cross-posted from: https://lemmy.zip/post/64538696

Multiple researchers using the same tools to find the same bugs are creating ‘unnecessary pain and pointless work’

[-] disorderly@lemmy.world 44 points 5 days ago

If this really is the token burn future that the AI bros want, then why does it seem like such a disorganized, leaderless clusterfuck? Why has no one developed the "AI-native vulnerability reporting framework" to not destroy the most critical projects in FOSS?

It all seems terribly shortsighted. If Linux is affected, then a hundred other projects are on the ropes.

[-] maegul@lemmy.ml 13 points 5 days ago

Yea, I fear for the future of open source. There may be some asymmetries built into LLM tech and its uses that simply undercut the FOSS system as we know it.

[-] very_well_lost@lemmy.world 11 points 5 days ago

There may be some asymmetries built into LLM tech

Brandolini's Law

The amount of energy needed to refute bullshit is an order of magnitude bigger than that needed to produce it.

[-] maegul@lemmy.ml 2 points 4 days ago

Basically, yea. Sometimes BS is right enough to find a vulnerability, but rarely good enough to patch it, kinda like finding a small leak compared to metal being welded to cover it.

[-] RobertoOberto@sh.itjust.works 6 points 4 days ago

They don't even have to be intentionally built in. Anything that generates unnecessary work for FOSS volunteers is a win for proprietary software companies.

Even an easy-to-use and well-built tool that produces good results would result in mailing list and bug report noise simply because people like to contribute. If we set aside those who are just trying to pad their resume with open source contributions and bad actors trying to disrupt FOSS projects, we're still left with a lot of well-intentioned, mostly inexperienced devs generating duplicate and/or invalid reports and requests.

Since the current state of AI tools certainly does not produce consistently good results, I don't think organizations that are hostile to FOSS projects actually need to do anything at all for them to be disruptive. Just make their shitty tools accessible and other people will significantly contribute to maintainer burnout without even intending to.

[-] WesternInfidels@feddit.online 2 points 4 days ago

Even in the glorious AI-powered future no one wants to work on docs.

[-] Franconian_Nomad@feddit.org 28 points 5 days ago

“AI tools are great, but only if they actually help, rather than cause unnecessary pain and pointless make-believe work,” he wrote. “Feel free to use them, but use them in a way that is productive and makes for a better experience.”

That’s a pretty nuanced view. I agree, but I’m not sure how many people of this community do.

[-] OwOarchist@pawb.social 26 points 5 days ago

Bug reporting is going to have to start being an invite-only thing that you have to pass a video interview for first ... and in that interview, you'll need to demonstrate your ability and willingness to manually evaluate bugs before submitting them.

[-] sonofearth@lemmy.world 5 points 5 days ago

I would agree but… well, the genie is out now. If security researchers don’t use it, hackers are still gonna use it. By creating more rules for submitting security bugs, we will just delay implementing patches.

[-] very_well_lost@lemmy.world 12 points 5 days ago

The "security researchers" aren't the problem here. It's every random amateur dev or AI enthusiast with an OpenClaw account who wants to be a security researcher, or have an excuse to put "Linux kernel contributor" on their resume.

[-] sonofearth@lemmy.world 4 points 4 days ago

The problem here is that bad actors are gonna use it as a tool to find exploits anyways. It's like you have the confirmed reports that the enemy country is going to throw nukes on the entire planet tonight and yet you would refuse to use yours just because ethics.

The question we should be asking is how we can manage those reports more effectively and efficiently so that it doesn't become "unmanageable", rather than blocking people from reporting in the first place.

[-] OwOarchist@pawb.social 6 points 4 days ago

What you're forgetting is that many -- if not most -- of these vulnerabilities/exploits are bullshit in the first place. Either very niche situations that are extremely unlikely to happen in real life or outright hallucinations.

A few of them are legitimate security concerns, sure, but the vast majority are either low priority or a complete waste of time. And the same goes for the hackers trying to find ways in -- the vast majority of the exploits they discover this way won't actually work, or will only affect a tiny minority of Linux systems that are using obscure and/or obsolete protocols. So it's not quite the 'nukes' from your hyperbole.

[-] sonofearth@lemmy.world 1 points 4 days ago

Okay, let’s say what you said is 100% right. How are you going to filter them or restrict them? OC said using a video interview. Who’s gonna conduct the interview? Who will pay the interviewer? How can we verify the answers that the interviewee gives are not AI generated? Wouldn’t reviewing the reports and the contributions instead be faster even if most of them are wrong?

[-] OwOarchist@pawb.social 2 points 4 days ago* (last edited 4 days ago)

You want a real solution?

It costs $10 for an un-vetted reporter to submit a bug report. If the developers review the bug report and find it to be valid and helpful, you get your $10 refunded and you're added to the list of vetted reporters who can submit bug reports for free. If not, the foundation keeps the $10 and uses it to help pay the salaries of people who have to review these bug reports.

[-] sonofearth@lemmy.world 2 points 4 days ago

Sounds viable tbh.

[-] RobertoOberto@sh.itjust.works 4 points 4 days ago* (last edited 4 days ago)

...just because ethics.

Not ethics, practicality. There are only so many people contributing so many hours to open source projects. It's impossible to handle the entire incoming stream of reports without some filtering.

And your analogy isn't really capturing the problem. If you want to stick with the (slightly hyperbolic) nuke analogy, it's more like getting 9 reports that nukes are going to be launched but 6 of them name different source countries, 4 of them say it'll actually be tomorrow night, 2 of them say the nukes will be unarmed for some reason, and one says it's actually bottle rockets being launched. I hope you can find them in time because they're buried among 362 other intelligence reports about god knows what, many of which are duplicates of things you already knew about. Also, you don't know any of the sources or what their motives and competency levels are.

@OwOarchist@pawb.social didn't say anything about banning AI usage at all, just that we need a better system to restrict contributions to people who can demonstrate that they can filter the noise out of their own contributions instead of just spamming mailing lists with everything their chosen tool spits out. No one is going to dump a valid bug report just because a contributor used AI to find it. They want to dump the endless stream of duplicate and invalid reports being submitted by people that don't bother confirming that the reports they're submitting are new and valid.

[-] sonofearth@lemmy.world 1 points 4 days ago

Okay, let’s say what you said is 100% right. How are you going to filter them or restrict them? OC said using a video interview. Who’s gonna conduct the interview? Who will pay the interviewer? How can we verify the answers that the interviewee gives are not AI generated? Wouldn’t reviewing the reports and the contributions instead be faster even if most of them are wrong?

[-] RobertoOberto@sh.itjust.works 2 points 4 days ago

Wouldn’t reviewing the reports and the contributions instead be faster even if most of them are wrong?

No. That's what this whole post is about. The current state is unsustainable and a better system is needed.

I don't think anybody has the answers to your other questions yet - that's the whole point of the discussion. Open source projects are facing a new challenge and the community as a whole needs to do some brainstorming and experimentation to figure out how to solve it. Video interviews may not be the right solution at all, it's just one idea among others.

[-] racketlauncher831@lemmy.ml 3 points 4 days ago

Downvoted. AI is not the issue here. It's the person behind it. They are supposed to find bugs and verify them themselves. Instead they spammed the mailing list.

[-] RockBottom@feddit.org 4 points 4 days ago

That's the increased efficiency we hear about.

[-] the_wizard_of_0Z@lemmy.ca 5 points 5 days ago

fuck gipity

this post was submitted on 18 May 2026