I saw a wild take where someone said distributions are fascist for using systemd because systemd now uses Claude for code review.
-
@ariadne @thesamesam @bluca I think it's the kind of thing where I could end up replying "Here's my hourly rate for support requests"
@lanodan @ariadne @thesamesam our security bug bounty in systemd was 99.99% garbage until end of last year. Since then these tools have got way better, and I'd say there's a ~10% valid security bugs, ~70% valid bugs but not security relevant, and ~20% garbage. I'll happily take the 10% of real, valid issue found for the price of having to shoot down ~20% of garbage. The key is to have no mercy - there's no arguing or bargaining involved, a crap report gets binned, end of, no discussions
-
@ariadne I don't want to see the world eaten by AI but people use the tool and it drives results for them. There's nowhere much else to go.
It's like Stallman arguing for owning every piece of your machine - eventually, you have some closed source firmware blob. Purity vs reality.@ariadne also, you should be more concerned about whether you are actually doing fascism (i.e. snitching on your neighbors, working for the actual fascist goon army) versus vague ideological debates that the people doing Real Fascism will never even give a second thought to.
if systemd is actually fascist. You Will Know.
-
@ariadne Unfortunately we need (costly! 🤬) deep analysis of how deep the rot goes.
A good approach is multi-faceted:
- Avoiding introduction of new deps with LLM slop in them
- Holding back packages that are adopting slop when the existing package was essentially "done" and didn't need any heavy maintenance.
- Forking packages that are critical and where the LLM slop being introduced is threatening to create serious vulns or regressions.
- Watching closely in packages where the level of slop is contained so far.The stuff in Linux (kernel) is 🤮 but probably not show-stopping for now, and not easily replaceable or pinnable. But other things can be,
@ariadne I think bullet point 2 is the biggest immediatly actionable thing. If a package that's been zero churn except for an occasional bug/security fix every few years suddenly has massive new development (harfbuzz? chardet?), you have to deem that a malicious fork and stick with the last known-good version.
-
@lanodan @ariadne @thesamesam our security bug bounty in systemd was 99.99% garbage until end of last year. Since then these tools have got way better, and I'd say there's a ~10% valid security bugs, ~70% valid bugs but not security relevant, and ~20% garbage. I'll happily take the 10% of real, valid issue found for the price of having to shoot down ~20% of garbage. The key is to have no mercy - there's no arguing or bargaining involved, a crap report gets binned, end of, no discussions
@lanodan @ariadne @thesamesam the 70% of valid-bugs-but-not-vulnerabilities is kinda 50-50 our fault and the bots fault. The bots fault because it's a dumb LLM in the end, it doesn't understand the big picture (well doesn't "understand", full stop). Our fault because a lot of the security models are pretty much implicit, and scarcely documented if at all, so the bot has nothing to keep it grounded to reality
-
@lanodan @ariadne @thesamesam the 70% of valid-bugs-but-not-vulnerabilities is kinda 50-50 our fault and the bots fault. The bots fault because it's a dumb LLM in the end, it doesn't understand the big picture (well doesn't "understand", full stop). Our fault because a lot of the security models are pretty much implicit, and scarcely documented if at all, so the bot has nothing to keep it grounded to reality
@bluca @lanodan @thesamesam yes, in our own experiments at work, we are having to write a lot into the system prompt in order to inform claude about the threat model.
otherwise it does silly things like "zones have device nodes in them that allow accessing hypervisor services"
well, yes.
i would hope so.
considering that it's running in a hypervisor, and you need those services to access secure enclaves, for example.
-
@bluca @thesamesam @lanodan oh yes, we have been experimenting with it at work for reviews.
it has indeed gotten pretty good.
but i hesitate becoming dependent on it as a FOSS maintainer because while the first hit is free, when the economic reality catches up... it will probably be quite expensive.
@ariadne @thesamesam @lanodan yeah that's obviously the end goal of all this wild and absurd speculation, but capitalism gotta capitalism. At some point the bubble will pop and then we'll see what's left standing
-
@ariadne I don't want to see the world eaten by AI but people use the tool and it drives results for them. There's nowhere much else to go.
