On Mon, 2024-04-01 at 20:51 +0200, Kévin GASPARD DE RENEFORT wrote:
> > Thanks for clarifying that, it wasn't clear to me when I read the
> > earlier e-mail.
> >
> > Personally I think the long term solution is to identify critical code
> > bases that have a low bus factor before the bad actors do and make a
> > concentrated community effort to help audit and maintain these code
> > bases.
>
> Hi,
>
> I hope this is not a stupid suggestion, this is also my first mail here
> so if something does not suit habits feel free to tell me please, but
> after reading the whole topic here I did not find this suggestion.
>
> It’s merely a proposition out of my mind, also something I know very
> little about.
>
> ---
>
> I read Linus T. speaking about usage of AI nowadays, in the IT field and
> stating that it is an awful idea to write code with it (at least, for now)…
> But not to ask an AI to read the code and try to find by this way
> security holes, bad habits, bugs and such.
>
> Again, my skill and knowledge about AI, especially nowadays, is very
> small. But would it take a lot of work to set an AI to simply «read»
> code to look for undesired stuff? That won’t even modify anything,
> merely say: «Ah, found something weird, **here**.». Maybe, properly
> configured, it would have detected this social-hacking. Maybe not.
>
> Since programming is very hard work, especially when it’s about
> security and bugs, I also have very poor programming skill, but since the
> whole purpose of a computer and its set of software is to do what a
> human could NOT do properly (like being attentive while reading dozens
> of hundreds of lines of code…) and automate stuff, it *seems* to perfectly
> suit this need.
>
> I guess the process on the Gentoo side while it’s about "packaging" is
> writing the good ebuild that downloads source code, compressed (and that
> is the whole problem here if I understand) and then unpacks it, compiles
> it, etc…
>
> Could an AI reading the code be a step somewhere?
>
> On other distributions I would say it needs to act **before** the package
> is made, while building it I guess, for Gentoo I do not know.
>
> But it is not the job of Gentoo’s ebuild writer to check other
> projects’ code, that would be nonsense! Right?
>
> I’m curious what an AI could bring in this subject.
>
> If it’s a stupid suggestion, well, I will keep reading this topic, very
> interesting. And sorry for the noise.
>
> PS: Thanks for the work behind libre software, open-source and here,
> Gentoo. I trust you since I do not have the knowledge to judge the
> work properly, but Gentoo is indeed one of the best Linux available, if not the
> best in some fields. Don’t let burn-out take you and keep your real
> priority among everything, even Gentoo or libre software. We are humans,
> not machines.
>
> Regards,
> GASPARD DE RENEFORT Kévin

That's not stupid at all, I'd been thinking exactly the same thing. I raised
this whole issue during a discussion at FOSDEM 2019, where I admitted that I
didn't check the code changes for packages I was bumping, knowing that few to
none of the other people in the room did so either. Despite speaking up then, I
still didn't do it because it's a heavy burden and I'm not paid to do it. Now
I'm thinking I really should, but I could really use some help. I'll raise this
idea at work. You could say that we specialise in these things. :)

Regards,
Chewi