This is a good introduction to the topic as it defines the use of AI tools as allowed under the following conditions. Maybe "provided that:" is not good expression, because also sanctions are mentioned in the extensive list.

A good policy starts if necessary with defining terms. I consider that AI tools is not needed to be defined, as it is nowadays kind of trivial.

Good policies start with a duty for the individual, who are affected by the policy.

E.g. § 1 StVO, the Street Traffic Order of Germany, defines, that participanting at the road traffic (by pedestrians, cyclists, car drivers etc..) requires constant caution and mutual consideration. And alot of cases at court are just solved by this § 1. If the behavior of a participant is considered by the judges as reckless => case lost.

So any violation of the AI Usage policy will be based on this first rule.

Also it does not give any obligation to the contributor to be legally responsible for the provided code. Thats something what copilot was suggesting me, when I was typing the mardown in vscode. If we accept any code, and here I agree with qemu, we will make this code as our own. Thats it.

A simple documentation is not much asked from the contributor. Also it says, that significance is important. We could also consider to use the wording "non insignificant", which in german legalese means something between insignificant and significant.

• Isn't stating the use and naming the tool problematic in terms of copyright?
• How it was used?

Why do we care about this info?

Not every use of AI is relevant.

• If I write the code myself and then I write a text for the pull_request comment, then the text for the pull_request is not part of the code itself. So if I improve the text of the pull request comment with AI, it is irrelevant for the corresponding code.
• AI can not have copyright. But the code which was used for training is.
• Naming AI tools is not a problem of copyright. Maybe you refer to trademarks? This is not applicable because we are not using the trademark as is. Like we write that fastify is tested on Microsofrt Windows, doesnt mean that we are using Microsoft Windows as trademark
• naming the tool is somewhat relevant. Imagine tomorrow somebody uses some not well known LLM. THe contributor names it, and we are empowered to investigate further if it is maybe problematic AI.

yeah, how it was used can be better phrased. "and a brief description of the affected code." Something like this.

I agree in principle, but what if they hide it? Or even worse, make some effort to hide it?

We have no good way to even discover a violation of this clause absent obvious cases.

And honestly, as long as

1. The contributor reviews and verifies the output of the AI tool for accuracy,
   security, and compliance with the project standards, especially code style,
   tests, and code quality itself.

and other clauses are respected, I might not even want to know where the code is coming from?

@gurgunday
It is what it is. Nobody expects from us magic and to assess AI use or not use with 100% correctness. But we should take care of due dilligence. And this is it about.

"to ensure" does not mean that the contributor should investigate what data the models are trained on. It just means, that the contributor implicitly states by providing the PR that to his/her best knowledge no violation of license or copyright exists.

Also copilot for github enterprises can use code in the repos of the enterprise to be trained on. Also there is i think a setting, which says, that only OSS with unproblematic license can be used as a base.

So this means for us: If we consider the code potentially violating licensing or copyright restrictions, we just need to state that, and the contributor has to explain it.

the contributor implicitly states by providing the PR that to his/her best knowledge no violation of license or copyright exists.

Isn't this redundant with general copyright policy? AI or not, users should not violate copyright.

Sure, but I am sure that there are some people who feed first the AI with copyrighted code and then let the LLM generate code based on the copyrighted material.

We could regarding CoC and DCO refer this also just shortly at the beginning.

We put the burden of proof on the contributor.

This is just a counter measurement, for the fact, that the contributor flat out denies the use of AI, and maybe even argues, that it is insulting to accuse of undocumented use of AI. And suddenly you have a CoC violation...

Proving something which does not exist is impossible. So what means proof?
Maybe a simple affidavit as a comment is enough, "I assure you, that I wrote all the code myself."

But as I wrote above: Collaborators should not be forced to prove that AI was used. If the burden of proof is unclear or on our side, we can not sanction anything, because grey areas can not be proven by us.

I would simply say that maintenance maintainers can close a PR if they suspect AI usage, without justification.
That's how it will play out in reality.

In italy we call this "prova diabolica" (diabolic proof) because it is impossible to proof that you did not do something.

I agree with the @jean-michelet comment

Its actually the point of "liberte" of the french motto. If the state wants to do something they need a law. If they cant name a law, then it does not exist. You as a citizen dont need to find a proof, that you are doing some not illegal. Or short: Everything is allowed, till it is forbidden.

We can remove this, but again: Somebody could then state, that we have to prove that AI was used or else the person finds the mentioning of AI use potentially insulting and opens us for legal actions.

else the person finds the mentioning of AI use potentially insulting and opens us for legal actions.

😮 is this ever happened?

It is 100% true. We have absolutely zero legal obligation to anyone for anything in regard to the source code, documentation, or management of the project.

@jsumners You have a very US centric view. Dont forget that most maintainers are living in Europe. article 10 of the European Human Rights convention allows penalizing insults. Doesnt mean that it has to be persecuted via criminal law at criminal courts, it can also be sued at civil courts.

The MIT license is only covering the sourcecode. But not the interaction on this platform. And if we claim that everybody is invited to participate then we open us legally to get into a contractual binding. In common law you need a consideration to make legally binding contract. In continental law you can have contracts without consideration. You can even have pre contracts(Vorvertrag) which binds you with a legal obligation. Like you go to the bathroom in a shopping mall and slip and fall, and till then you did not bought anything, so there is no contract, but still there is culpa in contrahendo, so slip and fall is covered by obligations law.

So it does not mean that you have a blanko-check to potentially insult contributors on this platform. If I post in a repo and get insulted than If I falsely accuse somebody falsely, then the person can take legal actions against me and sue me for retracting and to not repeat the claim.