It's like Stallman arguing for owning every piece of your machine - eventually, you have some closed source firmware blob. Purity vs reality.@omnirabbit @ariadne I'm a pragmatist, but do appreciate it there being an effort to denounce and fight these kinds of involutions, even when it is taken to extremes I disagree with. It's the most practical example of the Overton window. Without the shift to the opposite extreme, the situation would devolve much faster.
-
@ariadne also, you should be more concerned about whether you are actually doing fascism (i.e. snitching on your neighbors, working for the actual fascist goon army) versus vague ideological debates that the people doing Real Fascism will never even give a second thought to.
if systemd is actually fascist. You Will Know.
@omnirabbit @ariadne (let's say that the age thing doesn't shine a positive light on systemd either)
-
@omnirabbit @ariadne (let's say that the age thing doesn't shine a positive light on systemd either)
@oblomov @omnirabbit what "age thing"
it's a fucking optional field in a user database for birthdate
they aren't enforcing anything or anything like that.
it is a field in a schema.
vcard also has a field for birthdate. is it also fascist?
-
@oblomov @omnirabbit what "age thing"
it's a fucking optional field in a user database for birthdate
they aren't enforcing anything or anything like that.
it is a field in a schema.
vcard also has a field for birthdate. is it also fascist?
why was the field added?
(VCARD has a lot of field for PII. Heck's, it's basically just PII> That doesn't mean that systemd should have that same information. They are different tools for different purposes.)
-
I saw a wild take where someone said distributions are fascist for using systemd because systemd now uses Claude for code review.
okay. fine, I guess.
but if we are rejecting dependencies that use AI tooling, where do we go?
seriously. where do we go?
if the Linux kernel is using AI tools for codegen, then where do we go?
FreeBSD? I would put money on it that they use AI tools.
OpenBSD? NetBSD? HURD?
do we hard fork every dependency that is now tainted? do we even have the resources to do it?
FreeBSD and Illumos are the only ones reasonably close in the tech tree and I suspect both use AI tools too, as their development, like Linux, is driven by capital.
@ariadne honestly i don't have the resources to ensure that every part of my stack is untainted and i've slowly made peace with this. I expect software quality to degrade, and I'm keeping that largely to the sphere outside my control, although I do try to keep make a note of projects which are not doing that (https://codeberg.org/brib/slopfree-software-index).
But I haven't made peace with working with code which has been slop generated without hefty hazard pay. I used to love the idea of open source as a digital commons and really wanted to contribute to it, but the recent sloppification has really crushed my dreams in this area
-
@ariadne honestly i don't have the resources to ensure that every part of my stack is untainted and i've slowly made peace with this. I expect software quality to degrade, and I'm keeping that largely to the sphere outside my control, although I do try to keep make a note of projects which are not doing that (https://codeberg.org/brib/slopfree-software-index).
But I haven't made peace with working with code which has been slop generated without hefty hazard pay. I used to love the idea of open source as a digital commons and really wanted to contribute to it, but the recent sloppification has really crushed my dreams in this area
@brib fwiw, pkgconf does not allow agents to work autonomously in our tree as a matter of policy:
pkgconf/CONTRIBUTING.md at master · pkgconf/pkgconf
package compiler and linker metadata toolkit. Contribute to pkgconf/pkgconf development by creating an account on GitHub.
GitHub (github.com)
-
I saw a wild take where someone said distributions are fascist for using systemd because systemd now uses Claude for code review.
okay. fine, I guess.
but if we are rejecting dependencies that use AI tooling, where do we go?
seriously. where do we go?
if the Linux kernel is using AI tools for codegen, then where do we go?
FreeBSD? I would put money on it that they use AI tools.
OpenBSD? NetBSD? HURD?
do we hard fork every dependency that is now tainted? do we even have the resources to do it?
FreeBSD and Illumos are the only ones reasonably close in the tech tree and I suspect both use AI tools too, as their development, like Linux, is driven by capital.
@ariadne yeah, its looks like more and more code it going to be tainted or produced by LLMs in some way. It seems unavoidable, so I guess we need more ergonomic tools for safely running untrusted code to protect as much as is possible from its flaws. But, I think even before there were LLMs this was the case. I haven't audited all of the code my computer runs and some is very flawed I'm sure.
