From: Otto Moerbeek
Subject: Re: AI-Driven Security Enhancements for OpenBSD Kernel
To: Alfredo Ortega
Cc: Theo de Raadt, tech@openbsd.org
Date: Wed, 12 Jun 2024 13:37:59 +0200

On Wed, Jun 12, 2024 at 04:28:05AM -0300, Alfredo Ortega wrote:

> The 10000 patches number is just for the IPV4/IPV6 stack. I also don't
> think you should review or integrate them, because in a couple months
> when more advanced LLMs are made available I can regenerate all the
> patches in less than a morning with much better quality. And again
> every time a new LLM is released.
>
> That's why I think of the patches as a post-processing step. I.E. you
> keep the regular process of development, and I or other people can
> refactor and release secure versions of the kernel/userland.

You have *not* demonstrated your patches will produce a more secure
version of the code. That's just a big assumption you made with zero
evidence.

>
> It's great that you want to keep the development process human, but my
> opinion is that if you have AI adversaries (like we have now), you
> need AI protections.

Again, you assume AI will provide protection.

	-Otto

>
> On Wed, 12 Jun 2024 at 3:15, Theo de Raadt wrote:
> >
> > I think the important thing to understand about complex software is that
> > it must be humanly comprehensible.
> >
> > Once abstraction levels become too grand (via human or automation
> > efforts), no human will put effort into understanding how the pieces fit
> > together, or put further effort into mutating the software to do some
> > new future thing.
> >
> > So in this conversation, 10,000 extra chunks of code -- we have a choice
> > between automation which will evict the human interest, or humans who
> > won't accept automation that will evict their future interest.
> >
> > One additional point. This project has always been founded on keeping
> > patches minimal, explainable, etc. That's 10,000 patches which will need
> > to be submitted in very small bundles, and trying to keep the attention
> > of reviewers.
> >
> > Oh, review isn't necessary? Amazing. How did we ever get to this point.