You all know that librsvg is developed in gitlab.gnome.org, not in GitHub. The README prominently says, "PLEASE DO NOT SEND PULL REQUESTS TO GITHUB".
So, of course, today librsvg got its first AI slop pull request and later a second one, both in GitHub. Fortunately (?) they were closed by the same account that opened them, four minutes and one minute after opening them, respectively.
I looked.
There is compiled Python code (nope, that's how you get another xz attack).
There are uncomfortably large Python scripts with jewels like subprocess.run("a single formatted string") (nope, learn to call commands correctly).
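To illustrate the remark about calling commands correctly, here is an added example (not code from the pull requests or from librsvg) that runs the same child process once from a formatted string and once from an argument list. It assumes the string form is run with shell=True, which the post does not show; the file name and helper names are constructed for the demonstration.

```python
import shlex
import subprocess
import sys

# Child process that prints the arguments it actually received.
ECHO_ARGV = [sys.executable, "-c", "import sys; print(sys.argv[1:])"]

# Constructed sample input: a file name containing shell metacharacters.
HOSTILE_NAME = "drawing.svg; echo INJECTED"


def run_formatted_string(name):
    """One formatted string handed to /bin/sh (assumed shell=True).

    On POSIX, a single string without shell=True is taken as the program
    name, so scripts written this way usually end up enabling the shell.
    """
    cmd = f"{shlex.join(ECHO_ARGV)} {name}"  # name is interpolated unquoted
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def run_argument_list(name):
    """Argument vector, no shell: name reaches the child as one argv entry."""
    out = subprocess.run(
        ECHO_ARGV + [name], capture_output=True, text=True, check=True
    )
    return out.stdout.splitlines()


if __name__ == "__main__":
    # The shell splits at ';' and runs a second command of its own.
    print("formatted string:", run_formatted_string(HOSTILE_NAME))
    # The list form passes the whole name through verbatim.
    print("argument list:   ", run_argument_list(HOSTILE_NAME))
```
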
There are two vast JSON files with "suggestions" for branches to make changes to the code, with jewels like:
- Suggestions to call standard library functions that do not even exist. The proposed code does not even use the nonexistent standard library function.
- Adding enum variants to SVG-specific constructs for things that are not in the SVG spec.
- Adding incorrect "safety checks". assert!(!c_string.is_null()) to be replaced by if c_string.is_null() { return ""; }.
- Fix a "floating-point overflow"... which is already handled correctly, and with a suggestion to use a function that does not exist.
- Adding a cache for something that does not need caching (without an eviction policy (so it is a memory leak)).
- Parallelizing the entire rendering process through a 4-line function. Of course this does not work.
- Adding two "missing" filters from the SVG spec (they are already implemented), and the implementation is todo!().
It's all like that. I stopped looking, and reported both PRs for spam.