How does a potential positive contributor pierce through? If they are not contributing to something already and are not in the network with other contributors? They might be a SME on the subject and legit have something to bring to the table but only operated on private source.
I get that AI is creating a ton of toil to maintainers but this is not the solution.
In my OSS projects I appreciate if someone opens an issue or discussion with their idea first rather than starting with a PR. PRs often put me in an awkward position of saying "this code works, but doesn't align with other directions I'm taking this project" (e.g. API design, or a change making it harder to reach longer term goals)
One solution is to have a screensharing call with the contributor and have them explain their patch. We have already caught a couple of scammers who were applying for a FOSS internship this way. If they have not yet submitted anything non-trivial, they could showcase personal projects in the same way.
FOSS has turned into an exercise in scammer hunting.
I'm not sure if I follow, are the PRs legitimate and they are just being made to buff their resume, or are PRs malicious?
They are becoming AI slop more and more likely in an attempt to buff their resumes by making it look like they contribute to a bunch of open source. Basically low effort low quality submissions for silly things that just waste maintainers time.
Looking at this, it looks like it's intended to handle that by only denying certain code paths.
Think denying access to production. But allowing changes to staging. Prove yourself in the lower environments (other repos, unlocked code paths) in order to get access to higher envs.
Hell, we already do this in the ops world.
So basically we are back at tagging stuff as good for first contributors like we have been doing since the dawn of GitHub
It seems like it depends on how the authors have configured Vouch. They might completely close the project except to those on the vouch list (other than viewing the repo, which seems always implied).
Alternatively they might keep some things open (issues, discussions) while requiring a vouch for PRs. Then, if folks want to get vouched, they can ask for that in discussions. Or maybe you need to ask via email. Or contact maintainers via Discord. It could be anything. Linux isn't developed on GitHub, so how do you submit changes there? Well you do so by following the norms and channels which the project makes visible. Same with Vouch.