- cross-posted to:
- programming@lemmy.ml
- cross-posted to:
- programming@lemmy.ml
Seems like he’s been pushed into using LLMs as a way to cope with the deluge of LLM-generated security reports.
You must log in or # to comment.
This is the guy who accidentally forced the creation of git, by reverse engineering the BitKeeper protocol and getting all the Linux kernel developers’ licenses revoked. Chaotic Good energy.
So i dug up a bit about Andrew Tridgell:
- The reverse engineering details: https://lwn.net/Articles/132938/
- License offering and revocation: https://github.com/CuriousCurmudgeon/history_of_vcs/blob/master/06_bitkeeper.md
Hooray! It’s good to see another retired dev with 40 years exp respond more eloquently than I ever can to the flood of anti-AI rage. What gets me most about the rage is the absolutism - the flat assumption that anyone who uses AI is either stupid or evil. Period. There’s almost no genuine engagement on the topic, mostly just angry shouting. But you see that a lot online - some people think social media is Fight Club.
If you read through the comments here you’ll see a ton of nuanced comments, I think undercutting your claim. At the same time, this is also an interesting issue because you’re trying to play the centrist role. But on this issue there is no centrist role, and actually you’ve just played the pro AI role while pretending you didn’t do that.
Because think about what happened. The developer used AI and it introduced bugs and that was bad for people. These are the facts. So the people are saying hey can you stop using AI and the developer is shrugging their shoulders.
What’s the middle ground that you’re looking for here? Recognizing that it’s possible to use AI harmlessly? But that’s not what happened. If it had been harmless used then no one would have brought up the issues in the first place.
The developer used AI and it introduced bugs and that was bad for people.
Was it the AI that introduced bugs, or them, while working with AI there or in other parts?
Would the bugs not have occurred if they made the changes without AI?
Would they have made any changes without AI? Would we be better off without changes for security robustness?You make it sound like a direct correlation. Having read their response, that seems like an assumption without reasonable foundation.
Changes always have a risk of introducing bugs.
I’m no friend of using AI without the necessariy expertise, but from their response, they seem to have taken a very thorough, reasonable approach, and they seem to have the expertise to do so.I think there is more nuance or spectrum than good or bad. Vibe is one extreme, but along the dial from traditional to pure vibe are degrees of involvement. I’d characterize the degrees something like:
- No AI, just elbow grease
- AI as just auto complete on steroids
- AI generating more complete change sets, but still from focused, more surgical specs, and still a human review on everything
- “Spec-driven development” where, as I see it, you’re engineering a multi-agent-role workflow to intersect different contexts and iterating to try to converge on carefully designed specs
In 3 of those 4, the human is fundamentally the one owning the output, and AI is an accelerator and potentially an influence, kind of like pair programming. And even the SDD workflow can be a human-in-the-loop approach, although the more agents produce autonomously, the harder it might be for a human to be effective at reviewing the output.
So I’ll agree that “use it or don’t” is a binary, but I’d just add that there’s still a spectrum of how it’s used.
When I rant about polarization of AI discussions I’m talking about on social media generally, not this one remarkably civil thread. But even your use of the term “roles” is doing it - you’re assigning black hats and white hats to the participants instead of focusing on what they’re saying.
Speaking of which, where do you get the idea that the author introduced bugs by using AI? He says that in his work to improve rsync by beefing up test suites, integration testing etc he used AI to do grunt work, and thoroughly reviewed every bit of it. He explains this very clearly, and I don’t see the part where his use of AI created more bugs.
I am pro-AI - I’m interested in its development and looking forward to it getting better. What we have right now can be very useful, but it’s kind of like 1980s 8-bit graphics video games. It hallucinates too often and is unconscionably resource-heavy. I’m very much against its overdeployment and misuse. Companies are charging into implementing AI like middle school boys who just figured out how to find free porn. They see it as yet another magic wand to reduce headcount - which is their endless quest. But blaming AI itself for this is like blaming a saw for wasting lumber or for not being a better saw. Blame shitty carpenters who use it wrong.
Seems like he’s been pushed into using LLMs as a way to cope with the deluge of LLM-generated security reports
It’s not just LLM generated security reports, but vulnerabilities discovered by AI. Your wording implies they were just reports, and of less validity. Lazy LLM reports are not what he is trying to cope with, since there is nothing to do but close those reports. He is talking about real, verified, vulnerabilities that weren’t discovered until AI tools. Not because humans couldn’t find them, but none ever did. When it comes to finding, it really doesn’t matter if it’s found by human or AI, since that doesn’t change its existence or severity.
And the side that noone else talks about, threat actors are highly likely to be using ai to find these potential vulnerability. So you you are not doing the same you are immediately at a disadvantage
I am reporting that every line of your code has 17 errors. I just generated 1562364 bug reports for you. Now you just need to close those that are false, no big deal.
Except not every bug AI finds is that bad. And you have to wax through all of them.
You absolutely don’t need to wax all of them, where did you get that idea? It’s okay to only wax a few of them.
How do you know which ones to wax through?
Not even every bug AI finds is a bug.
I used AI tools to do the grunt work because they are good at that.
This is something people complaining should remember. AI is good at some parts of the work of a software engineer: the grunt work.
