this post was submitted on 24 Dec 2024
40 points (100.0% liked)

Hacker News

370 readers
551 users here now

RSS Feed of HackerNews

founded 3 months ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] ArbitraryValue@sh.itjust.works 5 points 1 week ago (8 children)

Why would people be doing this? Is it sabotage or just misguided?

[–] syklemil@discuss.tchncs.de 9 points 1 week ago* (last edited 1 week ago) (7 children)

Hanlon's razor seems to work well here. I wouldn't be surprised if it were a mix of people who want some real or imagined benefit from bug reports without doing or understanding the work, and people who just think LLM output is gospel—a gospel that must be spread.

[–] nightwatch_admin@feddit.nl 10 points 1 week ago* (last edited 1 week ago) (6 children)

Agreed, but also: if it works and is merged, you get credited, and your GitHub account gets a better reputation. This makes it easier to deploy attacks like xz, as you have a track record of merges.
Also, plain vandalism, because people are like that.

Edit: probably also bug bounty attempts. If you've ever been on the receiving side of a Responsible Disclosure program, you'll know what I mean.

Edit edit: it’s all in the article, darnit. Sorry.

[–] syklemil@discuss.tchncs.de 1 points 1 week ago (1 children)

Yeah, I'd count that credibility as a real benefit from helping with bugs.

As far as xz scenarios go though, the AI slop seems to be a really bad strategy.

[–] nightwatch_admin@feddit.nl 2 points 1 week ago (1 children)

I agree, it isn’t a great tactic, but with enough attempts you’ll probably hit a few times.

[–] syklemil@discuss.tchncs.de 2 points 1 week ago (1 children)

Yeah, I don't disagree. And if you hit something small or relatively insignificant but common, that's all you need

[–] nightwatch_admin@feddit.nl 1 points 1 week ago

I ran an RD program years ago. Lots of bored and/or poor, greedy devs submitted metric shit tons of pseudo-vulnerabilities ("If I do Ctrl-U I can see source code on your web site!" No shit, Sherlock.). I can only imagine how much easier this has become with the help of generative AI…
