[RFC] Require AI Tooling Disclosures for Contributions

[Gerg]

Link for easy viewing

Inspired by ghostty-org/ghostty#8289

[no AI Tooling was used for this PR 😉]

[stephanme]

AI generated example PR for CC: cloudfoundry/cloud_controller_ng#4442
It started with AI generated code but then involved substantial traditional dev before it got merged.

[chombium]

Here are my two cents:
I recently had to review a PR clearly generated/suggested by AI. The AI generated code was using the latest version of a library which was an indirect dependency of another included library. The problem was that the direct dependency was not updated and the library, the indirect dependency was not updated as well. Hence, the build and the unit test broke and we could catch the problem.
The other problematic thing which I see more often is the usage of AI to write unit and possibly integration tests for the code written. As we mostly don't have formal requirements of features it is hard to validate that the generated code does what it has to do at all. I'm not saying that we need to change the way we contribute as including too many formalities might also be not attractive for new contributors, we all know what was contributing like in the Pivotal times.

Asking for a disclosure of AI tools used and adding something that will help us as maintainers (approvers) to grasp and understand the contributions easily would be great.

The two problems which I see are:

1. How do we check the functional correctness of the code?
2. How can we do the validation of the introduced changes are correct if both the code and the tests are AI generated? I guess we as maintainers will have to have go deeper when we check the code. Raising the number of mandatory PR approvals can help. I know some WGs are checking and discussing PRs together in their WG meetings, but that might be cumbersome.

I fully agree with what @stephanme has written. Drafting a PoC with AI and "polishing it" afterwards by a human should be acceptable. Though, this way of work might make the work of maintainers a bit harder as the AI code snippets will be even harder to detect.

I guess we have to raise the awareness about AI generated code for contributors and maintainers as well, so that the contributors might explain which AI they've used and how, so that the maintainers understand the intentions and thinking behind the changes.