1/ You can think that Tridge made some mistakes (I do, and he acknowledges them) and disagree with his take on GenAI (I do) but the pitchfork-wielding burn-the-witch mob being led by @davidgerard should show some humility and humanity.
-
@mawhrin Huh? I stand by every word.
@timbray did you not write that david leads a pitchfork-wielding burn-the-witch mob?
i just finished reading that thread, and while some people weren't too pleasant, accusing david of organising a harassment campaign – which you just did – is inappropriate.
-
@timbray did you not write that david leads a pitchfork-wielding burn-the-witch mob?
i just finished reading that thread, and while some people weren't too pleasant, accusing david of organising a harassment campaign – which you just did – is inappropriate.
@mawhrin That's exactly what David did. He posted a cartoonishly and maliciously distorted precis of what Tridge said, and as anyone who's been online for a while knows, most people aren't gonna follow the link, they're just gonna react to the post. Really shameful.
-
@timbray did you not write that david leads a pitchfork-wielding burn-the-witch mob?
i just finished reading that thread, and while some people weren't too pleasant, accusing david of organising a harassment campaign – which you just did – is inappropriate.
@timbray (i'm really tired watching people excuse the Great Men Of Free Software of characterising other people's reasonable criticism as “foaming off the mouth”, a direct reference to rabies, while tone policing everyone else)
-
@mawhrin That's exactly what David did. He posted a cartoonishly and maliciously distorted precis of what Tridge said, and as anyone who's been online for a while knows, most people aren't gonna follow the link, they're just gonna react to the post. Really shameful.
@timbray @mawhrin no I just checked again. It's an entirely accurate and even-handed summary of Tridge's incredibly tone-deaf blog post.
He's just repeating the same old LLM apologia and characterizing everyone who is criticizing him as ignorant. It's a super bad look and the blog itself is WAY more damning than David's summary.
-
@mawhrin That's exactly what David did. He posted a cartoonishly and maliciously distorted precis of what Tridge said, and as anyone who's been online for a while knows, most people aren't gonna follow the link, they're just gonna react to the post. Really shameful.
@timbray i would perhaps believe you if i didn't read the following thread. but i did, and i call bullshit: this simply did not happen.
(and you can't even tell me i did not see all the replies: we're running the mastodon version that includes the improvements that complete the comment threads.)
-
For context: Andrew Tridgell's post, linked in David Gerard's post: https://medium.com/@tridge60/rsync-and-outrage-d9849599e5a0
@golemwire @timbray thank you for posting this...
-
@timbray @davidgerard all in all I think it's just very sad and another example that one-time brilliance does not guarantee that it flows on, like Linus Pauling trying to cure everything with vitamin C. Or Watson and Crick being racist and eugenicist.
@carbsrule_en @timbray @davidgerard what do you mean?
He is doing brilliant work reacting to the torrent of valid AI generated security issues.
-
@timbray @davidgerard I've relied on rsync for decades. It's currently how I deploy my static website to a VPS. And now I'm having to deal with figuring out a replacement strategy that isn't a total nightmare across two different package ecosystems (Arch locally, Debian remotely), because the guy betrayed the public trust.
I try not to think about people in simple "good vs evil" terms - sometimes I fail or forget, because I'm human, but I try. I don't want this story to be about that, I don't care about classifying Tridge in those terms. But this *is* a situation where a previously trustworthy person is now creating ecosystem problems, and it needs to be addressed, and it affects a lot of people. At bare minimum, I'm allowed to be upset about being put in this position by a stranger. And I'm sure not going to carry water for that stranger while he's still actively being a problem.
-
As for IP law, five years ago all of the (us) social justice warriors, well we opposed draconian IP law.
Now my erstwhile colleagues are showing the same colours as Zuck and Musk.
Very sad
-
For context: Andrew Tridgell's post, linked in David Gerard's post: https://medium.com/@tridge60/rsync-and-outrage-d9849599e5a0
@golemwire Thanks.
-
1/ You can think that Tridge made some mistakes (I do, and he acknowledges them) and disagree with his take on GenAI (I do) but the pitchfork-wielding burn-the-witch mob being led by @davidgerard should show some humility and humanity. I acknowledge I'm a bit prejudiced based on having for a few decades used Tridge's work to save my ass and achieve results that seem miraculous.
