1 hour ago · Tech · 0 comments

I think this crazy artificial intelligence bug hunting era might end up doing good for open source. Sure, it sucks right now. Everyone across the board reports a massive increase in valid vulnerability reports: Daniel Stenberg is very vocal about it, the Go toolchain has been disclosing several CVEs a week, and my fedi feed is full of AI security. None of my projects are xkcd 2347 compliant, so I do not know what it really feels like; I do not have skin in the game. But I like to think that makes my vision clearer, because I do not have to struggle with it day to day. We are on the edge of something new, that is for certain. curl pays nothing for security reports, and people keep filing them anyway. I do not know of any other software project of this size that would be likely to contain fewer issues. Rust projects are largely spared memory-safety vulnerabilities, but uutils was not spared CVEs either. You can go beyond Rust, to languages where compilation approaches a mathematical proof of correctness,…