Tridgell: rsync and outrage (lwn.net)
<p>Andrew Tridgell has written a <a
href="https://medium.com/@tridge60/rsync-and-outrage-d9849599e5a0">blog
post</a> responding to complaints that he has begun using LLM tools in
his work maintaining <a href="https://rsync.samba.org/">rsync</a>:</p>
<blockquote class="bq">
<p>Like many developers of open source packages I've been hit by a
flood of security reports lately in my role as the rsync
maintainer. Many of those reports are AI generated (not all though,
there are some notable ones with very careful and high quality manual
analysis).</p>
<p>As this flood started to get more intense I realised I needed to
raise the defences on rsync a lot — we needed much more thorough test
suites, code coverage analysis, CI testing on a lot more platforms,
deliberate and thorough scanning for possible security issues (so I
find at least some of them before other people!) and the addition of a
whole lot of defence-in-depth hardening techniques.</p>
<p>[...] Now to the future, because we're not done yet by a long
shot. The security reports keep rolling in. I'm working on a bunch of
CVEs right now. Luckily I've been joined by some other very good
developers with great systems development skills and security
knowledge. Some of these people came to my attention partly because of
all the rage happening at the moment, so I get some rage storm clouds
have silver linings. Watch out for some credits for some great new
rsync developers in the next release.</p>
</blockquote>