*sigh* really hate that when I have a problem with a website these days it is b/c of the browser I'm using or settings I have on the browser to limit access OR filters to block ads / trackers.
Paul Dot X
- 65 Followers
- 124 Following
- 373 Posts
network and systems security professional, part-time penetration tester, rowhome resident
@BrideOfLinux running MacOS on a vintage 2019 intel Mac Air is painful. Ubuntu on an older 2015 vintage is great. Well until I have too many tabs open. :-)
fedward 
I was thinking about "AI-assisted" coding, legal risk, and what it would mean to allow only "trivial" assistance (like formatting or "find the bug" interactive sessions) while disallowing "significant" contributions (like whole subroutines or larger blocks of code). I personally don't think it's possible to set aside the moral component of these models (stolen training data; excessive land, power, and water use and general "bad neighbor" habits; monopsony power in computer component acquisition) and I remain opposed to their use for that reason. But I think we have to assume that people who are already willing to overlook the moral component may also be willing to lie about provenance in order to land a contribution to a project.
Further, there are several large open questions about copyright in relation to agents. Is their training data truly unencumbered by copyright and licensing restrictions? Is their output copyrightable? Does even a "trivial" contribution by an agent invalidate the copyright of a larger code contribution that contains it? Is the user of a coding agent, or the user of the software generated by that agent, indemnified if the resulting code is later found to infringe a copyright or violate a license? Can an agent truly be said to output a "clean room implementation" of something when there is a non-zero chance that its training data contained the thing being reimplemented, and there is no way to verify that?
So, in general I'm against coding agents on moral grounds, and I'm also against them on legal grounds because I think any risk at all is too much risk. But on the other hand I'm intrigued by the question of "trivial" contributions, and I suspect that even projects that don't allow assistance from AI coding agents may have unwittingly accepted code that contained such "trivial" contributions. My questions are:
1. Is it possible for an AI-assisted code contribution to be "trivial" enough that it presents no legal risk, either now or in the future?
2. If so, how would you go about determining what's "trivial" and what's "significant?"
3. How could a contributor not just self-certify, but present verifiable evidence that a code contribution was legal and non-infringing and that any contribution from an agent met the "trivial" standard?
4. How could a company or open source project protect itself against a dishonest or bad faith actor who contributes code that later is found to infringe on a copyright or violate a license?
5. Who's going to pay for the damage if the worst case scenario comes to pass?
I don't have answers, but I suspect that the question of what constitutes a "trivial" contribution is going to matter a lot in the future.
Further, there are several large open questions about copyright in relation to agents. Is their training data truly unencumbered by copyright and licensing restrictions? Is their output copyrightable? Does even a "trivial" contribution by an agent invalidate the copyright of a larger code contribution that contains it? Is the user of a coding agent, or the user of the software generated by that agent, indemnified if the resulting code is later found to infringe a copyright or violate a license? Can an agent truly be said to output a "clean room implementation" of something when there is a non-zero chance that its training data contained the thing being reimplemented, and there is no way to verify that?
So, in general I'm against coding agents on moral grounds, and I'm also against them on legal grounds because I think any risk at all is too much risk. But on the other hand I'm intrigued by the question of "trivial" contributions, and I suspect that even projects that don't allow assistance from AI coding agents may have unwittingly accepted code that contained such "trivial" contributions. My questions are:
1. Is it possible for an AI-assisted code contribution to be "trivial" enough that it presents no legal risk, either now or in the future?
2. If so, how would you go about determining what's "trivial" and what's "significant?"
3. How could a contributor not just self-certify, but present verifiable evidence that a code contribution was legal and non-infringing and that any contribution from an agent met the "trivial" standard?
4. How could a company or open source project protect itself against a dishonest or bad faith actor who contributes code that later is found to infringe on a copyright or violate a license?
5. Who's going to pay for the damage if the worst case scenario comes to pass?
I don't have answers, but I suspect that the question of what constitutes a "trivial" contribution is going to matter a lot in the future.
@fedward I think you are more thoughtful than upper management in my day job......they are 100% in and forcing more AI and AI enabled automation down the line.....and they want it all done NOW to should "productivity gains" and justify the ridiculous $$$$ being spent.
the legal question was probably brushed aside b/c our lawyer are BIGGER than anyone who might sue. BUT also all the executives who chose this path will have moved on by the time there are any consequences....
Oh and my use of AI coding agents always finds them wanting when you actually know what you are doing.
@geerlingguy retro gaming for the win! got a GTX 1050ti I can sell you cheap...only $200......
corp drones: hey you with that team..please complete this SDLC required backout plan for your application
me: but I run the Pen Test team, we aren't an application.....
corp drones: you backout plan is now due in 59 days.
me: fine....he's an RPM that writes a file to /etc......happy now
corp drones: thank you for checking the box......we don't understand what an RPM is but if you have a backout plan we are happy.....
been playing with AI chats to take a create DB SQL, describe relationships and output an updated design ...... this isn't some over complex thing and so far all the free responses are shall we say lacking
RE: https://hachyderm.io/@tankgrrl/116242492898202209
dude... going to vibe code away all this COBOL in RUST using Claude Code.....what could go wrong?
A BIG problem I keep seeing is people who do NOT understand the scale involved in some systems / tasks.
@SwiftOnSecurity I have management that pretty much uses LLMs for everything....and it is so obvious my co-worker's teenager noticed shoulder surfing.....
when management thinks LLMs are creative it might be a sign....