We have here german lawyers (Ralf Höcker, Joachim Steinhöfel) who sue twitter, facebook and co regularly despite their argument that the US freedom of speech is allowing more that what we have in article 10 EHRC or article 5 german Grundgesetz.

So we are not in wild west , and we are not dictators.

It is just as true in the EU - the CRA applies to stewards, but not open source maintainers.

That you can be sued for specific things you say doesn't change that maintainers can do literally anything they want with their package, including closing a PR without giving a reason.

If participating in open source with the rest of the world is legally difficult in Germany or the EU due to the issues you describe, then that is something in those laws that may need to change.

@ljharb

Of course we can close PRs without comments. And of course we can behave like dictators.

But this is contradicting to the CoC! Closing a PR without any feedback can be deemed unwelcoming. There are other aspects too. Like human dignity means that I dont behave in a way that i treat the person as a pure object of my actions (Immanuel Kant "Objekttheorie"). I have to give the person the chance to confront with my accusation and give the chance to potentially defend himself/herself before the action in a hearing or after the action in an appeal. Basically what we call in german Menschenwürdegarantie and Rechtstaatlichkeit/Recht auf Anhörung/Rechtsweggarantie.

This is what I considered in this policy. We close the PR and write the reason in a neutral way. The contributor can basically "appeal" in the PR.

And again: just because us law allows wild west mentality doesnt mean that it is the global standard. In contrary. Judges have the tendency to declare the right to decide about any case in front of them. Like Marbury vs. Madison 1803 of the US supreme court for declaring to have the right for judicial review of federal laws. Or various decisions of the german constitutional court at the beginning 1950s to clarify that it has the right to declare basically the decisions of other courts, laws of the Bundestag, decrees of ministries and single decisions of the administration void and null. Or the Costa/Enel decision of the european court of justice, for declaring european law as supreme to national law, and thus making the european court of justice the strongest court in europe.

So while in the US you have wild west mentality, we have the rule of law in continental europe. And dont forget that most devs of fastify are living in europe.

I would actually call fastify european.

So we have to look at european law.

Read also following article:

https://esportslegal.news/2025/06/04/gaming-bans-and-gamer-and-dsa/#the-german-perspective-courts-weigh-in

We have more digital rights in europe than you in the US.

Certainly I'm not advocating mistreating contributors :-)

I would not call our mentality "wild west", and I think generalizing the mentality of entire countries is contradicting the CoC.

The project is part of the OpenJS Foundation, which is based in the US, so while the project shouldn't ignore the laws of any country, it is not a "european project". Open source projects don't have nationalities.

This closes the gap created by only making it mandatory to document significant use of AI. The "irrespective of the significance of the AI usage." is just for clarity.

Also because the contributor has the burden of proof, caollaborators can doubt that the contributor disclosed completely.

This can be replaced with a new tick in the PR template:

• I did not/did use AI tools to implement this feature

Again: Are you interested only getting significant use disclosed or do you which to know if copilot was used as glorified autocomplete function?

Also I recommend to use the negation, as people tend to not use the checkboxes.

I realize this is missing something which I had actually in mind.

So we allow discussing the issue, but only in the affected pull request. I want to avoid that the contributor opens an issue to discuss the problem. It should be encapsulated in the pull request.

In my initial draft I wrote, that the collaborator is not obligated to discuss.

This is based from the ratio, which i found in "The Art of Being Right" by Schopenhauer, where he wrotes for his last strategem, that you should keep it like Aristoteteles.

The only safe rule, therefore, is that which Aristotle mentions in the last chapter of his Topica : not to dispute with the first person you meet, but only with those of your acquaintance of whom you know that they possess sufficient intelligence and self-respect not to advance absurdities ; to appeal to reason and not to authority, and to listen to reason and yield to it ; and, finally, to cherish truth, to be willing to accept reason even from an opponent, and to be just enough to bear being proved to be in the wrong, should truth lie with him. From this it follows that scarcely one man in a hundred is worth your disputing with him. You may let the remainder say what they please, for every one is at liberty to be a fool desipere est jus gentium. Remember what Voltaire says : La paix vaut encore mieux que la vérité. Remember also an Arabian proverb which tells us that on the tree of silence there hangs its fruit, which is peace.

Translation from german to english here

But I added that collabators are encouraged to discuss for clarity. It is the mirror rule for the collaborator for the rule above which allows the contributor to discuss. If the points are reasonable, then why not?

But if we get BS arguments, then we should just not engage in discussions.

This is the ultima ratio sanction.

I personally consider proposing AI slop an act of sabotage. So why should we assess again and again time wasting PRs?

• Isn't stating the use and naming the tool problematic in terms of copyright?
• How it was used?

the contributor implicitly states by providing the PR that to his/her best knowledge no violation of license or copyright exists.

Isn't this redundant with general copyright policy? AI or not, users should not violate copyright.

I would simply say that maintenance maintainers can close a PR if they suspect AI usage, without justification.
That's how it will play out in reality.

Why do we care about this info?

In italy we call this "prova diabolica" (diabolic proof) because it is impossible to proof that you did not do something.

I agree with the @jean-michelet comment

It seems harsh: I would re-phrase that to:

Collaborators are allowed to close pull requests that are stale and don't have feedback addressed

Not AI, related but it can be applied for AI too

This can be replaced with a new tick in the PR template:

• I did not/did use AI tools to implement this feature

I am in favor of these changes with my suggestions applied.

Very good suggestion

Unnecessary.

This change is unnecessary.

This change is not needed.

Removing the leading clause changes the intent, and I don't see what the remaining changes do. I'd just strike them all.

I agree. It is kind of redundant. The old paragraph was not fitting so i adapted it.