The challenge with AI in open source security has transitioned from an AI slop tsunami into more of a ... plain security report tsunami. Less slop but lots of reports. Many of them really good.

I'm spending hours per day on this now. It's intense.

This trend is seen elsewhere as well. Mentioned by Willy here: https://lwn.net/Articles/1065620/
Significant raise of reports [LWN.net]

@bagder

this is both fascinating and somewhat terrifying

"we want fewer slop reports"

monkey paw curls

@bagder So it is good? Kind of?
@feyter lots of high quality reports is the good part. The challenge is the load they generate.

@bagder Since I feel there isn't much I could do to help in this, I will at least use this opportunity to thank you for doing all this work.

Thank You 🙂

@bagder “Now most of these reports are correct, to the point that we had to bring in more maintainers to help us.”

Well that’s good to see. At least it’s not the 100% made up garbage anymore.

Rough situation. Maybe this is where 2 levels of people would help? First for general + find dupes, second for bigger/trickier, passed on from first?

IDK. Such a sea change. Going to be interesting to see how the world sorts all this out.

@bagder
At least it's spending time on stuff that's somewhat worthwhile?
But still, it's a DDoS on maintainers
@dirkhh it's actually really hard to complain when the reports are good, but yeah we're still humans who need to deal with all this
@bagder @dirkhh do those reports also come with a way to fix them? Are patches attached too? In what percentage of them?
@pemensik @dirkhh very few have any attempts at fixes
@bagder @dirkhh which is in my opinion the most important problem with AI reports. If they can use AI to find issues, it should come with fixes as well. Ideally a test case attached for it as well. Then the burden on human maintainers would be only the review part, not everything else.
@pemensik @dirkhh the AIs are still better at finding problems than fixing them, in my experience
@bagder
Oh yes, by a wide margin...
They actually are also better at introducing subtle bugs than fixing them 🤷‍♂️
@pemensik
@bagder @dirkhh sure, that is expected. But a flood of many reports needs to be processed by maintainers. If they came together with a fix, it should be less work for the maintainer, in theory. If the proposal is decent enough. Cloning good maintainers is much harder than cloning AI analyzers. Increasing the number of reports won't help without increasing the number of entities fixing bugs. If you increase the first, please try also the latter.
@bagder wait a minute, that post comes a day too late? ;)
@bagder well at least it's not a waste of time anymore then.
@bagder Looking at the dashboard, curl is at an all-time low of cyclomatic complexity and has few open issues compared to previous years. Lines of docs and test cases per KLOC are at an all-time high. I think now is a good time to work on security. If there are good reports, even better. I think curl might be in the best state it has ever been.
@bagder has the ratio of vulns to reports improved compared to the slop age?
@wolf480pl yes, I think so. We still get quite a few reports we conclude are not vulnerabilities, but there are very few of the strong slop kinds now.
@bagder here is a similar experience on LWN. https://lwn.net/Articles/1065620/ something is really shifting. Thanks for keeping us up to date with the AI and security developments.

@bagder
Perhaps it's because LLMs learn very quickly. And in that way they make fewer mistakes because they have fewer biases than humans.

@bagder any feeling what the biggest change is?

Just more advanced models, or people learning to use them as proper tools instead of just prompting "find me bugs"?

@skaverat the tools are getting better, no doubt
@bagder imagine if people joined and contributed to projects instead of inundating maintainers they don't compensate with requests to do more work for free please
@bagder I'm hearing similar things from both #OpenSSL and #GnuTLS.

@neverpanic @bagder

If that hat is any indication, then both your and my (SUSE) colleagues (and I) can testify to the same. The number of CVEs (some of them spurious but most not) is completely crazy.

@bagder any thoughts what that means for AI in software development in general, not necessarily only bug/security reports?