The Zig programming language has updated its code of conduct to ban LLM-generated code, vulnerability research, text-generation, and about anything AI at all

beggarmidas@mastodon.social

@campuscodi May not be a wise move on the vulnerability scanning. That's almost certainly gonna come back to bite him on his butt.

malin@dice.camp

@campuscodi
The language is so safe you can't even read an article about it.

azuaron@cyberpunk.lol

@campuscodi Bun--acquired by Anthropic--just had a huge, ridiculous PR opened to switch from Zig to Rust.

Perhaps Anthropic tried to purchase Zig, and was told to pound sand?

azuaron@cyberpunk.lol

@theeclecticdyslexic @campuscodi Oh, no, what you're supposed to do is have the slop machines review the PR.

I'm not joking. That's literal the thought process.

dalias@hachyderm.io

@campuscodi I love how the domain it's dealt with in is code of conduct.

tris@chaos.social

@campuscodi Do the same for horse64 @ell1e

ell1e@hachyderm.io

@tris @campuscodi if you have a proposal of how this should be expanded, let me know: https://horse64.org/docs/How%20to%20Contribute#why-ai-contributions-are-not-allowed

laund@wetdry.world

@eestileib @corpsmoderne @johan_andersson @campuscodi what does that mean?

Both "what does it mean for a (social?) problem to be lisp-sized" and "what did you want to communicate with that post"?

zygoon@fosstodon.org

@campuscodi next they will ban anyone using Dvorak to make patches.

mason@partychickens.net

@campuscodi This got me curious, so I looked at GCC and clang. GCC is still working on it:

working-group-ai-policy - GCC Wiki

(gcc.gnu.org)

LLVM allows slop, which disappointed me, even if they include language which suggests that the contributor should be accountable for the code:

LLVM AI Tool Use Policy — LLVM 23.0.0git documentation

(llvm.org)

I wonder how the complete lack of clarity around slop contributions is acceptable to the projects.

srazkvt@tech.lgbt

@johan_andersson @campuscodi could you not spam hashtags inside your message ? this really messes up the flow with screen readers, making your posts less accessible

also that change was before bun got "rewritten" in rust

dag@chaos.social

@campuscodi lol - a Programming language that bans vulnerability research … says it all.

datenwolf@chaos.social

@dag @campuscodi

Where the heck did you read *that*?

datenwolf@chaos.social

@Beggarmidas @campuscodi

About that… ask the cURL developers how well that work(ed) for them. TL;DR: they were drowning in LLM generated vulnerability reports, of which only a tiny fraction were actually valid. Any tool that dramatically degrades the signal-to-noise ratio does more harm than good.

dag@chaos.social

@datenwolf @campuscodi „The Zig programming language has updated its code of conduct to ban LLM-generated code, vulnerability research, text-generation, and about anything AI at all“

OP said that. Banning any kind of vulnerability research is stupid. If you allow fuzzing why not allow AI based?

datenwolf@chaos.social

@dag @campuscodi

Yes?!

Banning LLM generated "vulnerability" ""research"" is the proper proactive move. They've taken the lesson from cURL which was drowning in LLM generated vuln reports, of which only a tiny fraction was actually valid; the rest was fabricated noise.

If the signal-to-noise ratio gets degraded by some "tool", than this tool does more ham than good, as it will obscure legit reports.

The fabricated reports take away time from looking at the legit stuff.

datenwolf@chaos.social

@dag @campuscodi

Also they're not banning the submission of reports on issues that a human has thought through and written a PoC by hand, even if the actual detection of the issue was found by some AI tool.

What's banned is offloading the whole work of "detection / PoC / writing report / submission" to AI. We want whoever did the submission also have thorough understanding of what's going on; we want to be able to inquire the thought process. You can't introspect an LLM.

dag@chaos.social

@datenwolf @campuscodi you should read up on that. Curl does use AI to identify vulnerabilities themselves:

Mythos finds a curl vulnerability

yes, as in singular one. Back in April 2026 Anthropic caused a lot of media noise when they concluded that their new AI model Mythos is dangerously good at finding security flaws in source code. Apparently Mythos was so good at this that Anthropic would not release this model to the public yet but instead … Continue reading Mythos finds a curl vulnerability →

daniel.haxx.se (daniel.haxx.se)

Vulnerability submission != vulnerability research.
If they would require a human in the loop before submitting vulns, that would make sense. To ban usage of AI for vulnerability research is just plain stupid. To disallow any method to find vulnerabilities is security by obscurity and should be treated as such.

dag@chaos.social

@datenwolf @campuscodi then tell OP to update his hilarious „AI bad“ post to reflect that - not me.

drrac27@fosstodon.org

@datenwolf @Beggarmidas @campuscodi well, that is just outdated information. Now they are mostly high quality reports... https://daniel.haxx.se/blog/2026/04/22/high-quality-chaos/