As a software engineer, the grunt work is reasoning about my code, something a statistical model can’t do.
Apparently not good enough, if we look at the case of rsync. Remember, this while conversation started because of some show stopping bugs caused by generated code.
People pointing at new breakages are trying to say “No it isn’t and here’s the proof”.
How do you know those were the result of the AI?
I quite deliberately tried to err on the side of fixing security issues for that release, and there were some valid (but unusual) use cases that got caught up in the changes.
Seems to me like it was just his own fault. AI may very well have had nothing to do with the regressions, other than maybe not identifying them?
If the generator made a mistake, it’s actually not its fault, and you can’t prove it. If the code works, it’s an amazing achievement of the machine, singularity is here, you don’t need to look any further.
He rewrote the test suite to Python using AI tools, which I believe people are saying caused some otherwise detected cases to be missed.
Those people are wrong. The 3.4.3 release passes all the integration tests in the 3.4.1 release’s test-suite, which is the last release without LLM code. You can easily test this yourself
Thanks for confirming! Really this dev just needs more maintainers for his project, but sadly people won’t step up.
Repost of my reply elsewhere:
This guy is already retired, he wants to spend his days sailing and here we are bitching about rsync not being good enough while we all use if for free
Most of us won’t be able to help code, fine.
But most of us could help with translations
Many of us could help with documentation
Some of us could contribute regularly with small financial donations
Some of us might have enough knowledge and expertise and experience to help code
Others could come up with other tasks that could be done.
The point is: rsync need more resources. Either we get him more resources or we STFU about the retired dev using AI. We can’t have it both ways.
I think it’s unreasonable to complain that the guy is not working enough for free.
I think it’s reasonable to alert people that rsync is not being properly maintained anymore and to seek alternatives.
I would prefer the maintainer to announce publicly that he can’t maintain the project anymore and is looking for help/someone to take over instead of breaking the project silently.
But where will the maintainers for these alternatives come from, when barely anybody has stepped up in the 30 years of rsync’s existence? Your comment implies that tridge didn’t call for help before, which is far from the truth.
This is thankless maintenance on critical software, not some *-arr toy project for hobbyist self-hosters.
But where will the maintainers for these alternatives come from, when barely anybody has stepped up in the 30 years of rsync’s existence?
Universal Healthcare would increase the pool of willing developers by an order of magnitude here.
No disagreement here but I’m not sure that’s on the menu right now
Either Universal Healthcare is on the menu or society falls apart, pick one.
Oh man I’m like super agreeing with you. Also I’m in a place that actually has universal healthcare, so it’s not like it’s unworkable
Universal Healthcare would increase the pool of willing developers by an order of magnitude here.
I’m not so sure. The problem is not a lack of developers. The problem is a lack of developers interested in working on rsync, or on any other specific project you can name. Most developers would rather work on their own projects.
I would also question whether or not universal healthcare (though unquestionably a good thing) would actually result in such an increase in available developers. The following study looked at the geographical distribution of OSS developers in 2021, via Github contributions, and found that the US had a similar number of OSS developers per capita compared to similar countries that do have universal healthcare (see table 2):
https://www.sciencedirect.com/science/article/pii/S0040162522000105
Github and the whole culture that it came out of it used to (it feels sooooo good to say that in the past tense) be globally hinged on Silicon Valley, why would you not expect to see a anomalously high number of US developers on it?
That’s definitely a possibility, along with the possibility that countries with worse English language skills might be underrepresented on GitHub, despite having universal healthcare. Conversely, if the US is over-represented on GitHub, then the pool of US developers who are not already active on GitHub may also be depleted compared to other countries. However, that is not something we can read out of the available evidence.
The most we can conclude is probably that the US getting universal healthcare might result in an increase in available OSS developers, depending on which assumptions turn out to be correct, but suggesting that it would lead to an order of magnitude increase is surely premature
suggesting that it would lead to an order of magnitude increase is surely premature
The US is continuing to worsen in performance on meaures of small business entrepreneurship in essentially all industries in the US, software and software adjacent industries are no different especially if you don’t get distracted by the AI bubble inflating that value of a bunch of illusions claiming to be businesses.
It is easy to see how the inability of the average person to try a new idea, or risk taking on a project that may not pay off immediately translates directly to a lack of available developers for open source software projects.
The impact of Universal Healthcare would be huge for open source development in the US, the amount of programmers that would be pushed over the line from “just making ends meet while having a work life balance” to “ok maybe I could devote some time to open source development”.
Don’t get me wrong though, I think we need to normalize straight up paying developers for Open Source Development. Just because it is open source doesn’t mean it doesn’t take labor, that is not the argument I am making.
https://github.com/rclone/rclone
https://github.com/restic/restic
https://github.com/bcpierce00/unison
The thing with old, critical software is that after some time people don’t really want to dig through decades of C code and prefer to write something new using modern tools. Those projects get plenty of support because people actually do want to work on them. If no one wants to work on rsync than what the maintainer is doing now is just prolong it’s agony a couple of years. I would say he should do the minimum work, announce end of life date and move on. People that need tools like rsync will develop something.
Also, having critical software depend on one guy is not safe. We should avoid that. If critical software depends on one guy it should be phased out.
