being marked as major or critical :rolling_on_the_floor_laughing:

BramDriesen
1 month ago
Apparently a missing readme file which is a copy paste of the project page warrants a critical ticket :man-shrugging:

BramDriesen
1 month ago
TBH, when I’m working on issues or committing them, I usually don’t even look at the priority field.

kristiaanvde
:factorial: 1 month ago
Apparently a missing readme file which is a copy paste of the project page warrants a critical ticket
That, IMO, would be grounds to take action against whoever set that issue to critical
:plus_one:
3

cmlara
1 month ago
I’ll admit a lot of devs probably don’t use it, especially since it can be set by end users.
I do try and use it for my own priority control so I can mange my efforts, however even than I’ll admit the fact that I can’t lock a priority sometimes means I’ll ignore changing it to avoid a fight that I can’t win (looking forward to gitlab on this part)
That said flagging sometbing like a readme conversion (or having a demanding support request) as a critical is a good way to get me to internally flag the user and the org as (for lack of a better word) “troublesome” and goes back to my question recently on “do you find yourself de-prioritizing these flagged organizations”

kristiaanvde
:factorial: 1 month ago
Yeah that's why I suggest a checkbox that is flagged by default saying: "This fix is inconsequential", but nicer and more descriptive. Then check it by default.
Or vice versa: "This fix provides actual value and is not just a typo in a readme", but better written and uncheck it by default.
Either way, there should be an active decision to assign credit. We can then run queries against that checkbox and prove intent of gaming the system when people flag readme issues on hardly used modules/themes as "this should definitely get credit"

kristiaanvde
:factorial: 1 month ago
Posted that to the issue catch mentioned above.

cmlara
1 month ago
I’m reminded of a question a couple months ago regarding a type of simple easy to work issues.
Those of us in this roomed seemed to lean to “don’t credit them it’s farming” while same question in #maintainers leaned towards “it’s small but I would credit that”
Our mindsets certainly play a role in that and any system would have to contend with that ecosystem bias towards “always credit” that many of us in this room have become troubled by.

Shefali
25 days ago
Hi, representing Specbee here. I have a few questions just so we are clear what else should we talk to our team about when we have our next contribution guidelines meeting. We've already emphasized the importance of adding value through contributions and ensuring the intent is genuine.
Should the smaller issues be ignored / not worked upon or left for the project maintainers to figure out?
Should we avoid opening issues that need fixes for smaller projects?
What happens when a developer does not have enough expertise to work only on Core/top 100 projects but still intend to make a valuable contribution?
Is it acceptable to highlight genuine issues that appear bulk-submitted due to the same problem existing in many lesser-known projects?
Some of the contributors mentioned are novice contributors/developers who are learning a lot through contributions. I’m not sure asking them to stop such contributions would be the best thing to do, but it seems like we are being encouraged to focus only on high-weightage issues.

hestenet (he/him)
25 days ago
I think those are all very legitimate questions, Shefali.
Saved for later

hestenet (he/him)
25 days ago
Curious for some opinions of this group before I weigh in with some more thoughts.

Kristen Pol (she/her)
:palm_tree: 25 days ago
One idea is could someone having an “in training” contributor badge / text added when they are new to contributing and that is taken off at some point? Visually being able to tell new people who are learning may be of value.., that doesn’t answer the questions above though
:heavy_plus_sign:
1

cmlara
25 days ago
What happens when a developer does not have enough expertise to work only on Core/top 100 projects but still intend to make a valuable contribution?
For organizations they usually “sponsor” modules. That is where I would usually suggest their effort goes, until there are zero issues left in the queues it means there are issues where the org could be directly working ok that are “under their control” any work done there benefits the organization and the community. It also makes any “costs” for training less experienced devs be solely on the organization. These are also a mix of effort required and the more complex issues are perfect for the organizations other developers to mentor the newer developers.
In my personal opinion the contrib queue does not exist to train organizations employees, yet it often feels like inexperienced devs are being sent to us contrib maintainers to train to the point they are skilled devs. Especially on these bulk issuers where I often see even lack of foundational PHP knowledge by some devs.
I usually expect the opposite, that we never see the inexperienced devs because they’re always working internal issues (or issues on the organizations own modules) as that leads to a public image that the organization has skilled employees. Written another way, as a “potential customer” the lowest skilled employee I see publicly working on other modules is what I would assume is going to be a “high skilled” employe that would be assign to my project if I were a paying customer. As a “customer” I’m under no illusion that I have only highly skilled engineers on my coding project, however usually I expect them to be several layers removed from me where an experienced dev audits everything they do before it reaches me.

Kristen Pol (she/her)
:palm_tree: 25 days ago
I like the idea of people initially training on issues sponsored by their organization but not everyone is part of an organization or part of one that has sponsored projects

cmlara
25 days ago
but not everyone is part of an organization or part of one that has sponsored projects
The majority of these issues we’re looking at with concerns are coming from organizations. It’s rare we see a non-affiliated dev spending their free time bulk creating issues. It’s happened but at the moment on the “educational material” meta it’s a single user vs every other record being an organization IIRC.
As for not having sponsored modules, I would say why not? Look at the internal project list see what is often used, approach the dev see how they feel about adding the sponsor label in exchange for developer time (knowing they may have to guide less knowledgable devs on issues or that they make mistakes but a experienced dev from the org will be auditing their MR’s and guiding them). These solve real world issues that are actually impacting users vs many of these modules that are actually abandoned and not used.

Kristen Pol (she/her)
:palm_tree: 25 days ago
Agree that the contribution issues we see are primarily from people at orgs who likely have sponsored projects

xjm
25 days ago
@Shefali
Thanks so much for reaching out. To answer one of your questions, I think one of the most important things is to see contributors growing from "beginner" issues into more advanced contributions. When a user posts the same type of fix to dozens of contributed modules of something that is slightly helpful but fairly trivial, maintainers' reactions will vary, but a lot of maintainers might feel harassed by the issues rather than helped by it. It would be better if contributors gradually work on harder and harder tasks, or worked in pairs with a more senior developer to help meaningfully with harder tasks. (edited)

xjm
25 days ago
@Shefali
To share my own story -- Back when I first started out contributing to core, I had spent a lot of time in IRC asking for help about issues I was having with Drupal 7's taxonomy API. Drupal.org added the issue summary field the next month and I was really excited, because writing a summary of an issue was something I could do even though I was intimidated by core code. So I went through and tagged loads of issues "Needs issue summary" and wrote many of the summaries myself. Some core contributors appreciated it, but others were frustrated or even angry with me because it felt like spam to them.
I had the best intentions, but because I did a bulk thing across a huge range of issues, it caused as much unhelpful noise as it helped.
I learned from it and avoided such massive bulk comments in the future (except for a few cases where it was actually necessary due changes in core, and I gave advanced warning that I was going to do so in those cases and did not receive issue credit for it). It's of note though that I did not have the advantage of a large Drupal shop helping me; I was doing it entirely on my own without mentoring or guidance.
So even people who go on to become core committers can make these kinds of slight missteps. :slightly_smiling_face: What's important is to remember that (a) repeated comments or MR submissions that are basically copies of each other can actually make more work for maintainers rather than less, (b) we want to see contributors move on from trivial contributions to more advanced ones after their first few issues, and (c) we especially want to see contributors at organizations that have many other contributors not repeating the same mistakes their peers at the same organization made previously. And (c) is extra extra true for a certified partner. (edited)
:blue_heart:
3

Kristen Pol (she/her)
:palm_tree: 18 days ago
Perfect example and takeaways