1/ You can think that Tridge made some mistakes (I do, and he acknowledges them) and disagree with his take on GenAI (I do) but the pitchfork-wielding burn-the-witch mob being led by @davidgerard should show some humility and humanity.
-
@timbray @davidgerard I've relied on rsync for decades. It's currently how I deploy my static website to a VPS. And now I'm having to deal with figuring out a replacement strategy that isn't a total nightmare across two different package ecosystems (Arch locally, Debian remotely), because the guy betrayed the public trust.
I try not to think about people in simple "good vs evil" terms - sometimes I fail or forget, because I'm human, but I try. I don't want this story to be about that, I don't care about classifying Tridge in those terms. But this *is* a situation where a previously trustworthy person is now creating ecosystem problems, and it needs to be addressed, and it affects a lot of people. At bare minimum, I'm allowed to be upset about being put in this position by a stranger. And I'm sure not going to carry water for that stranger while he's still actively being a problem.
-
As for IP law, five years ago all of the (us) social justice warriors, well we opposed draconian IP law.
Now my erstwhile colleges are showing the same colour's as Zuck and Musk.
Very sad
-
For context: Andrew Tridgell's post, linked in David Gerard's post: https://medium.com/@tridge60/rsync-and-outrage-d9849599e5a0
@golemwire Thanks.
-
1/ You can think that Tridge made some mistakes (I do, and he acknowledges them) and disagree with his take on GenAI (I do) but the pitchfork-wielding burn-the-witch mob being led by @davidgerard should show some humility and humanity. I acknowledge I'm a bit prejudiced based on having for a few decades used Tridge's work to save my ass and achieve results that seem miraculous.
@timbray haven’t read that as I blocked davidgerard for being over the top some time ago already…
… yeah, no pitchforks. Asking to not use LLMs, and if the maintainer disagrees, exercising a fork and finding a maintainer for that. (And, of course, blocking the LLM users.)
-
2/ Furthermore I should point out that whatever you think of LLM/GenAI, if it unearths security bugs that Tridge thinks are serious (I would tend to trust his take) then they are accessible right now today to every third rate script kiddie who can run an LLM.
One can disagree with the usefulness of LLMs to generate code without thinking that its ability to generate massive dynamic fuzzing corpuses is also lacking in usefulness.
Fuzzing "to find bugs" is not a new technology -- fuzzing to find "valid programs" is new. Typically, it's the latter use of LLMs that attracts negative attention. And rsync is, in fact, that typical scenario.
(Whether a new type of fuzzer is worth the cost is a different and unrelated question.)
-
1/ You can think that Tridge made some mistakes (I do, and he acknowledges them) and disagree with his take on GenAI (I do) but the pitchfork-wielding burn-the-witch mob being led by @davidgerard should show some humility and humanity. I acknowledge I'm a bit prejudiced based on having for a few decades used Tridge's work to save my ass and achieve results that seem miraculous.
@timbray @davidgerard@circumstances.run I do not think that's a useful way of describing what's going on. He's not organising a mob. We know how this works. Mobs on social media are often emergent behaviour, that occur not because people are being organised, but because of the precise opposite; people are not communicating and so are not aware of the effect they're having.
I agree the temperature needs to be lowered. You cannot calm things down by projecting characterisations onto, and assuming motivations of, people. This is basic human psychology. No-one reacts well to that.
-
3/ And to those who say he should hand it off to one or more younger people who have the resources and skill to take good care of it, I agree and I bet he’d love that. I would prefer actual concrete people rather than an abstract assumption they exist. A good place to start would be, as Tridge asks, sending a few PRs to help restore order. Assuming the people howling for his head know what a PR is or how to build one.
@timbray Who are those people? By which I mean, who exactly is howling for Tridge's head?
-
1/ You can think that Tridge made some mistakes (I do, and he acknowledges them) and disagree with his take on GenAI (I do) but the pitchfork-wielding burn-the-witch mob being led by @davidgerard should show some humility and humanity. I acknowledge I'm a bit prejudiced based on having for a few decades used Tridge's work to save my ass and achieve results that seem miraculous.
@timbray @davidgerard if you're trying to lower the temperature of the discussion I must say you're going about it in an odd way.
My perspective as a user of rsync for decades is that it's a bad thing that I'm now aware of who maintains it and what his development strategy is. That means I no longer trust the package and I'm concerned.
The response by Tridge has been to dismiss all criticism as illegitimate. There's no way forward here.
-
@mawhrin That's exactly what David did. He posted a cartoonishly and maliciously distorted precis of what Tridge said, and as anyone who's been online for a while knows, most people aren't gonna follow the link, they're just gonna react to the post. Really shameful.
-
@abucci @timbray @davidgerard@circumstances.run
Did we not learn this back when Raiser killed his (ex) wife? Seriously.
-
One can disagree with the usefulness of LLMs to generate code without thinking that its ability to generate massive dynamic fuzzing corpuses is also lacking in usefulness.
Fuzzing "to find bugs" is not a new technology -- fuzzing to find "valid programs" is new. Typically, it's the latter use of LLMs that attracts negative attention. And rsync is, in fact, that typical scenario.
(Whether a new type of fuzzer is worth the cost is a different and unrelated question.)
@eschwartz @timbray Just a remark:
Fuzzing input to find bugs is not at all the same as fuzzing source code to find working code. In the first case, each "hit" you get is a solid demonstration of some actual bug; in the second, each "hit" is a piece of code which may or may not actually work, depending on how you verify it, and may or may not be maintenable, and extendable, and optimized, and generally manageable.
Those two "fuzzings" are nothing alike.
