I saw a wild take where someone said distributions are fascist for using systemd because systemd now uses Claude for code review.
-
@thesamesam @lanodan @bluca yes, but script kiddies also figured out how to use the fuzzers and submit slop to us with "can you tell me about your bug bounty program?"
-
@thesamesam @bluca @lanodan basically the problem is AI as force multiplier for charlatanism.
claude making it miserable for charlatans to get their PRs merged actually seems like a positive use of the technology...
@ariadne @thesamesam @lanodan of course and stuff like that gets shot into the sun with a rocket without mercy.
But you don't argue with chatbots in reviews - these days claudebot is about 90% signal-to-noise ratio. The 10% noise you just dismiss, there's no arguing involved. But that 90% of signal has got really good in the past ~3 months, and there's no point denying it. This stuff was mostly crap until end of last year, but things change, and there's nothing wrong with changing views
-
@thesamesam @lanodan @bluca yes, but script kiddies also figured out how to use the fuzzers and submit slop to us with "can you tell me about your bug bounty program?"
-
@thesamesam @lanodan @bluca yes, but script kiddies also figured out how to use the fuzzers and submit slop to us with "can you tell me about your bug bounty program?"
@ariadne @thesamesam @bluca I think it's the kind of thing where I could end up replying "Here's my hourly rate for support requests" -
I saw a wild take where someone said distributions are fascist for using systemd because systemd now uses Claude for code review.
okay. fine, I guess.
but if we are rejecting dependencies that use AI tooling, where do we go?
seriously. where do we go?
if the Linux kernel is using AI tools for codegen, then where do we go?
FreeBSD? I would put money on it that they use AI tools.
OpenBSD? NetBSD? HURD?
do we hard fork every dependency that is now tainted? do we even have the resources to do it?
FreeBSD and Illumos are the only ones reasonably close in the tech tree and I suspect both use AI tools too, as their development, like Linux, is driven by capital.
@ariadne Unfortunately we need (costly! 🤬) deep analysis of how deep the rot goes.
A good approach is multi-faceted:
- Avoiding introduction of new deps with LLM slop in them
- Holding back packages that are adopting slop when the existing package was essentially "done" and didn't need any heavy maintenance.
- Forking packages that are critical and where the LLM slop being introduced is threatening to create serious vulns or regressions.
- Watching closely in packages where the level of slop is contained so far.The stuff in Linux (kernel) is 🤮 but probably not show-stopping for now, and not easily replaceable or pinnable. But other things can be,
-
I saw a wild take where someone said distributions are fascist for using systemd because systemd now uses Claude for code review.
okay. fine, I guess.
but if we are rejecting dependencies that use AI tooling, where do we go?
seriously. where do we go?
if the Linux kernel is using AI tools for codegen, then where do we go?
FreeBSD? I would put money on it that they use AI tools.
OpenBSD? NetBSD? HURD?
do we hard fork every dependency that is now tainted? do we even have the resources to do it?
FreeBSD and Illumos are the only ones reasonably close in the tech tree and I suspect both use AI tools too, as their development, like Linux, is driven by capital.
> FreeBSD? I would put money on it that they use AI tools.
As of September they were working on a policy -- to ban it.
FreeBSD Project isn't ready to let AI commit code just yet
: But it's OK to use it for docs and translations
(www.theregister.com)
-
@ariadne @thesamesam @lanodan of course and stuff like that gets shot into the sun with a rocket without mercy.
But you don't argue with chatbots in reviews - these days claudebot is about 90% signal-to-noise ratio. The 10% noise you just dismiss, there's no arguing involved. But that 90% of signal has got really good in the past ~3 months, and there's no point denying it. This stuff was mostly crap until end of last year, but things change, and there's nothing wrong with changing views
@bluca @thesamesam @lanodan oh yes, we have been experimenting with it at work for reviews.
it has indeed gotten pretty good.
but i hesitate becoming dependent on it as a FOSS maintainer because while the first hit is free, when the economic reality catches up... it will probably be quite expensive.
