Ariadne Conill 🐰9h ago

I saw a wild take where someone said distributions are fascist for using systemd because systemd now uses Claude for code review.

okay. fine, I guess.

but if we are rejecting dependencies that use AI tooling, where do we go?

seriously. where do we go?

if the Linux kernel is using AI tools for codegen, then where do we go?

FreeBSD? I would put money on it that they use AI tools.

OpenBSD? NetBSD? HURD?

do we hard fork every dependency that is now tainted? do we even have the resources to do it?

FreeBSD and Illumos are the only ones reasonably close in the tech tree and I suspect both use AI tools too, as their development, like Linux, is driven by capital.

Show threadHaelwenn /элвэн/ 9h ago
@ariadne This one is all wack when like what 3~6 months ago there was a pro-systemd jerk being like "anti-systemd are all facists!"

Also yeah in terms of alternatives it's not great, so far I'm stuck with reducing as much as possible and planning to have more stuff like Plan9.
(Also pretty sure Hurd got LLM-tainted)
Show threadsam8h ago

@lanodan @ariadne re Hurd: I only saw one person doing some LLM review (not of submitted patches but they took it upon themselves to submit its findings), I don't consider that tainted and I don't think it's some sort of official effort or anything, even if I don't like it.

systemd embracing it with a CLAUDE.md, using it in all PRs, commits co-authored-by it etc is different.

Show threadbluca8h ago

@thesamesam @lanodan @ariadne

Hurd using LLMs for reviews: perfectly ok
systemd using LLMs for reviews: TAINTED

DId I get this right?

Show threadsam8h ago

@bluca @lanodan @ariadne Someone deciding to send ML output a handful of times an ML is different from it being an established part of the project, sure.

(I also didn't say "perfectly ok", it's just that it's clearly different, even if one does or doesn't like it?)

Show threadbluca8h ago
@thesamesam @lanodan @ariadne gotcha, rules for thee but not for me
Show threadsam8h ago

@bluca @lanodan @ariadne If a contributor had copilot review their PR for systemd but systemd didn't have it as part of CI or as some regular part of contribution, I'd say the same thing.

But I'm not even making rules! I'm pointing out a distinction?

Show threadAriadne Conill 🐰7h ago

@thesamesam @bluca @lanodan personally, i don't even think i *care* about LLM-based reviews.

what i care about is LLM-based code generation because every time i've interacted with people using those tools to produce changesets, it's been fucking miserable

Show threadsam7h ago

@ariadne @bluca @lanodan I've sort of come to this position as well, especially sympathising w/ what Lennart says about Bad Guys already using LLMs to find vulnerabilities, so may as well try to leverage them to do some good.

Don't love it still but I definitely feel warmer to it than the rest.

Show threadHaelwenn /элвэн/ 7h ago
@thesamesam @ariadne @bluca Kind of still feels bad given how overblown a lot of security vulnerabilities are (I guess ICANN and registries will get more money from website-logo vulns), plus imagine getting a big wave of low-impact security vulnerabilities.

But well that's roughly the same issues as with fuzzers, except it's combined with codegen this time.
Show threadsam7h ago
@lanodan @bluca @ariadne Yes, exactly, it really is fuzzers all over again, just the problem is you now have this script-kiddy enabling tech on top.
Show threadAriadne Conill 🐰7h ago
@thesamesam @lanodan @bluca yes, but script kiddies also figured out how to use the fuzzers and submit slop to us with "can you tell me about your bug bounty program?"
Show threadsam
@ariadne @lanodan @bluca yeah, and even before fuzzers with any sort of security tooling actually ("hello your CSP policy is missing on ur static website")
1:14pmWeb