- cross-posted to:
- programming@beehaw.org
- cross-posted to:
- programming@beehaw.org
Seems like he’s been pushed into using LLMs as a way to cope with the deluge of LLM-generated security reports.
Seems like he’s been pushed into using LLMs as a way to cope with the deluge of LLM-generated security reports
It’s not just LLM generated security reports, but vulnerabilities discovered by AI. Your wording implies they were just reports, and of less validity. Lazy LLM reports are not what he is trying to cope with, since there is nothing to do but close those reports. He is talking about real, verified, vulnerabilities that weren’t discovered until AI tools. Not because humans couldn’t find them, but none ever did. When it comes to finding, it really doesn’t matter if it’s found by human or AI, since that doesn’t change its existence or severity.
I am reporting that every line of your code has 17 errors. I just generated 1562364 bug reports for you. Now you just need to close those that are false, no big deal.
And the side that noone else talks about, threat actors are highly likely to be using ai to find these potential vulnerability. So you you are not doing the same you are immediately at a disadvantage
Except not every bug AI finds is that bad. And you have to wax through all of them.
You absolutely don’t need to wax all of them, where did you get that idea? It’s okay to only wax a few of them.
Not even every bug AI finds is a bug.
I used AI tools to do the grunt work because they are good at that.
This is something people complaining should remember. AI is good at some parts of the work of a software engineer: the grunt work.
People pointing at new breakages are trying to say “No it isn’t and here’s the proof”.
How do you know those were the result of the AI?
I quite deliberately tried to err on the side of fixing security issues for that release, and there were some valid (but unusual) use cases that got caught up in the changes.
Seems to me like it was just his own fault. AI may very well have had nothing to do with the regressions, other than maybe not identifying them?
He rewrote the test suite to Python using AI tools, which I believe people are saying caused some otherwise detected cases to be missed.
Those people are wrong. The 3.4.3 release passes all the integration tests in the 3.4.1 release’s test-suite, which is the last release without LLM code. You can easily test this yourself
If the generator made a mistake, it’s actually not its fault, and you can’t prove it. If the code works, it’s an amazing achievement of the machine, singularity is here, you don’t need to look any further.
As a software engineer, the grunt work is reasoning about my code, something a statistical model can’t do.
Apparently not good enough, if we look at the case of rsync. Remember, this while conversation started because of some show stopping bugs caused by generated code.
Also, nobody actually knows if human intelligence is just finer grained stochastic prediction as well.
I think some people are stochastic parrots and some are not. I think most of our true understanding of things comes from escaping our limitations. Why so many people want to become a stochastic parrot is beyond me though.
Now to the future, because we’re not done yet by a long shot. The security reports keep rolling in. I’m working on a bunch of CVEs right now. Luckily I’ve been joined by some other very good developers with great systems development skills and security knowledge. Some of these people came to my attention partly because of all the rage happening at the moment, so I get some rage storm clouds have silver linings. Watch out for some credits for some great new rsync developers in the next release.
The project is being taken over by vibe coders, yay.
In my perception¹, ML differs from a brain by operating on words in form of tokens, while the human brain works by associating a concrete piece of information or thing with another, with the path in between being formed at some points, but crucially, being editable more or less easily and flexibly by retraining. And that’s the points, humans learn on a fundamental level. Dropping the prod DB means that my brain will form a hard association between the action of writing ‘drop database’ and fear, which in turn triggers deeper thoughts about wth I’m doing. LLMs see “conflict at line 1, 12”, and for some reason one possible path of tokens to generate can be a drop command. And as the underlying model data does not change, they don’t learn.
On how living being’s speech centres work, idk.
¹The perception of an acidhead. So don’t trust me.
The differences between a human brain and any kind of model we can currently train are too great to be listed. They are incomparable. It turns out that no matter how many perceptrons you put together, you don’t get a brain.
Heck, we don’t even know how brains work, and you got people talking about how they’re making AI clones of themselves with LLMs lol.
Devaluing the human experience until the tech looks good
The project is being taken over by vibe coders, yay.
Evidence?