Also, having critical software depend on one guy is not safe. We should avoid that. If critical software depends on one guy it should be phased out.
I’m sorry to say 90% of the internet’s load bearing infrastructure is in this situation. It’s just how the story goes, everybody wants to build low-stakes toy projects, nobody wants to do high-effort low-reward infrastructure work.
“Writing something new using modern tools” is all fun and sparkles, but then you run into the same issues as rsync except without the experience. Then you get attention from attackers, you get security issues, which you have to patch with defensive code which is not appealing to read and zero fun to write. Before you know it your project is “decades of Rust/Zig/Lisp” which nobody wants to touch and you’re back at square one. All you’ve accomplished is give the attackers a few years of low hanging fruit and easy exploits.
There’s a reason why we get a million shiny toys a year but solutions like rsync stay entrenched for decades.
Also, having critical software depend on one guy is not safe. We should avoid that. If critical software depends on one guy it should be phased out.
Here are the percent of commits from the top committer in each repository you mentioned, as well as rsync, over the last 3 months:
- rsync: 99.0%
- restic: 93.2%
- rclone: 87.5%
- union: 82.9%
- syncthing: 74.4%
As you can see, each of this projects depends heavily on a single person, though to a lesser degree than rsync. That’s just the nature of most open-source software.
Note that I excluded dependabot commits from the calculations and counted Claude commits as the lead developer for rsync
How I imagine this:
- rsync gets end of life date
- People that rely on rsync start looking for alternatives
- They try to switch and figure out what functionality is missing
- They contribute to some of the alternative to fill the gaps
For example, I’m about to setup some syncing for my homelab and I will not use rsync for that. That’s why talking about the state of rsync is important. As I said, it’s not about attacking the dev for not working hard enough. It’s about long term planning.
I remember when the maintainer for discord.py stepped down. He eventually stepped back in because no one wanted took over the project and he didn’t want to see it die. This was before the current AI era, all someone had to do was continue to develop it.
I think almost everyone will do step 2 and 3 but not step 4.
The fact that open source exist and functions so well for decades shows that people do step 4. If no one wants to step in it usually means the project is not important.
The trouble with some of those projects (e.g. unison and sun thing) is that they don’t solve the same problem, not really.
A rewrite with modern tooling would be better done if it was incremental.
He’s been asking for help but nobody took him up on it.
Is that your assumption given that they’re using AI? Because it’s not at all what I have taken away from their article.
Is “not properly maintained anymore” your interpretation of them using AI? Or what do you base that on?
The whole story started because rsync stopped working for some users. That’s “not properly maintained” in my books.
I don’t know the degree to that, but bugs do happen occasionally either way as long as there are changes. In the article, they explain why the changes are necessary. Prioritizing security over no-change-stability seems reasonable and warranted.
The author said:
yes, there were regressions in some use cases of rsync in the 3.4.3 release. I quite deliberately tried to err on the side of fixing security issues for that release, and there were some valid (but unusual) use cases that got caught up in the changes.
So as I said, I don’t think it’s fair to scream at him to work harder. I do think it’s fair to worn people that rsync is having issues with stability. The author claims he knows what he’s doing and it’s all on purpose. You are free to trust him and ignore the whole affair. Other people may prefer to look for alternatives.
This whole debacle is making me extremely black pilled about open software in general. Just like cheap computing has died in recent years, I suspect non corporate free software is about to meet the same end to the acclaim of people who think they’re doing a good thing for the world.
Do you mind describing what black pill means in this context? I’m familiar with the red/blue pill references, but could only find the incel context of black pill online. Is it just a “harsh truth” kinda thing?
Sorry for bringing terminally online slang to the table haha
In my head yeah it’s the pill that teaches you a bleak and depressing truth but shows you no way out of it. I may be misusing the term.
You most certainly are, use a different metaphor/descriptor.
He’s using it correctly
I most certainly won’t lol
Ok then, you are labelling yourself as a pathetic loser.
Black pill ideology is most deeply rooted in misogynistic online communities heavily populated by incels, or involuntarily celibate men.
https://www.britannica.com/topic/What-does-black-pill-refer-to
Lol
ain’t that a spicy squirrel…
You gotta get up on ai start using it yourself, good or bad it is what it is and people will be left behind.
I think you misread my comment. I’m depressed that people are harassing open source devs, not that open source devs use LLMs.
I don’t give a shit whether a maintainer like Tridge uses AI, because i trust them to review the AI’s code like they’ve reviewed human contributions since forever.
I doubly agree to this. The moment you are deciding the license of your fucking software please think carefully. It is a public service and the dev(s) ow you nothing. Not even an apology. What you own to the devs is much greater and very high on value. They made the software that runs on your own paid electricity, that you granted to them.
Either we get him more resources or we STFU about the retired dev using AI. We can’t have it both ways.
Of course we can do both. I don’t have those resources to grant
and I get to point out that Tridge, despite his well earned reputation from the huge contribution of creating rsync and bringing it to the point where it’s effectively complete as an essential piece of internet infrastructure, was massively arrogant in abdicating his responsibility by shovelling LLM slop into that same piece of infrastructure.
Okay then you’re just bitching at a dev with nothing to help him might as well yell at the wind.
