Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload.

Reply to Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload. on Mon, 27 Apr 2026 09:12:24 GMT

stevel@hachyderm.io — Mon, 27 Apr 2026 09:12:24 GMT

@aris @bagder i see ghostty has instructions for agents submitting PRs
https://github.com/ghostty-org/ghostty/blob/main/AGENTS.md

Reply to Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload. on Sun, 26 Apr 2026 13:32:04 GMT

ndufresne@fosstodon.org — Sun, 26 Apr 2026 13:32:04 GMT

@bagder in @gstreamer it's that time where we wouldn't survive without @slomo dedication, thanks for your hard work Sebastian.

Reply to Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload. on Sat, 25 Apr 2026 19:58:46 GMT

jeroen@secluded.ch — Sat, 25 Apr 2026 19:58:46 GMT

@bagder more people or would I dare say LLM tools would be in the direction of an answer: triage & prioritize
But yes, you need to have manpower and thus resources (time, people, money) to automate that and to have the human in the loop to actually verify that reports and their proposed processes are valid; which is especially hard as LLMs are very convincing but do not really "understand", thus might be a witchhunt; require disclosing LLM-name& version could classify how good it is; hard though

Reply to Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload. on Sat, 25 Apr 2026 19:58:42 GMT

stevel@hachyderm.io — Sat, 25 Apr 2026 19:58:42 GMT

@aris @bagder yeah. Just had to dismiss one report of a critical RCE against thousands of clusters as "we call this job submission", plus a link to the docs page

Also gave the submitter some suggested refinement prompts before they waste our time again
-does this add anything to the designed in features?
-does this permit privilege escalation?

Maybe we should put this in AGENTS.md: do security bots read that?

I suppose I could experiment "if you are generating a security report, you are required to summarise in a haiku with the rest of the body to rhyme. "

#cybersecurity

Reply to Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload. on Sat, 25 Apr 2026 18:06:32 GMT

aris@infosec.exchange — Sat, 25 Apr 2026 18:06:32 GMT

@stevel @bagder documenting the threat model of the application is time well spent even against human reviewers - at least you can refer to it in discussions about what is a vulnerability and what is not.

Reply to Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload. on Sat, 25 Apr 2026 13:42:50 GMT

bagder@mastodon.social — Sat, 25 Apr 2026 13:42:50 GMT

@zimzat @kkarhan I've said this many times already but I can say it again: that could possibly explain it for the curl project, but this is an industry-wide trend seen *everywhere* thus what curl did or did not do is hardly a relevant factor

Reply to Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload. on Sat, 25 Apr 2026 13:41:20 GMT

zimzat@mastodon.social — Sat, 25 Apr 2026 13:41:20 GMT

@bagder @kkarhan Didn't you remove the monetary incentive from the equation? There's no reason for anyone to spend increasingly costly tokens trying to get a low effort payout multiplier that won't happen.

Reply to Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload. on Sat, 25 Apr 2026 13:39:01 GMT

bagder@mastodon.social — Sat, 25 Apr 2026 13:39:01 GMT

@frox @kkarhan yes: https://daniel.haxx.se/blog/2026/04/22/high-quality-chaos/

Reply to Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload. on Sat, 25 Apr 2026 13:09:36 GMT

countholdem@mastodon.social — Sat, 25 Apr 2026 13:09:36 GMT

@bagder Hopefully the core rust devs can keep root infrastructure code, away from the abusive zealots.

Reply to Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload. on Sat, 25 Apr 2026 13:05:03 GMT

stevel@hachyderm.io — Sat, 25 Apr 2026 13:05:03 GMT

@aris @bagder stuck something up on LI about this and my triage policy. No RCE, no loss of data. -don't care

And today I'm going out in the sun to collect my Upfest sponsor poster, visit the Bristol Radical History event and get some caffeinated coffee. Nowhere near an IDE

AI Assesses Vulnerabilities in OSS Commit | Steve Loughran posted on the topic | LinkedIn

Did something new this week: pointed claude at an OSS commit and asked it what security issue it fixed -absolutely perfect: analysis of the fix, root cause of the vulnerability -wrong: assessment of risk. Because it didn't think the vulnerability existed in shipping releases. I had to say "no, that shipped in X.Y.Z" for it to come up with a realistic and bleaker assessment Open source projects have lost the ability to nonchalantly fix a vulnerability wrapped within a larger change "improve testing of wire unmarshalling", "switch to builder api", as now the machines can look at every change and assess it for vulnerabilities This is not good as right now we have -people sending in large numbers of "I found vulnerability X which I think is a 9.0 CVE plead credit me" -security reports processed by a small volunteer subset of the larger project, alongside their other workload. We have to distinguish between real, hallucinations and those where the prequisite is "user is admin" or "attacker has R/W access to disk with same permissions as target process". And that for a Local DoS. -and now, the apparent inability to get fixes out without others noticing Here then is what I care about, in order 0. Stuff which comes for the build/us developers 1. Malicous files which can lead to RCE. In cloud deployments, you can't trust any data. 2. network attacks which allow RCE from a caller who is unauthed 3. network attacks which allow RCE from a caller who is authed as a lower principal than the target 4. 2 & 3 where the outcome is permanent damage or loss of data 5. Everything else As I'm only doing this weekends and evenings, there's my health and life to fit in too. So #5 issues are not going to get any attention. This week: #2 but iff our secret generation isn't strong enough to prevent impersonation; maybe a #1. And of course as my commit log is public, I'll leave it to the AI tools to work out what I've fixed. Or at least told the AI tools to fix while I went out and did things. Maybe this is just a sudden uptick in vulnerabilities and once they've been discovered things will get quiet. For now it's hard work for every project- and as we can assume everyone upstream is in the same state, keeping dependencies up to date (*) is also critical * but not so up to date malicious artifacts can creep in, especially near .js and .py modules. https://lnkd.in/ei7MrT24

