| ▲ | smallerfish 10 hours ago |
| So make it a closed issue tracker with a public email gateway. Get Anthropic to donate LLM time to classify and combine incoming reports. |
|
| ▲ | throwaway85825 10 hours ago | parent [-] |
| If the LLM hallucinates bugs what makes you think any classification won't be hallucinated? |
| |
| ▲ | quuxplusone 9 hours ago | parent [-] | | The issue highlighted in Linus's message isn't that the LLM is hallucinating fake bugs; it's that 100 people running the same LLM on the same codebase find the same real bug 100 times, and if they all send it to the private security mailing list, it's (1) unmanageably high volume and (2) stupid security theater [because by definition any bad actor with the same LLM would find that bug — it's effectively public at that point]. | | |
| ▲ | throwaway85825 6 hours ago | parent [-] | | You don't need an LLM to deduplicate bugs, just categorize by files affected. The real security problem is LLMs have a ~499/500 false positive rate and the new 'security research' post this slop and DDoS the mailing list. |
|
|