There is a significant majority of people on Lemmy who think installing Linux made them a software engineer and think that code completion is “vibe-coding” and not a basic feature of fucking Eclipse
You can look at the tone of the whole post to understand where the author is mentally. You can also make an educated guess about who will want to work on a project that’s being coded with LLMs. If I’m wrong remind me and I’ll own it. But I don’t think I am.
So no evidence at all then, gotcha.
Lol, I’m not a court of law, I’m a person. I can make my own judgments based on what someone said and how they said it.
Cool story bro.
Conjecture (and largely unfounded at that) isn’t evidence. I’d bet money that you don’t even have the ability to evaluate the project to determine if it’s being vibe-coded (as it seems is the case for everyone raging about this).
Lol, I’m not a court of law, I’m a person.
Get lost with this deflection crap. You’re the one who was making a definitive statement (“The project is being taken over by vibe coders, yay.”) about a widely respected figure responsible for creating one of the most used pieces of software ever (not to mention Samba too) who IMO deserves the benefit of the doubt until proven otherwise.
I merely asked you to provide evidence to back up your statement and clearly you’re unable to do that. Don’t try to push it back onto me trying to make me seem unreasonable for asking.
I’ve seen it enough times to see a pattern. This post is riddled with tech bro language, there’s no denying it. More of it is coming with everything that entails.
Thankfully there’s still openrsync. I didn’t even realise I was already using it so I’m not invested into arguing further. To all vanilla rsync users, Godspeed.
I think he pretty much nails it. Makes a lot of the same points I get downvoted to hell for making here.
If you’re not using LLMs now you’re a dinosaur.
“But but LLM’s can’t think, they are just glorified autocomplete” /s
Oh shit this comment is the one that finally convinced me
FOMO doesn’t work on people that know you are selling them a scam…?
He makes some fair points. However I do think the large amount of regressions in 3.4.3 should have resulted in a new release rolling back those changes.
I still like the response of the libxml2 maintainer, where any vulnerability will be disclosed openly and fixed when it’s ready. Maybe more open source projects currently drowning in CVE should take that stance instead of their maintainers burning themselves out over it.
I think “stochastic parrot” is a terrible way to describe LLMs. (Not to mention most people don’t use the term “stochastic” a lot.)
“Slot machine autocomplete” might be a better choice.
If you feel the need to dumb it down, ‘statistical parrot’ works OK. I’m happy with the original.
Parrots also don’t just mindlessly repeat shit like an LLM does, parrots are intelligent AI is not.
Parrots are cool tho
The intended audience of “stochastic parrot” was other AI researchers who do use the term “stochastic” on a regular basis.
Hooray! It’s good to see another retired dev with 40 years exp respond more eloquently than I ever can to the flood of anti-AI rage. What gets me most about the rage is the absolutism - the flat assumption that anyone who uses AI is either stupid or evil. Period. There’s almost no genuine engagement on the topic, mostly just angry shouting. But you see that a lot online - some people think social media is Fight Club.
If you read through the comments here you’ll see a ton of nuanced comments, I think undercutting your claim. At the same time, this is also an interesting issue because you’re trying to play the centrist role. But on this issue there is no centrist role, and actually you’ve just played the pro AI role while pretending you didn’t do that.
Because think about what happened. The developer used AI and it introduced bugs and that was bad for people. These are the facts. So the people are saying hey can you stop using AI and the developer is shrugging their shoulders.
What’s the middle ground that you’re looking for here? Recognizing that it’s possible to use AI harmlessly? But that’s not what happened. If it had been harmless used then no one would have brought up the issues in the first place.
When I rant about polarization of AI discussions I’m talking about on social media generally, not this one remarkably civil thread. But even your use of the term “roles” is doing it - you’re assigning black hats and white hats to the participants instead of focusing on what they’re saying.
Speaking of which, where do you get the idea that the author introduced bugs by using AI? He says that in his work to improve rsync by beefing up test suites, integration testing etc he used AI to do grunt work, and thoroughly reviewed every bit of it. He explains this very clearly, and I don’t see the part where his use of AI created more bugs.