-
@thesamesam @bluca @lanodan i guess to me, it feels unnatural and jarring to argue with a chatbot in a code review.
but that is far less harmful than dealing with changesets where the author does not even fucking know what he is submitting and cannot defend his work.
*that* is true misery as a maintainer.
@ariadne @thesamesam @bluca @lanodan The end-user should always be responsible for what they deliver, no matter the tools. Then any excuses like "AI wrote it" would not have any rights to defend the user.
-
I saw a wild take where someone said distributions are fascist for using systemd because systemd now uses Claude for code review.
okay. fine, I guess.
but if we are rejecting dependencies that use AI tooling, where do we go?
seriously. where do we go?
if the Linux kernel is using AI tools for codegen, then where do we go?
FreeBSD? I would put money on it that they use AI tools.
OpenBSD? NetBSD? HURD?
do we hard fork every dependency that is now tainted? do we even have the resources to do it?
FreeBSD and Illumos are the only ones reasonably close in the tech tree and I suspect both use AI tools too, as their development, like Linux, is driven by capital.
@ariadne well, as a developer who has been writing linux kernel code since back in about 2001 or so (actually I think it was something alsa/bluetooth related so probably user space at that point, but … I remember digging deep) - I don’t think it’s feasible to continue OSS without making use of gen AI in development.
Its like saying we can’t use C, everything has to be ASM.
That doesn’t mean developers don’t need to read or understand the code anymore before committing. But a hard ban? Idk.
-
@ariadne @thesamesam @bluca @lanodan The end-user should always be responsible for what they deliver, no matter the tools. Then any excuses like "AI wrote it" would not have any rights to defend the user.
@aronowski @thesamesam @bluca @lanodan yes, that is basically the pkgconf contribution policy in a nutshell.
we have taken some steps to tell agentic tools to fuck off though, because i do not want to deal with it
-
@ariadne it's protestantism but swapping the god from the ethereal one to "reason". if you are bad you are tainted permanently and must stone; if they stopped using AI tools it would also not be enough because they are "tainted".
this pattern repeats over and over from people who unlearned one piece but didn't deprogram the religious dogmatic patterns, and you end up here.
is Linux foundation funding the destruction of jobs, removing human contributions, destroying the world with debt, any of that? of course not! but it's still dogma.
I don't have a good answer to this, just to remind people what the actual goals and actions of orgs are and hope they listen.
@omnirabbit @ariadne I'm not sure. Cory Doctorow had a well-known post a month or so ago where he described a hard anti-LLM stance as "purity culture", and that produced a significant backlash, with people saying that the moral issue in this case was clear enough to justify complete abstinence. But I guess that doesn't necessarily extend to considering non-abstaining dependencies as tainted.
-
@omnirabbit @ariadne I'm not sure. Cory Doctorow had a well-known post a month or so ago where he described a hard anti-LLM stance as "purity culture", and that produced a significant backlash, with people saying that the moral issue in this case was clear enough to justify complete abstinence. But I guess that doesn't necessarily extend to considering non-abstaining dependencies as tainted.
@omnirabbit @ariadne Your argument resonates with me, because I grew up immersed in evangelicalism, so I realize that I still need to deprogram the broader religious dogmatic patterns. But then you have people, especialy here on fedi, who are absolutely certain that using LLMs is bad and that the analogy to religious purity is wrong.
-
@ariadne @distractions i feel like the decades we've managed already are worth something.
-
I saw a wild take where someone said distributions are fascist for using systemd because systemd now uses Claude for code review.
okay. fine, I guess.
but if we are rejecting dependencies that use AI tooling, where do we go?
seriously. where do we go?
if the Linux kernel is using AI tools for codegen, then where do we go?
FreeBSD? I would put money on it that they use AI tools.
OpenBSD? NetBSD? HURD?
do we hard fork every dependency that is now tainted? do we even have the resources to do it?
FreeBSD and Illumos are the only ones reasonably close in the tech tree and I suspect both use AI tools too, as their development, like Linux, is driven by capital.
@ariadne i do wonder what a path away from this (that isn't "everyone agrees that doing that is bad") looks like