In your eyes, is all AI-produced text and code slop? Or did you check on the Python tests they designed and implemented with the help of AI, and after analysis of that, you came to the conclusion that it’s slop (as in nonsensical, incoherent, faulty, or similar)?
I can’t wait for companies to finally price out most of developers out of AI use, especially the FOSS ones.
I just hope most of them won’t get too addicted to the tech crack they are getting free/cheap samples of currently, and will be able able to find back their motivation and skill to work without a feel-good dopamine machines.
Also, lol at all the coments being like “if you’re 100% against the tech crack, you’re delusional. The cat is already out of the bag, it makes you way better at coding, if you use it responsibly!”
The problem isn’t that it’s not somewhat good, the issue is that soon you won’t be able to afford it, while also being addicted and dependant on it. But I’m sure y’all are able to use crack responsibly and will be fiiine.
If the project is understaffed and mistakes were made, wouldn’t it be more constructive to help maintain it or encourage broader participation, rather than dogpiling on a volunteer maintainer?
I run Qwen 3.6 27B at home. For “free”. It is extremely useful.
My point being that I’m not going to be priced out of using it
Don’t worry, they want to replace your hardware with a “cloud based computing solution” as well.
When did that absurdity come back? I thought we killed the cloud computer nonsense a decade ago.
Well you see… subscriptions.
What hardware that needs? My issue with running local models was that it’s too much of a resource hog to be able to do gamedev on the same machine, and any sensible model needs pretty expensive hardware to just get a server for it. Especially with current prices.
Geforce 3090 with 24TB should be able to run a “Q5 version” of it. Maybe get a second older computer, or maybe you can run two cards in one PC.
64GB unified memory. I run it (and a lot more) on a dgx spark, but a Mac mini would suffice also.
You could prob run 4-bit version on a RTX card with 32g. Maybe even 24g. Like a 5090 or 4090 or such.
So much info out there.
Mac Minis top out at 48GB and are 1.8k when configured like that. It’s going to be at least $2k to buy anything that has a hope of running it at a reasonable speed.
Running local isn’t free, but at least it’s just a single upfront payment.
The M4 Pro Mac Mini caps out at 64GB RAM. Whether or not Apple can sell you that SKU right now is a different question with the ongoing DRAM shortage.
That (64GB) doesn’t appear on the site at the moment.
Well you aren’t a brain dead business man then.
…yet
qwen is garbage. it can’t even count the elements within an array of numbers.
to be clear though, it’s not just qwen. all code models are fucking trash.
See, this is what people say when they say “people who can code” are doing good things with these LLMs.
Why the fuck would you ask the model to count elements?
Ask it to make a python script that will do the counting, then run the script.
compare these two arrays and tell me what the difference is
are these two arrays similar?
are these not legitimate questions? sure I could do them in-code, but is it not faster to just ask it?
See, this is what people say when they say “people who can code” are doing good things with these LLMs.
first time I ever had a clanker insinuate my skill level is below their own. thanks for the chuckle.
Ok. Also I am sorry the audience of Stack Overflow dried up for folks to use as punching bags.
what are you even talking about?
Yep, while I don’t use them myself, I saw the output of the latest models at the beginning of May. While there are some “good” things in it, the vast majority of the output was unnecessary maintenance load or just wrong. And, while the person showing off the output claimed they couldn’t have written the code, I didn’t see anything particularly special.
On top of that, I don’t believe the output of Qwen (or any other coding model) can be distributed without violating a large number of copyrights, so it’s entirely inappropriate for FOSS projects.
I don’t believe the output of Qwen (or any other coding model) can be distributed without violating a large number of copyrights
I have a perfect example for that. I asked Qwen to write a simple python socket app. one for server and one for client.
While I was reading through forum posts about python socket communication, I found a post from 8 years ago. same script. same variable names. same comments. word for word. line for line. the same exact script.
so much for AI “not stealing content”.
Are you sure you were using the actual coding model? There are a number of them
Qwen coder 30B A3B
most people are going to destroy their home servers running these workloads
Destroy as in the fan bearings are going to wear out quicker?
Even if too expensive for FOSS devs the mega corps relying on their software will still be able to afford them to run their own security testing, feeding the bug reports back to the project. And with time the hardware and models are only getting more efficient (for a comparable performance level).
And it may or may not be somewhat good. I think we’re seeing that shitty programmers use AI to write even shittier programs. And that will continue indefinitely.
The whole rsync repo is 65k lines total. Recent AI-centric changes account for +16k/-6k, including massive changes to the unit tests. Somehow that’s not even considered a “minor” update (v3.4.1 to v3.4.3).
That’s not responsible use of AI, that’s malpractice.
Do better then. Where’s your contributions?
Then get on your IDE and lend them a hand. Then the retired guy that’s asked for help several times in the last decade unsuccessfully wouldn’t have to buy tokens to get help.
Seems like most people want to spend their effort getting on their high horse instead of being the change they want to see.
Any specific issues though? Yeah, it’s a large change and I’d be more surprised if it didn’t have issues, but are there any specific issues with the updates that have been found so far?
Yes, there’s been several regressions that would’ve been caught by the original tests, but missed by the new vibe-coded tests. That’s what prompted the blog post linked by OP.