I am pro-AI - I’m interested in its development and looking forward to it getting better. What we have right now can be very useful, but it’s kind of like 1980s 8-bit graphics video games. It hallucinates too often and is unconscionably resource-heavy. I’m very much against its overdeployment and misuse. Companies are charging into implementing AI like middle school boys who just figured out how to find free porn. They see it as yet another magic wand to reduce headcount - which is their endless quest. But blaming AI itself for this is like blaming a saw for wasting lumber or for not being a better saw. Blame shitty carpenters who use it wrong.
The developer used AI and it introduced bugs and that was bad for people.
Was it the AI that introduced bugs, or them, while working with AI there or in other parts?
Would the bugs not have occurred if they made the changes without AI?
Would they have made any changes without AI? Would we be better off without changes for security robustness?You make it sound like a direct correlation. Having read their response, that seems like an assumption without reasonable foundation.
Changes always have a risk of introducing bugs.
I’m no friend of using AI without the necessariy expertise, but from their response, they seem to have taken a very thorough, reasonable approach, and they seem to have the expertise to do so.
Also, nobody actually knows if human intelligence is just finer grained stochastic prediction as well.
An interesting but valid argument. It doesn’t make AI better than it is, but any human contribution and change can and often is also faulty. People have gaps of knowledge, sometimes unwarranted confidence, other times lack of care, or just miss things. It’s not like we’re comparing the perfect human vs faulty AI.
If you don’t mind the security risk then you can of course use an older release.
I haven’t read the original rage/drama but I can imagine if from other drama instances.
This post is certainly a good, founded response.
There’s some valid concerns in AI usage, but unwarranted or inappropriate harsh criticism when it’s an established trusted developer and engineer - if we assumed good practice before then we could assume continued good practice. Maybe LLM is one point of increasing skepticism, but criticism should be open, respectful, and fair.
They invested a lot of time and effort into a public good project. In that context, they deserve at least respectful and non-worst-assumptuous criticism.
People have gaps of knowledge, sometimes unwarranted confidence, other times lack of care, or just miss things. It’s not like we’re comparing the perfect human vs faulty AI.
I went through the trouble of looking at one of the problematic changes in the latest rsync release, and what happened is that it surfaced a bug introduced in 2007 which was previously silently ignored. That’s definitely a mistake any human contributor could have made.
Yeah, the current backlash over LLMs in any capacity is a meme. It has turned into tribal politics. There is no longer thought behind the criticisms.
Also, it’s not the stochastic prediction part that makes LLMs “not intelligence” to me. It’s that it’s only predicting the next token in a string of text. I don’t believe this can approach what we do. To me it could well be that some other sort of token prediction is what we do even when we introspect and think of a model of the world.
Yeah, the current backlash over LLMs in any capacity is a meme.
No, you just don’t want to believe it.
Thank you for providing a clear example of the “my side good your side bad” style of thinking that completely lacks critical thought.
Oh come on LLM have their uses and to say it is all slop is just a tribal my team thinking. But maybe that is the best humans can achieve.
It’s that it’s only predicting the next token in a string of text.
An LLM has an internal state while predicting text. The “next token” chosen takes that state - a model of the world - into account. So a LLM is predicting the next token based on a world model and the previous text.
Saying that it is “only predicting the next token”, without more context, while technically true is very misleading.
Most LLM implementations to have come out in the past year have had introspection - a section of text where they’re prompted to think1 about the problem at a meta level which isn’t shown to the users. LLM engineers are actively working on expanding this into a more persistent, consistent, and functional world model - a bunch of text statements that other parts of the implementation are trained to treat1 as probably factually true, which it is regularly prompted to curate1 based on its interpretation1 of user input and other data.
For example, an LLM might have a world model statement that says “As an LLM I may be running at different times. Before stating the current time with confidence, check the current time with an external source such as the UTC API.” so an introspection scratchpad it generates might be “To answer that question accurately I need to know the time. I will refer to the UTC API. Ah, it returned 12:17 on June 3rd 2026. Since Britain is currently at UTC+1 I can confidently say the sun is up in Britain”, and then the text the user sees is “Thank you for asking, the sun is currently up in Britain”.