-
@mawhrin That's exactly what David did. He posted a cartoonishly and maliciously distorted precis of what Tridge said, and as anyone who's been online for a while knows, most people aren't gonna follow the link, they're just gonna react to the post. Really shameful.
-
@eschwartz @timbray Just a remark:
Fuzzing input to find bugs is not at all the same as fuzzing source code to find working code. In the first case, each "hit" you get is a solid demonstration of some actual bug; in the second, each "hit" is a piece of code which may or may not actually work, depending on how you verify it, and may or may not be maintenable, and extendable, and optimized, and generally manageable.
Those two "fuzzings" are nothing alike.
I think we are basically saying the same thing (possibly without you realizing it)?
As I said, fuzzing to find "valid programs" i.e. working source code is a new idea that "coding agent" salespeople are pushing. This is independent of whether they are correct that it truly exists; they're selling it. I said it's the thing that gets pushback as "slop and trash" in reply to a comment that said "whatever you think of genAI, if it [shills fuzzing input to find security bugs"].
-
I think we are basically saying the same thing (possibly without you realizing it)?
As I said, fuzzing to find "valid programs" i.e. working source code is a new idea that "coding agent" salespeople are pushing. This is independent of whether they are correct that it truly exists; they're selling it. I said it's the thing that gets pushback as "slop and trash" in reply to a comment that said "whatever you think of genAI, if it [shills fuzzing input to find security bugs"].
My goal was to push back on the idea that "fuzzing to find bugs" (a valid goal, that may not be worth the various costs of LLM) is an excuse for *also* using it to fuzz source code for "valid programs".
In particular because I dispute the claim that they are capable of fuzzing for working source code at all. Every example I've seen to date has been more effort to make it work than it would take to write naturally, and the target userbase doesn't know how to put in the work.
-
@timbray The people howling at Tridge over his use of Claude have probably been using Samba and rsync for years, explicitly or otherwise. Thanking Tridge for his service would be a good place to start.
I’m reminded of historic totalitarian regimes where some famous scientist becomes an unperson as a result of perceived sudden ideological impurity.
-
My goal was to push back on the idea that "fuzzing to find bugs" (a valid goal, that may not be worth the various costs of LLM) is an excuse for *also* using it to fuzz source code for "valid programs".
In particular because I dispute the claim that they are capable of fuzzing for working source code at all. Every example I've seen to date has been more effort to make it work than it would take to write naturally, and the target userbase doesn't know how to put in the work.
It is, indeed, a devastatingly tragic, bad use case for the generic concept of fuzzing.
Fuzzing is appealing because it lets computers do a lot of work for you in the background, filtered with "interestingness" tests like "can elicit a compiler ICE" and by definition all results are useful, although not all have equal levels of usefulness. (A compiler should never crash for any reason however unlikely.)
If you have to review for correctness at all then fuzzing doesn't help.
-
@carbsrule_en @timbray @davidgerard what do you mean?
He is doing brilliant work reacting to the torrent of valid AI generated security issues.
@worik @carbsrule_en @timbray @davidgerard "Closed, WONTFIX, fuck off" is also a valid response and doesn't cause regressions in a piece of software that is largely finished.
-
@timbray @davidgerard I've relied on rsync for decades. It's currently how I deploy my static website to a VPS. And now I'm having to deal with figuring out a replacement strategy that isn't a total nightmare across two different package ecosystems (Arch locally, Debian remotely), because the guy betrayed the public trust.
I try not to think about people in simple "good vs evil" terms - sometimes I fail or forget, because I'm human, but I try. I don't want this story to be about that, I don't care about classifying Tridge in those terms. But this *is* a situation where a previously trustworthy person is now creating ecosystem problems, and it needs to be addressed, and it affects a lot of people. At bare minimum, I'm allowed to be upset about being put in this position by a stranger. And I'm sure not going to carry water for that stranger while he's still actively being a problem.
@MaddieM4 @timbray @davidgerard I don't wish to be part of a torches and pitchforks crowd haranguing Tridge but if you're determined to replace rsync with something else take a look at https://github.com/bcpierce00/unison
I've used it on and off over the years and my only issue has been interoperability between different releases built with different OCAML versions (might or might not work, annoying to debug, don't waste time trying).
-
It is, indeed, a devastatingly tragic, bad use case for the generic concept of fuzzing.
Fuzzing is appealing because it lets computers do a lot of work for you in the background, filtered with "interestingness" tests like "can elicit a compiler ICE" and by definition all results are useful, although not all have equal levels of usefulness. (A compiler should never crash for any reason however unlikely.)
If you have to review for correctness at all then fuzzing doesn't help.
On top of that, LLMs are provably good at generating *convincingly wrong* code. Code that compiles, but has subtle bugs a human wouldn't make, because humans are geared towards making entirely different classes of mistakes, and humans are also trained to recognize those different classes of mistakes. Review doesn't *work*.
Then everyone points at the technical correctness of expensively painfully reviewed and corrected LLM code from marketing. "Look, it generates good code!"
-
@MaddieM4 @timbray @davidgerard I don't wish to be part of a torches and pitchforks crowd haranguing Tridge but if you're determined to replace rsync with something else take a look at https://github.com/bcpierce00/unison
I've used it on and off over the years and my only issue has been interoperability between different releases built with different OCAML versions (might or might not work, annoying to debug, don't waste time trying).
@rlonstein @timbray @davidgerard I hadn't even considered Unison, because it was pigeonholed in my brain as "the bidirectional sync thing" and bidirectional sync spooks me. But I bet I can figure out the args to make it do unidirectional sync, and failing that, I think I know how I can abuse git for something even faster. Thanks!
