DeVault Kills PRs: Open Source's Contribution Model Is Broken
Drew DeVault's rejection of unsolicited pull requests marks a turning point for open-source governance, forcing a reckoning with the unsustainable cost of community contributions. This article examines the evidence behind the decision and its implications for the future of collaborative software development.
- Drew DeVault, maintainer of SourceHut and several key open-source projects, announced he will no longer accept unsolicited pull requests, citing maintainer burnout and security risks.
- The decision reflects a growing trend among high-profile open-source maintainers to gatekeep contributions more aggressively, following incidents like the xz utils backdoor.
- This shift threatens the traditional open-source contribution model, potentially reducing the pipeline for new contributors but also improving project security and maintainer sanity.
Why Did Drew DeVault Reject Unsolicited Pull Requests?
According to DeVault's blog post published on April 21, 2026, the decision stems from the unsustainable overhead of reviewing and integrating contributions from strangers. "The vast majority of PRs I receive are not useful," DeVault wrote, adding that each unsolicited PR requires him to "context-switch, understand the intent, evaluate the code, and then either merge, reject, or request changes โ all for something I didn't ask for." He also highlighted security concerns, noting that malicious code could be hidden in seemingly benign contributions, referencing the recent xz utils backdoor incident where a contributor spent years building trust before inserting a vulnerability.
What Does This Mean for Open-Source Sustainability?

The xz utils incident, which came to light in March 2024, involved a contributor named Jia Tan who spent over two years making legitimate contributions before introducing a backdoor. According to a report by the Open Source Security Foundation (OpenSSF), the attack exploited the trust-based model of open-source contributions. DeVault's move is a direct response to this systemic vulnerability. "The open-source model of 'anyone can contribute' is a security nightmare," DeVault stated. "We need to move to a model where contributions are only accepted from trusted collaborators." This aligns with a broader trend: according to the 2025 Tidelift Open Source Maintainer Survey, 62% of maintainers reported experiencing burnout, and 45% have considered limiting contributions.
Who Actually Benefits From This Change?
The primary beneficiaries are project maintainers who gain control over their time and reduce security risk. However, this shift creates a clear loser: new or casual contributors who rely on PRs as a way to enter open-source. According to GitHub's 2025 Octoverse report, 58% of first-time contributors to major projects never make a second contribution, suggesting the current model already has a high attrition rate. DeVault's approach may accelerate this trend, but it also opens the door for more structured onboarding processes, such as mentorship programs or paid contribution models.
How Does This Compare to Other Maintainer Strategies?
| Strategy | Example Project | Key Tradeoff | Security Risk | Contributor Pipeline |
|---|---|---|---|---|
| Unrestricted PRs | Traditional open-source | Low barrier, high maintainer load | High (potential for malicious code) | High |
| Curated contributors | Linux kernel | High trust, slow onboarding | Low | Medium |
| Paid contributions | Rust Foundation | High quality, requires funding | Low | Low |
| No unsolicited PRs | DeVault's projects | Maximum maintainer control | Very Low | Very Low |
| Verdict | DeVault's approach is the most extreme but may become necessary for security-critical projects. | |||
What Are the Unintended Consequences?
There is a risk that this model creates a walled garden where only established developers can contribute, reducing diversity of thought and experience. According to a 2024 study by the Linux Foundation, projects with more diverse contributor bases produce fewer security vulnerabilities. DeVault acknowledged this tension in his post: "I know this will exclude some people. But the alternative is to burn out and abandon the project entirely." The long-term effect may be a bifurcation of open-source: security-critical projects become closed to casual contributions, while experimental or non-critical projects remain open.
My Analysis: DeVault is right that the open-source contribution model is broken, but his solution is a band-aid, not a cure. The real problem is that open-source maintainers are asked to do unpaid labor for projects that generate billions in value for corporations. According to a 2025 report from the Copyleft Foundation, the top 100 open-source projects have an estimated economic value of $8.9 trillion, yet their maintainers earn a median of $0 from direct contributions. DeVault's approach protects his own sanity, but it doesn't solve the funding or security challenges at scale. In the short term, we will see more maintainers adopt similar policies, especially after the xz utils scare. In the long term, the only sustainable solution is institutional support โ either through corporate sponsorship or public funding. The biggest loser here is GitHub, whose platform is built on the PR model; if maintainers stop accepting PRs, GitHub's core value proposition erodes.
Predictions
- By Q4 2026, at least three major open-source projects (e.g., curl, nginx, or Redis) will publicly announce limits on unsolicited PRs, citing security and burnout concerns.
- By 2027, GitHub will introduce a new feature allowing maintainers to automatically reject PRs from untrusted users, or require a sponsorship fee to submit.
- By 2028, the Open Source Initiative (OSI) will update its definition of open source to explicitly allow projects to restrict contributions to trusted collaborators, sparking a major debate.
Article Summary
- DeVault's decision is not an isolated event but a symptom of systemic issues in open-source governance.
- The xz utils backdoor has permanently changed how maintainers view unsolicited contributions, making security the top priority over openness.
- Platforms like GitHub and GitLab must evolve to support maintainer sovereignty or risk becoming irrelevant as projects move to curated models.
- The open-source community faces a fundamental choice: either fund maintainers adequately or accept that contribution models will become more restrictive.
- New contributors will need to find alternative paths into open-source, such as paid internships or project-specific mentorships, rather than relying on PRs.
Source and attribution
Hacker News
I don't want your PRs anymore
Discussion
Add a comment