From: Otto Moerbeek
Subject: Re: AI-Driven Security Enhancements for OpenBSD Kernel
To: Alfredo Ortega
Cc: tech@openbsd.org
Date: Wed, 12 Jun 2024 08:04:10 +0200

On Tue, Jun 11, 2024 at 09:38:39PM -0300, Alfredo Ortega wrote:

> As LLM outputs are probabilistic, each iteration needs some kind of
> test to check against for the correctness of the generated code.
> In this case, the only test I have is 'compiles and boots correctly',
> but code with extensive tests will benefit the most, and likely will
> avoid those kinds of mistakes.

Please stop with this approach. It won't scale. There is no way we can
verify 10000 patches.

Making bold statements about the (future) quality of the patches does
not help at all, as they are untrue. Tests do not show absence of
introduced bugs, as the coverage of tests is too low in any practical
piece of software.

We can take a look at individual patches, with an explanation of why the
patch is good. This means understanding of the code and its context by
the submitter.

	-Otto

>
> On Tue, 11 Jun 2024 at 15:37, Kirill A. Korinsky () wrote:
> >
> > On Tue, 11 Jun 2024 16:52:02 +0100,
> > Alfredo Ortega wrote:
> > >
> > > Another thing that you can deduce is that the system that writes
> > > patches can also find vulnerabilities.
> > > I already reported some and don't have time to report them all. But I
> > > imagine I'm not the only one working on these systems.
> > >
> >
> > Here you are the operator who verifies the output of these tools.
> >
> > This can be a nice and useful tool, like valgrind or a static analyzer.
> >
> > But it won't be the silver bullet.
> >
> > Ok, it might be the silver bullet which writes the code, but you should
> > accept extremely bad quality of that code at the end.
> >
> > Sometimes people follow the tool's suggestion without thinking about what
> > they are doing, and it may lead to disaster.
> >
> > A good example of blind trust in the tool which led to a kind of disaster is
> > Debian, where guys had fixed OpenSSL by valgrind warning. Here is a random
> > article about that story: https://blogs.fsfe.org/tonnerre/archives/24
> >
> >
> > --
> > wbr, Kirill
>