I saw a wild take where someone said distributions are fascist for using systemd because systemd now uses Claude for code review.
-
@thesamesam @bluca @lanodan personally, i don't even think i *care* about LLM-based reviews.
what i care about is LLM-based code generation because every time i've interacted with people using those tools to produce changesets, it's been fucking miserable
-
@thesamesam @bluca @lanodan personally, i don't even think i *care* about LLM-based reviews.
what i care about is LLM-based code generation because every time i've interacted with people using those tools to produce changesets, it's been fucking miserable
-
@thesamesam @bluca @lanodan i guess to me, it feels unnatural and jarring to argue with a chatbot in a code review.
but that is far less harmful than dealing with changesets where the author does not even fucking know what he is submitting and cannot defend his work.
*that* is true misery as a maintainer.
-
@thesamesam @lanodan @ariadne and I'm pointing out that the distinction is specious and a glaring case of double standards. Everyone uses who uses these tools does so in different ways, and you don't get to do moral grandstanding just because you arbitrarily drew a line in the sand where it's most convenient for you, and not a millimeter further. Doesn't work that way, sorry
-
@thesamesam @bluca @lanodan i guess to me, it feels unnatural and jarring to argue with a chatbot in a code review.
but that is far less harmful than dealing with changesets where the author does not even fucking know what he is submitting and cannot defend his work.
*that* is true misery as a maintainer.
@thesamesam @bluca @lanodan basically the problem is AI as force multiplier for charlatanism.
claude making it miserable for charlatans to get their PRs merged actually seems like a positive use of the technology...
-
@thesamesam @ariadne @bluca Kind of still feels bad given how overblown a lot of security vulnerabilities are (I guess ICANN and registries will get more money from website-logo vulns), plus imagine getting a big wave of low-impact security vulnerabilities.
But well that's roughly the same issues as with fuzzers, except it's combined with codegen this time. -
@thesamesam @ariadne @bluca Kind of still feels bad given how overblown a lot of security vulnerabilities are (I guess ICANN and registries will get more money from website-logo vulns), plus imagine getting a big wave of low-impact security vulnerabilities.
But well that's roughly the same issues as with fuzzers, except it's combined with codegen this time. -
@thesamesam @lanodan @bluca yes, but script kiddies also figured out how to use the fuzzers and submit slop to us with "can you tell me about your bug bounty program?"
-
@thesamesam @bluca @lanodan basically the problem is AI as force multiplier for charlatanism.
claude making it miserable for charlatans to get their PRs merged actually seems like a positive use of the technology...
@ariadne @thesamesam @lanodan of course and stuff like that gets shot into the sun with a rocket without mercy.
But you don't argue with chatbots in reviews - these days claudebot is about 90% signal-to-noise ratio. The 10% noise you just dismiss, there's no arguing involved. But that 90% of signal has got really good in the past ~3 months, and there's no point denying it. This stuff was mostly crap until end of last year, but things change, and there's nothing wrong with changing views
-
@thesamesam @lanodan @bluca yes, but script kiddies also figured out how to use the fuzzers and submit slop to us with "can you tell me about your bug bounty program?"
-
@thesamesam @lanodan @bluca yes, but script kiddies also figured out how to use the fuzzers and submit slop to us with "can you tell me about your bug bounty program?"
@ariadne @thesamesam @bluca I think it's the kind of thing where I could end up replying "Here's my hourly rate for support requests" -
I saw a wild take where someone said distributions are fascist for using systemd because systemd now uses Claude for code review.
okay. fine, I guess.
but if we are rejecting dependencies that use AI tooling, where do we go?
seriously. where do we go?
if the Linux kernel is using AI tools for codegen, then where do we go?
FreeBSD? I would put money on it that they use AI tools.
OpenBSD? NetBSD? HURD?
do we hard fork every dependency that is now tainted? do we even have the resources to do it?
FreeBSD and Illumos are the only ones reasonably close in the tech tree and I suspect both use AI tools too, as their development, like Linux, is driven by capital.
@ariadne Unfortunately we need (costly! 🤬) deep analysis of how deep the rot goes.
A good approach is multi-faceted:
- Avoiding introduction of new deps with LLM slop in them
- Holding back packages that are adopting slop when the existing package was essentially "done" and didn't need any heavy maintenance.
- Forking packages that are critical and where the LLM slop being introduced is threatening to create serious vulns or regressions.
- Watching closely in packages where the level of slop is contained so far.The stuff in Linux (kernel) is 🤮 but probably not show-stopping for now, and not easily replaceable or pinnable. But other things can be,
-
I saw a wild take where someone said distributions are fascist for using systemd because systemd now uses Claude for code review.
okay. fine, I guess.
but if we are rejecting dependencies that use AI tooling, where do we go?
seriously. where do we go?
if the Linux kernel is using AI tools for codegen, then where do we go?
FreeBSD? I would put money on it that they use AI tools.
OpenBSD? NetBSD? HURD?
do we hard fork every dependency that is now tainted? do we even have the resources to do it?