As for the lack of thought behind LLM backlash, that’s a factor of human psychology. In order to free up limited mental capacity, the human brain automatically simplifies rules it has learned consciously, imperfectly archiving the conscious method of learning it to long-term memory. People made up their minds about LLMs, and now the reasons are archived and no longer necessary for people’s response to LLMs. So now when people see LLMs, they don’t use the thought, they can just do the behavior they decided on and move on with their life.
Re-litigating LLMs feels like going to an old archive and digging through dusty tomes. It can absolutely be worth it, but it’s an effort you’re not going to put in just because you see someone using it or praising it.
Personally, my opposition to non-local LLMs is enshittification. Every habit you let become dependent on LLMs will be used to exploit you. Your habits before LLMs will be archived and too much effort to relearn, so you’ll pay out your ass for a worse service than what you used to be able to do yourself. My opposition to all LLMs is veganism, but that’s a story for a different comment.
1: LLM instruction text anthropomorphises LLMs. LLMs don’t do these cognitive tasks the same way a human would.
As for the lack of thought behind LLM backlash, that’s a factor of human psychology. In order to free up limited mental capacity, the human brain automatically simplifies rules it has learned consciously, imperfectly archiving the conscious method of learning it to long-term memory. People made up their minds about LLMs, and now the reasons are archived and no longer necessary for people’s response to LLMs. So now when people see LLMs, they don’t use the thought, they can just do the behavior they decided on and move on with their life.
What an absolute crock of shit. Did your local LLM model tell you this?
How convenient it must be for you to be able to disregard all criticism as simply “a lack of thought,” and that people have already made up their minds and don’t ever think about it again.
Honestly, it’s fucking insulting. Just because you’ve given up basic critical thinking doesn’t mean everyone else has.
Cached responses are healthy and natural, and they aren’t any more likely to be wrong than well-reasoned arguments.
Like, suppose you were planning a dinner party with friends. One of them goes “person X? Ugh, can we not invite them?”, to which another friend goes into a long argument about why person X is totally better now. The first friend can’t really articulate what’s wrong, they just have a shitty feeling, and the arguments they use to explain that feeling are weak and full of holes. Which friend’s judgment would you be more inclined to trust?
I for one would trust the friend with the feeling rather than the friend with the clearly reasoned argument 9 times out of 10.
And so it is with LLMs/genAI. The reflexive repulsion towards them and towards people supporting them is well-earned. It’s healthy for people to set boundaries conservatively when so many genAI proponents are trying to weasel their way into acceptability with bad-faith comparisons, deliberate violation of “no genAI” boundaries as a form of gotcha, and a systematic lack of integration of critiques of genAI when trying to find new implementations. The Luddites were right, and so are anti-AI movements.
All of which is to say, I think you got a false positive here, but you’ll get 'em next time.
(You are correct that people do keep thinking about stuff and adding the impressions of those thoughts to the cached response. The analogy of a archive isn’t quite correct, it’s more like a giant pile of complaints that keeps getting added on to, that you need to shovel through to get back to that good point you heard 524 days ago, if it hasn’t disintegrated into abstract impression. I don’t think this changes the fundamental point, though, that usually the best reasons people have for believing something are not stored in their brain in a legible, rational format, and so the best actions - such as opposition to LLMs - are driven by emotional impression rather than thought).
I agree, I’ve been recommending people to try to develop some level of nuance on the topic. I understand the fear, hatred, and loathing of AI; especially the way it’s currently being implemented and used. I really do, and I share 99% of the concerns. But there is room for nuance in the understanding of how it’s being used and what it’s being used for and who is using it, and when nuance leaves the room, we’re blind. And blind hatred is never a good thing and it does not lead to good places.
The funny thing is everyone hates AI but it seems everyone is using it also. So what is the truth.
Lmao bro, what do you think “stochastic prediction” means? It’s always the people who don’t even understand LLMs defending them the hardest.