-
@ariadne @thesamesam @bluca I think it's the kind of thing where I could end up replying "Here's my hourly rate for support requests"
@lanodan @ariadne @thesamesam our security bug bounty in systemd was 99.99% garbage until end of last year. Since then these tools have got way better, and I'd say there's a ~10% valid security bugs, ~70% valid bugs but not security relevant, and ~20% garbage. I'll happily take the 10% of real, valid issue found for the price of having to shoot down ~20% of garbage. The key is to have no mercy - there's no arguing or bargaining involved, a crap report gets binned, end of, no discussions
-
@ariadne I don't want to see the world eaten by AI but people use the tool and it drives results for them. There's nowhere much else to go.
It's like Stallman arguing for owning every piece of your machine - eventually, you have some closed source firmware blob. Purity vs reality.@ariadne also, you should be more concerned about whether you are actually doing fascism (i.e. snitching on your neighbors, working for the actual fascist goon army) versus vague ideological debates that the people doing Real Fascism will never even give a second thought to.
if systemd is actually fascist. You Will Know.
-
@ariadne Unfortunately we need (costly! 🤬) deep analysis of how deep the rot goes.
A good approach is multi-faceted:
- Avoiding introduction of new deps with LLM slop in them
- Holding back packages that are adopting slop when the existing package was essentially "done" and didn't need any heavy maintenance.
- Forking packages that are critical and where the LLM slop being introduced is threatening to create serious vulns or regressions.
- Watching closely in packages where the level of slop is contained so far.The stuff in Linux (kernel) is 🤮 but probably not show-stopping for now, and not easily replaceable or pinnable. But other things can be,
@ariadne I think bullet point 2 is the biggest immediatly actionable thing. If a package that's been zero churn except for an occasional bug/security fix every few years suddenly has massive new development (harfbuzz? chardet?), you have to deem that a malicious fork and stick with the last known-good version.
-
@lanodan @ariadne @thesamesam our security bug bounty in systemd was 99.99% garbage until end of last year. Since then these tools have got way better, and I'd say there's a ~10% valid security bugs, ~70% valid bugs but not security relevant, and ~20% garbage. I'll happily take the 10% of real, valid issue found for the price of having to shoot down ~20% of garbage. The key is to have no mercy - there's no arguing or bargaining involved, a crap report gets binned, end of, no discussions
@lanodan @ariadne @thesamesam the 70% of valid-bugs-but-not-vulnerabilities is kinda 50-50 our fault and the bots fault. The bots fault because it's a dumb LLM in the end, it doesn't understand the big picture (well doesn't "understand", full stop). Our fault because a lot of the security models are pretty much implicit, and scarcely documented if at all, so the bot has nothing to keep it grounded to reality
-
@lanodan @ariadne @thesamesam the 70% of valid-bugs-but-not-vulnerabilities is kinda 50-50 our fault and the bots fault. The bots fault because it's a dumb LLM in the end, it doesn't understand the big picture (well doesn't "understand", full stop). Our fault because a lot of the security models are pretty much implicit, and scarcely documented if at all, so the bot has nothing to keep it grounded to reality
@bluca @lanodan @thesamesam yes, in our own experiments at work, we are having to write a lot into the system prompt in order to inform claude about the threat model.
otherwise it does silly things like "zones have device nodes in them that allow accessing hypervisor services"
well, yes.
i would hope so.
considering that it's running in a hypervisor, and you need those services to access secure enclaves, for example.
-
@bluca @thesamesam @lanodan oh yes, we have been experimenting with it at work for reviews.
it has indeed gotten pretty good.
but i hesitate becoming dependent on it as a FOSS maintainer because while the first hit is free, when the economic reality catches up... it will probably be quite expensive.
@ariadne @thesamesam @lanodan yeah that's obviously the end goal of all this wild and absurd speculation, but capitalism gotta capitalism. At some point the bubble will pop and then we'll see what's left standing
-
@ariadne I don't want to see the world eaten by AI but people use the tool and it drives results for them. There's nowhere much else to go.