FreeBSD and Illumos are the only ones reasonably close in the tech tree and I suspect both use AI tools too, as their development, like Linux, is driven by capital.
> FreeBSD? I would put money on it that they use AI tools.
As of September they were working on a policy -- to ban it.
FreeBSD Project isn't ready to let AI commit code just yet
: But it's OK to use it for docs and translations
(www.theregister.com)
-
@ariadne @thesamesam @lanodan of course and stuff like that gets shot into the sun with a rocket without mercy.
But you don't argue with chatbots in reviews - these days claudebot is about 90% signal-to-noise ratio. The 10% noise you just dismiss, there's no arguing involved. But that 90% of signal has got really good in the past ~3 months, and there's no point denying it. This stuff was mostly crap until end of last year, but things change, and there's nothing wrong with changing views
@bluca @thesamesam @lanodan oh yes, we have been experimenting with it at work for reviews.
it has indeed gotten pretty good.
but i hesitate becoming dependent on it as a FOSS maintainer because while the first hit is free, when the economic reality catches up... it will probably be quite expensive.
-
@ariadne @thesamesam @bluca I think it's the kind of thing where I could end up replying "Here's my hourly rate for support requests"
@lanodan @ariadne @thesamesam our security bug bounty in systemd was 99.99% garbage until end of last year. Since then these tools have got way better, and I'd say there's a ~10% valid security bugs, ~70% valid bugs but not security relevant, and ~20% garbage. I'll happily take the 10% of real, valid issue found for the price of having to shoot down ~20% of garbage. The key is to have no mercy - there's no arguing or bargaining involved, a crap report gets binned, end of, no discussions
-
@ariadne I don't want to see the world eaten by AI but people use the tool and it drives results for them. There's nowhere much else to go.
It's like Stallman arguing for owning every piece of your machine - eventually, you have some closed source firmware blob. Purity vs reality.@ariadne also, you should be more concerned about whether you are actually doing fascism (i.e. snitching on your neighbors, working for the actual fascist goon army) versus vague ideological debates that the people doing Real Fascism will never even give a second thought to.
if systemd is actually fascist. You Will Know.
-
@ariadne Unfortunately we need (costly! 🤬) deep analysis of how deep the rot goes.
A good approach is multi-faceted:
- Avoiding introduction of new deps with LLM slop in them
- Holding back packages that are adopting slop when the existing package was essentially "done" and didn't need any heavy maintenance.
- Forking packages that are critical and where the LLM slop being introduced is threatening to create serious vulns or regressions.
- Watching closely in packages where the level of slop is contained so far.The stuff in Linux (kernel) is 🤮 but probably not show-stopping for now, and not easily replaceable or pinnable. But other things can be,
@ariadne I think bullet point 2 is the biggest immediatly actionable thing. If a package that's been zero churn except for an occasional bug/security fix every few years suddenly has massive new development (harfbuzz? chardet?), you have to deem that a malicious fork and stick with the last known-good version.
-
@lanodan @ariadne @thesamesam our security bug bounty in systemd was 99.99% garbage until end of last year. Since then these tools have got way better, and I'd say there's a ~10% valid security bugs, ~70% valid bugs but not security relevant, and ~20% garbage. I'll happily take the 10% of real, valid issue found for the price of having to shoot down ~20% of garbage. The key is to have no mercy - there's no arguing or bargaining involved, a crap report gets binned, end of, no discussions
@lanodan @ariadne @thesamesam the 70% of valid-bugs-but-not-vulnerabilities is kinda 50-50 our fault and the bots fault. The bots fault because it's a dumb LLM in the end, it doesn't understand the big picture (well doesn't "understand", full stop). Our fault because a lot of the security models are pretty much implicit, and scarcely documented if at all, so the bot has nothing to keep it grounded to reality
-
@lanodan @ariadne @thesamesam the 70% of valid-bugs-but-not-vulnerabilities is kinda 50-50 our fault and the bots fault. The bots fault because it's a dumb LLM in the end, it doesn't understand the big picture (well doesn't "understand", full stop). Our fault because a lot of the security models are pretty much implicit, and scarcely documented if at all, so the bot has nothing to keep it grounded to reality
@bluca @lanodan @thesamesam yes, in our own experiments at work, we are having to write a lot into the system prompt in order to inform claude about the threat model.
otherwise it does silly things like "zones have device nodes in them that allow accessing hypervisor services"
well, yes.
i would hope so.
considering that it's running in a hypervisor, and you need those services to access secure enclaves, for example.
-
@bluca @thesamesam @lanodan oh yes, we have been experimenting with it at work for reviews.
it has indeed gotten pretty good.
but i hesitate becoming dependent on it as a FOSS maintainer because while the first hit is free, when the economic reality catches up... it will probably be quite expensive.
@ariadne @thesamesam @lanodan yeah that's obviously the end goal of all this wild and absurd speculation, but capitalism gotta capitalism. At some point the bubble will pop and then we'll see what's left standing
