Artificial Intelligence
Last updated on May 23, 2026
Artificial Intelligence (AI) is a rapidly growing field that is changing the way we interact with technology, especially in the areas of security and privacy. It’s regularly used by developers to generate content in a more efficient way.
We welcome the use of Generative Artificial Intelligence from the community in a general sense. We however have several policies which dictate the way in which it is to be used. These policies are designed to ensure that the community is able to interact with the technology in a professional and responsible manner.
These policies apply to several areas of the Authelia project, such as but not limited to:
- Pull Requests:
  - Both the Code and the Discussion Area of the Pull Request
- Issues
- Discussions:
  - On GitHub
  - In Discord
  - In Matrix
- Private Vulnerability Reports
- Emails
As with other policies these policies form part of and augment our Code of Conduct. As such these rules may be enforced using the remediation process described in the Code of Conduct.
Policy Rules
The following rules form the basis of the policy.
General Policy
The following rules apply to all areas of the project.
- The human is 100% responsible for any and all content generated by artificial intelligence.
- The human that is responsible for this content must always review the content before submitting it and ensure that they completely understand the content.
- When using artificial intelligence to generate content, the human must disclose this in the first paragraph of the description of the submitted content with details about how and where it was used.
- The areas where humans are intended to communicate with each other should be free of artificial intelligence generated content, i.e. you should not be using artificial intelligence to create or reply to emails, issues, discussions, chat rooms, etc.
- Deliberate attempts to hide, subvert, or mislead anyone about the use of artificial intelligence are strictly prohibited and will be considered an immediate violation of this policy, and have a reasonable likelihood of being treated as a deliberate malicious act.
Exceptions
Translation
Some users may use artificial intelligence to perform translations into English in the conversational areas. We accept this is a reasonable use case within the conversational areas of the repository.
As such we make an exception for this use case provided some simple guidelines are followed.
- The input to the artificial intelligence tool must be made by a human.
- The input used for the artificial intelligence must be included after the first paragraph disclosing the usage and must be done as described below.
For GitHub areas use the details method as per below, where {{ Input }} is replaced with your input.
<details>
<summary>Translation Input for Artificial Intelligence</summary>
{{ Input }}
</details>
For all other areas include a GitHub Gist or equivalent link with the input.
Pull Requests
The following rules apply to pull requests.
- The content of the proposed change must be reviewed by a human prior to making a pull request, and;
- All linters and tests must pass.
- If you used artificial intelligence tools in the creation of the code you must explicitly disclose this fact in the first line of the description of the pull request.
- You must fully understand the content of the proposed change. Inability to explain any given change may result in the pull request being rejected summarily, especially if the reasons for the change cannot be articulated in a clear manner.
- The reviewers and the author of the pull request must not use generative artificial intelligence in the formal review process itself, i.e. when questions are asked, changes are requested, or responses to the reviewers are made. The use of artificial intelligence tools within the review process must be explicit and assistive in nature.
- Large changes must not solely be produced by generative artificial intelligence tools.
- The artificial intelligence tools or their companies must not be listed as participants in the change as a commit trailer i.e. in the Co-authored-by, Signed-off-by, Reviewed-by, Reported-by, Assisted-by, Co-developed-by, or similar trailers.
- In such instances where assistive tools are used in the review process, i.e. we currently use CodeRabbit, we suggest not blindly accepting the changes. Instead either wait for a reviewer to agree with the changes after they perform an assessment, perform an assessment yourself, or ask if the maintainers believe the changes are acceptable.
Responsible Use and Professionalism
It’s important to note that this is not a comprehensive list of rules, and users of the technology should be aware of the limitations of the technology and the limitations of the tools used to generate the content; and they should use these tools responsibly.
The requirement of responsible use is the basis for this policy and should a particular use of the technology be found to violate this principle, it may still be subject to this policy regardless of whether the use is explicitly detailed in this policy.
If we deem a use to be in violation of this policy, we expect the user's response to fall within the “gracefully accepting constructive feedback” clause of the Code of Conduct. Discussion about the content or application of this policy and the Code of Conduct should be held in the appropriate channels.
Rationale
Policies similar to these are very common in the open source community, and while this is not a rational argument for these policies, they are a good starting point in this fairly new phenomenon. We expect these guidelines and ideas will evolve over time. Regardless of your personal view of generative artificial intelligence, we expect community members to abide by these policies as a matter of professionalism.
There are a few reasons for these rules. In no particular order:
- Several studies have shown a clear indication that while these tools are getting better in their general outputs they are not getting better at generating secure code. In fact many studies indicate that more than 40% of all code generated by artificial intelligence has significant security vulnerabilities. It is imperative that in a project like this we are fully aware of any additional considerations we must make in the review process.
- There is not a lot of clarity around the liability and legality elements in these contributions. In particular there are very few countries which recognize the ability to legally license or copyright any content unless it is made by human input; and some countries outright reject this. This is probably highly dependent on the jurisdiction.
- It’s also unclear if the code generated by artificial intelligence can be claimed as being copyrighted by the author of the content used to train the artificial intelligence model, or the owners of the intelligence model themselves. This is probably highly dependent on the jurisdiction.
- We want to know we’re interacting with an actual human when we’re resolving concerns about a change.