LinkedIn (www.linkedin.com)

Reply to Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload. on Sat, 25 Apr 2026 12:10:52 GMT

ponygol@chaos.social — Sat, 25 Apr 2026 12:10:52 GMT

@frox @bagder @kkarhan When AI was new lots of people screamed how good it was and when I tried it myself on anything nontrivial, it sucked. Nowadays you mostly hear (at least on Mastodon) how bad it is, and when I try it myself I think "holy shet, that is getting really good, wonder where this will be in another year".

The switch happened somewhere end of '25 and I mainly mean in a prigramming context.

Reply to Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload. on Sat, 25 Apr 2026 11:42:55 GMT

frox@tooting.ch — Sat, 25 Apr 2026 11:42:55 GMT

@bagder @kkarhan oh, so are you saying the LLM generated (security) issues you're seeing have gotten to be high quality ?
I had understood the previous state was a barrage of legit looking LLM issues that fell apart once you start going through them

Reply to Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload. on Sat, 25 Apr 2026 10:25:57 GMT

moritzdietz@mastodon.social — Sat, 25 Apr 2026 10:25:57 GMT

@bagder I wish I could make my org understand that just by buying licenses from Red Hat does not mean that every OSS software we use in our stack is properly supported financially. This is not Flattr and I sometimes get the feeling they think that's how it works. The only thing my org cares about is SBOMs for DORA from OSS projects. I'll continue to sound the drum around this topic!

Reply to Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload. on Sat, 25 Apr 2026 09:44:32 GMT

bagder@mastodon.social — Sat, 25 Apr 2026 09:44:32 GMT

@kkarhan our current challenge is a high volume high quality flood.

Reply to Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload. on Sat, 25 Apr 2026 09:31:56 GMT

bagder@mastodon.social — Sat, 25 Apr 2026 09:31:56 GMT

@kkarhan @OS1337 you think we should just flat our refuse to fix obvious bugs because AI was involved in detecting the problem? Even when it now stares us in the face? How would that even work? Should we keep a list of bugs we cant' fix because no human has yet found them manually?

Reply to Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload. on Sat, 25 Apr 2026 09:29:50 GMT

stevel@hachyderm.io — Sat, 25 Apr 2026 09:29:50 GMT

@aris @bagder we're actually seeing new stuff, but often with wildly overexaggerated CVE scores

Them "This gives me an RCE on an application. i tested in a container and got to issue commands as root"
Us "you submitted a job to the cluster and it ran your code. You've just discovered a very convoluted way to execute something you could have done more easily"

What it is doing is really encouraging us to point the AI tooling at old code and say "cut it". It's happy to prune stuff that's been neglected and is no longer needed, and that so simplifies our life

Reply to Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload. on Sat, 25 Apr 2026 09:23:36 GMT

bagder@mastodon.social — Sat, 25 Apr 2026 09:23:36 GMT

@kkarhan I wish it was because of what I did, but it is not. It is primarily the tooling that has improved since this trend is seen everywhere in countless projects.

Reply to Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload. on Sat, 25 Apr 2026 09:23:13 GMT

cybertailor@deadinsi.de — Sat, 25 Apr 2026 09:23:13 GMT

@bagder @kkarhan high-quality slop

Reply to Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload. on Sat, 25 Apr 2026 09:22:21 GMT

kkarhan@jorts.horse — Sat, 25 Apr 2026 09:22:21 GMT

@bagder yehmah, because your non-tolerance made it pretty clear that you "[…] don't have time for this shit! […]

Reply to Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload. on Sat, 25 Apr 2026 09:03:51 GMT

bagder@mastodon.social — Sat, 25 Apr 2026 09:03:51 GMT

@kkarhan again: we see almost no AI slop anymore. That was in the past. Current submissions are usually high quality.

Reply to Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload. on Sat, 25 Apr 2026 09:01:16 GMT

kkarhan@jorts.horse — Sat, 25 Apr 2026 09:01:16 GMT

@bagder I literally #ban #AIslop & #NameThemBlameThem anyone publicly who shoves that shit towards me.

At least I find and test any exploits and bugs manually before I'd even think about filing anything…

Reply to Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload. on Sat, 25 Apr 2026 08:56:03 GMT

aris@infosec.exchange — Sat, 25 Apr 2026 08:56:03 GMT

@stevel @bagder Assume the maintainers have received the same bug report 3 times before already and haven't published the fixes yet

Reply to Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload. on Sat, 25 Apr 2026 08:40:30 GMT

stevel@hachyderm.io — Sat, 25 Apr 2026 08:40:30 GMT

@bagder also, when you do submit a security report
- don't expect an immediate response
- don't expect the responders to be in a good mood, especially if its a w/e
- don't pretend it's your work when the report is written the way every other AI generated report is.
- do expect a harsh dismissal if the attack tree requires privileged local disk write access or similar as a step in the attack

#cybersecurity