Yes, there’s been several regressions that would’ve been caught by the original tests, but missed by the new vibe-coded tests.
That is directly contradicted by what the developer of rsync wrote in the linked article:
yes, there were regressions in some use cases of rsync in the 3.4.3 release. … None of those cases were covered by the existing rsync test suite or by all the manual testing I did (yes, I use rsync, I don’t just develop it).
It’s possible that somebody in the issue you linked to pointed to a test that would have caught one of the regressions, but I was not able to find it in the 327 comment mess. A direct link would be appreciated, if that is the case.
But I doubt that you will find such a comment. Because I tried running the 3.4.1 test-suite with the 3.4.3 binary, and all tests passed
Seems I was mistaken. My previous statement was based on what others have said, but I haven’t actually run the tests myself. In any case, I have learned not to rely on statements made by the accused in this type of dispute.
No you learned to rely on the accusers lol
Yes it all broke which is how people noticed
Have you read the linked article? They explain how they used AI. It’s not like AI produced the code and that’s it.
They also explain about this version and the next minor version.
I’ve said this before and I’ll say it again. If an established dev uses AI and you don’t want that? Then get involved.
Yep. All the bitching is exhausting.
Talk is cheap. Send contributions or fuck off.
Well rsync is a pretty integral utility for a whole array of software at this point, and I guarantee you that not all of its userbase has the expertise required for direct contributions. I don’t think it’s fair to write off the complaints of people like that as irrelevant, especially if they have a stake in rsync working well for them without having to worry about AI hallucinations screwing them over.
Well yes but.
This guy is already retired, he wants to spend his days sailing and here we are bitching about rsync not being good enough while we all use if for free
Most of us won’t be able to help code
But most of us could help with translations
Many of us could help with documentation
Some of us could contribute regularly nwith small financial donations
Some of us might have enough knowledge and expertise and experience to help code
The point is: rsync need more resources. Either we get him more resources or we STFU about the retired dev using AI. We can’t have it both ways
Then retire. All the time people think it’s maintained it feels safe to not get involved.
I agree. Either retire and pass the torch or stop using “im retired” as an excuse. You can’t have both
I agree with the worry and wanting an alternative but demanding what the dev does is where it crosses a line I feel
I agree with that too, though I think the self-righteous attitude like that of the person I’m replying to swings in the opposite direction a little too hard for my liking. There’s a happy balance, y’know?
People shouldn’t complain in a dev’s ear like they owe them something they never promised, and people trying to call that out shouldn’t counter it with a demeaningly confrontational demeanour. Obviously that’s a lot to ask for on the internet, but it’s a good thing to try for at least.
Tell me about it, I am skeptical about AI and I kinda wanna know the True Positive, true negative, false positive, false negatives with these AI classified bugs. Still a useful tool.
I just think it’s unreasonable to ask someone to do dev work for free, either pay or contribute (code, docs, help in misc ways) or cash (and pull out when they do something you don’t approve that’s your right). But until there’s real fuckery let’s just open bug reports and complain about real issues that can be fixed.
It’s provided as is, no warranty, no guarantee. If you built your life around it, that’s on you, not the dev. If you want something else, do it yourself or pay somebody to do it for you.
Fair, but a little empathy for rsync users who only mean well would go a long way. The everyone-for-themselves mentality doesn’t tend to be very helpful most of the time, if ever.
Meaning well and blasting the rsync maintainer with absolutist anti-LLM messages are very different things.
Th rsync maintainer is ironing out issues. Use an old version and let him cook. Once things are stable, then pull the new version. If you’re on arch or another unstable distro that always pulls the latest version, this is what you signed up for. Staying on the bleeding edge means you’ll bleed.
It doesn’t excuse attacking he maintainer who seems to be making a genuine effort. That shows a lack of empathy.
Meaning well and blasting the rsync maintainer with absolutist anti-LLM messages are very different things.
…Which is why I specified those who only mean well. Obviously that doesn’t include the less pleasant crowd.
We’re mixing up two things here. There’s valid criticism. And there’s the people who want to unleash some social-media style shitstorm. The latter show up in large groups and add some unsubstantiated comments, lots of emojis and drown any kind of conversation. But that doesn’t really take away from the valid criticism. For example a maintainer shouldn’t tag a version and release it, when it’s not ready to be released. That’s the 101 of software development. You can expect as much. Because the “bleeding” thing isn’t really how it works. Once there’s a new minor release tagged by the devs, it’s supposed to be picked up by the distro maintainers and get into any distro’s repositories. Doesn’t matter if it’s Arch unstable or Debian stable. They don’t want bugs and security vulnerabilities in their distro, either. Especially not when it’s 6(!) CVEs! And the Debian dev’s in fact reacted to this. And they even backported stuff to oldstable so the people who run the rock-stable stuff from 3 years ago get the patches! So it really doesn’t matter… Run a bleeding edge distro, or a stable one and don’t update it for 2 years, you’ll be affected by this both ways.
Yeah, everyone with a local LLM running on their PC who suddenly thinks they’re an expert in software development: time to bombard the creator of Rsync with AI bullshit that he will need to wade through.
Contributions are not enough. It needs people to maintain it. That means dedicating time long term. It’s not a small undertaking.
