This is the only way, because anything less would create a loophole where any abuse or slander can be blamed on an agent, without being able to conclusively prove that it was actually written by an agent. (Its operator has access to the same account keys, etc)

Legally, yes.

But as you pointed, not everything has legal liability. Socially, no, they should face worse consequences. Deciding to let an AI talk for you is malicious carelessness.

just put no agent produced code in the Code of Conduct document. People are use to getting shot into space for violating that thing little file. Point to the violation and ban the contributor forever and that will be that.

Liability is the right stick, but attribution is the missing link. When an agent spins up on an ephemeral VPS, harasses a maintainer, and vanishes, good luck proving who pushed the button. We might see a future where high-value open source repos require 'Verified Human' checks or bonded identities just to open a PR, which would be a tragedy for anonymity.

I’d hazard that the legal system is going to grind to a halt. Nothing can bridge the gap between content generating capability and verification effort.

we live in a crazy time where 9 of every 10 new repos being posted to github have some sort of newly authored solutions without importing dependencies to nearly everything. i don't think those are good solutions, but nonetheless, it's happening.

this is a very interesting conversation actually, i think LLMs satisfy the actual demand that OSS satisfies, which is software that costs nothing, and if you think about that deeply there's all sorts of interesting ways that you could spend less time maintaining libraries for other people to not pay you for them.