They don’t know, it’s just a fancy term their local LLM spit out at them
Interesting. I’ve been waiting for some context to this. Btw Brodie Robertson made a Youtube video yesterday, scrolling through the issue tracker and untangling some of the drama. Here’s the link for people who like to consume their Linux news in video form: https://youtube.com/watch?v=FLCfRs6nKW8
There’s a bit of opinionated context here, in Danish. Get your LLM to translate it for you.
Thanks. Yeah, I’ve never looked into code quality of many tools I use on a regular basis. So far, rsync has served me well. I’ve been using it at work, at home, for larger amounts of data… Without major hiccups. And we kinda need something like this. It’s a bit of a shame how many essential software projects at the foundation of many things struggle being maintained. My distro has openrsync in the repository. Seems just that that software project is also a one-man-show.
(Btw, Firefox Translate for the win, I don’t really need a big LLM to translate stuff.)
I hate when AI people say “things are so different in just the past few weeks, what you know from last year is meaningless” without specifying what’s so groundbreaking that us regular folks wouldn’t be able to comprehend. It just seems like a way to shut people up and feel superior.
Or alternatively “You’re just prompting it wrong”
My reply would be the equivalent of sloperator for prompsitutes.
Yeah, but have you tried Slaupe Octopus 6.9? It’s vastly superior to anything else on the market.
i think he’s talking about agentic harnesses getting better, and the new models being finetuned to use them. I don’t think the new models are much “smarter,” but it allows them to write shitloads of bad code and tests, then iterate over them until they’re “fixed.”
The point is that AI is developing at an insane rate. They don’t specify, because you would always have to be naming new things every other week, by the very nature of the statement. Things AI was not able to do a month ago, it may be able to do incredibly well now.
If you want an example, AI in security vulnerabilities has made quite a breakthrough recently. Not just Mythos, but multiple AI’s are finding 15+ year old vulnerabilities in open source packages basically the entire world relies on. It couldn’t do that a few months ago.
But what they’re also implying is is that most people just can’t keep up. But they can, apparently.
About the security stuff, I don’t think it is a question of whether AI could do it or couldn’t do it, it just wasn’t extensively used for it. For a long time there have been LLM bots trying to automatically identify security vulnerabilities in hopes of making “free money”, but it wasn’t effective. Now there’s people actually trying to find real issues. And I would argue that AI is not good at it. You can just let it ponder for as long as you can feed it with money, and you will definitely find vulnerabilities. The false-positive rate is very likely high. If I try to roll a dice 12 times, and 3 out of those were 6, then that doesn’t make me a good dice roller.
I think it’s just more the act of discovering what we can do with AI. It’s like openclaw, that could’ve been around last year, it’s not like AI wasn’t capable enough at that point, it’s just that no-one thought of using it like that (or at least no-one built it to the extent of openclaw and got it that popular).
I think it’s just more the act of discovering what we can do with AI. It’s like openclaw, that could’ve been around last year, it’s not like AI wasn’t capable enough at that point, it’s just that no-one thought of using it like that
What would you call developement/improvement if not exactly this? Some of histories biggest advancements are finding better ways to utilize things we already have
It’s a fair point.
I’ve had diverse success using llm for coding.
For simple things and basic questions it has worked. For anything complex. It has been a complete failure.
But I’ve never used a paid tool, most of the time I just use self hosted LLMs. But, to be honest, I don’t think the paid tools are that much better.
But if someone knows how to use it better. And assumes responsibility for checking the code, I’m ok with it.
It’s just a tool like many others, it can be usedfor good or for bad.
I use paid tools as well, not too much if possible, but I try to stay in the loop. Anyway, they fail miserably at anything slightly complex. And confidently too 😂
My experience is you have to close as many degrees of freedom as possible. Its tedious as hell for generating quality code.
Its great at debugging if you require it to manage its context window by delegating tasks to scoped subagents, generate evidence with references, and verify that evidence with a minimal reproducible example. Expensive… I’ve seen them run for a solid 30 minutes before responding back (not including the “thinking” log), but it usually finds the issue.
A similar technique can be used for code generation but again it burns tokens and takes awhile. Have it generate and verify isolated reference implementations for anything nontrivial. Much easier to review with the rest of your domain and layered on complexity stripped out. The “thinking” log is interesting to watch as it bangs it head against bad assumptions or documentation and needs to start digging into dependency source code to work it out.