Contributions can be a step on the road though.
Yes, that is what people are saying, make the effort and contribute.
I’ve had conversations with people when you say that, like they don’t want to get involved, don’t want to code, and they want the dev done their way. Like ok. WTF? Entitled much?
And this is for established devs and their codebases, not some vibe kiddy
No. If an established dev leans on LLMs for coding and shovels it into the main branch, they have abdicated their responsibility and trashed their reputation. We get to point that out
without any obligation to do their work for them.
It’s his project. He can do whatever he wants to with it. He doesn’t have a “responsibility” to you or anybody else. Stop being so entitled.
Point it out, doesn’t change the fact that you’re not addressing the core problem, which is developer burnout in these FOSS projects.
Also no its not their work, its literally a voluntary job so stop dictating how people spend their free time.
But that’s just me, you do you.
This reasoning assumes any LLM-assisted change is faulty, right?
The linked article doesn’t make me concerned. They seem to have the expertise, seem to apply due diligence and good practice around (selectively) using LLM.
Can people not directly involved in and working on the project assess the risks well? Do we not have to depend on author and project leadership expertise just like we had to before with any parts of development, management, and tool and infrastructure use?
I haven’t looked up the original communication or drama, but I assume communication could have been much better. Maybe the commits didn’t say much about the reasoning and due diligence that they describe in this article? Other than that, how can you make a better judgment about the changes than them without taking a thorough look and assessment?
Also, nobody actually knows if human intelligence is just finer grained stochastic prediction as well.
An interesting but valid argument. It doesn’t make AI better than it is, but any human contribution and change can and often is also faulty. People have gaps of knowledge, sometimes unwarranted confidence, other times lack of care, or just miss things. It’s not like we’re comparing the perfect human vs faulty AI.
If you don’t mind the security risk then you can of course use an older release.
I haven’t read the original rage/drama but I can imagine if from other drama instances.
This post is certainly a good, founded response.
There’s some valid concerns in AI usage, but unwarranted or inappropriate harsh criticism when it’s an established trusted developer and engineer - if we assumed good practice before then we could assume continued good practice. Maybe LLM is one point of increasing skepticism, but criticism should be open, respectful, and fair.
They invested a lot of time and effort into a public good project. In that context, they deserve at least respectful and non-worst-assumptuous criticism.
People have gaps of knowledge, sometimes unwarranted confidence, other times lack of care, or just miss things. It’s not like we’re comparing the perfect human vs faulty AI.
I went through the trouble of looking at one of the problematic changes in the latest rsync release, and what happened is that it surfaced a bug introduced in 2007 which was previously silently ignored. That’s definitely a mistake any human contributor could have made.
Yeah, the current backlash over LLMs in any capacity is a meme. It has turned into tribal politics. There is no longer thought behind the criticisms.
Also, it’s not the stochastic prediction part that makes LLMs “not intelligence” to me. It’s that it’s only predicting the next token in a string of text. I don’t believe this can approach what we do. To me it could well be that some other sort of token prediction is what we do even when we introspect and think of a model of the world.
Yeah, the current backlash over LLMs in any capacity is a meme.
No, you just don’t want to face the fact that a growing number of people are less gullible than you.
Thank you for providing a clear example of the “my side good your side bad” style of thinking that completely lacks critical thought.
Oh come on LLM have their uses and to say it is all slop is just a tribal my team thinking. But maybe that is the best humans can achieve.
Most LLM implementations to have come out in the past year have had introspection - a section of text where they’re prompted to think1 about the problem at a meta level which isn’t shown to the users. LLM engineers are actively working on expanding this into a more persistent, consistent, and functional world model - a bunch of text statements that other parts of the implementation are trained to treat1 as probably factually true, which it is regularly prompted to curate1 based on its interpretation1 of user input and other data.
For example, an LLM might have a world model statement that says “As an LLM I may be running at different times. Before stating the current time with confidence, check the current time with an external source such as the UTC API.” so an introspection scratchpad it generates might be “To answer that question accurately I need to know the time. I will refer to the UTC API. Ah, it returned 12:17 on June 3rd 2026. Since Britain is currently at UTC+1 I can confidently say the sun is up in Britain”, and then the text the user sees is “Thank you for asking, the sun is currently up in Britain”.
As for the lack of thought behind LLM backlash, that’s a factor of human psychology. In order to free up limited mental capacity, the human brain automatically simplifies rules it has learned consciously, imperfectly archiving the conscious method of learning it to long-term memory. People made up their minds about LLMs, and now the reasons are archived and no longer necessary for people’s response to LLMs. So now when people see LLMs, they don’t use the thought, they can just do the behavior they decided on and move on with their life.
Re-litigating LLMs feels like going to an old archive and digging through dusty tomes. It can absolutely be worth it, but it’s an effort you’re not going to put in just because you see someone using it or praising it.
Personally, my opposition to non-local LLMs is enshittification. Every habit you let become dependent on LLMs will be used to exploit you. Your habits before LLMs will be archived and too much effort to relearn, so you’ll pay out your ass for a worse service than what you used to be able to do yourself. My opposition to all LLMs is veganism, but that’s a story for a different comment.