It's like Stallman arguing for owning every piece of your machine - eventually, you have some closed source firmware blob. Purity vs reality.@omnirabbit @ariadne I'm a pragmatist, but do appreciate it there being an effort to denounce and fight these kinds of involutions, even when it is taken to extremes I disagree with. It's the most practical example of the Overton window. Without the shift to the opposite extreme, the situation would devolve much faster.
-
@ariadne also, you should be more concerned about whether you are actually doing fascism (i.e. snitching on your neighbors, working for the actual fascist goon army) versus vague ideological debates that the people doing Real Fascism will never even give a second thought to.
if systemd is actually fascist. You Will Know.
@omnirabbit @ariadne (let's say that the age thing doesn't shine a positive light on systemd either)
-
@omnirabbit @ariadne (let's say that the age thing doesn't shine a positive light on systemd either)
@oblomov @omnirabbit what "age thing"
it's a fucking optional field in a user database for birthdate
they aren't enforcing anything or anything like that.
it is a field in a schema.
vcard also has a field for birthdate. is it also fascist?
-
@oblomov @omnirabbit what "age thing"
it's a fucking optional field in a user database for birthdate
they aren't enforcing anything or anything like that.
it is a field in a schema.
vcard also has a field for birthdate. is it also fascist?
why was the field added?
(VCARD has a lot of field for PII. Heck's, it's basically just PII> That doesn't mean that systemd should have that same information. They are different tools for different purposes.)
-
I saw a wild take where someone said distributions are fascist for using systemd because systemd now uses Claude for code review.
okay. fine, I guess.
but if we are rejecting dependencies that use AI tooling, where do we go?
seriously. where do we go?
if the Linux kernel is using AI tools for codegen, then where do we go?
FreeBSD? I would put money on it that they use AI tools.
OpenBSD? NetBSD? HURD?
do we hard fork every dependency that is now tainted? do we even have the resources to do it?
FreeBSD and Illumos are the only ones reasonably close in the tech tree and I suspect both use AI tools too, as their development, like Linux, is driven by capital.
@ariadne honestly i don't have the resources to ensure that every part of my stack is untainted and i've slowly made peace with this. I expect software quality to degrade, and I'm keeping that largely to the sphere outside my control, although I do try to keep make a note of projects which are not doing that (https://codeberg.org/brib/slopfree-software-index).
But I haven't made peace with working with code which has been slop generated without hefty hazard pay. I used to love the idea of open source as a digital commons and really wanted to contribute to it, but the recent sloppification has really crushed my dreams in this area
-
@ariadne honestly i don't have the resources to ensure that every part of my stack is untainted and i've slowly made peace with this. I expect software quality to degrade, and I'm keeping that largely to the sphere outside my control, although I do try to keep make a note of projects which are not doing that (https://codeberg.org/brib/slopfree-software-index).
But I haven't made peace with working with code which has been slop generated without hefty hazard pay. I used to love the idea of open source as a digital commons and really wanted to contribute to it, but the recent sloppification has really crushed my dreams in this area
@brib fwiw, pkgconf does not allow agents to work autonomously in our tree as a matter of policy:
pkgconf/CONTRIBUTING.md at master · pkgconf/pkgconf
package compiler and linker metadata toolkit. Contribute to pkgconf/pkgconf development by creating an account on GitHub.
GitHub (github.com)
-
I saw a wild take where someone said distributions are fascist for using systemd because systemd now uses Claude for code review.
okay. fine, I guess.
but if we are rejecting dependencies that use AI tooling, where do we go?
seriously. where do we go?
if the Linux kernel is using AI tools for codegen, then where do we go?
FreeBSD? I would put money on it that they use AI tools.
OpenBSD? NetBSD? HURD?
do we hard fork every dependency that is now tainted? do we even have the resources to do it?
FreeBSD and Illumos are the only ones reasonably close in the tech tree and I suspect both use AI tools too, as their development, like Linux, is driven by capital.
@ariadne yeah, its looks like more and more code it going to be tainted or produced by LLMs in some way. It seems unavoidable, so I guess we need more ergonomic tools for safely running untrusted code to protect as much as is possible from its flaws. But, I think even before there were LLMs this was the case. I haven't audited all of the code my computer runs and some is very flawed I'm sure.
