Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo

[James Le Cuirot <chewi@gentoo.org>]

[-- Attachment #1: Type: text/plain, Size: 3585 bytes --]

On Mon, 2024-04-01 at 20:51 +0200, Kévin GASPARD DE RENEFORT wrote:
> > Thanks for clarifying that, it wasn't clear to me when I read the
> > earlier e-mail.
> > 
> > Personally I think the long term solution is to identify critical code
> > bases that have a low bus factor before the bad actors do and make a
> > concentrated community effort to help audit and maintain these code
> > bases.
> 
> Hi,
> 
> I hope this is not a stupid suggestion, that is also my first mail here 
> so if something does not suits habits feel free to tell me please, but 
> after reading the whole topic here I did not find this suggestion.
> 
> It’s merely a proposition out of my mind, also something I know very 
> little about.
> 
> ---
> 
> I read Linus T. speaking about usage of AI nowadays, in the IT field and 
> stating that is an awful idea to write code with it (at least, for now)… 
> But not to ask an AI to read the code and try to found by this way 
> security holes, bad habits, bugs and such.
> 
> Again, my skill and knowledge about AI, specially nowadays, is very 
> small. But would take it lot of works to sets an AI to simple «read» 
> codes to look for undesired stuff ? That won’t even modify anything, 
> merely says : «Ah, found something weird, **here**.». Maybe, properly 
> configured, it would have detected this social-hacking. Maybe not.
> 
> Since programming is a very hard works, specially when it’s about 
> security and bug, I also have very poor programing skill, but since the 
> whole purpose of a computer and it’s set of software is to do what an 
> human could NOT do properly (like being attentives while reading dozens 
> of hundreds line of code…) and automate stuff, it *seems* to perfectly 
> suits this need.
> 
> I guess the process on Gentoo side while it’s about "packaging" is 
> writing the good ebuild that download source code, compressed (and that 
> is the whole problem here if I understand) and then unpack it, compile 
> it, etc…
> 
> Could an AI reading the code could be a step somewhere ?
> 
> On other distribution I would say it needs to act **before** the package 
> is made, while building it I guess, for Gentoo I do not know.
> 
> But that is not the job of Gentoo’s ebuild writer to check other 
> projects code, that would be a non-sense ! Right ?
> 
> I’m curious of what an AI could bring in this subject.
> 
> If it’s a stupid suggestion, well, will keep reading this topic, very 
> interesting. And sorry for the noise.
> 
> PS: Thanks for the works behind libre software, open-source and here, 
> Gentoo. I trust you since I do not have knowledge to judge properly the 
> works, but Gentoo is indeed one of the best Linux available, if not the 
> best in some field. Don’t let burn-out takes you and keep your real 
> priority among everything, even Gentoo or libre software. We are humans, 
> not machines.
> 
> Regards,
> GASPARD DE RENEFORT Kévin

That's not stupid at all, I'd been thinking exactly the same thing. I raised
this whole issue during a discussion at FOSDEM 2019, where I admitted that I
didn't check the code changes for packages I was bumping, knowing that few to
none of the other people in the room did so either. Despite speaking up then,
I still didn't do it because it's a heavy a burden and I'm not paid to do it.
Now I'm thinking I really should, but I could really use some help. I'll raise
this idea at work. You could say that we specialise in these things. :)

Regards,
Chewi

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 858 bytes --]