1: LLM instruction text anthropomorphises LLMs. LLMs don’t do these cognitive tasks the same way a human would.
As for the lack of thought behind LLM backlash, that’s a factor of human psychology. In order to free up limited mental capacity, the human brain automatically simplifies rules it has learned consciously, imperfectly archiving the conscious method of learning it to long-term memory. People made up their minds about LLMs, and now the reasons are archived and no longer necessary for people’s response to LLMs. So now when people see LLMs, they don’t use the thought, they can just do the behavior they decided on and move on with their life.
What an absolute crock of shit. Did your local LLM model tell you this?
How convenient it must be for you to be able to disregard all criticism as simply “a lack of thought,” and that people have already made up their minds and don’t ever think about it again.
Honestly, it’s fucking insulting. Just because you’ve given up basic critical thinking doesn’t mean everyone else has.
Cached responses are healthy and natural, and they aren’t any more likely to be wrong than well-reasoned arguments.
Like, suppose you were planning a dinner party with friends. One of them goes “person X? Ugh, can we not invite them?”, to which another friend goes into a long argument about why person X is totally better now. The first friend can’t really articulate what’s wrong, they just have a shitty feeling, and the arguments they use to explain that feeling are weak and full of holes. Which friend’s judgment would you be more inclined to trust?
I for one would trust the friend with the feeling rather than the friend with the clearly reasoned argument 9 times out of 10.
And so it is with LLMs/genAI. The reflexive repulsion towards them and towards people supporting them is well-earned. It’s healthy for people to set boundaries conservatively when so many genAI proponents are trying to weasel their way into acceptability with bad-faith comparisons, deliberate violation of “no genAI” boundaries as a form of gotcha, and a systematic lack of integration of critiques of genAI when trying to find new implementations. The Luddites were right, and so are anti-AI movements.
All of which is to say, I think you got a false positive here, but you’ll get 'em next time.
(You are correct that people do keep thinking about stuff and adding the impressions of those thoughts to the cached response. The analogy of a archive isn’t quite correct, it’s more like a giant pile of complaints that keeps getting added on to, that you need to shovel through to get back to that good point you heard 524 days ago, if it hasn’t disintegrated into abstract impression. I don’t think this changes the fundamental point, though, that usually the best reasons people have for believing something are not stored in their brain in a legible, rational format, and so the best actions - such as opposition to LLMs - are driven by emotional impression rather than thought).
Lmao bro, what do you think “stochastic prediction” means? It’s always the people who don’t even understand LLMs defending them the hardest.
They don’t know, it’s just a fancy term their local LLM spit out at them
I agree, I’ve been recommending people to try to develop some level of nuance on the topic. I understand the fear, hatred, and loathing of AI; especially the way it’s currently being implemented and used. I really do, and I share 99% of the concerns. But there is room for nuance in the understanding of how it’s being used and what it’s being used for and who is using it, and when nuance leaves the room, we’re blind. And blind hatred is never a good thing and it does not lead to good places.
The funny thing is everyone hates AI but it seems everyone is using it also. So what is the truth.
The truth is that that life is full of contradictions and we are all struggling to figure this one out. Not every contradiction can be cleanly resolved. In the meantime life goes on. Later it will probably turn out that we’ve all been worrying about the wrong question, but right now… I don’t know.
It’s that it’s only predicting the next token in a string of text.
An LLM has an internal state while predicting text. The “next token” chosen takes that state - a model of the world - into account. So a LLM is predicting the next token based on a world model and the previous text.
Saying that it is “only predicting the next token”, without more context, while technically true is very misleading.
I hate when AI people say “things are so different in just the past few weeks, what you know from last year is meaningless” without specifying what’s so groundbreaking that us regular folks wouldn’t be able to comprehend. It just seems like a way to shut people up and feel superior.
The point is that AI is developing at an insane rate. They don’t specify, because you would always have to be naming new things every other week, by the very nature of the statement. Things AI was not able to do a month ago, it may be able to do incredibly well now.
If you want an example, AI in security vulnerabilities has made quite a breakthrough recently. Not just Mythos, but multiple AI’s are finding 15+ year old vulnerabilities in open source packages basically the entire world relies on. It couldn’t do that a few months ago.
But what they’re also implying is is that most people just can’t keep up. But they can, apparently.
About the security stuff, I don’t think it is a question of whether AI could do it or couldn’t do it, it just wasn’t extensively used for it. For a long time there have been LLM bots trying to automatically identify security vulnerabilities in hopes of making “free money”, but it wasn’t effective. Now there’s people actually trying to find real issues. And I would argue that AI is not good at it. You can just let it ponder for as long as you can feed it with money, and you will definitely find vulnerabilities. The false-positive rate is very likely high. If I try to roll a dice 12 times, and 3 out of those were 6, then that doesn’t make me a good dice roller.
I think it’s just more the act of discovering what we can do with AI. It’s like openclaw, that could’ve been around last year, it’s not like AI wasn’t capable enough at that point, it’s just that no-one thought of using it like that (or at least no-one built it to the extent of openclaw and got it that popular).
