SecurityCRob


End-of-Life (#EOL) software is creating permanent security risks that can’t be patched away.

Join us today at 11am EST as we unpack the 2026 State of the Software Supply Chain Report and share strategies to tackle "forever risks."

Save your spot: https://webinars.sonatype.com/wcc/eh/5011667/lp/5216592/modern-vulnerability-management?utm_source=partner&utm_medium=openssf&utm_campaign=sscr%20webinar

@fx @Sempf /me has a sad
@Sempf How the US reacts to this is still being formulated. They expressed that AI was a matter of national security, but I haven’t personally seen much motion from them on this (but that’s probably above my pay grade to get that invitation).
@Sempf From an EU regulator standpoint, “when a manufacturer becomes aware of <an actively exploited vuln> or <a severe incident> they have 24hrs to report that to authorities.” So if the robots are filing issues with maintainers automagically, the vendor is responsible for monitoring and reacting to that. Upstream doesn’t have legal obligations, but every downstream that uses the software will immediately start poking upstream for fixes. If the vendor isn’t monitoring upstream, that could be considered negligence. TL;DR: this is going to put even more intense pressure on the whole system, and I fear maintainers will be challenged to keep pace with all the noise.
@tychotithonus @Sempf I've posed the question to our AI/ML working group Slack (where the really smart robot-people within the OpenSSF hang out). I'll let you know what the smarter people come back with, or feel free to hop onto #wg-ai-ml-security on the public OpenSSF Slack.
@Sempf @tychotithonus Ha! I see you found that. The Python folks were on about that yesterday. The GitHub comments behind this are equal parts horrifying and hilarious.
@Sempf @tychotithonus doing fine! 2026 travel is about to ramp back up soon though. I’ve enjoyed my snow cave here and will be sad to leave!
@Sempf @tychotithonus the frontier model companies aren’t as engaged with the ecosystem like the hyperscalers, but I could ask my pals at the big3 and extrapolate from there.
@Sempf @tychotithonus I have not personally seen that, but AI-things change every 5 minutes. I have been more focused on trying to help maintainers with the massive uptick of AI-slop reporting. Let me ask around tomorrow and see if anyone in the community is aware of such a thing.
@Sempf @tychotithonus I always enjoy a nice chat with @Sempf !!