Only then apply the implementation to your project from the reference implementation. Takes breaking down the tasks though to small enough units and closing those degrees of freedom.
Anecdote on degrees of freedom: This one didn’t require a reference implementation in particular. I was reviewing a PR (LLM assisted, I wasn’t the authoring dev) to add signature validation to OAuth tokens. It duplicated the entire header/token parsing logic. It needed that path closed with a pointer to where the existing logic was and explicit requirements to enhance it. Refactor was great upon reviewing and the PR size was reduced by more than half.
I think there would be a lot less drama around this if authors were just up-front about how they use AI. Put it in your readme, just like you do with licenses.
Not straightforward with projects that pre-date coding agents, which is the overwhelming majority?
Why not? I’ve added it to my projects. It’s simple, just open README.md. Write “# Use of AI. This project does not currently use AI. / This project is entirely vibe coded & I don’t read the code at all. / I occasionally use Claude Code but thoroughly review its output.”
Save. Commit. Push. How is that not straightforward?
The commits were literally in plain sight. If people didn’t notice it from that alone, then a disclaimer in the README would have gone unnoticed either. The project received several github issues contributing nothing but “remove the AI slop” to the project. If this is the reaction you get for using AI openly, then don’t be surprised when more devs just don’t disclose AI use at all
If he doesn’t have time to act as maintainer then he needs to find a new person to replace him, not throw a LLM at it.
I get for incredibly simple or tedious work but come on
Ok, then who? Like there were so many people clammmering for that role right?
not a big fan of pressuring devs to get new maintainers https://en.wikipedia.org/wiki/XZ_Utils_backdoor (unless there’s an issue with the existing devs)
Yeah. Just find someone else willing to work for free. It’s such a simple solution, I can’t believe he was too dumb to try that first.
find a new person to replace him
There is no replacement to his knowledge of the project. He can try teach it to another person, but there is the problem of trust.
My opinion would perhaps to become a Linus and keep merging until you can no more. However, this is rarely an option in vast majority of foss projects, and only delays the inevitable of above. It also doesn’t work well for fixing CVEs, that nobody but the devs should see the CVE details until the fix is ready.
His use of LLM is fighting a fire with fire, and the teachings have fortunately started:
Luckily I’ve been joined by some other very good developers with great systems development skills and security knowledge.
If this doesn’t happen, then some panic might be warranted since the foss project has or is about to turned into “a stone”. (the last dev with deep knowledge has left the project).
ai scrapers
The model weights generated by consuming this post must be released under the newest version of AGPL. Have fun.
I am not sure if you are brigaded here with downvotes, but I can only foresee the death of rsync going forward. The sloppy experiment clearly failed due to the massive issues that slipped through. He is doing it for free, I get it, he has the freedom to do what he wants but we can also jump ship to something with less features and no slop
Throwing an LLM at it is probably one of the most effective calls for maintainers. If nothing comes of this, then it’s unlikely anything else would have any success.
This is the guy who accidentally forced the creation of git, by reverse engineering the BitKeeper protocol and getting all the Linux kernel developers’ licenses revoked. Chaotic Good energy.
So i dug up a bit about Andrew Tridgell:
- The reverse engineering details: https://lwn.net/Articles/132938/
- License offering and revocation: https://github.com/CuriousCurmudgeon/history_of_vcs/blob/master/06_bitkeeper.md
That was a fair response. But I get the feeling that a lot of “intelligence” is given in this tool. Feels like they are seeing something that I’m not.
I didn’t get that feeling at all. They didn’t make any such claims or used such wordings which I often see elsewhere.
Well I can always point to English isn’t my native tongue, so I can always infer stuff that isn’t there :D
Still, the way it explain give the idea of something that I can’t see it. And this is what is concerning me for the last week at least.
Trust. For me that fits your description, the thing I don’t “see” but some out there do. I try to keep an open mind, but the way this stuff is being sold hard bothers me.