I think it’s just more the act of discovering what we can do with AI. It’s like openclaw, that could’ve been around last year, it’s not like AI wasn’t capable enough at that point, it’s just that no-one thought of using it like that
What would you call developement/improvement if not exactly this? Some of histories biggest advancements are finding better ways to utilize things we already have
If you ask me personally, I don’t think that any of this has a benefit for anyone. I don’t think this is an advancement. It doesn’t make us work less, it just makes us achieve more in the same amount of time, or at least most people feel that way. It doesn’t make me more productive, it’s rather the opposite.
And what good is it to us if we achieve more? The only benefit it has is for those god damned capitalists. Great for them. The pay we get stays the same, and it probably even gets less.
OpenClaw? Why the fuck would I let an AI use my computer? I want to use my computer. I want to read my emails and I want to answer them. I want to research stuff and I want to learn. Why would I let an AI do all of those things? Hire a human because AI can’t touch grass? Seriously?
It‘s all just so gimmicky, and yes it’s interesting and amazing that those things are possible, but it’s like flying humans to mars, it is really cool? Yeah. Will it have any real benefit? No.
To me, this is all just fucking sad and will probably mark the advancement from late capitalism stage into hopefully complete economic chaos.
So yeah, when it comes to AI, I‘m probably not the best one to ask.
i think he’s talking about agentic harnesses getting better, and the new models being finetuned to use them. I don’t think the new models are much “smarter,” but it allows them to write shitloads of bad code and tests, then iterate over them until they’re “fixed.”
He makes some fair points. However I do think the large amount of regressions in 3.4.3 should have resulted in a new release rolling back those changes.
I still like the response of the libxml2 maintainer, where any vulnerability will be disclosed openly and fixed when it’s ready. Maybe more open source projects currently drowning in CVE should take that stance instead of their maintainers burning themselves out over it.
I think there would be a lot less drama around this if authors were just up-front about how they use AI. Put it in your readme, just like you do with licenses.
Not straightforward with projects that pre-date coding agents, which is the overwhelming majority?
Why not? I’ve added it to my projects. It’s simple, just open README.md. Write “# Use of AI. This project does not currently use AI. / This project is entirely vibe coded & I don’t read the code at all. / I occasionally use Claude Code but thoroughly review its output.”
Save. Commit. Push. How is that not straightforward?
Also, nobody actually knows if human intelligence is just finer grained stochastic prediction as well.
I think some people are stochastic parrots and some are not. I think most of our true understanding of things comes from escaping our limitations. Why so many people want to become a stochastic parrot is beyond me though.
Now to the future, because we’re not done yet by a long shot. The security reports keep rolling in. I’m working on a bunch of CVEs right now. Luckily I’ve been joined by some other very good developers with great systems development skills and security knowledge. Some of these people came to my attention partly because of all the rage happening at the moment, so I get some rage storm clouds have silver linings. Watch out for some credits for some great new rsync developers in the next release.
The project is being taken over by vibe coders, yay.
The project is being taken over by vibe coders, yay.
Evidence?
You can look at the tone of the whole post to understand where the author is mentally. You can also make an educated guess about who will want to work on a project that’s being coded with LLMs. If I’m wrong remind me and I’ll own it. But I don’t think I am.
So no evidence at all then, gotcha.
Lol, I’m not a court of law, I’m a person. I can make my own judgments based on what someone said and how they said it.
Cool story bro.
Conjecture (and largely unfounded at that) isn’t evidence. I’d bet money that you don’t even have the ability to evaluate the project to determine if it’s being vibe-coded (as it seems is the case for everyone raging about this).
Lol, I’m not a court of law, I’m a person.
Get lost with this deflection crap. You’re the one who was making a definitive statement (“The project is being taken over by vibe coders, yay.”) about a widely respected figure responsible for creating one of the most used pieces of software ever (not to mention Samba too) who IMO deserves the benefit of the doubt until proven otherwise.
I merely asked you to provide evidence to back up your statement and clearly you’re unable to do that. Don’t try to push it back onto me trying to make me seem unreasonable for asking.
I’ve seen it enough times to see a pattern. This post is riddled with tech bro language, there’s no denying it. More of it is coming with everything that entails.
Thankfully there’s still openrsync. I didn’t even realise I was already using it so I’m not invested into arguing further. To all vanilla rsync users, Godspeed.
There is a significant majority of people on Lemmy who think installing Linux made them a software engineer and think that code completion is “vibe-coding” and not a basic feature of fucking Eclipse
That was a fair response. But I get the feeling that a lot of “intelligence” is given in this tool. Feels like they are seeing something that I’m not.
I didn’t get that feeling at all. They didn’t make any such claims or used such wordings which I often see elsewhere.
Well I can always point to English isn’t my native tongue, so I can always infer stuff that isn’t there :D
Still, the way it explain give the idea of something that I can’t see it. And this is what is concerning me for the last week at least.
Trust. For me that fits your description, the thing I don’t “see” but some out there do. I try to keep an open mind, but the way this stuff is being sold hard bothers me.
On the one hand, using a language learning model to interpret and modify a programs code language seems like a no brainer. On the other hand, we have mountains of evidence that suggest the technology hasn’t been perfected.
Maybe, just maybe, a disclaimer is appropriate.
He did have a disclaimer. It says it was co-authored by claude
What you see in the commit history with co-authored by claude is the tip of the proverbial software engineering iceberg.
