If your Open Source project sees a steep increase in number of high quality security reports (mostly done with AI) right now (#curl, Linux kernel, glibc confirmed) please tell me the name of this project.

(I'd like to make a little list for my coming talk on this.)

Apache httpd, curl, Django, Firefox, glibc, GnuTLS, Haproxy, libssh, Linux kernel, python, Temporal, Wireshark, wolfSSL

More?

Updated:

Apache httpd, curl, Django, Elasticsearch Python client, Firefox, git, glibc, GnuTLS, Haproxy, Immich, libssh, Linux kernel, OpenLDAP, PowerDNS, python, Sequoia PGP, Temporal, urllib3, Wireshark, wolfSSL

We can say with certainty that this is widespread.

@bagder

The next months I will call the-open source--security-apocalypse-dark-times (of death).

Because I wanted a cheerful name that makes it not seem as bad as it is. /s

@bagder

Should all responsible software be running security agents against their own software now as we do fuzzers/static analysis/tests/etc?

Or instead of being proactive do nothing? And hope it’s not just the nice people reporting the bugs that are finding the issues?

@renedudfield if you don't run AI-powered code analyzers against your own code, you'll miss out on a lot of bugs...
@renedudfield @bagder are you crazy or what?
@mirabilos @renedudfield if using whatever good tools there are to find bugs and mistakes in my code makes me crazy, then yes
@bagder @renedudfield it’s not a tool, it’s a planet-burning plagiarism machine made by fashtech, and advocating for it makes you just look bad, especially as you complained about these things last year.

@mirabilos @bagder @renedudfield Honestly: What's the alternative? Anthropic is sending bug reports to the kernel people. Should they not fix them? Not acknowledge them? Even if those companies vanished over night, those models are out there. Somebody, like nationstate actors, will run them and will find bugs that are remotely exploitable and we will all be worse off for it if they are not fixed.

The situation sucks, but bugs that are reported are bugs that can and must be fixed.

@renedudfield @lbky @bagder not acknowledge them. Throw them away unread. Write an incensed letter back telling them to stop burning the environment.

@mirabilos @renedudfield @bagder Ok, this will make you feel better and it is a morally consistent stance, but I don't think users will feel the same, if they are at the receiving end of a bug. The users on the receiving end might also be in dire straits. That might be a reason some small company gets ransomwared and goes bust or worse.

This is all morally murky and that sucks, but I will not fault anybody for running that stuff to fix bugs in their widely used software.

@lbky @renedudfield I will, and I have found reinforcement a couple of minutes ago that brings this into better English than I could: https://mstdn.social/@Editrix_Rachel/116369904032087546

meanwhile @bagder's 180° on this has made him the laughingstock of Fedi (since FOSDEM already, but seems like this perpetuates), going to switch back to GNU wget

Rachel "Red Pen" Lapidow (@Editrix_Rachel@mstdn.social)

Folks, I think we're now past the time where we can claim to be in the middle about generative AI usage. You're either for it and okay with intellectual theft, racism, land grabs, polluted water, higher power bills, and creating an addicted population that can't think. Or you're against it.