ses1984 9 hours ago

Linus also said

“AI tools are great, but only if they actually help, rather than cause unnecessary pain and pointless make-believe work,” he wrote. “Feel free to use them, but use them in a way that is productive and makes for a better experience.”

So I think the closing remark from The Register isn’t really appropriate given the context from the quotes they pulled.

dathinab 6 hours ago

the problem here is that many of the submissions are not "make-believe work" but actual existing security issues

it's just that in the past people most times didn't find security vulnerabilities independently of each other without knowing about the others en masse

worse, it's non-trivial to dedup on the submitter side, nor on the receiver side (as long as we stay with a classical mailing list format)

and while this might be fixable with an AI auto grouping duplicates etc., getting that right is _hard_, especially if we consider that there can be a lot to gain for an adversary to use prompt injection and similar to cause an effective "hiding" of "useful" security issues (e.g. by wrongly causing them to be labeled as duplicates).

In addition to all the technical problems this causes some other problems: 1.) additional cost you can intentionally (maliciously) increase 2.) dependence on some LLM provider 3.) trust problem wrt. the used LLM provider. Some of this can be avoided by running open models on sponsored owned hardware, but at the cost of often outdated LLM tech, higher cost, now needing to maintain additional hardware etc.

pessimizer 5 hours ago

> the problem here is that many of the submissions are not "make-believe work" but actual existing security issues

Not exactly, the submissions are reports about actual existing security issues. They are make-believe work because everybody has access to AI, and anybody could have done it. Deduping is not productive work, it's a search for productive work.

Instead of spamming bug reports generated by AI, people should spam cash or token credit of some sort so the project can generate these themselves. The real unnecessary part of the entire process is the submitter. There's no need for an AI middleman.

If somebody comes up with some witty trick that gets an AI to find a bug that it wouldn't have found on its own, submit the prompt.

mock-possum an hour ago

So if a thing is good then it is good, but if a thing is bad then it is bad? Got it!