From: Kirill A. Korinsky
Subject: Re: AI-Driven Security Enhancements for OpenBSD Kernel
To: Alfredo Ortega
Cc: tech@openbsd.org
Date: Tue, 11 Jun 2024 19:37:11 +0100

On Tue, 11 Jun 2024 16:52:02 +0100, Alfredo Ortega wrote:
>
> Another thing that you can deduce is that the system that writes
> patches can also find vulnerabilities.
> I already reported some and don't have time to report them all. But I
> imagine I'm not the only one working on these systems.
>

Here you are the operator who verifies the output of these tools.

This can be a nice and useful tool, like valgrind or a static analyzer. But it won't be the silver bullet. Ok, it might be the silver bullet which writes the code, but you should accept extremely bad quality of that code at the end.

Sometimes people follow the tool's suggestion without thinking about what they are doing, and it may lead to disaster.

A good example of blind trust in a tool which led to a kind of disaster is Debian, where guys had fixed OpenSSL because of a valgrind warning. Here is a random article about that story: https://blogs.fsfe.org/tonnerre/archives/24

--
wbr, Kirill