@timbray haven’t read that as I blocked davidgerard for being over the top some time ago already…
… yeah, no pitchforks. Asking to not use LLMs, and if the maintainer disagrees, exercising a fork and finding a maintainer for that. (And, of course, blocking the LLM users.)
-
2/ Furthermore I should point out that whatever you think of LLM/GenAI, if it unearths security bugs that Tridge thinks are serious (I would tend to trust his take) then they are accessible right now today to every third rate script kiddie who can run an LLM.
One can disagree with the usefulness of LLMs to generate code without thinking that its ability to generate massive dynamic fuzzing corpuses is also lacking in usefulness.
Fuzzing "to find bugs" is not a new technology -- fuzzing to find "valid programs" is new. Typically, it's the latter use of LLMs that attracts negative attention. And rsync is, in fact, that typical scenario.
(Whether a new type of fuzzer is worth the cost is a different and unrelated question.)
-
1/ You can think that Tridge made some mistakes (I do, and he acknowledges them) and disagree with his take on GenAI (I do) but the pitchfork-wielding burn-the-witch mob being led by @davidgerard should show some humility and humanity. I acknowledge I'm a bit prejudiced based on having for a few decades used Tridge's work to save my ass and achieve results that seem miraculous.
@timbray @davidgerard@circumstances.run I do not think that's a useful way of describing what's going on. He's not organising a mob. We know how this works. Mobs on social media are often emergent behaviour, that occur not because people are being organised, but because of the precise opposite; people are not communicating and so are not aware of the effect they're having.
I agree the temperature needs to be lowered. You cannot calm things down by projecting characterisations onto, and assuming motivations of, people. This is basic human psychology. No-one reacts well to that.
-
3/ And to those who say he should hand it off to one or more younger people who have the resources and skill to take good care of it, I agree and I bet he’d love that. I would prefer actual concrete people rather than an abstract assumption they exist. A good place to start would be, as Tridge asks, sending a few PRs to help restore order. Assuming the people howling for his head know what a PR is or how to build one.
@timbray Who are those people? By which I mean, who exactly is howling for Tridge's head?
-
1/ You can think that Tridge made some mistakes (I do, and he acknowledges them) and disagree with his take on GenAI (I do) but the pitchfork-wielding burn-the-witch mob being led by @davidgerard should show some humility and humanity. I acknowledge I'm a bit prejudiced based on having for a few decades used Tridge's work to save my ass and achieve results that seem miraculous.
@timbray @davidgerard if you're trying to lower the temperature of the discussion I must say you're going about it in an odd way.
My perspective as a user of rsync for decades is that it's a bad thing that I'm now aware of who maintains it and what his development strategy is. That means I no longer trust the package and I'm concerned.
The response by Tridge has been to dismiss all criticism as illegitimate. There's no way forward here.
-
@abucci @timbray @davidgerard@circumstances.run
Did we not learn this back when Reiser killed his (ex) wife? Seriously.
-
One can disagree with the usefulness of LLMs to generate code without thinking that its ability to generate massive dynamic fuzzing corpuses is also lacking in usefulness.
Fuzzing "to find bugs" is not a new technology -- fuzzing to find "valid programs" is new. Typically, it's the latter use of LLMs that attracts negative attention. And rsync is, in fact, that typical scenario.
(Whether a new type of fuzzer is worth the cost is a different and unrelated question.)
@eschwartz @timbray Just a remark:
Fuzzing input to find bugs is not at all the same as fuzzing source code to find working code. In the first case, each "hit" you get is a solid demonstration of some actual bug; in the second, each "hit" is a piece of code which may or may not actually work, depending on how you verify it, and may or may not be maintainable, and extendable, and optimized, and generally manageable.
Those two "fuzzings" are nothing alike.
-
@eschwartz @timbray Just a remark:
Fuzzing input to find bugs is not at all the same as fuzzing source code to find working code. In the first case, each "hit" you get is a solid demonstration of some actual bug; in the second, each "hit" is a piece of code which may or may not actually work, depending on how you verify it, and may or may not be maintainable, and extendable, and optimized, and generally manageable.
Those two "fuzzings" are nothing alike.
I think we are basically saying the same thing (possibly without you realizing it)?
As I said, fuzzing to find "valid programs" i.e. working source code is a new idea that "coding agent" salespeople are pushing. This is independent of whether they are correct that it truly exists; they're selling it. I said it's the thing that gets pushback as "slop and trash" in reply to a comment that said "whatever you think of genAI, if it [shills fuzzing input to find security bugs]".